Bug 110258

Summary: CAN-2003-0789/CAN-2003-0542 Apache updates
Product: [Retired] Red Hat Linux
Reporter: Matthew Crawford <mcrawford>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 9
CC: barryn
Keywords: Security
Hardware: All
OS: Linux
URL: http://www.apache.org/dist/httpd/Announcement2.html
Doc Type: Bug Fix
Last Closed: 2003-12-19 13:26:33 UTC

Description Matthew Crawford 2003-11-17 17:32:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)

Description of problem:
Apache reports that both CVE CAN-2003-078 and CAN-2003-0542 need to 
be patched for any version previous to 2.0.48. 

See http://www.apache.org/dist/httpd/Announcement2.html

mod_cgid mishandling of CGI redirect paths could result in CGI output 
going to the wrong client when a threaded MPM is used.
[CAN-2003-0789]

mod_cgid in Apache before 2.0.48, when using a threaded MPM, does not 
properly handle CGI redirect paths, which could cause Apache to send 
the output of a CGI program to the wrong client.

------------------------------

A buffer overflow could occur in mod_alias and mod_rewrite when a 
regular expression with more than 9 captures is configured.
[CAN-2003-0542]

Multiple stack-based buffer overflows in (1) mod_alias and (2) 
mod_rewrite for Apache could allow attackers who can create 
configuration files to cause a denial of service (crash) or execute 
arbitrary code via a regular expression with more than 9 captures.

Version-Release number of selected component (if applicable):
Anything before 2.0.48

How reproducible:
Always

Steps to Reproduce:
1. Have a version of apache before 2.0.48

Additional info:

Comment 1 Joe Orton 2003-11-18 14:30:09 UTC
An erratum update will be available soon to fix this issue, test
packages are available here: http://people.redhat.com/jorton/9-httpd/


Comment 2 Mark J. Cox 2003-11-25 16:15:29 UTC
Note: CAN-2003-0789 not CAN-2003-078

Comment 3 Barry K. Nathan 2003-12-15 09:01:59 UTC
Joe Orton's packages actually did "eat [my] server" in a sense (but
that's OK):

# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: Syntax error on line 349 of /etc/httpd/conf/httpd.conf:
Multiple <LocationMatch> arguments not (yet) supported.
                                                           [FAILED]

Using the httpd.conf from 2.0.40-21.5 instead of the one that comes
with 2.0.40-21.7 allows httpd to actually start and (as far as I can
tell) work...


Comment 4 Joe Orton 2003-12-15 09:10:08 UTC
Oh, yes, the -21.7 packages are buggy... I'm just uploading -21.8
which don't have that problem.

Comment 5 Barry K. Nathan 2003-12-15 13:06:16 UTC
I've verified that -21.8 isn't obviously buggy (that is, it seems to
run OK). I haven't pounded -21.8 hard, however, because the server on
which I tried -21.7 has just been migrated to Fedora Core.

Comment 6 Mark J. Cox 2003-12-19 13:26:33 UTC
See RHSA-2003-320 for RHL9
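
For the CAN-2003-0542 condition in the description (a mod_alias or mod_rewrite regular expression with more than 9 captures), the following is an added example, not code from this report, Apache or Red Hat: a configuration audit that flags such directives in a config file. The function names, the directive table and the sample config are constructed for illustration, and the capture counter is an approximation of the regex syntax rather than a full parser.

```python
import re

# Directive name -> index of its regex argument (assumed standard argument order).
REGEX_ARG = {"aliasmatch": 0, "scriptaliasmatch": 0, "redirectmatch": 0,
             "rewriterule": 0, "rewritecond": 1}
REDIRECT_STATUS = {"permanent", "temp", "seeother", "gone"}
MAX_CAPTURES = 9  # the limit named in the advisory text

def count_captures(pattern):
    """Count capturing '(' while skipping escapes, [...] classes and (?...) groups."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1          # skip the escaped character as well
        elif in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            i += len(re.match(r"\^?\]?", pattern[i + 1:]).group())  # leading ^ and literal ]
        elif ch == "(" and pattern[i + 1:i + 2] != "?":
            count += 1
        i += 1
    return count

def audit_config(text):
    """Return (line_no, directive, captures) for each regex over MAX_CAPTURES."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Split on whitespace, keeping double-quoted arguments together.
        tokens = re.findall(r'"(?:\\.|[^"\\])*"|\S+', raw.strip())
        idx = REGEX_ARG.get(tokens[0].lower()) if tokens else None
        if idx is None:
            continue        # blank line, comment, or unrelated directive
        args = [t.strip('"') for t in tokens[1:]]
        if tokens[0].lower() == "redirectmatch" and args and (
                args[0].lower() in REDIRECT_STATUS or args[0].isdigit()):
            idx = 1         # optional status argument precedes the regex
        if idx < len(args):
            n = count_captures(args[idx].lstrip("!"))  # '!' negates a rewrite pattern
            if n > MAX_CAPTURES:
                findings.append((line_no, tokens[0], n))
    return findings

SAMPLE = r"""# constructed httpd.conf fragment, not taken from the bug report
RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ /x [L]
RewriteRule ^/\(a\)(b)[(]c$ /y
RedirectMatch permanent ^/(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11) http://example.com/"""
print(audit_config(SAMPLE))
```

The audit reads only the text it is given, so included files and .htaccess files have to be passed in separately. A hit shows where the condition is configured; the update to 2.0.48 or the erratum packages is still what removes the overflow.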