Bug 132741 - CAN-2004-0747, 0748, 0751, 0809
Summary: CAN-2004-0747, 0748, 0751, 0809
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: 1
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL: http://www.httpd.org
Whiteboard:
Depends On:
Blocks:
Reported: 2004-09-16 16:11 UTC by Gilbert Sebenste
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-12-08 20:57:56 UTC
Type: ---
Embargoed:


Description Gilbert Sebenste 2004-09-16 16:11:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; 
Q312461; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

Description of problem:
Urgent security release needed before FC1 goes buh-bye next week.

Please see:

http://httpd.apache.org/

For appropriate patches. Thank you!

Version-Release number of selected component (if applicable):
Apache 2.0.50

How reproducible:
Always

Steps to Reproduce:
1. See the above pages.

    

Actual Results:  Security breaches are possible.

Expected Results:  No security leaks!

Additional info:

None.

Comment 1 Joe Orton 2004-09-16 16:19:55 UTC
apr-util updates to fix CAN-2004-0786 were issued yesterday.  httpd
updates are being prepared.

Comment 2 Gilbert Sebenste 2004-09-16 16:27:41 UTC
Thank you! Will look forward to seeing them. Thanks much, and
keep up the great work!

Comment 3 Joe Orton 2004-09-17 16:30:55 UTC
Updates are now available for FC1 from the testing repos:

http://www.redhat.com/archives/fedora-test-list/2004-September/msg00609.html

Please post any feedback from testing these to this bug report.


Comment 4 Gilbert Sebenste 2004-09-17 16:41:29 UTC
So far, so good! Just slapped them on 4 machines...no errors.
Thank you!

Comment 5 Joe Orton 2004-09-17 16:47:57 UTC
Thanks.  Please leave this open until the updates are shipped to final.

Comment 6 Tomas Janousek 2004-09-18 12:04:29 UTC
A few hours after update, http authentication in .htaccess did not
work and search engine crawler bots were able to get to admin parts of
our web and delete some items from database... But I don't know how to
reproduce.

Comment 7 Joe Orton 2004-09-18 14:27:03 UTC
What is the configuration in said .htaccess file?  We need to
determine whether that was a real bug and whether it was related to
the 2.0.51 update.

Comment 8 Tomas Janousek 2004-09-18 14:31:17 UTC
It was:

AuthName "[somewhat]"
AuthUserFile /var/www/[somewhat]/html/admin/.htpasswd
AuthType Basic
Require valid-user

I noticed that it does it exactly after one hour of running.

Comment 9 Joe Orton 2004-09-18 14:43:38 UTC
And you checked, no username was logged in access_log for the accesses
by the crawler?

Comment 10 Tomas Janousek 2004-09-18 14:46:25 UTC
I tested if I can reproduce it, so I did a "while :; do wget -O
/dev/null http://[somewhat]/admin/; sleep 1; done" and it stopped
returning 401 after exactly one hour and no username was logged.
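
The access_log check asked for in Comment 9, as an added example that is not part of the original bug report or of httpd: it flags requests under a protected path that were served (status below 400) while the logged remote user is "-". It assumes the common/combined log format; the sample lines, addresses and the `/admin/` prefix are constructed for illustration.

```python
import re

# Apache common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def unauthenticated_hits(lines, protected_prefix):
    """Return (time, host, method, path, status) for requests under
    protected_prefix that were served with no authenticated user logged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated request line, e.g. "-"
        if not m["path"].startswith(protected_prefix):
            continue
        status = int(m["status"])
        # A 401 with user "-" is the normal Basic-auth challenge.
        # A 2xx/3xx with user "-" means the request was served with
        # no credentials checked, which is the symptom in this bug.
        if m["user"] == "-" and status < 400:
            hits.append((m["time"], m["host"], m["method"], m["path"], status))
    return hits


# Constructed sample log lines (not taken from the bug report).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2004:13:00:01 +0200] "GET /admin/ HTTP/1.0" 401 478',
    '192.0.2.10 - alice [18/Sep/2004:13:00:05 +0200] "GET /admin/ HTTP/1.0" 200 1532',
    '192.0.2.77 - - [18/Sep/2004:14:00:02 +0200] "GET /admin/ HTTP/1.0" 200 1532',
    '192.0.2.77 - - [18/Sep/2004:14:00:09 +0200] "GET /admin/items?page=2 HTTP/1.0" 302 -',
    '192.0.2.77 - - [18/Sep/2004:14:00:11 +0200] "GET /index.html HTTP/1.0" 200 900',
    '192.0.2.77 - - [18/Sep/2004:14:00:12 +0200] "-" 408 -',
]

if __name__ == "__main__":
    for hit in unauthenticated_hits(SAMPLE_LOG, "/admin/"):
        print(*hit)
```

Run over the real access_log for the period before and after the update, the timestamp of the first hit shows when the 401 challenge stopped being issued.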

Comment 11 Joe Orton 2004-09-18 15:05:24 UTC
"one hour" sounds like a possible caching issue.  Do you have
mod_mem_cache or any other caching configured for this site?

Comment 12 Tomas Janousek 2004-09-18 15:07:46 UTC
I did not touch any configuration relating mod_*cache, so if it's not
enabled by default, I don't have it enabled.

Comment 13 Joe Orton 2004-09-18 17:40:12 UTC
Are you using the prefork MPM, not worker?  I can't reproduce any
problems from a similar setup running for several hours.

Can you:

1) attach your complete httpd.conf and any other changed conf.d/*.conf
files.

2) downgrade again to the 2.0.50 packages and check that the problem
is not reproducible there.




Comment 14 Joe Orton 2004-09-21 09:10:16 UTC
Tomas' bug was confirmed as a Satisfy handling regression in 2.0.51.

But now this update will have to be issued via Fedora Legacy, so I'll
try and co-ordinate with them.

Comment 15 Tomas Janousek 2004-09-21 17:37:30 UTC
Thx, is it also ok in Fedora Core 2? (I'm now upgrading machines)

Comment 16 Joe Orton 2004-09-21 20:24:33 UTC
Updates which include all the above fixes will be issued for FC2 soon.
 The FC2 2.0.51 updates have not been pushed to live, so the FC2 httpd
is vulnerable to all the CAN numbers in the Summary, but not the
Satisfy regression.

Comment 17 Tomas Janousek 2004-09-22 13:38:32 UTC
I'm afraid, but it's vulnerable to the satisfy regression (or
something with same effects) too :(

Comment 19 Joe Orton 2004-12-08 20:57:56 UTC
The fix for FC2 was FEDORA-2004-313:

http://www.redhat.com/archives/fedora-announce-list/2004-September/msg00029.html

Fixes for FC1 must now be handled by the Fedora Legacy team.

