Posted to dev@httpd.apache.org by Stefan Priebe - Profihost AG <s....@profihost.ag> on 2019/01/22 07:09:11 UTC

Apache 0-day / apache-uaf / use after free bugs

Hi,

On Twitter and other social media channels they're talking about a
current Apache 0-day:
https://twitter.com/i/web/status/1087593706444730369

which wasn't handled / isn't currently fixed.

Some details are here:
https://github.com/hannob/apache-uaf

If this is true there will be exploits soon. Is there anything planned?
Does 2.4.38 fix those issues?

Greets,
Stefan

Re: Apache 0-day / apache-uaf / use after free bugs

Posted by Stefan Eissing <st...@greenbytes.de>.
Thanks! I also wrote about the h2-related parts at https://icing.github.io/mod_h2/pool-debugging.html

> On 22.01.2019 at 13:31, Rainer Jung <ra...@kippdata.de> wrote:
> 
> On 22.01.2019 at 10:33, Daniel Gruno wrote:
>> On 1/22/19 8:09 AM, Stefan Priebe - Profihost AG wrote:
>>> Hi,
>>> 
>>> On Twitter and other social media channels they're talking about a
>>> current Apache 0-day:
>>> https://twitter.com/i/web/status/1087593706444730369
>>> 
>>> which wasn't handled / isn't currently fixed.
>>> 
>>> Some details are here:
>>> https://github.com/hannob/apache-uaf
>>> 
>>> If this is true there will be exploits soon. Is there anything planned?
>>> Does 2.4.38 fix those issues?
>>> 
>>> Greets,
>>> Stefan
>>> 
>> Hi Stefan, and good morning.
>> I figured I should write something to calm people that might be concerned.
>> I will reply at length in a while (coffee is needed first); it takes time to write a proper response that explains our processes and considerations with issues like this, especially when people start hyping the matter. Such is social media, I guess.
>> Until then, I will say quickly that we do not at present consider this something you should be alarmed about. Boring elaboration to follow in a while when I have compiled it :)
>> With regards,
>> Daniel, speaking as just a normal committer.
> 
> Here's the response we have compiled from Daniel, Stefan and others:
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63098
> 
> Regards,
> 
> Rainer


Re: Apache 0-day / apache-uaf / use after free bugs

Posted by Stefan Eissing <st...@greenbytes.de>.
Thanks for the update, Stefan!

> On 22.01.2019 at 13:42, Stefan Sperling <st...@stsp.name> wrote:
> 
> On Tue, Jan 22, 2019 at 01:31:43PM +0100, Rainer Jung wrote:
>> Here's the response we have compiled from Daniel, Stefan and others:
>> 
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=63098
> 
> FYI, I have disabled pool debugging in OpenBSD's port of APR.
> We are now using Yann's patch to force the default allocator to
> call free(3) when APR pools are cleared:
> https://marc.info/?l=openbsd-ports-cvs&m=154815812713288&w=2
> 
> This change only affects OpenBSD -current.
> I do not plan to backport a patch to the OpenBSD 6.4 release.
> We have had no reports indicating that http2 was crashing on OpenBSD.
> The likely reason is that nobody is actually running such a setup.
> If people intend to run such a setup, they should use -current for now,
> or wait until OpenBSD 6.5 is released.


Re: Apache 0-day / apache-uaf / use after free bugs

Posted by Stefan Sperling <st...@stsp.name>.
On Tue, Jan 22, 2019 at 01:31:43PM +0100, Rainer Jung wrote:
> Here's the response we have compiled from Daniel, Stefan and others:
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63098

FYI, I have disabled pool debugging in OpenBSD's port of APR.
We are now using Yann's patch to force the default allocator to
call free(3) when APR pools are cleared:
https://marc.info/?l=openbsd-ports-cvs&m=154815812713288&w=2

This change only affects OpenBSD -current.
I do not plan to backport a patch to the OpenBSD 6.4 release.
We have had no reports indicating that http2 was crashing on OpenBSD.
The likely reason is that nobody is actually running such a setup.
If people intend to run such a setup, they should use -current for now,
or wait until OpenBSD 6.5 is released.

Re: Apache 0-day / apache-uaf / use after free bugs

Posted by Rainer Jung <ra...@kippdata.de>.
On 22.01.2019 at 10:33, Daniel Gruno wrote:
> On 1/22/19 8:09 AM, Stefan Priebe - Profihost AG wrote:
>> Hi,
>>
>> On Twitter and other social media channels they're talking about a
>> current Apache 0-day:
>> https://twitter.com/i/web/status/1087593706444730369
>>
>> which wasn't handled / isn't currently fixed.
>>
>> Some details are here:
>> https://github.com/hannob/apache-uaf
>>
>> If this is true there will be exploits soon. Is there anything planned?
>> Does 2.4.38 fix those issues?
>>
>> Greets,
>> Stefan
>>
> 
> Hi Stefan, and good morning.
> 
> I figured I should write something to calm people that might be concerned.
> 
> I will reply at length in a while (coffee is needed first); it takes
> time to write a proper response that explains our processes and
> considerations with issues like this, especially when people start
> hyping the matter. Such is social media, I guess.
> 
> Until then, I will say quickly that we do not at present consider this
> something you should be alarmed about. Boring elaboration to follow in a
> while when I have compiled it :)
> 
> With regards,
> Daniel, speaking as just a normal committer.

Here's the response we have compiled from Daniel, Stefan and others:

https://bz.apache.org/bugzilla/show_bug.cgi?id=63098

Regards,

Rainer

Re: Apache 0-day / apache-uaf / use after free bugs

Posted by Daniel Gruno <hu...@apache.org>.
On 1/22/19 8:09 AM, Stefan Priebe - Profihost AG wrote:
> Hi,
> 
> On Twitter and other social media channels they're talking about a
> current Apache 0-day:
> https://twitter.com/i/web/status/1087593706444730369
> 
> which wasn't handled / isn't currently fixed.
> 
> Some details are here:
> https://github.com/hannob/apache-uaf
> 
> If this is true there will be exploits soon. Is there anything planned?
> Does 2.4.38 fix those issues?
> 
> Greets,
> Stefan
> 

Hi Stefan, and good morning.

I figured I should write something to calm people that might be concerned.

I will reply at length in a while (coffee is needed first); it takes
time to write a proper response that explains our processes and
considerations with issues like this, especially when people start
hyping the matter. Such is social media, I guess.

Until then, I will say quickly that we do not at present consider this
something you should be alarmed about. Boring elaboration to follow in a
while when I have compiled it :)

With regards,
Daniel, speaking as just a normal committer.