Bug 157701

Summary: CAN-2005-1268,1344,2088 Apache issues
Product: [Retired] Fedora Legacy Reporter: John Dalbec <jpdalbec>
Component: apacheAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: pekkas, sheltren
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
URL: http://www.securityfocus.com/advisories/8539
Whiteboard: LEGACY, rh73, rh90, 1, 2
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-08-10 23:50:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John Dalbec 2005-05-13 21:11:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Description of problem:
05.19.37 CVE: CAN-2005-1344
Platform: Cross Platform
Title: Apache htdigest Realm Command Line Argument Buffer Overflow
Description: A buffer overflow issue exists in the htdigest utility
included with Apache. By supplying an overly long realm value to the
command line options of htdigest, it is possible to trigger an
overflow condition. All current versions are affected.
Ref: http://www.securityfocus.com/advisories/8539 

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:

Comment 1 Marc Deslauriers 2005-07-31 16:05:47 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

7.3:
a1d0d55a090a2bd2bf9fe9be28431d0582004eab  apache-1.3.27-7.legacy.i386.rpm
bb59178e84e097cd8032b00dcb752c3b996d7be5  apache-1.3.27-7.legacy.src.rpm
00054168bef20f7c213eb85093a64282c7b9f675  apache-devel-1.3.27-7.legacy.i386.rpm
2ade5bfb6407d13ea5ca2530e537f3585de5650d  apache-manual-1.3.27-7.legacy.i386.rpm

Changelog:
* Sun Jul 31 2005 Marc Deslauriers <marcdeslauriers> 1.3.27-7.legacy
- - Added security patch for CAN-2005-1344

9:
c15d60f36709930fdc58f02a3a18d6516967e4ef  httpd-2.0.40-21.18.legacy.i386.rpm
8b892301d6ffb959b9d8534ed9bd1eca7d765815  httpd-2.0.40-21.18.legacy.src.rpm
a138a96af8e42e5669a160a5ea3861dfc344b113  httpd-devel-2.0.40-21.18.legacy.i386.rpm
b3a187b1f33bc662e5efcaec8b34ddcc394f259c  httpd-manual-2.0.40-21.18.legacy.i386.rpm
40b565df6443e633e298cd033ed8b92ce8bd3f27  mod_ssl-2.0.40-21.18.legacy.i386.rpm

Changelog:
* Sun Jul 31 2005 Marc Deslauriers <marcdeslauriers>
2.0.40-21.18.legacy
- - Added security patches for CAN-2005-1268, CAN-2005-1344
  and CAN-2005-2088

fc1:
cb3f528ee8fcf9d542bf49e6f666bf8cc5dca48a  httpd-2.0.51-1.7.legacy.i386.rpm
29246dca5624ad5bfbaf4db544d4e2139c2e51b4  httpd-2.0.51-1.7.legacy.src.rpm
0213cf17caef9680bdcd69d44302fd74840abe4c  httpd-devel-2.0.51-1.7.legacy.i386.rpm
a0839076de099dcede954e38a8d6ff52c428b427  httpd-manual-2.0.51-1.7.legacy.i386.rpm
418ccfd71df20a30c1033444d51ca926ee4137bd  mod_ssl-2.0.51-1.7.legacy.i386.rpm

Changelog:
* Sat Jul 30 2005 Marc Deslauriers <marcdeslauriers> 2.0.51-1.7.legacy
- - Added security patches for CAN-2005-1268, CAN-2005-1344
  and CAN-2005-2088

fc2:
cc5a520d6242884643f93ac545cae744b7e5f338  httpd-2.0.51-2.9.1.legacy.i386.rpm
2d9e9302ebb88bf034af8ec46a441863148fc045  httpd-2.0.51-2.9.1.legacy.src.rpm
99955bfc7a45a78dcb2c461741ad3d103c785f71  httpd-devel-2.0.51-2.9.1.legacy.i386.rpm
42cb140dee9088de9e1f91048d0306a05487b873  httpd-manual-2.0.51-2.9.1.legacy.i386.rpm
f70e06ec6b93280803b334706fed3ebec88c3479  mod_ssl-2.0.51-2.9.1.legacy.i386.rpm

Changelog:
* Sat Jul 30 2005 Marc Deslauriers <marcdeslauriers>
2.0.51-2.9.1.legacy
- - Added security patches for CAN-2005-1268, CAN-2005-1344
  and CAN-2005-2088

http://www.infostrategique.com/linuxrpms/legacy/7.3/apache-1.3.27-7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-2.0.40-21.18.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/httpd-2.0.51-1.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/httpd-2.0.51-2.9.1.legacy.src.rpm

Binaries available at same location.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC7Pa7LMAs/0C4zNoRAtrSAJ0WtY9dbZbAcfbtaERyDdiDK75acwCgpqTD
oCVMogZKUvRlsAzNE8Z9m+8=
=3wZ5
-----END PGP SIGNATURE-----


Comment 2 Pekka Savola 2005-08-01 07:23:27 UTC
Note: there was a problem #152884 on apache startup initscript issues.  Do we
want to include it or not?  (Personally, I don't have much preference one way or
the other.)

Comment 3 Pekka Savola 2005-08-01 07:24:20 UTC
If not...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - two patches from RHEL, one from Debian.

Note: I didn't make careful analysis whether CAN-2005-2088 applies to
1.3.27; it does to 1.3.29, but as RHEL21 hasn't been patched, I guess it's
OK..

+PUBLISH RHL73, RHL9, FC1, FC2

bb59178e84e097cd8032b00dcb752c3b996d7be5  apache-1.3.27-7.legacy.src.rpm
8b892301d6ffb959b9d8534ed9bd1eca7d765815  httpd-2.0.40-21.18.legacy.src.rpm
29246dca5624ad5bfbaf4db544d4e2139c2e51b4  httpd-2.0.51-1.7.legacy.src.rpm
2d9e9302ebb88bf034af8ec46a441863148fc045  httpd-2.0.51-2.9.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC7c0UGHbTkzxSL7QRAmYnAKDWS0MIr4cm2bdBrTY55LtmdREWVgCg1rUU
J7QR8NZAP6tvpuUeHr6bfDA=
=54Cj
-----END PGP SIGNATURE-----



Comment 4 Marc Deslauriers 2005-08-01 20:10:05 UTC
I closed 152884, the changes were not appropriate for FL.

Looks like there is a CAN-2005-2088 for 1.3...thanks for noticing.

http://mail-archives.apache.org/mod_mbox/httpd-cvs/200507.mbox/%3C20050714051918.97561.qmail@minotaur.apache.org%3E


Comment 5 Marc Deslauriers 2005-08-01 20:36:31 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for rh73 that contain a CAN-2005-2088 fix:

92944856d6460f7be0d3ed5db67e82aff08c9916  apache-1.3.27-8.legacy.i386.rpm
66f36c4a37f0becc0c523199f0b77dc1f4ed3a68  apache-1.3.27-8.legacy.src.rpm
4c35effd7678c59c3759dacf3800018c1fc5174e  apache-devel-1.3.27-8.legacy.i386.rpm
d917cdd2768046691abf0e1e0958642d6fce70ae  apache-manual-1.3.27-8.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/apache-1.3.27-8.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC7ofqLMAs/0C4zNoRAlTHAJ9bEMUNDDeLrrjwdWFxZ+9yJs/+8wCgsgKE
9EmzS0qRzqRfpyi/oKEG1LQ=
=OQo9
-----END PGP SIGNATURE-----


Comment 6 Pekka Savola 2005-08-02 06:30:00 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - spec file changes minimal
 - source integrity good
 - patch verified to come from the upstream svn

+PUBLISH RHL73

66f36c4a37f0becc0c523199f0b77dc1f4ed3a68  apache-1.3.27-8.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC7xLBGHbTkzxSL7QRAuEeAKCIQEyjMMfSHvLhZLPPtEDZPlMxPgCfW92C
uNv2iJSZuRxc9bSpmCjgQgs=
=Gx6I
-----END PGP SIGNATURE-----

Comment 7 Marc Deslauriers 2005-08-02 23:34:40 UTC
Packages were built for updates-testing

Comment 8 Pekka Savola 2005-08-03 15:24:38 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73: signature OK, upgrades OK, seems to work OK.
+VERIFY RHL73

Note: apache doesn't seem to do condrestart on update, but the latest Fedora
CVS doesn't do that either so I guess that's intentional.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFC8OEyGHbTkzxSL7QRAuymAJkBuWP6o3gIW7ix5tADrUw37z7m+QCeMfAE
aW7S37nJqBwb2BDcYii+IwM=
=iQD9
-----END PGP SIGNATURE-----

Comment 9 Gilbert Sebenste 2005-08-03 15:30:21 UTC
+VERIFY for FC1 on my end. I don't know how to do a Gnu GPG signature,
but I hope this helps.



Comment 10 Gilbert Sebenste 2005-08-03 15:31:32 UTC
+PUBLISH for FC1. :-)

Comment 11 Tom Yates 2005-08-04 09:11:05 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
cb1ae0ad7739bf0cd3eb7c56a8ba96a5bc7825e3 httpd-2.0.40-21.18.legacy.i386.rpm
f34762e151a8cbbe4dcf926c66dce6392dbac970 mod_ssl-2.0.40-21.18.legacy.i386.rpm
 
installed.  httpd restarts OK, main server works ok, namevirtualhost
servers work OK, https works OK (with self-signed certificate).  php
works OK.
 
i don't use htdigest so i'm afraid i can't test the chunk of code that's
actually been changed.  sorry.
 
that given:
+VERIFY RH9
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFC8I0SePtvKV31zw4RAprJAKCFxdZ37eZYDwXlU76BFc40i9JS+gCg222Z
cEC8lqHwUjJOhyFSUx06Ir4=
=13XU
-----END PGP SIGNATURE-----

Comment 12 Pekka Savola 2005-08-04 20:40:56 UTC
I'll count Gilbert's unsigned message as a VERIFY, as we'd get to the same
timeout in any case..

Comment 13 Jeff Sheltren 2005-08-06 05:47:55 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify for FC2 rpms:

6cf82576642dbb991a3253f4c2ef4ca485d7eea4  httpd-2.0.51-2.9.2.legacy.i386.rpm
e8ff1c406b0dd81c2e8f987df5b33dd6e56111e9  httpd-devel-2.0.51-2.9.2.legacy.i386.rpm
d432195a04f5423c0ca82c4fb99eff2a4efa04ee  httpd-manual-2.0.51-2.9.2.legacy.i386.rpm

Signatures OK
Packages install OK
httpd runs like normal, htdigest works as well

FC2 VERIFY++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFC9E8JKe7MLJjUbNMRAj/NAJ9Lkgypo33ktFI/xrCBg1eWNdb3hgCcCC38
1m9nasYLdy8ug2Vhkk0D2QU=
=UMoJ
-----END PGP SIGNATURE-----

Comment 14 Marc Deslauriers 2005-08-10 23:50:46 UTC
Packages were released.