Bug 132741 - CAN-2004-0747, 0748, 0751, 0809
CAN-2004-0747, 0748, 0751, 0809
Product: Fedora
Classification: Fedora
Component: httpd (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
: Security
Depends On:
  Show dependency treegraph
Reported: 2004-09-16 12:11 EDT by Gilbert Sebenste
Modified: 2007-11-30 17:10 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-12-08 15:57:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Gilbert Sebenste 2004-09-16 12:11:04 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; 
Q312461; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

Description of problem:
Urgent security release needed before FC1 goes buh-bye next week.

Please see:


For appropriate patches. Thank you!

Version-Release number of selected component (if applicable):
Apache 2.0.50

How reproducible:

Steps to Reproduce:
1. See the above pages.


Actual Results:  Security breaches are possible.

Expected Results:  No security leaks!

Additional info:

Comment 1 Joe Orton 2004-09-16 12:19:55 EDT
apr-util updates to fix CAN-2004-0786 were issued yesterday.  httpd
updates are being prepared.
Comment 2 Gilbert Sebenste 2004-09-16 12:27:41 EDT
Thank you! Will look forward to seeing them. Thanks much, and
keep up the great work!
Comment 3 Joe Orton 2004-09-17 12:30:55 EDT
Update are now available for FC1 from the testing repos:


please post any feedback from testing these to this bug report.
Comment 4 Gilbert Sebenste 2004-09-17 12:41:29 EDT
So far, so good! Just slapped them on 4 machines...no errors.
Thank you!
Comment 5 Joe Orton 2004-09-17 12:47:57 EDT
Thanks.  Please leave this open until the updates are shipped to final.
Comment 6 Tomas Janousek 2004-09-18 08:04:29 EDT
A few hours after update, http authentiaction in .htaccess did not
work and search engine crawler bots were able to get to admin parts of
our web and delete some items from database... But I don't know how to
Comment 7 Joe Orton 2004-09-18 10:27:03 EDT
What is the configuration in said .htaccess file?  We need to
determine whether that was a real bug and whether it was related to
the 2.0.51 update.
Comment 8 Tomas Janousek 2004-09-18 10:31:17 EDT
It was:

AuthName "[somewhat]"
AuthUserFile /var/www/[somewhat]/html/admin/.htpasswd
AuthType Basic
Require valid-user

I noticed, that it does it exactly after one hour of running.
Comment 9 Joe Orton 2004-09-18 10:43:38 EDT
And you checked, no username was logged in access_log for the accesses
by the crawler?
Comment 10 Tomas Janousek 2004-09-18 10:46:25 EDT
I tested if I can reproduce it, so I did a "while :; do wget -O
/dev/null http://[somewhat]/admin/; sleep 1; done" and it stopped
returning 401 after exactly one hour and no username was logged.
Comment 11 Joe Orton 2004-09-18 11:05:24 EDT
"one hour" sounds like a possible caching issue.  Do you have
mod_mem_cache or any other caching configured for this site?
Comment 12 Tomas Janousek 2004-09-18 11:07:46 EDT
I did not touch any configuration relating mod_*cache, so if it's not
enabled by default, I don't have it enabled.
Comment 13 Joe Orton 2004-09-18 13:40:12 EDT
Are you using the prefork MPM, not worker?  I can't reproduce any
problems from a similar setup running for several hours.

Can you:

1) attach your complete httpd.conf and any other changed conf.d/*.conf

2) downgrade again to the 2.0.50 packages and check that the problem
is not reproducible there.

Comment 14 Joe Orton 2004-09-21 05:10:16 EDT
Tomas' bug was confirmed as a Satisfy handling regression in 2.0.51.

But now this update will have to be issued via Fedora Legacy, so I'll
try and co-ordinate with them.
Comment 15 Tomas Janousek 2004-09-21 13:37:30 EDT
Thx, is it also ok in Fedora Core 2? (I'm now upgrading mashines)
Comment 16 Joe Orton 2004-09-21 16:24:33 EDT
Updates which include all the above fixes will be issued for FC2 soon.
 The FC2 2.0.51 updates have not been pushed to live, so the FC2 httpd
is vulnerable to all the CAN numbers in the Summary, but not the
Satisfy regression.
Comment 17 Tomas Janousek 2004-09-22 09:38:32 EDT
I'm afraid, but it's vulnerable to the satisfy regression (or
something with same effects) too :(
Comment 19 Joe Orton 2004-12-08 15:57:56 EST
The fix for FC2 was FEDORA-2004-313:


fixes for FC1 must now be handled by the Fedora Legacy team.

Note You need to log in before you can comment on or make changes to this bug.