From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;
Q312461; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Description of problem:
Urgent security release needed before FC1 goes buh-bye next week.
For appropriate patches. Thank you!
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. See the above pages.
Actual Results: Security breaches are possible.
Expected Results: No security leaks!
apr-util updates to fix CAN-2004-0786 were issued yesterday. httpd
updates are being prepared.
Thank you! Will look forward to seeing them. Thanks much, and
keep up the great work!
Updates are now available for FC1 from the testing repos:
please post any feedback from testing these to this bug report.
So far, so good! Just slapped them on 4 machines...no errors.
Thanks. Please leave this open until the updates are shipped to final.
A few hours after update, http authentication in .htaccess did not
work and search engine crawler bots were able to get to admin parts of
our web and delete some items from database... But I don't know how to
What is the configuration in said .htaccess file? We need to
determine whether that was a real bug and whether it was related to
the 2.0.51 update.
I noticed that it does it exactly after one hour of running.
And you checked, no username was logged in access_log for the accesses
by the crawler?
I tested if I can reproduce it, so I did a "while :; do wget -O
/dev/null http://[somewhat]/admin/; sleep 1; done" and it stopped
returning 401 after exactly one hour and no username was logged.
"one hour" sounds like a possible caching issue. Do you have
mod_mem_cache or any other caching configured for this site?
I did not touch any configuration relating to mod_*cache, so if it's not
enabled by default, I don't have it enabled.
Are you using the prefork MPM, not worker? I can't reproduce any
problems from a similar setup running for several hours.
1) attach your complete httpd.conf and any other changed conf.d/*.conf
2) downgrade again to the 2.0.50 packages and check that the problem
is not reproducible there.
Tomas' bug was confirmed as a Satisfy handling regression in 2.0.51.
But now this update will have to be issued via Fedora Legacy, so I'll
try and co-ordinate with them.
Thx, is it also ok in Fedora Core 2? (I'm now upgrading machines)
Updates which include all the above fixes will be issued for FC2 soon.
The FC2 2.0.51 updates have not been pushed to live, so the FC2 httpd
is vulnerable to all the CAN numbers in the Summary, but not the
I'm afraid, but it's vulnerable to the satisfy regression (or
something with same effects) too :(
The fix for FC2 was FEDORA-2004-313:
fixes for FC1 must now be handled by the Fedora Legacy team.
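
The check asked for in the thread (was a username logged for the requests that stopped getting 401?) can be run over an access log after the fact. The following is an added example, not part of the bug report or of httpd itself; it assumes the common/combined log format and a protected prefix of `/admin/`, and the sample log lines are constructed.

```python
import re
from datetime import datetime

# Apache common/combined log format: host ident user [time] "request" status size ...
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def unauthenticated_hits(lines, protected_prefix="/admin/"):
    """Return (first_401_time, findings). Findings are requests under the
    protected prefix that were served (status < 400) with no remote user logged."""
    first_challenge, findings = None, []
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].startswith(protected_prefix):
            continue  # unparsable line or outside the protected area
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status = int(m["status"])
        if status == 401:
            # Expected behaviour: remember when the challenge was first seen.
            if first_challenge is None:
                first_challenge = ts
        elif status < 400 and m["user"] == "-":
            # Served without credentials: the symptom reported in this bug.
            findings.append((ts, m["host"], m["method"], m["path"], status))
    return first_challenge, findings

# Constructed sample lines (addresses, paths and times are made up).
SAMPLE = [
    '192.0.2.10 - - [16/Sep/2004:10:00:00 +0200] "GET /admin/ HTTP/1.0" 401 478',
    '192.0.2.10 - alice [16/Sep/2004:10:05:12 +0200] "GET /admin/ HTTP/1.1" 200 5120',
    '192.0.2.10 - - [16/Sep/2004:10:30:00 +0200] "GET /index.html HTTP/1.0" 200 900',
    '198.51.100.7 - - [16/Sep/2004:11:00:01 +0200] "GET /admin/ HTTP/1.0" 200 5120',
    '198.51.100.7 - - [16/Sep/2004:11:00:03 +0200] "GET /admin/delete?id=7 HTTP/1.0" 302 0',
]

if __name__ == "__main__":
    first, hits = unauthenticated_hits(SAMPLE)
    for ts, host, method, path, status in hits:
        gap = f", {ts - first} after first 401" if first else ""
        print(f"{ts.isoformat()} {host} {method} {path} -> {status} (no user{gap})")
```

Authenticated requests (a username in the third field) and anything outside the prefix are ignored, so every finding is a request that should have been challenged.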