Bug 132741 - CAN-2004-0747, 0748, 0751, 0809
Summary: CAN-2004-0747, 0748, 0751, 0809
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd (Show other bugs)
(Show other bugs)
Version: 1
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL: http://www.httpd.org
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-09-16 16:11 UTC by Gilbert Sebenste
Modified: 2007-11-30 22:10 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-12-08 20:57:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Gilbert Sebenste 2004-09-16 16:11:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; 
Q312461; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

Description of problem:
Urgent security release needed before FC1 goes buh-bye next week.

Please see:

http://httpd.apache.org/

For appropriate patches. Thank you!

Version-Release number of selected component (if applicable):
Apache 2.0.50

How reproducible:
Always

Steps to Reproduce:
1. See the above pages.

    

Actual Results:  Security breaches are possible.

Expected Results:  No security leaks!

Additional info:

None.

Comment 1 Joe Orton 2004-09-16 16:19:55 UTC
apr-util updates to fix CAN-2004-0786 were issued yesterday.  httpd
updates are being prepared.

Comment 2 Gilbert Sebenste 2004-09-16 16:27:41 UTC
Thank you! Will look forward to seeing them. Thanks much, and
keep up the great work!

Comment 3 Joe Orton 2004-09-17 16:30:55 UTC
Update are now available for FC1 from the testing repos:

http://www.redhat.com/archives/fedora-test-list/2004-September/msg00609.html

please post any feedback from testing these to this bug report.


Comment 4 Gilbert Sebenste 2004-09-17 16:41:29 UTC
So far, so good! Just slapped them on 4 machines...no errors.
Thank you!

Comment 5 Joe Orton 2004-09-17 16:47:57 UTC
Thanks.  Please leave this open until the updates are shipped to final.

Comment 6 Tomas Janousek 2004-09-18 12:04:29 UTC
A few hours after update, http authentiaction in .htaccess did not
work and search engine crawler bots were able to get to admin parts of
our web and delete some items from database... But I don't know how to
reproduce.

Comment 7 Joe Orton 2004-09-18 14:27:03 UTC
What is the configuration in said .htaccess file?  We need to
determine whether that was a real bug and whether it was related to
the 2.0.51 update.

Comment 8 Tomas Janousek 2004-09-18 14:31:17 UTC
It was:

AuthName "[somewhat]"
AuthUserFile /var/www/[somewhat]/html/admin/.htpasswd
AuthType Basic
Require valid-user

I noticed, that it does it exactly after one hour of running.

Comment 9 Joe Orton 2004-09-18 14:43:38 UTC
And you checked, no username was logged in access_log for the accesses
by the crawler?

Comment 10 Tomas Janousek 2004-09-18 14:46:25 UTC
I tested if I can reproduce it, so I did a "while :; do wget -O
/dev/null http://[somewhat]/admin/; sleep 1; done" and it stopped
returning 401 after exactly one hour and no username was logged.

Comment 11 Joe Orton 2004-09-18 15:05:24 UTC
"one hour" sounds like a possible caching issue.  Do you have
mod_mem_cache or any other caching configured for this site?

Comment 12 Tomas Janousek 2004-09-18 15:07:46 UTC
I did not touch any configuration relating mod_*cache, so if it's not
enabled by default, I don't have it enabled.

Comment 13 Joe Orton 2004-09-18 17:40:12 UTC
Are you using the prefork MPM, not worker?  I can't reproduce any
problems from a similar setup running for several hours.

Can you:

1) attach your complete httpd.conf and any other changed conf.d/*.conf
files.

2) downgrade again to the 2.0.50 packages and check that the problem
is not reproducible there.




Comment 14 Joe Orton 2004-09-21 09:10:16 UTC
Tomas' bug was confirmed as a Satisfy handling regression in 2.0.51.

But now this update will have to be issued via Fedora Legacy, so I'll
try and co-ordinate with them.

Comment 15 Tomas Janousek 2004-09-21 17:37:30 UTC
Thx, is it also ok in Fedora Core 2? (I'm now upgrading mashines)

Comment 16 Joe Orton 2004-09-21 20:24:33 UTC
Updates which include all the above fixes will be issued for FC2 soon.
 The FC2 2.0.51 updates have not been pushed to live, so the FC2 httpd
is vulnerable to all the CAN numbers in the Summary, but not the
Satisfy regression.

Comment 17 Tomas Janousek 2004-09-22 13:38:32 UTC
I'm afraid, but it's vulnerable to the satisfy regression (or
something with same effects) too :(

Comment 19 Joe Orton 2004-12-08 20:57:56 UTC
The fix for FC2 was FEDORA-2004-313:

http://www.redhat.com/archives/fedora-announce-list/2004-September/msg00029.html

fixes for FC1 must now be handled by the Fedora Legacy team.


Note You need to log in before you can comment on or make changes to this bug.