
Bug#833634: jessie-pu: package apache2/2.4.10-10+deb8u6



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu


Hi release team,

please review the following bug-fix update for inclusion into the next
stable point release. Full debdiff is attached.

Cheers,
Stefan

apache2 (2.4.10-10+deb8u6) jessie; urgency=medium

  * Fix race condition and logical error in init script. Thanks to Thomas
    Stangner for the patch. Closes: #822144
  * Remove links to manpages.debian.org in default index.html to avoid
    broken robots doing a DoS on the site. Closes: #821313
  * mod_socache_memcache: Increase idle timeout to 15s to allow keep-alive
    connections. Closes: #803035
  * mod_proxy_fcgi: Fix wrong behavior with 304 responses. Closes: #827472
  * Correct systemd-sysv-generator behavior by customizing some parameters.
    This fixes 'systemctl status' returning incorrect results.
    Closes: #827444
  * mod_proxy_html: Add missing config file mods-available/proxy_html.conf.
    This is intentionally not enabled during upgrade, to make it less
    likely to break existing setups. It will be enabled by a a2dismod/a2enmod
    cycle, though. Closes: #827258

 -- Stefan Fritsch <sf@debian.org>  Sun, 07 Aug 2016 12:58:11 +0200
diff -Nru apache2-2.4.10/debian/apache2.init apache2-2.4.10/debian/apache2.init
--- apache2-2.4.10/debian/apache2.init	2016-07-20 08:41:40.000000000 +0200
+++ apache2-2.4.10/debian/apache2.init	2016-08-07 12:56:37.000000000 +0200
@@ -139,6 +139,7 @@
 
 apache_wait_stop() {
 	local STATUS=$1
+	local METH=$2
 
 	if [ $STATUS != 0 ] ; then
 	        return $STATUS
@@ -146,11 +147,18 @@
 
 	PIDTMP=$(pidofproc -p $PIDFILE $DAEMON)
 	if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then
+
+	        if [ "$METH" = "kill" ]; then
+	            killproc -p $PIDFILE $DAEMON
+	        else
+	            $APACHE2CTL $METH > /dev/null 2>&1
+	        fi
+
 	        local i=0
 	        while kill -0 "${PIDTMP:-}" 2> /dev/null;  do
 	                if [ $i = '60' ]; then
-	                        break
 	                        STATUS=2
+	                        break
 	                fi
 	                [ "$VERBOSE" != no ] && log_progress_msg "."
 	                sleep 1
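Review bot: The exit status of the stop action is discarded now that it runs inside apache_wait_stop: neither `killproc -p $PIDFILE $DAEMON` nor `$APACHE2CTL $METH > /dev/null 2>&1` has its result checked, so a stop command that fails outright is only noticed when the 60-second loop times out and sets STATUS=2. In the last init-script hunk the callers pass `$?` directly after the `[ $AP_RET = 2 ] && apache_conftest` test and after the `APACHE2_INIT_MESSAGE=` assignment, where it appears to always be 0, so the `if [ $STATUS != 0 ]` guard at the top of the function can no longer trigger for them. Consider capturing the result, e.g. `killproc -p $PIDFILE $DAEMON || STATUS=$?`, and reporting it, or dropping the STATUS parameter if it is no longer meant to carry anything. The function continues past the end of this hunk, so its final return path is not visible here.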
@@ -223,15 +231,13 @@
 	fi
 
 	if [ $AP_RET = 2 ] && apache_conftest ; then
-	        $APACHE2CTL $STOP > /dev/null 2>&1
-	        apache_wait_stop $?
+	        apache_wait_stop $? $STOP
 	        return $?
 	else
 	        if [ $AP_RET = 2 ]; then
-					clear_error_msg
+	                clear_error_msg
 	                APACHE2_INIT_MESSAGE="The apache2$DIR_SUFFIX configtest failed, so we are trying to kill it manually. This is almost certainly suboptimal, so please make sure your system is working as you'd expect now!"
-	                killproc -p $PIDFILE $DAEMON
-	                apache_wait_stop $?
+	                apache_wait_stop $? "kill"
 	                return $?
 	        elif [ $AP_RET = 1 ] ; then
 	                APACHE2_INIT_MESSAGE="There are processes named 'apache2' running which do not match your pid file which are left untouched in the name of safety, Please review the situation by hand".
diff -Nru apache2-2.4.10/debian/apache2.install apache2-2.4.10/debian/apache2.install
--- apache2-2.4.10/debian/apache2.install	2016-07-20 08:41:40.000000000 +0200
+++ apache2-2.4.10/debian/apache2.install	2016-08-07 12:56:37.000000000 +0200
@@ -5,3 +5,4 @@
 debian/a2query					/usr/sbin
 debian/ask-for-passphrase			/usr/share/apache2/
 debian/debhelper/apache2-maintscript-helper	/usr/share/apache2/
+debian/forking.conf				/lib/systemd/system/apache2.service.d/forking.conf
diff -Nru apache2-2.4.10/debian/apache2.postinst apache2-2.4.10/debian/apache2.postinst
--- apache2-2.4.10/debian/apache2.postinst	2016-07-20 08:41:40.000000000 +0200
+++ apache2-2.4.10/debian/apache2.postinst	2016-08-07 12:56:45.000000000 +0200
@@ -270,6 +270,21 @@
 	fi
 }
 
+is_problematic_index_html () {
+	local FILE="$1"
+	[ -f "$FILE" ] || return 1
+	local MD5=$(md5sum "$FILE" 2> /dev/null |cut -d' ' -f 1)
+	[ -n "$MD5" ] || return 1
+	grep -q "$MD5" <<- EOF
+	1736dfc80cf1f5a8966c096a0b094377
+	776221a94e5a174dc2396c0f3f6b6a74
+	51a41c3207374dad24ec64a0f2646bdc
+	c481228d439cbb54bdcedbaec5bbb11a
+	3183a3d71d86bcc88aaf3ca5cbbefb45
+	74cec59a19e5d16f7cc6a2445e35fa3b
+	EOF
+}
+
 # XXX: This site is installed in the apache2-data package. Should the postinst
 # scriptlet move there too?
 install_default_files()
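Review bot: The six checksums in the here-document of is_problematic_index_html are unexplained, and the match is looser than it needs to be. A comment above the list such as `# md5sums of previously shipped default index.html files that link to manpages.debian.org, see #821313` (my reading of the changelog; please confirm which package versions they come from) would let a later maintainer extend or retire the list. `grep -q "$MD5"` treats the value as a regular expression and accepts a substring match, whereas `grep -qxF -- "$MD5"` compares whole lines literally. `local MD5=$(...)` also hides the pipeline's exit status, though the following `[ -n "$MD5" ]` covers the empty case.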
@@ -292,6 +307,14 @@
 		if $do_copy ; then
 			cp /usr/share/apache2/default-site/index.html /var/www/html/index.html
 		fi
+	else
+		# see #821313
+		for dir in /var/www /var/www/html ; do
+			local file=$dir/index.html
+			if is_problematic_index_html $file ; then
+				cp /usr/share/apache2/default-site/index.html $file
+			fi
+		done
 	fi
 }
 
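Review bot: The new else branch lets the root-run postinst overwrite `$file` with a `cp` that follows symlinks, and the `[ -f ]` and `md5sum` checks in is_problematic_index_html follow them too. If /var/www or /var/www/html is writable by a non-root account on a given system (a local setup choice, not visible here), a symlink at index.html would make the copy land on the link target. A guard such as `[ ! -L "$file" ] && is_problematic_index_html "$file"` together with `cp --remove-destination` would replace the link instead of writing through it. `dir` is not declared `local`, and `$file` should be quoted in both uses. install_default_files begins before this hunk, so the condition this `else` belongs to is not visible.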
diff -Nru apache2-2.4.10/debian/changelog apache2-2.4.10/debian/changelog
--- apache2-2.4.10/debian/changelog	2016-07-20 08:42:34.000000000 +0200
+++ apache2-2.4.10/debian/changelog	2016-08-07 13:02:55.000000000 +0200
@@ -1,3 +1,22 @@
+apache2 (2.4.10-10+deb8u6) jessie; urgency=medium
+
+  * Fix race condition and logical error in init script. Thanks to Thomas
+    Stangner for the patch. Closes: #822144
+  * Remove links to manpages.debian.org in default index.html to avoid
+    broken robots doing a DoS on the site. Closes: #821313
+  * mod_socache_memcache: Increase idle timeout to 15s to allow keep-alive
+    connections. Closes: #803035
+  * mod_proxy_fcgi: Fix wrong behavior with 304 responses. Closes: #827472
+  * Correct systemd-sysv-generator behavior by customizing some parameters.
+    This fixes 'systemctl status' returning incorrect results.
+    Closes: #827444
+  * mod_proxy_html: Add missing config file mods-available/proxy_html.conf.
+    This is intentionally not enabled during upgrade, to make it less
+    likely to break existing setups. It will be enabled by a a2dismod/a2enmod
+    cycle, though. Closes: #827258
+
+ -- Stefan Fritsch <sf@debian.org>  Sun, 07 Aug 2016 12:58:11 +0200
+
 apache2 (2.4.10-10+deb8u5) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru apache2-2.4.10/debian/config-dir/mods-available/proxy_html.conf apache2-2.4.10/debian/config-dir/mods-available/proxy_html.conf
--- apache2-2.4.10/debian/config-dir/mods-available/proxy_html.conf	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/config-dir/mods-available/proxy_html.conf	2016-07-21 23:15:10.000000000 +0200
@@ -0,0 +1,75 @@
+# Configuration example.
+#
+# For detailed information about these directives see
+# <URL:http://httpd.apache.org/docs/2.4/mod/mod_proxy_html.html>
+# and for mod_xml2enc see
+# <URL:http://httpd.apache.org/docs/2.4/mod/mod_xml2enc.html>
+#
+
+# All knowledge of HTML links has been removed from the mod_proxy_html
+# code itself, and is instead read from httpd.conf (or included file)
+# at server startup.  So you MUST declare it.  This will normally be
+# at top level, but can also be used in a <Location>.
+#
+# Here's the declaration for W3C HTML 4.01 and XHTML 1.0
+
+ProxyHTMLLinks	a		href
+ProxyHTMLLinks	area		href
+ProxyHTMLLinks	link		href
+ProxyHTMLLinks	img		src longdesc usemap
+ProxyHTMLLinks	object		classid codebase data usemap
+ProxyHTMLLinks	q		cite
+ProxyHTMLLinks	blockquote	cite
+ProxyHTMLLinks	ins		cite
+ProxyHTMLLinks	del		cite
+ProxyHTMLLinks	form		action
+ProxyHTMLLinks	input		src usemap
+ProxyHTMLLinks	head		profile
+ProxyHTMLLinks	base		href
+ProxyHTMLLinks	script		src for
+
+# To support scripting events (with ProxyHTMLExtended On),
+# you'll need to declare them too.
+
+ProxyHTMLEvents	onclick ondblclick onmousedown onmouseup \
+		onmouseover onmousemove onmouseout onkeypress \
+		onkeydown onkeyup onfocus onblur onload \
+		onunload onsubmit onreset onselect onchange
+
+# If you need to support legacy (pre-1998, aka "transitional") HTML or XHTML,
+# you'll need to uncomment the following deprecated link attributes.
+# Note that these are enabled in earlier mod_proxy_html versions
+#
+# ProxyHTMLLinks	frame		src longdesc
+# ProxyHTMLLinks	iframe		src longdesc
+# ProxyHTMLLinks	body		background
+# ProxyHTMLLinks	applet		codebase
+#
+# If you're dealing with proprietary HTML variants,
+# declare your own URL attributes here as required.
+#
+# ProxyHTMLLinks	myelement	myattr otherattr
+#
+###########
+# EXAMPLE #
+###########
+#
+# To define the URL /my-gateway/ as a gateway to an appserver with address
+# http://some.app.intranet/ on a private network, after loading the
+# modules and including this configuration file:
+#
+# ProxyRequests Off  <-- this is an important security setting
+# ProxyPass /my-gateway/ http://some.app.intranet/
+# <Location /my-gateway/>
+#	ProxyPassReverse /
+#	ProxyHTMLEnable On
+#	ProxyHTMLURLMap http://some.app.intranet/ /my-gateway/
+#	ProxyHTMLURLMap / /my-gateway/
+# </Location>
+#
+# Many (though not all) real-life setups are more complex.
+#
+# See the documentation at
+# http://apache.webthing.com/mod_proxy_html/
+# and the tutorial at
+# http://www.apachetutor.org/admin/reverseproxies
diff -Nru apache2-2.4.10/debian/forking.conf apache2-2.4.10/debian/forking.conf
--- apache2-2.4.10/debian/forking.conf	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/forking.conf	2016-07-21 23:15:10.000000000 +0200
@@ -0,0 +1,3 @@
+[Service]
+Type=forking
+RemainAfterExit=no
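Review bot: The drop-in carries no comment, so nothing in the file says why the generated unit needs `Type=forking` and `RemainAfterExit=no`. A header line such as `# Override systemd-sysv-generator defaults so 'systemctl status' reflects the real daemon state, see #827444` would record that for the next maintainer. With `Type=forking`, systemd tracks the main process most reliably when it also knows the PID file; whether the generator already derives `PIDFile=` from the init script is not visible in this diff, so that is worth confirming.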
diff -Nru apache2-2.4.10/debian/index.html apache2-2.4.10/debian/index.html
--- apache2-2.4.10/debian/index.html	2016-07-20 08:41:40.000000000 +0200
+++ apache2-2.4.10/debian/index.html	2016-07-21 23:15:10.000000000 +0200
@@ -293,17 +293,17 @@
                            *-available/ counterparts. These should be managed
                            by using our helpers
                            <tt>
-                                <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2enmod";>a2enmod</a>,
-                                <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2dismod";>a2dismod</a>,
+                                a2enmod,
+                                a2dismod,
                            </tt>
                            <tt>
-                                <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2ensite";>a2ensite</a>,
-                                <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2dissite";>a2dissite</a>,
+                                a2ensite,
+                                a2dissite,
                             </tt>
                                 and
                            <tt>
-                                <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2enconf";>a2enconf</a>,
-                                <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2disconf";>a2disconf</a>
+                                a2enconf,
+                                a2disconf
                            </tt>. See their respective man pages for detailed information.
                         </li>
 
@@ -326,7 +326,7 @@
             <p>
                 By default, Debian does not allow access through the web browser to
                 <em>any</em> file apart of those located in <tt>/var/www</tt>,
-                <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html";>public_html</a>
+                <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html"; rel="nofollow">public_html</a>
                 directories (when enabled) and <tt>/usr/share</tt> (for web
                 applications). If your site is using a web document root
                 located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your
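Review bot: `rel="nofollow"` on the mod_userdir link here, and on the bugs.debian.org pkgreport.cgi link in the next hunk, is only a hint that well-behaved crawlers honour; the changelog attributes the load to broken robots, which may ignore it. Since this page is served by every default install, the CGI-backed bug-report link in particular could be handled like the man-page links in the first hunk, i.e. shown as plain text. Both remaining links also use `http://`; if the targets are reachable over `https://`, linking there avoids sending visitors over plaintext.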
@@ -347,8 +347,8 @@
           <p>
                 Please use the <tt>reportbug</tt> tool to report bugs in the
                 Apache2 package with Debian. However, check <a
-                href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0";>existing
-                bug reports</a> before reporting a new bug.
+                href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0";
+                rel="nofollow">existing bug reports</a> before reporting a new bug.
           </p>
           <p>
                 Please report bugs specific to modules (such as PHP and others)
diff -Nru apache2-2.4.10/debian/patches/mod_proxy_fcgi_304_body.patch apache2-2.4.10/debian/patches/mod_proxy_fcgi_304_body.patch
--- apache2-2.4.10/debian/patches/mod_proxy_fcgi_304_body.patch	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/patches/mod_proxy_fcgi_304_body.patch	2016-08-07 12:56:37.000000000 +0200
@@ -0,0 +1,51 @@
+# https://svn.apache.org/r1650677
+# https://bz.apache.org/bugzilla/show_bug.cgi?id=57198
+--- apache2.orig/modules/proxy/mod_proxy_fcgi.c
++++ apache2/modules/proxy/mod_proxy_fcgi.c
+@@ -367,7 +367,7 @@ static apr_status_t dispatch(proxy_conn_
+                              const char **err)
+ {
+     apr_bucket_brigade *ib, *ob;
+-    int seen_end_of_headers = 0, done = 0;
++    int seen_end_of_headers = 0, done = 0, ignore_body = 0;
+     apr_status_t rv = APR_SUCCESS;
+     int script_error_status = HTTP_OK;
+     conn_rec *c = r->connection;
+@@ -577,9 +577,16 @@ recv_again:
+                                 APR_BRIGADE_INSERT_TAIL(ob, tmp_b);
+                                 r->status = status;
+                                 ap_pass_brigade(r->output_filters, ob);
+-                                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01070)
+-                                              "Error parsing script headers");
+-                                rv = APR_EINVAL;
++                                if (status == HTTP_NOT_MODIFIED) {
++                                    /* The 304 response MUST NOT contain
++                                     * a message-body, ignore it. */
++                                    ignore_body = 1;
++                                }
++                                else {
++                                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01070)
++                                                    "Error parsing script headers");
++                                    rv = APR_EINVAL;
++                                }
+                                 break;
+                             }
+ 
+@@ -598,7 +605,7 @@ recv_again:
+                             }
+ 
+                             if (script_error_status == HTTP_OK
+-                                && !APR_BRIGADE_EMPTY(ob)) {
++                                && !APR_BRIGADE_EMPTY(ob) && !ignore_body) {
+                                 /* Send the part of the body that we read while
+                                  * reading the headers.
+                                  */
+@@ -626,7 +633,7 @@ recv_again:
+                          * but that could be a huge amount of data; so we pass
+                          * along smaller chunks
+                          */
+-                        if (script_error_status == HTTP_OK) {
++                        if (script_error_status == HTTP_OK && !ignore_body) {
+                             rv = ap_pass_brigade(r->output_filters, ob);
+                             if (rv != APR_SUCCESS) {
+                                 *err = "passing brigade to output filters";
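Review bot: The patch header is two bare URLs, which gives no description of the change and does not tie it to the Debian bug. DEP-3 fields would make the provenance machine-readable: a one-line Description, then `Origin: upstream, https://svn.apache.org/r1650677`, `Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=57198` and `Bug-Debian: https://bugs.debian.org/827472`. In the code itself, the return value of the `ap_pass_brigade(r->output_filters, ob)` call just above the new 304 branch is still ignored on that path; that line is unchanged context, so it may be intentional upstream.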
diff -Nru apache2-2.4.10/debian/patches/mod_socache_memcache_idle_timeout.patch apache2-2.4.10/debian/patches/mod_socache_memcache_idle_timeout.patch
--- apache2-2.4.10/debian/patches/mod_socache_memcache_idle_timeout.patch	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/patches/mod_socache_memcache_idle_timeout.patch	2016-08-07 12:56:37.000000000 +0200
@@ -0,0 +1,11 @@
+--- apache2.orig/modules/cache/mod_socache_memcache.c
++++ apache2/modules/cache/mod_socache_memcache.c
+@@ -51,7 +51,7 @@
+ #endif
+ 
+ #ifndef MC_DEFAULT_SERVER_TTL
+-#define MC_DEFAULT_SERVER_TTL 600
++#define MC_DEFAULT_SERVER_TTL (15*1000*1000)        /* 15 seconds */
+ #endif
+ 
+ struct ap_socache_instance_t {
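Review bot: This patch has no header at all, and the new value changes the apparent unit of the constant without saying so: 600 becomes `(15*1000*1000)`, which only reads as 15 seconds if the TTL is counted in microseconds. Add a DEP-3 header (a Description plus `Bug-Debian: https://bugs.debian.org/803035`) and state the unit in the comment, e.g. `/* 15 seconds, in microseconds */`. If the consumer takes an APR interval, `apr_time_from_sec(15)` would express that directly. Where the macro is used lies outside the hunk, so the unit is inferred from the multiplier.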
diff -Nru apache2-2.4.10/debian/patches/series apache2-2.4.10/debian/patches/series
--- apache2-2.4.10/debian/patches/series	2016-07-20 08:42:34.000000000 +0200
+++ apache2-2.4.10/debian/patches/series	2016-08-07 12:56:37.000000000 +0200
@@ -19,3 +19,5 @@
 mpm_event_crash.diff
 split_logfile-strict.patch
 CVE-2016-5387.patch
+mod_socache_memcache_idle_timeout.patch
+mod_proxy_fcgi_304_body.patch
