Bug 118798 - httpd-2.0.49 update for CAN-2004-0174 and CAN-2003-0020 fixes
httpd-2.0.49 update for CAN-2004-0174 and CAN-2003-0020 fixes
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: httpd (Show other bugs)
1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
http://www.apache.org/dist/httpd/Anno...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-03-20 09:51 EST by Robert Scheck
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version: 2.0.49-1.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-05-26 07:17:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Re-enabled abench patch for 2.0.49 (5.63 KB, patch)
2004-03-20 09:53 EST, Robert Scheck
no flags Details | Diff
Re-enabled proxy11 patch for 2.0.49 (2.78 KB, patch)
2004-03-20 09:54 EST, Robert Scheck
no flags Details | Diff
Re-enabled sslheader patch for 2.0.49 (57.29 KB, patch)
2004-03-20 09:54 EST, Robert Scheck
no flags Details | Diff
Re-enabled worker patch for 2.0.49 (1.06 KB, patch)
2004-03-20 09:55 EST, Robert Scheck
no flags Details | Diff

  None (edit)
Description Robert Scheck 2004-03-20 09:51:54 EST
Description of problem:
The httpd 2.0.49 release fixes security problems described in 
CAN-2004-0174, CAN-2003-0020 and CAN-2004-0113. It also contains 
bug fixes and some new features.

Version-Release number of selected component (if applicable):
httpd-2.0.48-18

Actual results:
Patch4:   can be removed, because it's already in httpd 2.0.49
Patch21:  can be removed, because it's already in httpd 2.0.49
Patch25:  can maybe removed, I'm not sure and no C expert
Patch28:  can be removed, because it's already in httpd 2.0.49
Patch29:  can be removed, because it's already in httpd 2.0.49
Patch30:  can be removed, because it's already in httpd 2.0.49
Patch31:  can be removed, because it's already in httpd 2.0.49
Patch32:  can be removed, because it's already in httpd 2.0.49
Patch33:  can be removed, because it's already in httpd 2.0.49
Patch34:  can be removed, because it's already in httpd 2.0.49
Patch36:  can be removed, because it's already in httpd 2.0.49
Patch37:  can be removed, because it's already in httpd 2.0.49
Patch38:  can be removed, because it's already in httpd 2.0.49
Patch39:  has to re-enable (attached httpd-2.0.49-proxy11.patch)
Patch41:  has to re-enable (attached httpd-2.0.49-worker.patch)
Patch42:  can be removed, because it's already in httpd 2.0.49
Patch74:  can be removed, because it's already in httpd 2.0.49
Patch78:  can be removed, because it's already in httpd 2.0.49
Patch84:  has to re-enable (attached httpd-2.0.49-abench.patch)
Patch86:  has to re-enable (attached httpd-2.0.49-sslheader.patch)
Patch120: can be removed, because it's already in httpd 2.0.49
Patch170: can be removed, because it's already in httpd 2.0.49

Expected results:
Please update to 2.0.49 and do the patch changes. The patches were 
adapted after best knowledge and conscience. httpd 2.0.49 with my 
re-enabled patches is working fine, here.

Additional info:
Fedora Core 1, Red Hat Linux 9, Red Hat Linux Enterprise Server etc.
aren't patched, too. Maybe Fedora Core 1 is upgraded to 2.0.49? The
other versions get a backport of the three CAN reports listed at the 
top?!
Comment 1 Robert Scheck 2004-03-20 09:53:20 EST
Created attachment 98709 [details]
Re-enabled abench patch for 2.0.49
Comment 2 Robert Scheck 2004-03-20 09:54:09 EST
Created attachment 98710 [details]
Re-enabled proxy11 patch for 2.0.49
Comment 3 Robert Scheck 2004-03-20 09:54:49 EST
Created attachment 98711 [details]
Re-enabled sslheader patch for 2.0.49
Comment 4 Robert Scheck 2004-03-20 09:55:12 EST
Created attachment 98712 [details]
Re-enabled worker patch for 2.0.49
Comment 5 Joe Orton 2004-03-24 15:31:14 EST
Thanks for your work Robert: next time if you want to save duplication
of effort, check with me first, as I'd already done all the patch merging!

Yes, FC1 will get an update to 2.0.49 soon.
Comment 6 Robert Scheck 2004-03-24 15:39:43 EST
Okay, I'll keep it in mind, but it wasn't a lot of work for me ;-)

If you publish a testing version of 2.0.49, could you also please
publish the fitting SRPM additionally to the binary RPMs? Thanks.
Comment 7 Alexander Dalloz 2004-05-07 10:31:42 EDT
How far away is "soon" now on 2004/05/07?

One and a half month left after the commend by Joe Orton is very long
for a, while meanwhile the fix for RH9 was published a week ago on 30.
April.
Comment 8 Joe Orton 2004-05-07 10:33:50 EDT
I want to do httpd-2.0.49 and php-4.3.6 updates at the same time for
FC1; this triggered a bug which was tracked down last week, so the
updates can proceed now.
Comment 9 Jon Fanti 2004-05-07 10:37:54 EDT
Hi guys,

We run Fedora Core 1 on some webservers that make use of mod_ssl and 
seem to 
have been caught out by the latest apache issue: 

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106

and:

http://www.apacheweek.com/features/security-20

On the morning this was discovered it would _seem_ that our webserver 
was hit by 
this same issue (thought I can't be 100% sure). I notice Redhat have 
released 
updates for RH9, but Fedora have done a fix for FC1. Just wondering 
if we have a fix coming along?
Comment 10 Joe Orton 2004-05-10 16:07:10 EDT
httpd-2.0.49-1.1 has been pushed to testing; please post results of
testing here.
Comment 11 Gilbert Sebenste 2004-05-11 17:04:41 EDT
Joe,

Running it now on FC1, fully patched. No problems to report.

Gilbert Sebenste
Northern Illinois University
Comment 12 Robert Scheck 2004-05-11 18:05:54 EDT
This one and the other RPM in Fedora Development are working both for
me; so httpd-2.0.49-3 is running since Sun April 25 here without any
problem.
Comment 13 Jon Fanti 2004-05-22 18:29:27 EDT
Since Fedora Core 2 is now using httpd-2.0.49-4 without issues, any
chance of this being released to Fedora Core 1? 
Comment 14 Joe Orton 2004-05-23 15:03:51 EDT
Thanks to those who posted feedback, this will be pushed live this week.

Jon: the best way to accelerate updates in "testing" is to test the
RPMs, and post the feedback of testing here; this increases the
confidence that the test updates are OK.
Comment 15 Jon Fanti 2004-05-24 05:49:14 EDT
Thanks for getting this fixed! I'm new at this "active involvement" 
thing, so be patient with me! ;)
Comment 16 Joe Orton 2004-05-26 07:17:34 EDT
2.0.49 update released for FC1.  Thanks to all.

http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00024.html

Note You need to log in before you can comment on or make changes to this bug.