This is discussed in RHSA-2004-157 (RHSA-2004:157-06) for Red Hat Enterprise Linux 2.1AS and RHSA-2004-158 (RHSA-2004:158-04) for Red Hat 9. Red Hat 7.2 through 8.0 are also vulnerable. BTW, Red Hat updated even RHEL 2.1's cadaver (as well as Red Hat 9's) to 0.22.0, which is the version shipped with Fedora Core. (As an aside, Fedora Core does not need a cadaver update because in that distribution cadaver links to neon dynamically and neon was updated.) I would argue that in this case we should recompile the newer package, since Red Hat also seems to think that's OK. But that's just my opinion.

------- Additional Comments From skvidal.edu 2004-04-30 21:47:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Built 0.22 for rhl7.3.
Had to remove krb5-devel during build or it pulls in krb5/gssapi dep.
Package functions normally - I don't have a dav server to test against, but all the deps and auto-generated deps match EL and 0.19 from 7.3 stock.

0bf22ef6b899fe743e43dfef2af358f9  cadaver-0.22.0-1.legacy.i386.rpm
fc025b0f5c438b9e37f7b2a0b5249fbd  cadaver-0.22.0-1.legacy.src.rpm

http://linux.duke.edu/~skvidal/RPMS/legacy/cadaver/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAk1YS1Aj3x2mIbMcRAmmeAJ0bhxCZBRAzCQ0Yx9pt94agtdhU2wCfTa3s
cJCPREq8GUq02q2ikGBJM5o=
=2JJT
-----END PGP SIGNATURE-----

------- Additional Comments From jkeating 2004-05-06 19:47:11 ----

Missing buildreq libtool zlib-devel. Will add for final build.

------- Additional Comments From jonny.strom 2004-05-20 02:49:35 ----

There is a new issue with cadaver, CAN-2004-0398, in rh72, rh73, rh80, rh9:

Stefan Esser discovered a flaw in the neon library which allows a heap buffer overflow in a date parsing routine. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using cadaver.

https://rhn.redhat.com/errata/RHSA-2004-191.html
http://www.debian.org/security/2004/dsa-507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0398

------- Additional Comments From marcdeslauriers 2004-06-01 16:59:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are rpms for 7.3 that fix CAN-2004-0398. I have upgraded to 0.22.1 as that is what Red Hat did with RHEL 2.1.

Changelog:
* Tue Jun 01 2004 Marc Deslauriers <marcdeslauriers> 0.22.1-1.legacy
- - Bump to 0.22.1
- - Added patch for CAN-2004-0398
- - Added libtool and zlib-devel prereq
- - Added krb5-devel buildconflict

e7e7b22e18b69eaeca71a3b690773393fac9c92e  cadaver-0.22.1-1.legacy.i386.rpm
813013753010c7d897fd69d5992cd3d513265b96  cadaver-0.22.1-1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/cadaver-0.22.1-1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cadaver-0.22.1-1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAvUJ+LMAs/0C4zNoRAnYWAKCUVqH/7hBtbmsyVaBT3uiQYnwc2gCgmISS
H+EudKLu08h3mTKRJtb+VTQ=
=YpV/
-----END PGP SIGNATURE-----

------- Additional Comments From skvidal.edu 2004-06-01 17:01:22 ----

krb5-devel buildconflict? Why is it a buildconflict - it should be a buildrequire.

------- Additional Comments From marcdeslauriers 2004-06-02 02:01:55 ----

Because krb5-devel pulls in krb5 as dependencies, which the original package didn't have. You said so yourself earlier in this bug. I added it as a buildconflict just to remember to uninstall krb5-devel before building it.

------- Additional Comments From marcdeslauriers 2004-06-02 17:30:22 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are packages for rh9:

Changelog:
* Wed Jun 02 2004 Marc Deslauriers <marcdeslauriers> 0.22.1-2.legacy
- - Bump to 0.22.1
- - Added patch for CAN-2004-0398
- - Added libtool and zlib-devel prereq

krb5 dependencies are in the original rh9 package, so we don't need a buildconflicts like the rh7.3 version.

e91951bd02892a4d19a9709f682abd70d896e7e6  cadaver-0.22.1-2.legacy.i386.rpm
269aee014a2ea8405d30a0d9db2a3a1268e2e5e6  cadaver-0.22.1-2.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/cadaver-0.22.1-2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cadaver-0.22.1-2.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAvpsgLMAs/0C4zNoRAjvzAKC6wtgShy15qSlraw30uhlOmvPnCACeNhmW
fhxEW/kSTA/7gj5r863Jxq4=
=iFYO
-----END PGP SIGNATURE-----

------- Additional Comments From jonny.strom 2004-06-05 02:29:26 ----

I did QA for the rh9 package:
SHA1 ok.
Installs ok.
Did basic functionality testing and it works as expected.
I vote for publish.

------- Additional Comments From jkeating 2004-06-16 16:16:48 ----

Pushed to updates-testing: http://download.fedoralegacy.org/redhat/

46931edc0f4e8ad25c994891938c103a45f28982  7.3/updates-testing/SRPMS/cadaver-0.22.1-1.legacy.src.rpm
0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4  7.3/updates-testing/i386/cadaver-0.22.1-1.legacy.i386.rpm
6cc852676c85e9cc3dc8e472676185cdffabf09f  9/updates-testing/SRPMS/cadaver-0.22.1-3.legacy.src.rpm
1a9d4e010885e902b2a6a994cfee5744b7f4afba  9/updates-testing/i386/cadaver-0.22.1-3.legacy.i386.rpm

------- Additional Comments From dom 2004-09-08 13:24:34 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1a9d4e010885e902b2a6a994cfee5744b7f4afba  i386/cadaver-0.22.1-3.legacy.i386.rpm
6cc852676c85e9cc3dc8e472676185cdffabf09f  SRPMS/cadaver-0.22.1-3.legacy.src.rpm

for RH9:
- - installs
- - runs
- - builds from source

++VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBP5SGYzuFKFF44qURAsY+AJ4yFK9UuZRSXHePNS7jnbhoFN6UKwCgiGKW
R3QZya9XKTk6g7MoLRivtfc=
=9ZQe
-----END PGP SIGNATURE-----

------- Additional Comments From ckelley 2004-09-09 05:56:45 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

46931edc0f4e8ad25c994891938c103a45f28982  cadaver-0.22.1-1.legacy.src.rpm
0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4  cadaver-0.22.1-1.legacy.i386.rpm

Package builds and installs just fine on RH73.

VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQH0xyQ+yTHz+jJkRAmufAJ0ccKOs9Xw525pOmL2sH5nQ+UBtcACeO8h1
xh6oLiSBdgEVXiQKHGfx2cc=
=+V7o
-----END PGP SIGNATURE-----

------- Additional Comments From mule 2004-09-09 07:45:04 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1a9d4e010885e902b2a6a994cfee5744b7f4afba  cadaver-0.22.1-3.legacy.i386.rpm
6cc852676c85e9cc3dc8e472676185cdffabf09f  cadaver-0.22.1-3.legacy.src.rpm

Red Hat 9:
* installs
* builds

VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBQJZ1TsaUa9pp4VIRAs9BAKC0RFqOeljEhsZn/bDTHW7DTbIGSwCg6L5F
8/OeT64f3Saec6YKqSeUcCU=
=BzMa
-----END PGP SIGNATURE-----

------- Additional Comments From dom 2004-09-28 12:14:52 ----

http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/1552-cadaver-draft.txt

------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1552 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1552
Originally filed under the Fedora Legacy product and Package request component.
Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
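Several of the QA posts in this thread (jonny.strom's "SHA1 ok", and the VERIFY posts from dom, ckelley and mule) start by checking the digests posted for the packages before installing them. The script below is an added example, not code from this bug or from Fedora Legacy: it verifies a manifest in the thread's "<digest> <file>" layout against files under a directory, choosing md5sum or sha1sum from the digest length (skvidal's first post used 32-character MD5 sums, the later posts 40-character SHA-1 sums), and reports missing, mismatched and unrecognised entries rather than stopping at the first problem. The fixture files and manifest it builds are constructed stand-ins, not the real RPMs.

```shell
#!/bin/sh
# Added example, not code from the Fedora Legacy bug or its packages.
# verify_manifest checks "<digest> <file>" lines against files under a
# directory. Digest algorithm is chosen by length: 32 hex chars -> MD5,
# 40 hex chars -> SHA-1. Its exit status is the number of bad entries.

verify_manifest() {
    vm_manifest=$1
    vm_dir=$2
    vm_bad=0
    while read -r vm_digest vm_file; do
        [ -z "$vm_digest" ] && continue          # blank line in the manifest
        case "$vm_digest" in
            *[!0-9a-f]*) vm_tool="" ;;           # not a lowercase hex digest
            *) case ${#vm_digest} in
                   32) vm_tool=md5sum ;;
                   40) vm_tool=sha1sum ;;
                   *)  vm_tool="" ;;
               esac ;;
        esac
        if [ -z "$vm_tool" ]; then
            echo "UNKNOWN-DIGEST $vm_file"; vm_bad=$((vm_bad + 1)); continue
        fi
        if [ ! -f "$vm_dir/$vm_file" ]; then
            echo "MISSING $vm_file"; vm_bad=$((vm_bad + 1)); continue
        fi
        vm_actual=$("$vm_tool" "$vm_dir/$vm_file" | cut -d' ' -f1)
        if [ "$vm_actual" = "$vm_digest" ]; then
            echo "OK $vm_file"
        else
            echo "MISMATCH $vm_file"; vm_bad=$((vm_bad + 1))
        fi
    done < "$vm_manifest"
    return "$vm_bad"
}

# make_fixture builds a constructed test directory (text stand-ins for the
# RPMs, not the real packages) with a manifest holding: a good SHA-1 entry,
# a good MD5 entry for the same file, an entry whose file is modified after
# its digest was recorded, and an entry for a file that does not exist.
# Prints the directory path.
make_fixture() {
    mf_dir=$(mktemp -d)
    printf 'constructed stand-in for cadaver-0.22.1-1.legacy.i386.rpm\n' > "$mf_dir/good.rpm"
    printf 'constructed stand-in for cadaver-0.22.1-1.legacy.src.rpm\n' > "$mf_dir/tampered.rpm"
    {
        printf '%s good.rpm\n'     "$(sha1sum "$mf_dir/good.rpm" | cut -d' ' -f1)"
        printf '%s good.rpm\n'     "$(md5sum  "$mf_dir/good.rpm" | cut -d' ' -f1)"
        printf '%s tampered.rpm\n' "$(sha1sum "$mf_dir/tampered.rpm" | cut -d' ' -f1)"
        printf '%s missing.rpm\n'  "$(sha1sum "$mf_dir/good.rpm" | cut -d' ' -f1)"
    } > "$mf_dir/MANIFEST"
    # alter the second file after its digest was taken, so it must mismatch
    printf 'one extra line appended after the digest was taken\n' >> "$mf_dir/tampered.rpm"
    echo "$mf_dir"
}

fixture=$(make_fixture)
if verify_manifest "$fixture/MANIFEST" "$fixture"; then
    echo "all entries verified"
else
    echo "entries that failed: $?"
fi
rm -rf "$fixture"
```

On the constructed fixture the run prints two OK lines for good.rpm, MISMATCH for tampered.rpm and MISSING for missing.rpm, and exits 2. In real QA the manifest would be the digest lines pasted from the signed comment, after checking the comment's signature with gpg --verify, so that the digests themselves are trusted before the packages are.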