Bug 110258 - CAN-2003-0789/CAN-2003-0542 Apache updates
Summary: CAN-2003-0789/CAN-2003-0542 Apache updates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: httpd
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL: http://www.apache.org/dist/httpd/Anno...
Whiteboard:
Depends On:
Blocks:
Reported: 2003-11-17 17:32 UTC by Matthew Crawford
Modified: 2007-04-18 16:59 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-12-19 13:26:33 UTC
Embargoed:



Description Matthew Crawford 2003-11-17 17:32:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)

Description of problem:
Apache reports that both CVE CAN-2003-078 and CAN-2003-0542 need to 
be patched for any version previous to 2.0.48. 

See http://www.apache.org/dist/httpd/Announcement2.html

mod_cgid mishandling of CGI redirect paths could result in CGI output 
going to the wrong client when a threaded MPM is used.
[CAN-2003-0789]

mod_cgid in Apache before 2.0.48, when using a threaded MPM, does not 
properly handle CGI redirect paths, which could cause Apache to send 
the output of a CGI program to the wrong client.

------------------------------

A buffer overflow could occur in mod_alias and mod_rewrite when a 
regular expression with more than 9 captures is configured.
[CAN-2003-0542]

Multiple stack-based buffer overflows in (1) mod_alias and (2) 
mod_rewrite for Apache could allow attackers who can create 
configuration files to cause a denial of service (crash) or execute 
arbitrary code via a regular expression with more than 9 captures.

Version-Release number of selected component (if applicable):
Anything before 2.0.48

How reproducible:
Always

Steps to Reproduce:
1. Have a version of Apache before 2.0.48

Additional info:
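
Added example, not part of the original report and not Apache or Red Hat code: a configuration audit that flags mod_alias and mod_rewrite directives whose regular expression has more than 9 captures, the condition named in CAN-2003-0542, so they can be reviewed on servers not yet updated. The directive table, function names and sample configuration are assumptions constructed for illustration.

```python
import re

# Directive name -> index of its regex argument (mod_alias and mod_rewrite).
REGEX_ARG = {"aliasmatch": 0, "scriptaliasmatch": 0, "redirectmatch": 0,
             "rewriterule": 0, "rewritecond": 1}
STATUS = {"permanent", "temp", "seeother", "gone"}  # optional RedirectMatch arg
MAX_CAPTURES = 9  # limit named in the CAN-2003-0542 description
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # split args, keep backslashes
GROUP = re.compile(r"\((?:(?!\?)|\?P?<(?![=!]))")  # plain or named group

def count_captures(pattern):
    """Count capturing groups, ignoring escaped and bracketed parentheses."""
    stripped = re.sub(r"\\.", "", pattern)                # escaped characters
    stripped = re.sub(r"\[\^?\]?[^\]]*\]", "", stripped)  # [...] classes
    return len(GROUP.findall(stripped))

def audit(config_text):
    """Return (line_no, directive, captures) for regexes over the limit."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        tokens = [q or b for q, b in TOKEN.findall(line.strip())]
        if not tokens or tokens[0].lower() not in REGEX_ARG:
            continue  # blank line, comment, or unrelated directive
        name, args = tokens[0].lower(), tokens[1:]
        idx = REGEX_ARG[name]
        if name == "redirectmatch" and args and (
                args[0].lower() in STATUS or args[0].isdigit()):
            idx = 1  # regex follows the status argument
        n = count_captures(args[idx]) if idx < len(args) else 0
        if n > MAX_CAPTURES:
            findings.append((no, tokens[0], n))
    return findings

# Constructed sample configuration, not taken from the bug report.
SAMPLE = r'''RewriteEngine On
RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ /x [L]
RewriteRule ^/old/(.*)$ /new/$1 [R]
AliasMatch "^/(\d)(\d)(\d)(\d)(\d)(\d)(\d)(\d)(\d)(\d)/(.*)" /srv/www/$1
RedirectMatch permanent ^/(?:a|b)/\((x)\)[()]$ http://example.invalid/
'''

if __name__ == "__main__":
    for line_no, directive, captures in audit(SAMPLE):
        print(f"line {line_no}: {directive} regex has {captures} captures")
```

The same function can be run over .htaccess files, since the CVE description covers any configuration file an attacker can create; continuation lines ending in a backslash are not joined by this sketch.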

Comment 1 Joe Orton 2003-11-18 14:30:09 UTC
An erratum update will be available soon to fix this issue, test
packages are available here: http://people.redhat.com/jorton/9-httpd/


Comment 2 Mark J. Cox 2003-11-25 16:15:29 UTC
Note: CAN-2003-0789 not CAN-2003-078

Comment 3 Barry K. Nathan 2003-12-15 09:01:59 UTC
Joe Orton's packages actually did "eat [my] server" in a sense (but
that's OK):

# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: Syntax error on line 349 of /etc/httpd/conf/httpd.conf:
Multiple <LocationMatch> arguments not (yet) supported.
                                                           [FAILED]

Using the httpd.conf from 2.0.40-21.5 instead of the one that comes
with 2.0.40-21.7 allows httpd to actually start and (as far as I can
tell) work...


Comment 4 Joe Orton 2003-12-15 09:10:08 UTC
Oh, yes, the -21.7 packages are buggy... I'm just uploading -21.8
which don't have that problem.

Comment 5 Barry K. Nathan 2003-12-15 13:06:16 UTC
I've verified that -21.8 isn't obviously buggy (that is, it seems to
run OK). I haven't pounded -21.8 hard, however, because the server on
which I tried -21.7 has just been migrated to Fedora Core.

Comment 6 Mark J. Cox 2003-12-19 13:26:33 UTC
See RHSA-2003-320 for RHL9

