Posted to dev@httpd.apache.org by Paul Querna <ch...@force-elite.com> on 2005/06/24 10:03:57 UTC

2.1.6 is available for veto^H^H^H^Hvoting

Please vote on releasing 2.1.6 as -alpha.

Available at:
http://httpd.apache.org/dev/dist/
http://people.apache.org/~pquerna/dev/httpd-2.1.6/

MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b

Thanks,

Paul

Re: 2.0.55

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 01:12 PM 6/27/2005, Sander Striker wrote:
>William A. Rowe, Jr. wrote:
>
>[...]
>>My goal is to tag and roll 2.0 by Friday for release early next
>>week, unless the fixes are ready sooner.  There is a list of already-accepted patches in status, if anyone wants to pick some
>>low hanging fruit for 2.0.
>
>Bill, are you volunteering for RM?  I'm happy to RM FWIW, and do
>the 2.0.55 T&R on friday.  Which, by the way, will imply release
>around wednesday the following week given our regular own dogfood
>test.

Ack on the force-feeding.  Yes I would RM - but would be happy
to pass that half of the baton, if you would like to RM the source
I'll handle the .zip's/.msi's etc, with you.

Bill



2.0.55, WAS: Re: 2.1.6 is available for veto^H^H^H^Hvoting

Posted by Sander Striker <st...@apache.org>.
William A. Rowe, Jr. wrote:

[...]
> My goal is to tag and roll 2.0 by Friday for release early next
> week, unless the fixes are ready sooner.  There is a list of 
> already-accepted patches in status, if anyone wants to pick some
> low hanging fruit for 2.0.

Bill, are you volunteering for RM?  I'm happy to RM FWIW, and do
the 2.0.55 T&R on friday.  Which, by the way, will imply release
around wednesday the following week given our regular own dogfood
test.

Thanks,

Sander

Re: 2.0.55

Posted by Jeff Trawick <tr...@gmail.com>.
On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> At 12:20 PM 6/27/2005, Jeff Trawick wrote:
> >On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> >
> >> My goal is to tag and roll 2.0 by Friday for release early next
> >> week, unless the fixes are ready sooner.  There is a list of
> >> already-accepted patches in status, if anyone wants to pick some
> >> low hanging fruit for 2.0.
> >
> >I have a tested proxy smuggling patch for 2.0  which I'll upload to
> >people.apache.org and add to STATUS.  It is somewhere amidst the 2.1.5
> >or 2.1.6 messages.
> 
> Thanks!  The patch raised another question for me.  We have the
> downgrade-1.0 and nokeepalive switches to force the CLIENT connection
> to skip any spoofing attack.
> 
> But since 2.0/2.1 mod_proxy now uses keepalives for real, do we have
> any similar choice for administrators to 'work around' potentially
> broken back ends?

proxy_http.c:    if ( apr_table_get(r->subprocess_env,"proxy-nokeepalive")) {

Re: 2.0.55

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 12:20 PM 6/27/2005, Jeff Trawick wrote:
>On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
>
>> My goal is to tag and roll 2.0 by Friday for release early next
>> week, unless the fixes are ready sooner.  There is a list of
>> already-accepted patches in status, if anyone wants to pick some
>> low hanging fruit for 2.0.
>
>I have a tested proxy smuggling patch for 2.0  which I'll upload to
>people.apache.org and add to STATUS.  It is somewhere amidst the 2.1.5
>or 2.1.6 messages.

Thanks!  The patch raised another question for me.  We have the
downgrade-1.0 and nokeepalive switches to force the CLIENT connection
to skip any spoofing attack.

But since 2.0/2.1 mod_proxy now uses keepalives for real, do we have
any similar choice for administrators to 'work around' potentially
broken back ends?

It's certainly not a security hole in Apache.  But it would help
folks who have insecure back end applications to mitigate the damage.

Bill  


Re: 2.1.6 is available for veto^H^H^H^Hvoting

Posted by Jeff Trawick <tr...@gmail.com>.
On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:

> My goal is to tag and roll 2.0 by Friday for release early next
> week, unless the fixes are ready sooner.  There is a list of
> already-accepted patches in status, if anyone wants to pick some
> low hanging fruit for 2.0.

I have a tested proxy smuggling patch for 2.0  which I'll upload to
people.apache.org and add to STATUS.  It is somewhere amidst the 2.1.5
or 2.1.6 messages.

HTTP Spoofing

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
1.3 proxy doesn't accept T-E:chunked request bodies.

1.3 proxy doesn't perform keep-alives against a backend.

I think we are safe, but additional opinions are welcome.

Bill

At 02:18 PM 6/30/2005, Mark J Cox wrote:
>> I'm obtaining a CVE name for this issue -- (as the issue is already public 
>> it requires co-ordination with Mitre)
>
>CAN-2005-2088
>
>Has anyone looked to make sure this doesn't apply to later 1.3 releases?  
>
>Cheers,
>Mark



Re: 2.1.6 is available for veto^H^H^H^Hvoting

Posted by Mark J Cox <ma...@awe.com>.
> I'm obtaining a CVE name for this issue -- (as the issue is already public 
> it requires co-ordination with Mitre)

CAN-2005-2088

Has anyone looked to make sure this doesn't apply to later 1.3 releases?  

Cheers,
Mark


Re: 2.1.6 is available for veto^H^H^H^Hvoting

Posted by Mark J Cox <ma...@awe.com>.
> Do we have an incident number for this report as it pertains
> to the Apache HTTP Server?

I'm obtaining a CVE name for this issue -- (as the issue is already public 
it requires co-ordination with Mitre)

Cheers, Mark


Re: 2.1.6 is available for veto^H^H^H^Hvoting

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
In the announce, we should have;

     proxy HTTP: If a response contains both Transfer-Encoding
     and a Content-Length, remove the Content-Length to eliminate
     an HTTP Request Smuggling vulnerability, and don't reuse
     the connection, stopping some HTTP Request Spoofing attacks.

  "The Apache httpd project thanks the Watchfire team of Linhart,
  Klein, Heled and Orrin for the responsible notification and
  disclosure of this information."

Do we have an incident number for this report as it pertains
to the Apache HTTP Server?

I agree with Jeff after spending quite a few hours; patches to
the proxy now diverge quite radically from 2.0's proxy_http.c.
The band aids will land in slightly different places, but we
should encourage folks to validate proper proxied header and
body transmission.

My goal is to tag and roll 2.0 by Friday for release early next
week, unless the fixes are ready sooner.  There is a list of 
already-accepted patches in status, if anyone wants to pick some
low hanging fruit for 2.0.

Bill


At 01:08 PM 6/26/2005, Paul Querna wrote:

>+1 for Alpha from Joe Orton, Brad Nicholes, Wilfredo Sánchez Vega, and Paul Querna.
>
>Therefore, I consider 2.1.6-alpha to be released.
>
>I have moved the 2.1.6-alpha source files to the dist folder to be picked up by mirrors.  I will add it to the download.xml and index.xml for httpd.apache.org later today, after giving the mirrors time to pick it up.
>
>Thanks to everyone who tested it,
>
>-Paul
>
>Paul Querna wrote:
>
>>Please vote on releasing 2.1.6 as -alpha.
>>
>>Available at:
>>http://httpd.apache.org/dev/dist/
>>http://people.apache.org/~pquerna/dev/httpd-2.1.6/
>>
>>MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
>>MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
>>MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
>>
>>Thanks,
>>
>>Paul
>
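
The Transfer-Encoding/Content-Length rule in the announce text above, and the proxy-nokeepalive hook Jeff points at in proxy_http.c earlier in the thread, worked through as an added example. This is not httpd code: it is a small Python model of the framing decision a proxy makes on one backend response. The response bytes are constructed, attacker.example is a hypothetical host, and the subprocess_env dict stands in for Apache's r->subprocess_env table. It goes slightly beyond the thread in one place: two Content-Length headers with differing values are also rejected, which RFC 7230 later made mandatory.

```python
"""Framing decision a proxy must make on a backend HTTP/1.1 response that
carries both Transfer-Encoding and Content-Length.  Added example, not
Apache httpd code; the message bytes are constructed and attacker.example
is a hypothetical host."""

CRLF = b"\r\n"

# Bytes a Content-Length-trusting receiver would mistake for the *next*
# response on a kept-alive backend connection (constructed).
FAKE_NEXT_RESPONSE = (
    b"HTTP/1.1 302 Found" + CRLF
    + b"Location: http://attacker.example/" + CRLF
    + b"Content-Length: 0" + CRLF
    + CRLF
)
_SIZE_LINE = b"%x" % len(FAKE_NEXT_RESPONSE) + CRLF  # chunk-size line

# Conflicting framing: Content-Length covers only the chunk-size line,
# Transfer-Encoding covers the whole chunked body.
BACKEND_RESPONSE = (
    b"HTTP/1.1 200 OK" + CRLF
    + b"Content-Length: %d" % len(_SIZE_LINE) + CRLF
    + b"Transfer-Encoding: chunked" + CRLF
    + b"Connection: keep-alive" + CRLF
    + CRLF
    + _SIZE_LINE + FAKE_NEXT_RESPONSE + CRLF  # single data chunk
    + b"0" + CRLF + CRLF                      # last-chunk, no trailers
)


def parse_head(raw):
    """Split raw message into (start_line, [(name_lower, value)], body)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].decode("latin-1"), headers, body


def get_all(headers, name):
    return [v for n, v in headers if n == name]


def is_chunked(headers):
    te = get_all(headers, "transfer-encoding")
    # chunked must be the final transfer-coding applied (RFC 2616 3.6)
    return bool(te) and te[-1].split(",")[-1].strip().lower() == "chunked"


def dechunk(body):
    """Decode a chunked body; return (payload, bytes left after last-chunk)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(CRLF, pos)
        size = int(body[pos:eol].split(b";")[0].strip(), 16)  # drop chunk-ext
        pos = eol + 2
        if size == 0:
            while True:  # skip trailers up to the empty line
                eol = body.index(CRLF, pos)
                line, pos = body[pos:eol], eol + 2
                if not line:
                    return bytes(out), body[pos:]
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != CRLF:
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def frame(raw, trust):
    """Return (payload, leftover).  trust="content-length" mimics a receiver
    that believes Content-Length even when Transfer-Encoding is present (the
    desync-prone behaviour); trust="transfer-encoding" follows RFC 2616 4.4:
    a Transfer-Encoding other than identity makes Content-Length ignored."""
    _, headers, body = parse_head(raw)
    cl = get_all(headers, "content-length")
    if is_chunked(headers) and trust != "content-length":
        return dechunk(body)
    if cl:
        n = int(cl[0])
        return body[:n], body[n:]
    return body, b""  # neither header: body runs to connection close


def prepare_for_forwarding(headers, subprocess_env=None):
    """The 2.0.55/2.1.6 rule: both headers present => drop Content-Length and
    do not reuse the backend connection.  Also honours Connection: close and
    the proxy-nokeepalive env flag (subprocess_env stands in for Apache's
    r->subprocess_env).  Differing duplicate Content-Lengths are rejected."""
    env = subprocess_env or {}
    te, cl = get_all(headers, "transfer-encoding"), get_all(headers, "content-length")
    reuse, cleaned = True, list(headers)
    if te and cl:
        cleaned = [(n, v) for n, v in headers if n != "content-length"]
        reuse = False  # backend byte stream may already be out of step
    elif len(set(cl)) > 1:
        raise ValueError("conflicting Content-Length values")
    tokens = {t.strip() for t in ",".join(get_all(headers, "connection")).lower().split(",")}
    if "close" in tokens or "proxy-nokeepalive" in env:
        reuse = False
    return cleaned, reuse


def demo(subprocess_env=None):
    """Run both framings over BACKEND_RESPONSE plus the forwarding decision."""
    _, headers, _ = parse_head(BACKEND_RESPONSE)
    cl_payload, cl_leftover = frame(BACKEND_RESPONSE, "content-length")
    te_payload, te_leftover = frame(BACKEND_RESPONSE, "transfer-encoding")
    cleaned, reuse = prepare_for_forwarding(headers, subprocess_env)
    return {"cl_payload": cl_payload, "cl_leftover": cl_leftover,
            "te_payload": te_payload, "te_leftover": te_leftover,
            "forwarded_headers": cleaned, "reuse_backend_connection": reuse}
```

Calling demo() shows the desync directly: the Content-Length view consumes only the four-byte chunk-size line and leaves a complete-looking "HTTP/1.1 302 Found" on the wire, which a proxy that kept the backend connection alive would hand to whichever client asks next; the Transfer-Encoding view consumes the whole body and leaves nothing. prepare_for_forwarding strips the Content-Length before the response goes downstream and reports that the backend connection must be dropped, and the same flag goes false when the env table contains proxy-nokeepalive, which is the administrator-side switch the proxy_http.c line checks.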



Re: 2.1.6 is available for veto^H^H^H^Hvoting

Posted by Paul Querna <ch...@force-elite.com>.
+1 for Alpha from Joe Orton, Brad Nicholes, Wilfredo Sánchez Vega, and 
Paul Querna.

Therefore, I consider 2.1.6-alpha to be released.

I have moved the 2.1.6-alpha source files to the dist folder to be 
picked up by mirrors.  I will add it to the download.xml and index.xml 
for httpd.apache.org later today, after giving the mirrors time to pick 
it up.

Thanks to everyone who tested it,

-Paul

Paul Querna wrote:

> Please vote on releasing 2.1.6 as -alpha.
>
> Available at:
> http://httpd.apache.org/dev/dist/
> http://people.apache.org/~pquerna/dev/httpd-2.1.6/
>
> MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
> MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
> MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
>
> Thanks,
>
> Paul




Re: 2.1.6 is available for veto^H^H^H^Hvoting

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 03:03 AM 6/24/2005, Paul Querna wrote:
>Please vote on releasing 2.1.6 as -alpha.

Your subject would probably mislead some casual readers,
Releases cannot be veto'ed.  They need 3 +1's, more +1's
than -1's for release (with some reasonable time for folks
to vote, 2-3 days seems typical.)

Patches -can- be vetoed, but on technical merit with specific
justification.

In any case, if this picked up Trawick's patch 193205, then
I'll zip up a win32 source package and even tinker with rolling
binaries.  Will likely have to disable TLS, if it's enabled by
default, for LDAP.  Microsoft's SDK grows cruftier (it already
was, somewhat) as ldap_start_tls comes into play.  SVN trunk
seems to behave correctly w.r.t. issues raised by Watchfire
but I have a bit more testing of some other combinations.

Bill



Re: 2.1.6 is available for veto^H^H^H^Hvoting

Posted by Paul Querna <ch...@force-elite.com>.
And for the record, +1 on FreeBSD 6.0-CURRENT.

Paul Querna wrote:

> Please vote on releasing 2.1.6 as -alpha.
>
> Available at:
> http://httpd.apache.org/dev/dist/
> http://people.apache.org/~pquerna/dev/httpd-2.1.6/
>
> MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
> MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
> MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
>
> Thanks,
>
> Paul



Re: 2.1.6 is available for veto^H^H^H^Hvoting

Posted by Joe Orton <jo...@redhat.com>.
On Fri, Jun 24, 2005 at 01:03:57AM -0700, Paul Querna wrote:
> Please vote on releasing 2.1.6 as -alpha.

+1 for alpha, manual test OK and httpd-test passes for this tarball on 
all-the-linuxes here.

joe

Re: 2.1.6 is available for veto^H^H^H^Hvoting

Posted by Wilfredo Sánchez Vega <ws...@apple.com>.
+1 on Mac OS 10.4.

     -wsv


On Jun 24, 2005, at 1:03 AM, Paul Querna wrote:

> Please vote on releasing 2.1.6 as -alpha.
>
> Available at:
> http://httpd.apache.org/dev/dist/
> http://people.apache.org/~pquerna/dev/httpd-2.1.6/
>
> MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
> MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
> MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
>
> Thanks,
>
> Paul
>