Description of problem:
The httpd 2.0.49 release fixes security problems described in CAN-2004-0174, CAN-2003-0020 and CAN-2004-0113. It also contains bug fixes and some new features.

Version-Release number of selected component (if applicable):
httpd-2.0.48-18

Actual results:
Patch4: can be removed, because it's already in httpd 2.0.49
Patch21: can be removed, because it's already in httpd 2.0.49
Patch25: can maybe be removed, I'm not sure and no C expert
Patch28: can be removed, because it's already in httpd 2.0.49
Patch29: can be removed, because it's already in httpd 2.0.49
Patch30: can be removed, because it's already in httpd 2.0.49
Patch31: can be removed, because it's already in httpd 2.0.49
Patch32: can be removed, because it's already in httpd 2.0.49
Patch33: can be removed, because it's already in httpd 2.0.49
Patch34: can be removed, because it's already in httpd 2.0.49
Patch36: can be removed, because it's already in httpd 2.0.49
Patch37: can be removed, because it's already in httpd 2.0.49
Patch38: can be removed, because it's already in httpd 2.0.49
Patch39: has to be re-enabled (attached httpd-2.0.49-proxy11.patch)
Patch41: has to be re-enabled (attached httpd-2.0.49-worker.patch)
Patch42: can be removed, because it's already in httpd 2.0.49
Patch74: can be removed, because it's already in httpd 2.0.49
Patch78: can be removed, because it's already in httpd 2.0.49
Patch84: has to be re-enabled (attached httpd-2.0.49-abench.patch)
Patch86: has to be re-enabled (attached httpd-2.0.49-sslheader.patch)
Patch120: can be removed, because it's already in httpd 2.0.49
Patch170: can be removed, because it's already in httpd 2.0.49

Expected results:
Please update to 2.0.49 and do the patch changes. The patches were adapted after best knowledge and conscience. httpd 2.0.49 with my re-enabled patches is working fine here.

Additional info:
Fedora Core 1, Red Hat Linux 9, Red Hat Linux Enterprise Server etc. aren't patched, either. Maybe Fedora Core 1 is upgraded to 2.0.49?
The other versions get a backport of the three CAN reports listed at the top?!
Created attachment 98709: Re-enabled abench patch for 2.0.49
Created attachment 98710: Re-enabled proxy11 patch for 2.0.49
Created attachment 98711: Re-enabled sslheader patch for 2.0.49
Created attachment 98712: Re-enabled worker patch for 2.0.49
Thanks for your work Robert: next time if you want to save duplication of effort, check with me first, as I'd already done all the patch merging! Yes, FC1 will get an update to 2.0.49 soon.
Okay, I'll keep it in mind, but it wasn't a lot of work for me ;-) If you publish a testing version of 2.0.49, could you also please publish the fitting SRPM additionally to the binary RPMs? Thanks.
How far away is "soon" now on 2004/05/07? One and a half months after the comment by Joe Orton is very long for a, while meanwhile the fix for RH9 was published a week ago on 30 April.
I want to do httpd-2.0.49 and php-4.3.6 updates at the same time for FC1; this triggered a bug which was tracked down last week, so the updates can proceed now.
Hi guys, We run Fedora Core 1 on some webservers that make use of mod_ssl and seem to have been caught out by the latest apache issue: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106 and: http://www.apacheweek.com/features/security-20 On the morning this was discovered it would _seem_ that our webserver was hit by this same issue (though I can't be 100% sure). I notice Red Hat have released updates for RH9, but Fedora have done a fix for FC1. Just wondering if we have a fix coming along?
httpd-2.0.49-1.1 has been pushed to testing; please post results of testing here.
Joe, Running it now on FC1, fully patched. No problems to report. Gilbert Sebenste Northern Illinois University
This one and the other RPM in Fedora Development are both working for me; so httpd-2.0.49-3 has been running since Sun April 25 here without any problem.
Since Fedora Core 2 is now using httpd-2.0.49-4 without issues, any chance of this being released to Fedora Core 1?
Thanks to those who posted feedback, this will be pushed live this week. Jon: the best way to accelerate updates in "testing" is to test the RPMs, and post the feedback of testing here; this increases the confidence that the test updates are OK.
Thanks for getting this fixed! I'm new at this "active involvement" thing, so be patient with me! ;)
2.0.49 update released for FC1. Thanks to all. http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00024.html