This is discussed in RHSA-2004-157 (RHSA-2004:157-06) for Red Hat Enterprise
Linux 2.1AS and RHSA-2004-158 (RHSA-2004:158-04) for Red Hat 9. Red Hat 7.2
through 8.0 are also vulnerable.

BTW, Red Hat updated even RHEL 2.1's cadaver (as well as Red Hat 9's) to 0.22.0,
which is the version shipped with Fedora Core. (As an aside, Fedora Core does
not need a cadaver update because in that distribution cadaver links to neon
dynamically and neon was updated.)

I would argue that in this case we should recompile the newer package, since Red
Hat also seems to think that's OK. But that's just my opinion.



------- Additional Comments From skvidal.edu 2004-04-30 21:47:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Built 0.22 for rhl7.3
had to remove krb5-devel during build or it pulls in krb5/gssapi dep
package functions normally - I don't have a dav server to test against
but all the deps and auto-generated deps match EL and 0.19 from 7.3 stock
 
0bf22ef6b899fe743e43dfef2af358f9  cadaver-0.22.0-1.legacy.i386.rpm
fc025b0f5c438b9e37f7b2a0b5249fbd  cadaver-0.22.0-1.legacy.src.rpm
 
http://linux.duke.edu/~skvidal/RPMS/legacy/cadaver/
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFAk1YS1Aj3x2mIbMcRAmmeAJ0bhxCZBRAzCQ0Yx9pt94agtdhU2wCfTa3s
cJCPREq8GUq02q2ikGBJM5o=
=2JJT
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating 2004-05-06 19:47:11 ----

missing buildreq libtool zlib-devel.  Will add for final build.



------- Additional Comments From jonny.strom 2004-05-20 02:49:35 ----

There is a new issue with cadaver CAN-2004-0398 in rh72, rh73, rh80, rh9:

Stefan Esser discovered a flaw in the neon library which allows a heap
buffer overflow in a date parsing routine. An attacker could create
a malicious WebDAV server in such a way as to allow arbitrary code
execution on the client should a user connect to it using cadaver.


https://rhn.redhat.com/errata/RHSA-2004-191.html
http://www.debian.org/security/2004/dsa-507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0398



------- Additional Comments From marcdeslauriers 2004-06-01 16:59:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are rpms for 7.3 that fix CAN-2004-0398.
I have upgraded to 0.22.1 as that is what Red Hat did with RHEL 2.1.

Changelog:
* Tue Jun 01 2004 Marc Deslauriers <marcdeslauriers> 0.22.1-1.legacy
- - Bump to 0.22.1
- - Added patch for CAN-2004-0398
- - Added libtool and zlib-devel prereq
- - Added krb5-devel buildconflict

e7e7b22e18b69eaeca71a3b690773393fac9c92e  cadaver-0.22.1-1.legacy.i386.rpm
813013753010c7d897fd69d5992cd3d513265b96  cadaver-0.22.1-1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/cadaver-0.22.1-1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cadaver-0.22.1-1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAvUJ+LMAs/0C4zNoRAnYWAKCUVqH/7hBtbmsyVaBT3uiQYnwc2gCgmISS
H+EudKLu08h3mTKRJtb+VTQ=
=YpV/
-----END PGP SIGNATURE-----




------- Additional Comments From skvidal.edu 2004-06-01 17:01:22 ----

krb5-devel buildconflict? why is it a buildconflict -it should be a buildrequire




------- Additional Comments From marcdeslauriers 2004-06-02 02:01:55 ----

Because krb5-devel pulls in krb5 as dependencies, which the original package
didn't have. You said so yourself earlier in this bug. I added it as a
buildconflict just to remember to uninstall krb5-devel before building it.



------- Additional Comments From marcdeslauriers 2004-06-02 17:30:22 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for rh9:

Changelog:
* Wed Jun 02 2004 Marc Deslauriers <marcdeslauriers> 0.22.1-2.legacy
 
- - Bump to 0.22.1
- - Added patch for CAN-2004-0398
- - Added libtool and zlib-devel prereq

krb5 dependencies are in the original rh9 package, so we don't need a
buildconflicts like the rh7.3 version.

e91951bd02892a4d19a9709f682abd70d896e7e6  cadaver-0.22.1-2.legacy.i386.rpm
269aee014a2ea8405d30a0d9db2a3a1268e2e5e6  cadaver-0.22.1-2.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/cadaver-0.22.1-2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cadaver-0.22.1-2.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAvpsgLMAs/0C4zNoRAjvzAKC6wtgShy15qSlraw30uhlOmvPnCACeNhmW
fhxEW/kSTA/7gj5r863Jxq4=
=iFYO
-----END PGP SIGNATURE-----




------- Additional Comments From jonny.strom 2004-06-05 02:29:26 ----

I did QA for the rh9 package:

SHA1 ok.
Installs ok.
Did basic fucntionallity testing and it works as expected.

I wote for publish.




------- Additional Comments From jkeating 2004-06-16 16:16:48 ----

Pushed to updates-testing:

  http://download.fedoralegacy.org/redhat/

46931edc0f4e8ad25c994891938c103a45f28982
7.3/updates-testing/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4
7.3/updates-testing/i386/cadaver-0.22.1-1.legacy.i386.rpm

6cc852676c85e9cc3dc8e472676185cdffabf09f
9/updates-testing/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
1a9d4e010885e902b2a6a994cfee5744b7f4afba
9/updates-testing/i386/cadaver-0.22.1-3.legacy.i386.rpm



------- Additional Comments From dom 2004-09-08 13:24:34 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1a9d4e010885e902b2a6a994cfee5744b7f4afba  i386/cadaver-0.22.1-3.legacy.i386.rpm
6cc852676c85e9cc3dc8e472676185cdffabf09f  SRPMS/cadaver-0.22.1-3.legacy.src.rpm

for RH9:
- - installs
- - runs
- - builds from source

++VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBP5SGYzuFKFF44qURAsY+AJ4yFK9UuZRSXHePNS7jnbhoFN6UKwCgiGKW
R3QZya9XKTk6g7MoLRivtfc=
=9ZQe
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-09-09 05:56:45 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
46931edc0f4e8ad25c994891938c103a45f28982  cadaver-0.22.1-1.legacy.src.rpm
0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4  cadaver-0.22.1-1.legacy.i386.rpm
 
Package builds and installs just fine on RH73
 
VERIFY
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBQH0xyQ+yTHz+jJkRAmufAJ0ccKOs9Xw525pOmL2sH5nQ+UBtcACeO8h1
xh6oLiSBdgEVXiQKHGfx2cc=
=+V7o
-----END PGP SIGNATURE-----




------- Additional Comments From mule 2004-09-09 07:45:04 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
1a9d4e010885e902b2a6a994cfee5744b7f4afba  cadaver-0.22.1-3.legacy.i386.rpm
6cc852676c85e9cc3dc8e472676185cdffabf09f  cadaver-0.22.1-3.legacy.src.rpm
 
Red Hat 9:
* installs
* builds
 
VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBQJZ1TsaUa9pp4VIRAs9BAKC0RFqOeljEhsZn/bDTHW7DTbIGSwCg6L5F
8/OeT64f3Saec6YKqSeUcCU=
=BzMa
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-09-28 12:14:52 ----

http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1552-cadaver-draft.txt



------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1552 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1552
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.