CAN-2004-0786 is an issue in the apr-util library in the parsing of IPv6 literal addresses, and results in a negative length argument being passed to a memcpy call. This is not known to allow arbitrary code execution.

CAN-2004-0747 is a buffer overflow in the parsing of configuration directives (including .htaccess files), which allows possible privilege escalation.

CAN-2004-0751 is an issue in mod_ssl where a request proxied to a malicious remote SSL server (for instance using SSLProxyEngine On) could force a memcpy call with a negative length parameter.

CAN-2004-0747 and CAN-2004-0786 are embargoed until September 15th, 2004 at 14:00 BST. CAN-2004-0751 was reported via the upstream bugzilla database.
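The negative-length memcpy pattern named in the CAN-2004-0786 summary, as an added example that is not part of the original report and is not apr-util's code: a constructed bracketed-IPv6 parser whose length arithmetic goes negative on malformed input, beside a variant that validates before copying. All function names and sample inputs are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive length of the address inside "[addr]": assumes both brackets exist.
 * Constructed for illustration; not apr-util's code. */
ptrdiff_t naive_v6_len(const char *hostinfo)
{
    const char *end = hostinfo + strlen(hostinfo);
    return (end - hostinfo) - 2;          /* "[" alone gives 1 - 2 = -1 */
}

/* The value memcpy would see if that signed length were passed as size_t. */
size_t as_memcpy_len(ptrdiff_t len)
{
    return (size_t)len;                   /* -1 converts to SIZE_MAX */
}

/* Checked variant: returns 0 and fills out, or -1 on malformed input. */
int copy_v6_host(const char *hostinfo, char *out, size_t outsz)
{
    const char *close;
    size_t len;

    if (hostinfo == NULL || out == NULL || outsz == 0 || hostinfo[0] != '[')
        return -1;
    close = strchr(hostinfo + 1, ']');    /* require the closing bracket */
    if (close == NULL)
        return -1;
    len = (size_t)(close - (hostinfo + 1)); /* close >= hostinfo + 1 here */
    if (len == 0 || len >= outsz)         /* empty literal or no room for NUL */
        return -1;
    memcpy(out, hostinfo + 1, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    const char *samples[] = { "[::1]:80", "[", "[]", "[fe80::1" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = copy_v6_host(samples[i], buf, sizeof buf);
        printf("%-10s naive=%td checked=%s\n", samples[i],
               naive_v6_len(samples[i]), rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```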
Additionally: An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0809 to this issue.
Remove embargo
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-463.html