Bug 152781 - CAN-2004-0747,0786,0809 - httpd multiple vulnerabilities
Summary: CAN-2004-0747,0786,0809 - httpd multiple vulnerabilities
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: https://rhn.redhat.com/errata/RHSA-20...
Whiteboard: 1, LEGACY, rh90
Depends On:
Blocks:
Reported: 2004-09-15 05:57 UTC by David Lawrence
Modified: 2008-05-01 15:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description David Lawrence 2005-03-30 23:27:15 UTC
http://www.apacheweek.com/features/security-20

An issue was discovered in the mod_dav module which could be triggered for a
location where WebDAV authoring access has been configured. A malicious remote
client which is authorized to use the LOCK method could force an httpd child
process to crash by sending a particular sequence of LOCK requests. This issue
does not allow execution of arbitrary code, and will only result in a denial of
service where a threaded process model is in use.

Affects: 2.0.35 - 50

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809



------- Additional Comments From marcdeslauriers 2004-09-15 15:18:10 ----

There are a few more in httpd, we might as well lump them all in together:

IPv6 URI parsing can cause crash  CAN-2004-0786

Testing using the Codenomicon HTTP Test Tool performed by the Apache Software
Foundation security group and Red Hat uncovered an input validation issue in the
IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a
request including a carefully crafted URI, an httpd child process could be made
to crash. On some BSD systems it is believed this flaw may be able to lead to
remote code execution.

Environment variable expansion flaw CAN-2004-0747

The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the
expansion of environment variables during configuration file parsing. This issue
could allow a local user to gain the privileges of a httpd child if a server can
be forced to parse a carefully crafted .htaccess file written by a local user.

WebDAV remote crash CAN-2004-0809

An issue was discovered in the mod_dav module which could be triggered for a
location where WebDAV authoring access has been configured. A malicious remote
client which is authorized to use the LOCK method could force an httpd child
process to crash by sending a particular sequence of LOCK requests. This issue
does not allow execution of arbitrary code, and will only result in a denial of
service where a threaded process model is in use.

See:

https://rhn.redhat.com/errata/RHSA-2004-463.html

CAN-2004-0751 referenced in Red Hat's advisory doesn't seem to apply to the
version of httpd in rh9.



------- Additional Comments From marcdeslauriers 2004-09-15 15:21:44 ----

See bug 1708. 



------- Additional Comments From fedora-legacy-bugzilla-2004 2004-09-15 16:18:30 ----

Some patches for 2.0.50 are in the following URL.

http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/



------- Additional Comments From marcdeslauriers 2004-09-15 16:56:44 ----

Looking through the code for apache 2.0.40, I can't seem to figure out how it
could be vulnerable to CAN-2004-0786. The code in question doesn't appear to do
IPv6 parsing and I'm not sure the test URLs in the patch would cause it to
crash. The apache security alerts page here:
http://www.apacheweek.com/features/security-20
does say that 2.0.40 is vulnerable though.

On top of that, the page says CAN-2004-0751 shouldn't apply to 2.0.40, but it
appears to me that it should.

Can someone check this out?



------- Additional Comments From fedora-legacy-bugzilla-2004 2004-09-15 17:17:53 ----

> On top of that, the page says CAN-2004-0751 shouldn't apply to 2.0.40,
> but it appears to me that it should.

I think so, too.  2.0.40 has very similar code.






------- Additional Comments From marcdeslauriers 2004-09-16 14:57:39 ----


Here are updated rpms for rh9:

CAN-2004-0786 doesn't seem to apply for 2.0.40.
CAN-2004-0751 looks like it does apply, so I put it in.

Changelog:
* Thu Sep 16 2004 Marc Deslauriers <marcdeslauriers>
2.0.40-21.14.legacy
- add security fixes for CVE CAN-2004-0747, CAN-2004-0751, CAN-2004-0809

d7bbb1d6140d5fc918f62a8d646055be2d55ffeb  httpd-2.0.40-21.14.legacy.i386.rpm
fa6f690b793de20bda48bab7262b474e76b5acd3  httpd-2.0.40-21.14.legacy.src.rpm
6adf5eac2cd4450da6f0d7ab7a3654e874d7f118  httpd-devel-2.0.40-21.14.legacy.i386.rpm
68b67b9d2236801627b2c64a1a69a2e87b4a859f  httpd-manual-2.0.40-21.14.legacy.i386.rpm
e11ba6d7f7b90dd211726550595095449e81e191  mod_ssl-2.0.40-21.14.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/httpd-2.0.40-21.14.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-2.0.40-21.14.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-devel-2.0.40-21.14.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-manual-2.0.40-21.14.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mod_ssl-2.0.40-21.14.legacy.i386.rpm




------- Additional Comments From marcdeslauriers 2004-09-22 17:42:56 ----

Argh...looks like an updated httpd for fc1 never made it out of updates-testing.
I guess we're going to have to release it.

While we're at it, we must patch the version in updates-testing for CAN-2004-0811.

I wonder if we're just better off to patch the 2.0.50 version that is in the
updates-released folder for fc1 instead of using the 2.0.51 in updates-testing,
as I seem to recall people having problems with it...any comments?



------- Additional Comments From tometzky.pl 2004-09-24 04:29:09 ----

Created an attachment (id=859)
Spec patch adding CAN-2004-0811 to httpd.spec-2.0.51-1.1

When I added the patch for CAN-2004-0811 to httpd-2.0.51-1.1 from FC
updates-testing (changes to spec file attached) I got the following warnings
in error-log when starting httpd:
| PHP Warning:	Function registration failed - duplicate name -
| ldap_connect in Unknown on line 0
| PHP Warning:	Function registration failed - duplicate name -
| ldap_close in Unknown on line 0
| PHP Warning:	Function registration failed - duplicate name -
| ldap_bind in Unknown on line 0
| PHP Warning:	Function registration failed - duplicate name -
| ldap_unbind in Unknown on line 0
[snip other ldap_* warnings]
| PHP Warning:	ldap:  Unable to register functions, unable to load
| in Unknown on line 0

Serving pages and PHP seems to work - I don't know if ldap in PHP works and I
don't know how to check, but in phpinfo() there is:
| ldap
| LDAP Support	enabled
| RCS Version	$Id: ldap.c,v 1.130.2.10 2004/06/01 21:05:33 iliaa Exp $
| Total Links	0/unlimited
| API Version	2004
| Vendor Name	OpenLDAP
| Vendor Version	20122 

I didn't check httpd-2.0.51-1.1 for this. My system is i386, FC1 upgraded from
RH8.




------- Additional Comments From tometzky.pl 2004-09-24 04:44:32 ----

Apropos #8
Forget it - my fault. I have forgotten to
# mv /etc/php.ini.rpmnew /etc/php.ini
after php upgrade.

My httpd-2.0.51-1.2 seems to work fine now.




------- Additional Comments From marcdeslauriers 2004-09-24 12:36:38 ----


Here are updated httpd packages to QA for FC1:
Please QA so we can release this ASAP.

Changelog:
* Fri Sep 24 2004 Marc Deslauriers <marcdeslauriers> 2.0.51-1.2.legacy
- fix 2.0.51 regression in Satisfy merging (CAN-2004-0811)
- ap_rgetline_core fix from Rici Lake

* Wed Sep 15 2004 Joe Orton <jorton> 2.0.51-1.1
- update to 2.0.51, including security fixes for:
 * core: CAN-2004-0747
 * mod_dav_fs: CAN-2004-0809
 * mod_ssl: CAN-2004-0751, CAN-2004-0748

Note to mach builders:
This spec file detects if a pie-enabled gcc is installed and turns on pie at
compile-time. We must check if this works in mach or not.

73b70a544afd2cc74f4f188c762267f23c4b1dd8  httpd-2.0.51-1.2.legacy.i386.rpm
4d0905646a9b947815887482c41bfe4986888871  httpd-2.0.51-1.2.legacy.src.rpm
cbb2ae2de9e83c8eb1703857d4ee8020a94264f6  httpd-devel-2.0.51-1.2.legacy.i386.rpm
388b5483ebb03d41b7c0b488bde21d2714c917ea  httpd-manual-2.0.51-1.2.legacy.i386.rpm
3c580789929a5ddec1623a09444e26ec38536400  mod_ssl-2.0.51-1.2.legacy.i386.rpm
6cfebc18e601bdf90b5d4eb90747affd5fd3808c  redhat-config-nfs-1.1.3-2.legacy.noarch.rpm
1f0816df60b01039c6bcbafa3b331abf30d420ce  redhat-config-nfs-1.1.3-2.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/1/httpd-2.0.51-1.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/httpd-2.0.51-1.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/httpd-devel-2.0.51-1.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/httpd-manual-2.0.51-1.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mod_ssl-2.0.51-1.2.legacy.i386.rpm





------- Additional Comments From rob.myers.edu 2004-09-25 04:34:14 ----


I did QA on the FC1 package:

4d0905646a9b947815887482c41bfe4986888871  httpd-2.0.51-1.2.legacy.src.rpm

- spec file looks good
- builds ok
- installs ok
- works ok
- source files identical to httpd-2.0.51-1.1 from updates testing
- patches straight out of apache cvs

looks ready to me, though I did not build in mach.



------- Additional Comments From sheltren.edu 2004-09-28 10:34:15 ----


d7bbb1d6140d5fc918f62a8d646055be2d55ffeb  httpd-2.0.40-21.14.legacy.i386.rpm
fa6f690b793de20bda48bab7262b474e76b5acd3  httpd-2.0.40-21.14.legacy.src.rpm
6adf5eac2cd4450da6f0d7ab7a3654e874d7f118  httpd-devel-2.0.40-21.14.legacy.i386.rpm
68b67b9d2236801627b2c64a1a69a2e87b4a859f  httpd-manual-2.0.40-21.14.legacy.i386.rpm
e11ba6d7f7b90dd211726550595095449e81e191  mod_ssl-2.0.40-21.14.legacy.i386.rpm

Tested RH 9 packages (as listed above):

Source RPM builds OK & new patches are applied 
Packages install OK
http/https tested OK
spec file looks OK

Publish++



------- Additional Comments From cra 2004-10-02 12:23:51 ----


QA on rh90 packages:

d7bbb1d6140d5fc918f62a8d646055be2d55ffeb  httpd-2.0.40-21.14.legacy.i386.rpm
fa6f690b793de20bda48bab7262b474e76b5acd3  httpd-2.0.40-21.14.legacy.src.rpm
6adf5eac2cd4450da6f0d7ab7a3654e874d7f118  httpd-devel-2.0.40-21.14.legacy.i386.rpm
68b67b9d2236801627b2c64a1a69a2e87b4a859f  httpd-manual-2.0.40-21.14.legacy.i386.rpm
e11ba6d7f7b90dd211726550595095449e81e191  mod_ssl-2.0.40-21.14.legacy.i386.rpm

- good sig from 1024D/40B8CCDA 2004-04-28 Marc Deslauriers <marcdeslauriers>
- verified that CVE CAN-2004-0748 patch does not apply to httpd 2.0.40
- verified that these patches apply, as mentioned in changelog:

        Patch75: httpd-2.0.40-CAN-2004-0488.patch
        Patch76: httpd-2.0.40-CAN-2004-0493.patch
        Patch77: httpd-2.0.40-CAN-2004-0747.patch
        Patch78: httpd-2.0.40-CAN-2004-0751.patch
        Patch79: httpd-2.0.46-CAN-2004-0809.patch

- rpm-build-compare.sh shows no unintended changes between these pkgs and
2.0.40-21.11.
- builds ok
- installs ok
- works ok (http test page, https test page)

++PUBLISH





------- Additional Comments From cra 2004-10-02 13:27:26 ----


QA on fc1 packages:

73b70a544afd2cc74f4f188c762267f23c4b1dd8  httpd-2.0.51-1.2.legacy.i386.rpm
4d0905646a9b947815887482c41bfe4986888871  httpd-2.0.51-1.2.legacy.src.rpm
cbb2ae2de9e83c8eb1703857d4ee8020a94264f6  httpd-devel-2.0.51-1.2.legacy.i386.rpm
388b5483ebb03d41b7c0b488bde21d2714c917ea  httpd-manual-2.0.51-1.2.legacy.i386.rpm
3c580789929a5ddec1623a09444e26ec38536400  mod_ssl-2.0.51-1.2.legacy.i386.rpm

- good sigs from 1024D/40B8CCDA 2004-04-28 Marc Deslauriers <marcdeslauriers>
- good sha1sums
- verified that these patches apply, as mentioned in changelog:

        Patch34: httpd-2.0.51-rgetline.patch
        Patch150: httpd-2.0.51-CAN-2004-0811.patch

- rpm-build-compare.sh shows no unintended changes between these pkgs and
2.0.51-1.1.

++PUBLISH




------- Additional Comments From marcdeslauriers 2004-10-02 14:49:28 ----

pushed to updates-testing



------- Additional Comments From cra 2004-10-02 19:50:27 ----


Testing rh90 packages:

61997e8996a1b23033ae454de71a9e91b055d1a8  httpd-2.0.40-21.15.legacy.i386.rpm
cf9f084087b218e92a0bfab70b3a609ab1d5000e  httpd-devel-2.0.40-21.15.legacy.i386.rpm
d066d847375e027c357b4d5d63da29e1b586c4eb  httpd-manual-2.0.40-21.15.legacy.i386.rpm
8f33bda286bf7ffd5bf3d50a7a31a0e90fa5b9ee  mod_ssl-2.0.40-21.15.legacy.i386.rpm
5937d27e764a0175af86f7e9932a8eca2c959641  httpd-2.0.40-21.15.legacy.src.rpm

- good sig from 1024D/731002FA 2004-01-19 Fedora Legacy
(http://www.fedoralegacy.org) <secnotice>
- good sha1sums
- rpm-build-compare.sh shows many extra symbols
- binaries are not stripped in 21.15.legacy as they were in 21.14.legacy

The mach build environment might be missing requirements of
/usr/lib/rpm/find-debuginfo.sh, such as eu-strip from the elfutils
package.

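A way to catch the unstripped-binaries finding above during package QA, added here as an example (not code from the thread or from Fedora Legacy): a minimal ELF section-header parser that reports an object as stripped when it carries no .symtab section, roughly the criterion file(1) applies, for both ELF32 (the i386 packages here) and ELF64. The build_elf images, the unstripped_in helper and the sample payload paths are constructed for illustration; in practice the payload would come from unpacking the .rpm with rpm2cpio and cpio.

```python
import struct

SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3

# Little-endian ELF header / section-header struct formats keyed by EI_CLASS; field order is the spec's.
_LAYOUT = {
    1: ("<16sHHIIIIIHHHHHH", "<IIIIIIIIII"),  # ELFCLASS32 (i386, as in the rh9/fc1 packages)
    2: ("<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ"),  # ELFCLASS64
}

def elf_sections(data):
    """Return [(section name, sh_type), ...] for every section header in an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elfclass, byteorder = data[4], data[5]
    if elfclass not in _LAYOUT or byteorder != 1:
        raise ValueError("only little-endian ELF32/ELF64 are handled here")
    ehdr_fmt, shdr_fmt = _LAYOUT[elfclass]
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    shdrs = [struct.unpack_from(shdr_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    # sh_offset is tuple index 4 and sh_size index 5; the .shstrtab section holds the names.
    names = data[shdrs[shstrndx][4]:shdrs[shstrndx][4] + shdrs[shstrndx][5]]
    return [(names[sh[0]:names.index(b"\0", sh[0])].decode(), sh[1]) for sh in shdrs]

def is_stripped(data):
    """Stripped means no .symtab section is present, roughly what file(1) reports as 'stripped'."""
    return not any(sh_type == SHT_SYMTAB for _, sh_type in elf_sections(data))

def unstripped_in(payload):
    """Given {path: bytes} from an unpacked package, list the ELF objects that are not stripped."""
    return [path for path, data in payload.items()
            if data[:4] == b"\x7fELF" and not is_stripped(data)]

def build_elf(elfclass, with_symtab):
    """Construct a minimal ELF image for testing (constructed data, not a real binary)."""
    ehdr_fmt, shdr_fmt = _LAYOUT[elfclass]
    ehsize, shentsize = struct.calcsize(ehdr_fmt), struct.calcsize(shdr_fmt)
    names = [b"", b".text", b".shstrtab"] + ([b".symtab"] if with_symtab else [])
    shstrtab = b"\0".join(names) + b"\0"
    text = b"\xc3" * 8                                   # placeholder code bytes
    shoff = ehsize + len(text) + len(shstrtab)           # section headers come last
    # (sh_type, sh_offset, sh_size) per section, in the order of `names`; zip drops the unused entry
    layout = [(0, 0, 0), (SHT_PROGBITS, ehsize, len(text)),
              (SHT_STRTAB, ehsize + len(text), len(shstrtab)), (SHT_SYMTAB, shoff, 0)]
    ident = b"\x7fELF" + bytes([elfclass, 1, 1]) + b"\0" * 9
    ehdr = struct.pack(ehdr_fmt, ident, 2, 3 if elfclass == 1 else 62, 1, 0, 0, shoff, 0,
                       ehsize, 0, 0, shentsize, len(names), 2)
    shdrs = b"".join(struct.pack(shdr_fmt, shstrtab.index(n + b"\0"), t, 0, 0, off, size,
                                 0, 0, 0, 0) for n, (t, off, size) in zip(names, layout))
    return ehdr + text + shstrtab + shdrs
```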




------- Additional Comments From marcdeslauriers 2004-10-03 05:00:42 ----

New packages were built to fix the stripped-binaries issue and will be pushed to
updates-testing at next sync.



------- Additional Comments From troels 2004-10-03 22:55:08 ----

2.0.51-1.4's "httpd-2.0.51-ssl50to51.patch" is different from the corresponding
patch in the httpd update for FC2 (2.0.51-2.7). I wonder if the difference is
important? Where did the patch for fedoralegacy's package come from?



------- Additional Comments From marcdeslauriers 2004-10-04 02:02:01 ----

It's Red Hat's patch. It came from the updated httpd package for FC1 that never
got out of updates-testing.

Original is available here:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/1/SRPMS/

I'll take a look at it tonight.



------- Additional Comments From marcdeslauriers 2004-10-04 11:54:04 ----

I took a look at the difference between the fc1 and fc2 patches, and the only
thing the fc2 patch does more is remove a function prototype that is no longer
needed and was forgotten. This doesn't have any impact on the fc1 packages; it
probably just generates a compiler warning when built.



------- Additional Comments From madhatter 2004-10-06 10:16:44 ----

testing
24afb48553b515210d3169791dcdd7d39a5d48d6 httpd-2.0.40-21.16.legacy.i386.rpm
3983d36be504848260d839f9da54987fd6ec5bc6 mod_ssl-2.0.40-21.16.legacy.i386.rpm
on RH9, with some moderately stiff throughput.  all is well.
 
++VERIFY




------- Additional Comments From rob.myers.edu 2004-10-08 05:48:50 ----

testing FC1 packages:

09af35f59d8bfd42a4b2988af5ce869e0daf4fcc  httpd-manual-2.0.51-1.4.legacy.i386.rpm
2c125be93507e8ed0e672f0459b06b719678264b  mod_ssl-2.0.51-1.4.legacy.i386.rpm
4e087267eecc22511da946cfa48bbc323eca06c9  httpd-2.0.51-1.4.legacy.i386.rpm
6e93aa37526472d11a8c2f31e58e89b920dac08c  httpd-devel-2.0.51-1.4.legacy.i386.rpm

seems to install and run well.

+VERIFY




------- Additional Comments From marcdeslauriers 2004-10-09 10:07:40 ----

Packages were released to updates.




------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug was previously known as bug 2068 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2068
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Spec patch adding CAN-2004-0811 to httpd.spec-2.0.51-1.1
https://bugzilla.fedora.us/attachment.cgi?action=view&id=859

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl. Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.



