apache2 in trusty-backports is vulnerable to CVE-2016-5387

Bug #1604209 reported by Mike Gerow
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
trusty-backports | Fix Released | Undecided | Unassigned |
apache2 (Ubuntu) | Invalid | Medium | Unassigned |

Bug Description

The patch is small and easy, will attach a debdiff once I get it together.

Not checking that this is a security vuln because trusty-backports technically doesn't get security attention.

Tags: patch

CVE References

Mathew Hodson (mhodson)
information type: Public → Public Security
Mike Gerow (gerow) wrote :

The attached patch addresses the issue for apache2 in trusty-backports.

Mike Gerow (gerow) wrote :

Whoops, didn't look at that closely enough :\

Mike Gerow (gerow) wrote :

Cleaned up the patch.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "CVE-2016-5387.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Mathew Hodson (mhodson)
Changed in apache2 (Ubuntu):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-security-sponsors since this needs to be handled by the backports team.

Scott Kitterman (kitterman) wrote :

Ack. Approved by ubuntu-backporters.

Philipp Kern (pkern) wrote :

Ok, as it turns out component ownership is also enforced on backports. Unfortunately that means that my MOTU permissions are not sufficient here and this will require a sponsor to upload.

Philipp Kern (pkern) wrote :

New debdiff attached that can be uploaded as-is.

Robie Basak (racb) wrote :

No action for the main apache2 package. This affects the Trusty backports project only.

Changed in apache2 (Ubuntu):
status: New → Invalid
Philipp Kern (pkern) wrote :

Anyone to upload an approved backport to trusty-backports?

Mike Gerow (gerow) wrote :

*ping* still looking for someone to upload to trusty-backports.

Iain Lane (laney) wrote :

I'll upload this for you if it builds.

Normally we would expect this kind of thing to be fixed by re-backporting from a later release though. If xenial's apache2 works on trusty, it'd be cool to backport that.

Changed in trusty-backports:
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
