Bug #255124 “apache's default logging format can be horribly ina...” : Bugs : apache2 package : Ubuntu

Revision history for this message

Mathias Gug (mathiaz) wrote on 2008-09-05:

#1

Agrred. Logio is built statically in httpd - so no module needs to be enabled in order to have %O working.

Changed in apache2:
importance:	Undecided → Low
status:	New → Triaged

Revision history for this message

Andreas Olsson (andol) wrote on 2009-08-02:

#2

apache2_2.2.11-7ubuntu2.debdiff Edit (1.3 KiB, text/plain)

Providing a debdiff, in case we want to tackle this issue in Karmic. It contains a modified apache2.conf which defines the log formats vhost_combined, combined and common using %O instead of %b.

Andreas Olsson (andol) on 2009-08-02

Changed in apache2 (Ubuntu):
status:	Triaged → Confirmed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-08-05:

#3

This bug was fixed in the package apache2 - 2.2.12-1ubuntu1

---------------
apache2 (2.2.12-1ubuntu1) karmic; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/{control,rules}: enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
    - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.

apache2 (2.2.12-1) unstable; urgency=low

  * New upstream release:
    - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
      (The Debian default configuration will be changed to use SNI in a later
      version.)
    - Fixes timefmt config in SSI (closes: #363964).
    - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
      to enable stricter checking of remote server certificates.
  * Make mod_deflate not compress the content for HEAD requests. This is a
    similar issue as CVE-2009-1891.
  * Enable hardening compile options.
  * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
    sent) (closes: #272476 LP: #255124)
  * Add the default LANG=C to /etc/apache2/envvars and document it in
    README.Debian (closes: #511878).
  * Enable localized error pages by default if the necessary modules are
    loaded. Move the config for it from apache2.conf to
    /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
    required order of the aliases in the comment (closes: #196795).
  * Change default for ServerTokens to 'OS', to not announce the exact module
    versions to the world (LP: #205996)
  * Make a2ensite and friends ignore the same filenames as apache does for
    included config files, even if LANG is not C.
  * Merge source packages apache2 and apache2-mpm-itk (current itk version is
    2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
    (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
    package, which is no longer necessary.
  * Ship our own version of the magic config file (taken from file 4.17-5etch3)
    which is still compatible with mod_mime_magic (closes: #483111).
  * Add ThreadLimit to the default config and put ThreadsPerChild and
    MaxClients into the correct order so that Apache does not complain
    (closes: #495656).
    Also add a configuration block for the event MPM in apache2.conf.
  * Fix HTTP PUT with mod_dav failing to detect an aborted connection
    (closes: #451563).
  * Change references to httpd.conf in apache2-doc to apache2.conf
    (closes: #465393).
  * Clarify the recommended permissions for SSL certificates in README.Debian
    (closes: #512778).
  * Document in README.Debian how to name files in conf.d to avoid conflicts
    with packages (closes: #493252)
  * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
  * Remove other_vhosts_access.log on package purge.

-- Chuck Short <email address hidden> Tue, 04 Aug 2009 20:04:24 +0100

This bug was fixed in the package apache2 - 2.2.12-1ubuntu1

---------------
apache2 (2.2.12-1ubuntu1) karmic; urgency=low

* Merge from debian unstable, remaining changes:
    - debian/{control,rules}: enable PIE hardening.
    - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles.
    - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch.

apache2 (2.2.12-1) unstable; urgency=low

* New upstream release:
    - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131).
      (The Debian default configuration will be changed to use SNI in a later
      version.)
    - Fixes timefmt config in SSI (closes: #363964).
    - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
      to enable stricter checking of remote server certificates.
  * Make mod_deflate not compress the content for HEAD requests. This is a
    similar issue as CVE-2009-1891.
  * Enable hardening compile options.
  * Switch default LogFormat from %b (size of file sent) to %O (bytes actually
    sent) (closes: #272476 LP: #255124)
  * Add the default LANG=C to /etc/apache2/envvars and document it in
    README.Debian (closes: #511878).
  * Enable localized error pages by default if the necessary modules are
    loaded. Move the config for it from apache2.conf to
    /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the
    required order of the aliases in the comment (closes: #196795).
  * Change default for ServerTokens to 'OS', to not announce the exact module
    versions to the world (LP: #205996)
  * Make a2ensite and friends ignore the same filenames as apache does for
    included config files, even if LANG is not C.
  * Merge source packages apache2 and apache2-mpm-itk (current itk version is
    2.2.11-02). This removes the binNMU mess necessary for every apache2 upload
    (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src
    package, which is no longer necessary.
  * Ship our own version of the magic config file (taken from file 4.17-5etch3)
    which is still compatible with mod_mime_magic (closes: #483111).
  * Add ThreadLimit to the default config and put ThreadsPerChild and
    MaxClients into the correct order so that Apache does not complain
    (closes: #495656).
    Also add a configuration block for the event MPM in apache2.conf.
  * Fix HTTP PUT with mod_dav failing to detect an aborted connection
    (closes: #451563).
  * Change references to httpd.conf in apache2-doc to apache2.conf
    (closes: #465393).
  * Clarify the recommended permissions for SSL certificates in README.Debian
    (closes: #512778).
  * Document in README.Debian how to name files in conf.d to avoid conflicts
    with packages (closes: #493252)
  * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts.
  * Remove other_vhosts_access.log on package purge.

-- Chuck Short <zulcss@ubuntu.com>   Tue, 04 Aug 2009 20:04:24 +0100

Changed in apache2 (Ubuntu):
status:	Confirmed → Fix Released

Revision history for this message

Chuck Short (zulcss) wrote on 2009-08-05:

#4

This is fixed for karmic

Regards
chuck

Ubuntu
apache2 package

apache's default logging format can be horribly inaccurate in terms of data transferred

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntuapache2 package

apache's default logging format can be horribly inaccurate in terms of data transferred

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
apache2 package