Bug#894713: stretch-pu: Pre-approval of package apache2/2.4.25-3+deb9u5
Stefan Fritsch
2018-04-03 12:07:33 UTC
Package: release.debian.org
Severity: normal
Tags: stretch
User: ***@packages.debian.org
Usertags: pu

Hi,

I would like to do an upgrade of apache2 in stretch that upgrades the
complete mod_http2 and mod_proxy_http2 modules from the versions from
2.4.25 to the versions from 2.4.33.

The reason is that the fix for CVE-2018-1302 [1] is difficult to
backport because it concerns a complex life-time issue of data
structures, the relevant code has changed greatly between 2.4.25 and
2.4.33, and I am not familiar with the internals of mod_http2. There
are other random segfaults [2] and other bugs [3] in stretch's mod_http2
that are reportedly fixed by newer mod_http2. Therefore, upgrading the
whole thing seems like the best solution to me. Do you agree with this
approach?

The diff is not reviewable (58 files changed, 5533 insertions, 4182
deletions), but it only touches the http2 modules.

I may also include a few other small bug fixes. I will prepare the
updated package and send the detailed information after the pending DSA
for some other issues has been released (2.4.25-3+deb9u4).

Cheers,
Stefan

[1] http://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1302
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873945
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850947
Stefan Fritsch
2018-05-13 17:15:22 UTC
Hi,
Post by Stefan Fritsch
I would like to do an upgrade of apache2 in stretch that upgrades the
complete mod_http2 and mod_proxy_http2 modules from the versions from
2.4.25 to the versions from 2.4.33.
The reason is that the fix for CVE-2018-1302 [1] is difficult to
backport because it concerns a complex life-time issue of data
structures, the relevant code has changed greatly between 2.4.25 and
2.4.33, and I am not familiar with the internals of mod_http2. There
are other random segfaults [2] and other bugs [3] in stretch's mod_http2
that are reportedly fixed by newer mod_http2. Therefore, upgrading the
whole thing seems like the best solution to me. Do you agree with this
approach?
I have now prepared updated packages. The changelog diff is:

apache2 (2.4.25-3+deb9u5) stretch; urgency=medium

* Upgrade mod_http2 and mod_proxy_http2 to the versions from 2.4.33. This
fixes
- CVE-2018-1302: mod_http2: Potential crash w/ mod_http2
- Segfaults in mod_http2 (Closes: #873945)
- mod_http2 issue with option "Indexes" and directive "HeaderName"
(Closes: #850947)
* mod_http2: Avoid high memory usage with large files, causing crashes on
32bit archs. Closes: #897218
* Make the apache-htcacheclean init script actually look into
/etc/default/apache-htcacheclean for its config. Closes: #898563

-- Stefan Fritsch <***@debian.org> Sun, 13 May 2018 17:43:20 +0200

A partial debdiff without the mod_http2-upgrade-to-2.4.33.diff file is
attached. The full debdiff is available at [1] (probably too large for mailing
lists). The diffstat of the mod_http2-upgrade-to-2.4.33.diff file is included
below [2].

Cheers,
Stefan

[1] https://www.sfritsch.de/~stf/apache2_2.4.25-3+deb9u5~test1/apache2_2.4.25-3+deb9u5.debdiff

[2]
configure | 2
modules/http2/NWGNUmod_http2 | 2
modules/http2/config2.m4 | 23
modules/http2/h2.h | 46 -
modules/http2/h2_alt_svc.c | 13
modules/http2/h2_alt_svc.h | 13
modules/http2/h2_bucket_beam.c | 892 ++++++++++++----------
modules/http2/h2_bucket_beam.h | 147 ++-
modules/http2/h2_bucket_eoc.c | 110 --
modules/http2/h2_bucket_eoc.h | 32
modules/http2/h2_bucket_eos.c | 18
modules/http2/h2_bucket_eos.h | 13
modules/http2/h2_config.c | 38
modules/http2/h2_config.h | 15
modules/http2/h2_conn.c | 156 ++-
modules/http2/h2_conn.h | 16
modules/http2/h2_conn_io.c | 138 +--
modules/http2/h2_conn_io.h | 27
modules/http2/h2_ctx.c | 15
modules/http2/h2_ctx.h | 13
modules/http2/h2_filter.c | 165 ++--
modules/http2/h2_filter.h | 26
modules/http2/h2_from_h1.c | 54 -
modules/http2/h2_from_h1.h | 13
modules/http2/h2_h2.c | 25
modules/http2/h2_h2.h | 13
modules/http2/h2_headers.c | 31
modules/http2/h2_headers.h | 19
modules/http2/h2_mplx.c | 1551 ++++++++++++++++----------------------
modules/http2/h2_mplx.h | 84 --
modules/http2/h2_ngn_shed.c | 30
modules/http2/h2_ngn_shed.h | 13
modules/http2/h2_private.h | 13
modules/http2/h2_proxy_session.c | 94 +-
modules/http2/h2_proxy_session.h | 23
modules/http2/h2_proxy_util.c | 296 +++++++
modules/http2/h2_proxy_util.h | 64 +
modules/http2/h2_push.c | 20
modules/http2/h2_push.h | 14
modules/http2/h2_request.c | 34
modules/http2/h2_request.h | 13
modules/http2/h2_session.c | 1432 +++++++++++++++++-------------------
modules/http2/h2_session.h | 76 -
modules/http2/h2_stream.c | 1208 ++++++++++++++++++------------
modules/http2/h2_stream.h | 179 ++--
modules/http2/h2_switch.c | 29
modules/http2/h2_switch.h | 13
modules/http2/h2_task.c | 250 +++---
modules/http2/h2_task.h | 26
modules/http2/h2_util.c | 1017 ++++++++++++++++++++-----
modules/http2/h2_util.h | 188 ++++
modules/http2/h2_version.h | 33
modules/http2/h2_worker.c | 103 --
modules/http2/h2_worker.h | 135 ---
modules/http2/h2_workers.c | 587 ++++++--------
modules/http2/h2_workers.h | 82 --
modules/http2/mod_http2.c | 37
modules/http2/mod_http2.dep | 118 --
modules/http2/mod_http2.dsp | 8
modules/http2/mod_http2.h | 13
modules/http2/mod_http2.mak | 18
modules/http2/mod_proxy_http2.c | 208 ++---
modules/http2/mod_proxy_http2.h | 13
63 files changed, 5534 insertions(+), 4563 deletions(-)
Stefan Fritsch
2018-05-20 16:32:55 UTC
Hi,
Post by Stefan Fritsch
I would like to do an upgrade of apache2 in stretch that upgrades the
complete mod_http2 and mod_proxy_http2 modules from the versions from
2.4.25 to the versions from 2.4.33.
The reason is that the fix for CVE-2018-1302 [1] is difficult to
backport because it concerns a complex life-time issue of data
structures, the relevant code has changed greatly between 2.4.25 and
2.4.33, and I am not familiar with the internals of mod_http2. There
are other random segfaults [2] and other bugs [3] in stretch's mod_http2
that are reportedly fixed by newer mod_http2. Therefore, upgrading the
whole thing seems like the best solution to me. Do you agree with this
approach?
There is one complication: it turns out that in newer versions of apache2,
mod_http2 no longer supports being used with mpm_prefork, only with
mpm_worker and mpm_event. If loaded together with mpm_prefork, mod_http2 will
log a message and refuse to serve HTTP/2, but HTTP/1.x continues to work.

As I don't see any other way to fix the open issues, I would still like to go
ahead. But I will prepare a new package/diff with a NEWS.Debian entry that
informs about this change.

Cheers,
Stefan
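A pre-upgrade check for the mpm_prefork case described in the post above, added here as an example (it is not from the thread, the Debian apache2 package, or its maintainer): it parses an `apachectl -M` style module listing, applies the rule stated in the post (HTTP/2 is served only with mpm_event or mpm_worker; under mpm_prefork mod_http2 logs a message and only HTTP/1.x keeps working) and reports whether a host would lose HTTP/2 after installing 2.4.25-3+deb9u5. The three module listings are constructed samples, the function names and the status strings are my own choice, and the `apachectl -M` output format (one `name_module (shared|static)` line per module) is assumed to be the standard one.

```shell
#!/bin/sh
# Added example, not part of the Debian bug thread or the apache2 package.
# Rule from the thread: after 2.4.25-3+deb9u5, mod_http2 serves HTTP/2 only
# under mpm_event or mpm_worker; under mpm_prefork it logs a message and
# only HTTP/1.x keeps working.

# Classify an `apachectl -M` style listing (one " name_module (shared|static)"
# line per module, passed as a single string).
# Prints one of: no-http2-module, http2-ok, http2-lost-prefork, unknown-mpm:<name>
# Exit status is 0 for the first two and 1 otherwise, so the function can gate
# an unattended upgrade (the status strings are this example's own choice).
http2_status_from_modules() {
    modules="$1"
    # grep -c prints 0 (and exits 1) when nothing matches; keep the count.
    http2_loaded=$(printf '%s\n' "$modules" | grep -c '^ *http2_module ' || true)
    # Only one MPM can be loaded; extract its short name (event, worker, prefork).
    mpm=$(printf '%s\n' "$modules" | sed -n 's/^ *mpm_\([a-z]*\)_module .*/\1/p' | head -n 1)

    if [ "$http2_loaded" -eq 0 ]; then
        echo no-http2-module          # nothing changes for this host
        return 0
    fi
    case "$mpm" in
        event|worker) echo http2-ok; return 0 ;;
        prefork)      echo http2-lost-prefork; return 1 ;;
        *)            echo "unknown-mpm:$mpm"; return 1 ;;
    esac
}

# Live check: uses the real listing when apachectl exists, otherwise says so.
check_live_host() {
    if command -v apachectl >/dev/null 2>&1; then
        http2_status_from_modules "$(apachectl -M 2>/dev/null)"
    else
        echo "apachectl not found: nothing to check on this host"
    fi
}

# Constructed sample listings (not captured from a real server).
PREFORK_SAMPLE='Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 php7_module (shared)
 http2_module (shared)'

EVENT_SAMPLE='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'

NOH2_SAMPLE='Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 php7_module (shared)'

# Stand-alone run: report on the samples, then on this host.
for sample in "$PREFORK_SAMPLE" "$EVENT_SAMPLE" "$NOH2_SAMPLE"; do
    http2_status_from_modules "$sample" || true
done
check_live_host
```

The interesting case is the first sample: mpm_prefork together with mod_php and mod_http2, which the thread expects to be the common prefork setup. It is reported as `http2-lost-prefork` with exit status 1, so an unattended upgrade script can stop and let the administrator decide whether to switch to mpm_event or mpm_worker first or accept HTTP/1.x only.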
Stefan Fritsch
2018-06-02 08:29:53 UTC
Post by Stefan Fritsch
As I don't see any other way to fix the open issues, I would still like to
go ahead. But I will prepare a new package/diff with a NEWS.Debian entry
that informs about this change.
The new debdiff is attached. The NEWS part is also below.

Cheers,
Stefan

--- apache2-2.4.25/debian/apache2.NEWS 2018-03-30 17:07:14.000000000 +0200
+++ apache2-2.4.25/debian/apache2.NEWS 2018-06-02 10:01:13.000000000 +0200
@@ -1,3 +1,12 @@
+apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
+
+ * This package upgrades mod_http2 to the version from apache2 2.4.33. This
+ fixes a lot of bugs and some security issues, but it also removes the
+ support for using HTTP/2 when running with mpm_prefork. HTTP/2 support
+ is only provided when running with mpm_event or mpm_worker.
+
+ -- Stefan Fritsch <***@debian.org> Sat, 02 Jun 2018 09:51:46 +0200
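Review bot: the entry names only mod_http2, while the changelog posted earlier in this thread upgrades mod_proxy_http2 as well; name both modules so administrators of proxy setups know they are affected. It would also help to state the symptom described earlier in the thread, that with mpm_prefork mod_http2 logs a message and refuses to serve HTTP/2 while HTTP/1.x keeps working, for example by adding after "support for using HTTP/2 when running with mpm_prefork.": "With mpm_prefork, mod_http2 logs a message and clients fall back to HTTP/1.x." Prefork users, which the thread expects to be common because of mod_php, can then tell the intended change from a misconfiguration.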
Adam D. Barratt
2018-06-24 17:00:22 UTC
Post by Stefan Fritsch
+apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
+
+  * This package upgrades mod_http2 to the version from apache2
2.4.33. This
+    fixes a lot of bugs and some security issues, but it also
removes the
+    support for using HTTP/2 when running with mpm_prefork. HTTP/2
support
+    is only provided when running with mpm_event or mpm_worker.
+
Do we have any idea how common such a configuration is? (Or, indeed,
how common the use of HTTP/2 with stretch's apache is.)

Regards,

Adam
Stefan Fritsch
2018-06-25 17:52:42 UTC
Post by Adam D. Barratt
Post by Stefan Fritsch
+apache2 (2.4.25-3+deb9u5) stretch; urgency=medium
+
+ * This package upgrades mod_http2 to the version from apache2 2.4.33. This
+ fixes a lot of bugs and some security issues, but it also removes the
+ support for using HTTP/2 when running with mpm_prefork. HTTP/2 support
+ is only provided when running with mpm_event or mpm_worker.
+
Do we have any idea how common such a configuration is? (Or, indeed,
how common the use of HTTP/2 with stretch's apache is.)
Unfortunately not. I guess there are still a fair number of mpm_prefork users
because of mod_php. But I don't know how many enable mod_http2 (it's not
enabled by default). But I expect that there are extremely few users who
actually depend on HTTP/2 working. For the vast majority, it's only a
nice-to-have feature.

Cheers,
Stefan
Debian Bug Tracking System
2018-07-02 16:45:05 UTC
tags -1 + pending
Bug #894713 [release.debian.org] stretch-pu: Pre-approval of package apache2/2.4.25-3+deb9u5
Added tag(s) pending.
--
894713: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894713
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2018-07-02 16:45:13 UTC
tags -1 + pending
Bug #894713 [release.debian.org] stretch-pu: Pre-approval of package apache2/2.4.25-3+deb9u5
Ignoring request to alter tags of bug #894713 to the same tags previously set
--
894713: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894713
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems