The security issue is a buffer overflow which can be triggered by getting mod_proxy to connect to a remote server which returns an invalid (negative) Content-Length. This results in a memcpy to the heap with a large length value, which will in most cases cause the Apache child to crash. This does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. Under some circumstances it may be possible to exploit this issue to cause arbitrary code execution. However, an attacker would need to get an Apache installation that was configured as a proxy to connect to a malicious site.

------- Additional Comments From marcdeslauriers 2004-06-10 12:24:32 ----
Additional info:
http://www.guninski.com/modproxy1.html
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=108687304202140

Only affects Apache httpd 1.3.25 to 1.3.31, so rh73 is vulnerable.

------- Additional Comments From marcdeslauriers 2004-06-10 12:28:34 ----
Humm...this may not be exploitable on Linux...maybe we should wait to see what the other vendors decide to do...
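The mechanism the bug description refers to (a negative Content-Length that becomes a huge memcpy length) and the kind of strict check that closes it, as an added example in C; this is not Apache's or Fedora Legacy's code, and the function names are assumed for illustration:

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Strict Content-Length parser for a proxied response (illustrative,
 * not mod_proxy's code). Accepts only a non-empty run of ASCII digits
 * with optional surrounding blanks, so a sign ("-1", "+5"), stray
 * characters or a value that overflows a long are all rejected. */
bool parse_content_length(const char *s, long *out)
{
    char *end;
    long v;
    while (*s == ' ' || *s == '\t')
        s++;
    if (!isdigit((unsigned char)*s))   /* rejects "", "-1", "+5" */
        return false;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE)               /* does not fit in a long */
        return false;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')                  /* trailing junk, e.g. "12abc" */
        return false;
    *out = v;
    return true;
}

/* Gate the copy: a body may only be copied into a buffer of 'cap'
 * bytes when the header is well-formed and the length fits. */
bool body_fits(const char *content_length_hdr, size_t cap, size_t *len)
{
    long v;
    if (!parse_content_length(content_length_hdr, &v))
        return false;
    if ((size_t)v > cap)
        return false;
    *len = (size_t)v;
    return true;
}

/* The unchecked conversion: atoi("-1") is -1, and as memcpy's size_t
 * length argument that is SIZE_MAX. Nothing is copied here. */
size_t unchecked_length(const char *content_length_hdr)
{
    return (size_t)atoi(content_length_hdr);
}
```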
------- Additional Comments From dom 2004-06-11 00:32:07 ----
Here's an SRPM, just in case:
http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/apache-1.3.27-5.legacy.src.rpm

test RPMS:
http://www-astro.physics.ox.ac.uk/~dom/legacy/i386/apache-1.3.27-5.legacy.i386.rpm
http://www-astro.physics.ox.ac.uk/~dom/legacy/i386/apache-devel-1.3.27-5.legacy.i386.rpm
http://www-astro.physics.ox.ac.uk/~dom/legacy/i386/apache-manual-1.3.27-5.legacy.i386.rpm

------- Additional Comments From marcdeslauriers 2004-06-11 13:51:40 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did some QA on Dominic's package:

6fb30e3b88a375ff3af0210590fa198d15297d38  apache-1.3.27-5.legacy.src.rpm

* Source matches previous apache release
* Patch matches upstream
* Spec file looks good
* Builds OK
* Installs OK
* Works OK

+ PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAykTpLMAs/0C4zNoRAm5YAKCbrmM0AZXA4tXBJXoNV/+FKyv2EACgl1Td
VeooMIOYi5qKEvT/JYt/4Xc=
=vPaL
-----END PGP SIGNATURE-----

------- Additional Comments From cra 2004-07-01 10:49:42 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Second QA on Dominic's package:

6fb30e3b88a375ff3af0210590fa198d15297d38  apache-1.3.27-5.legacy.src.rpm

* Only difference from previous release is the patch for CAN-2004-0492
* Builds OK
* Installs OK
* Works OK (basic testing with self-signed testcert)

+ PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFA5HiFw2eg+Um7WIYRArq6AKCdsXGP5fppwEOPGvpBoWA5R12FPwCeKoaz
PRlXEIW8SY05Xf+hC2RBSvY=
=zBxp
-----END PGP SIGNATURE-----

------- Additional Comments From michal 2004-07-11 17:00:39 ----
Created an attachment (id=766)
spec file used to recompile sources from apache-1.3.27-8.ent.src.rpm

Just a note that apache-1.3.27-8.ent.src.rpm includes the following (quotes from changelog with bug number references to https://bugzilla.redhat.com/bugzilla):

- mod_proxy: add security fix for Content-Length handling (CVE CAN-2004-0492)
- mod_proxy: fix redundant reverse DNS lookups (#122637)
- enable prctl/PR_SET_DUMPABLE if CoreDumpDirectory is used (Jeff Trawick)
- add fix for #98343 - avoid segfaults for timeouts on SSL connections

I attach a spec file used to recompile these sources on RH7.3. I did not turn on mod_auth_digest as it was absent in the original; also an alternate web server with a different stack size was left out.

------- Additional Comments From marcdeslauriers 2004-09-12 08:01:35 ----
There are already two QA's done on Dominic's package. I think this should go to updates-testing even though the rhel package fixed a couple of non-security issues. If people have been running apache on rh7.3 for this long with those bugs, they are either not affected by them or they are running their own version of apache.

------- Additional Comments From marcdeslauriers 2004-09-17 12:06:07 ----
Created an attachment (id=850)
Advisory draft text

Here is a draft of the advisory draft

------- Additional Comments From marcdeslauriers 2004-09-17 12:12:45 ----
Forget the advisory draft in this bug. This bug should be released at the same time and using the same draft text that will be in bug 1888

------- Additional Comments From dom 2004-09-29 01:11:16 ----
Personally I would rather have the advisories separate. They are different source packages and different issues; I don't see the reason behind having them bundled together.
------- Additional Comments From marcdeslauriers 2004-09-29 13:41:58 ----
Created an attachment (id=865)
Apache advisory draft

OK, here is the advisory text for apache only

------- Additional Comments From marcdeslauriers 2004-09-29 15:07:39 ----
pushed to updates-testing

------- Additional Comments From cra 2004-10-02 16:43:11 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA/Verify rh73 packages:

2e1f8e6bafbbbe02ac26ccc98b73631e62c889ce  apache-1.3.27-5.legacy.i386.rpm
27a716974163c739784e09992f1d84a1996041d9  apache-devel-1.3.27-5.legacy.i386.rpm
ab688996e12f0364a50b58c2b120d933b403ce6b  apache-manual-1.3.27-5.legacy.i386.rpm
e2fadeb9a430a5dbda28076cd850180fbb95c2b8  apache-1.3.27-5.legacy.src.rpm

- - good sigs from 1024D/731002FA 2004-01-19 Fedora Legacy (http://www.fedoralegacy.org) <secnotice>
- - good sha1sums
- - verified that these patches apply, as mentioned in changelog:
    Patch13: apache_1.3.31-CAN-2004-0492.patch
- - rpm-build-compare.sh shows no unintended changes between these pkgs and 1.3.27-4 except the following:
    Missing these auto-requires from /usr/bin/dbmmanage perl script:
      perl(AnyDBM_File)
      perl(Fcntl)
      perl(strict)
    (shouldn't be a problem, those modules come with our perl, and we already require /usr/bin/perl)
- - installs ok
- - tested with bz #1888 mod_ssl-2.8.12-6.legacy test update
- - works ok (http test page, https test page, virtual hosts for a few domains)

++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBX2bYw2eg+Um7WIYRAqUeAJsFHNBl9nYBljiMbzQqojHRjxS3AwCgjdke
iyvLlSN77Hso57rR9Y9Sz0E=
=7lh+
-----END PGP SIGNATURE-----

------- Additional Comments From ckelley 2004-10-13 09:07:56 ----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Binaries:
2e1f8e6bafbbbe02ac26ccc98b73631e62c889ce  apache-1.3.27-5.legacy.i386.rpm
27a716974163c739784e09992f1d84a1996041d9  apache-devel-1.3.27-5.legacy.i386.rpm
ab688996e12f0364a50b58c2b120d933b403ce6b  apache-manual-1.3.27-5.legacy.i386.rpm

Source:
e2fadeb9a430a5dbda28076cd850180fbb95c2b8  apache-1.3.27-5.legacy.src.rpm

- source builds fine
- binaries fuzzily match source build and redhat's apache-1.3.27-4
- package installs and starts up fine
- tested with perl/cgi, php and tomcat extensions; all seem fine

++VERIFY RH73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBbXzpyQ+yTHz+jJkRApPQAJ96JJqPidnx04Uio27gWICZ3zv6OgCeLSVF
xhFCRtdSzKGTWZF27zNwnCA=
=oVVP
-----END PGP SIGNATURE-----

------- Additional Comments From marcdeslauriers 2004-10-13 12:55:30 ----
Pushed to official updates.

------- Bug moved to this database by dkl 2005-03-30 18:25 -------

This bug previously known as bug 1737 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1737
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
spec file used to recompile sources from apache-1.3.27-8.ent.src.rpm
https://bugzilla.fedora.us/attachment.cgi?action=view&id=766
Advisory draft text
https://bugzilla.fedora.us/attachment.cgi?action=view&id=850
Apache advisory draft
https://bugzilla.fedora.us/attachment.cgi?action=view&id=865

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.