The security issue is a buffer overflow which can be triggered by getting
mod_proxy to connect to a remote server which returns an invalid
(negative)  Content-Length.  This results in a memcpy to the heap with a 
large length value, which will in most cases cause the Apache child to 
crash.  This does not represent a significant Denial of Service attack as 
requests will continue to be handled by other Apache child processes.

Under some circumstances it may be possible to exploit this issue to cause 
arbitrary code execution.   However an attacker would need to get an
Apache installation that was configured as a proxy to connect to
a malicious site.



------- Additional Comments From marcdeslauriers 2004-06-10 12:24:32 ----

Additional info:

http://www.guninski.com/modproxy1.html
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=108687304202140

Only affects Apache httpd 1.3.25 to 1.3.31, so rh73 is vulnerable.




------- Additional Comments From marcdeslauriers 2004-06-10 12:28:34 ----

Humm...this may not be exploitable on Linux...maybe we should wait to see what
the other vendors decide to do...



------- Additional Comments From dom 2004-06-11 00:32:07 ----

Here's an SRPM, just in case:

http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/apache-1.3.27-5.legacy.src.rpm

test RPMS:

http://www-astro.physics.ox.ac.uk/~dom/legacy/i386/apache-1.3.27-5.legacy.i386.rpm
http://www-astro.physics.ox.ac.uk/~dom/legacy/i386/apache-devel-1.3.27-5.legacy.i386.rpm
http://www-astro.physics.ox.ac.uk/~dom/legacy/i386/apache-manual-1.3.27-5.legacy.i386.rpm



------- Additional Comments From marcdeslauriers 2004-06-11 13:51:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did some QA on Dominic's package:

6fb30e3b88a375ff3af0210590fa198d15297d38  apache-1.3.27-5.legacy.src.rpm

* Source matches previous apache release
* Patch matches upstream
* Spec file looks good
* Builds OK
* Installs OK
* Works OK

+ PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAykTpLMAs/0C4zNoRAm5YAKCbrmM0AZXA4tXBJXoNV/+FKyv2EACgl1Td
VeooMIOYi5qKEvT/JYt/4Xc=
=vPaL
-----END PGP SIGNATURE-----




------- Additional Comments From cra 2004-07-01 10:49:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Second QA on Dominic's package:

6fb30e3b88a375ff3af0210590fa198d15297d38  apache-1.3.27-5.legacy.src.rpm

* Only difference from previous release is the patch for CAN-2004-0492
* Builds OK
* Installs OK
* Works OK (basic testing with self-signed testcert)

+ PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFA5HiFw2eg+Um7WIYRArq6AKCdsXGP5fppwEOPGvpBoWA5R12FPwCeKoaz
PRlXEIW8SY05Xf+hC2RBSvY=
=zBxp
-----END PGP SIGNATURE-----




------- Additional Comments From michal 2004-07-11 17:00:39 ----

Created an attachment (id=766)
spec file used to recompile sources from apache-1.3.27-8.ent.src.rpm

Just a note that apache-1.3.27-8.ent.src.rpm includes the following
(quotes from changelog with bug number references to 
https://bugzilla.redhat.com/bugzilla):

- mod_proxy: add security fix for Content-Length handling (CVE CAN-2004-0492)
- mod_proxy: fix redundant reverse DNS lookups (#122637)
- enable prctl/PR_SET_DUMPABLE if CoreDumpDirectory is used (Jeff Trawick)
- add fix for #98343
- avoid segfaults for timeouts on SSL connections

I attach a spec file used to recompile these sources on RH7.3. I did not
turn on mod_auth_digest as it was absent in the original; also an alternate
web server with a different stack size was left out.



------- Additional Comments From marcdeslauriers 2004-09-12 08:01:35 ----

There are already two QA's done on Dominic's package.

I think this should go to updates-testing even though the rhel package fixed a
couple of non-security issues. If people have been running apache on rh7.3 for
this long with those bugs, they are either not affected by them or they are
running their own version of apache.



------- Additional Comments From marcdeslauriers 2004-09-17 12:06:07 ----

Created an attachment (id=850)
Advisory draft text

Here is a draft of the advisory draft



------- Additional Comments From marcdeslauriers 2004-09-17 12:12:45 ----

Forget the advisory draft in this bug.

This bug should be released at the same time and using the same draft text that
will be in bug 1888



------- Additional Comments From dom 2004-09-29 01:11:16 ----

Personally I would rather have the advisories separate. They are different
source packages and different issues, I don't see the reason behind having them
bundled together.



------- Additional Comments From marcdeslauriers 2004-09-29 13:41:58 ----

Created an attachment (id=865)
Apache advisory draft

OK, here is the advisory text for apache only



------- Additional Comments From marcdeslauriers 2004-09-29 15:07:39 ----

pushed to updates-testing



------- Additional Comments From cra 2004-10-02 16:43:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA/Verify rh73 packages:

2e1f8e6bafbbbe02ac26ccc98b73631e62c889ce  apache-1.3.27-5.legacy.i386.rpm
27a716974163c739784e09992f1d84a1996041d9  apache-devel-1.3.27-5.legacy.i386.rpm
ab688996e12f0364a50b58c2b120d933b403ce6b  apache-manual-1.3.27-5.legacy.i386.rpm
e2fadeb9a430a5dbda28076cd850180fbb95c2b8  apache-1.3.27-5.legacy.src.rpm

- - good sigs from 1024D/731002FA 2004-01-19 Fedora Legacy
(http://www.fedoralegacy.org) <secnotice>
- - good sha1sums
- - verified that these patches apply, as mentioned in changelog:

        Patch13: apache_1.3.31-CAN-2004-0492.patch

- - rpm-build-compare.sh shows no unintended changes between these pkgs
  and 1.3.27-4 except the following:

        Missing these auto-requires from /usr/bin/dbmmanage perl script:
        perl(AnyDBM_File)
        perl(Fcntl)
        perl(strict)

  (shouldn't be a problem, those modules come with our perl, and we
   already require /usr/bin/perl)

- - installs ok
- - tested with bz #1888 mod_ssl-2.8.12-6.legacy test update
- - works ok (http test page, https test page, virtual hosts for a few domains)

++VERIFY

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBX2bYw2eg+Um7WIYRAqUeAJsFHNBl9nYBljiMbzQqojHRjxS3AwCgjdke
iyvLlSN77Hso57rR9Y9Sz0E=
=7lh+
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-10-13 09:07:56 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Binaries:
2e1f8e6bafbbbe02ac26ccc98b73631e62c889ce  apache-1.3.27-5.legacy.i386.rpm
27a716974163c739784e09992f1d84a1996041d9  apache-devel-1.3.27-5.legacy.i386.rpm
ab688996e12f0364a50b58c2b120d933b403ce6b  apache-manual-1.3.27-5.legacy.i386.rpm 
Source:
e2fadeb9a430a5dbda28076cd850180fbb95c2b8  apache-1.3.27-5.legacy.src.rpm
 
 - source builds fine
 - binaries fuzzily match source build and redhat's apache-1.3.27-4
 - package installs and starts up fine
 - tested with perl/cgi, php and tomcat extensions; all seem fine
 
++VERIFY RH73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBbXzpyQ+yTHz+jJkRApPQAJ96JJqPidnx04Uio27gWICZ3zv6OgCeLSVF
xhFCRtdSzKGTWZF27zNwnCA=
=oVVP
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-13 12:55:30 ----

Pushed to official updates.



------- Bug moved to this database by dkl 2005-03-30 18:25 -------

This bug previously known as bug 1737 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1737
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
spec file used to recompile sources from apache-1.3.27-8.ent.src.rpm
https://bugzilla.fedora.us/attachment.cgi?action=view&id=766
Advisory draft text
https://bugzilla.fedora.us/attachment.cgi?action=view&id=850
Apache advisory draft
https://bugzilla.fedora.us/attachment.cgi?action=view&id=865

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.