From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)

Description of problem:
Apache reports that both CVE CAN-2003-078 and CAN-2003-0542 need to be patched for any version previous to 2.0.48. See http://www.apache.org/dist/httpd/Announcement2.html

mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. [CAN-2003-0789]

mod_cgid in Apache before 2.0.48, when using a threaded MPM, does not properly handle CGI redirect paths, which could cause Apache to send the output of a CGI program to the wrong client.

------------------------------

A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 captures is configured. [CAN-2003-0542]

Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache could allow attackers who can create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.

Version-Release number of selected component (if applicable):
Anything before 2.0.48

How reproducible:
Always

Steps to Reproduce:
1. Have a version of apache before 2.0.48
2.
3.

Additional info:
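While waiting for the erratum, an administrator can check whether any configured mod_alias or mod_rewrite regular expression has more than 9 captures, the condition named for CAN-2003-0542. The following is an added example, not part of the bug report or of Apache; the function names, the group-counting heuristic and the sample configuration are assumptions constructed for illustration.

```python
import re
import shlex

MAX_SAFE_CAPTURES = 9  # the report describes the overflow as needing more than 9
REGEX_DIRECTIVES = {"aliasmatch", "scriptaliasmatch", "redirectmatch",
                    "rewriterule", "rewritecond"}
STATUS = re.compile(r"^(permanent|temp|seeother|gone|\d{3})$", re.I)

def count_captures(pattern):
    """Count capturing '(' groups: skip escapes, [...] classes and (?...) groups."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                      # escaped character, e.g. \( is literal
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            if pattern[i + 1:i + 2] == "^":  # negated class
                i += 1
            if pattern[i + 1:i + 2] == "]":  # leading ']' is a literal member
                i += 1
        elif ch == "(" and pattern[i + 1:i + 2] != "?":
            count += 1
        i += 1
    return count

def regex_argument(tokens):
    """Return the regex argument of a mod_alias/mod_rewrite directive, or None."""
    name = tokens[0].lower()
    if name not in REGEX_DIRECTIVES:
        return None
    idx = 1
    if name == "rewritecond":               # RewriteCond TestString CondPattern
        idx = 2
    elif name == "redirectmatch" and len(tokens) > 1 and STATUS.match(tokens[1]):
        idx = 2                             # RedirectMatch [status] regex URL
    if len(tokens) <= idx:
        return None
    arg = tokens[idx]
    return arg[1:-1] if len(arg) > 1 and arg[0] == arg[-1] == '"' else arg

def audit(config_text):
    """Return (line number, directive, captures) for each regex over the limit."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line, posix=False)  # keep backslashes intact
        except ValueError:
            continue                                  # unbalanced quote: skip line
        pattern = regex_argument(tokens)
        if pattern is not None and count_captures(pattern) > MAX_SAFE_CAPTURES:
            findings.append((lineno, tokens[0], count_captures(pattern)))
    return findings
```

Run `audit()` over the text of httpd.conf, any included files and each .htaccess file; an empty list means no directive it recognises exceeds 9 captures.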
An erratum update will be available soon to fix this issue; test packages are available here: http://people.redhat.com/jorton/9-httpd/
Note: CAN-2003-0789 not CAN-2003-078
Joe Orton's packages actually did "eat [my] server" in a sense (but that's OK):

# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 349 of /etc/httpd/conf/httpd.conf:
Multiple <LocationMatch> arguments not (yet) supported.
[FAILED]

Using the httpd.conf from 2.0.40-21.5 instead of the one that comes with 2.0.40-21.7 allows httpd to actually start and (as far as I can tell) work...
Oh, yes, the -21.7 packages are buggy... I'm just uploading -21.8 which don't have that problem.
I've verified that -21.8 isn't obviously buggy (that is, it seems to run OK). I haven't pounded -21.8 hard, however, because the server on which I tried -21.7 has just been migrated to Fedora Core.
See RHSA-2003-320 for RHL9