Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 32194 - apache 1.3.29 fixes security flaw
Summary: apache 1.3.29 fixes security flaw
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://httpd.apache.org/dev/dist/Anno...
Whiteboard:
Keywords: SECURITY
Depends on:
Blocks:
 
Reported: 2003-10-28 08:31 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2003-11-21 00:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-10-28 08:31:04 UTC
from http://httpd.apache.org/dev/dist/Announcement


Apache 1.3.29 Major changes

Security vulnerabilities

* CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.
Comment 1 solar (RETIRED) gentoo-dev 2003-10-30 07:19:02 UTC
There's a thread on the mod_ssl user mailing list that suggests the existing
mod_ssl may work with apache 1.3.29

Noted there is mod_ssl 2.8.15 works fine with Apache 1.3.29

http://marc.theaimsgroup.com/?t=106743763400003&r=1&w=2
Comment 2 Martin Holzer (RETIRED) gentoo-dev 2003-10-30 07:34:27 UTC
waiting for tomorrow
2.8.16-apache-1.3.29 will be release
Comment 3 Martin Holzer (RETIRED) gentoo-dev 2003-11-02 10:55:09 UTC
1.3.29 is in cvs
Comment 4 solar (RETIRED) gentoo-dev 2003-11-02 15:18:37 UTC
ok I just bumped the mod_ssl to version mod_ssl-2.8.16 as ~arch

A GLSA can go out for this after some testing has been done. Please test
so it can be marked x86 (not ~arch) ASAP
Comment 5 petre rodan (RETIRED) gentoo-dev 2003-11-05 00:50:20 UTC
I'm not sure this hepls, but
just merged net-www/apache-1.3.29-r1 and net-www/mod_ssl-2.8.16 on 2 internal
servers and on 2 production servers and no poblems were encountered.
new confs were not used during testing.

tested stuff:
mod_php4, mod_ssl, mod_setenvif, mod_auth, mod_access, mod_rewrite, mod_alias,
mod_actions, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_mime, mod_log_config
Comment 6 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-11-21 00:41:17 UTC
GLSA 200310-03 sent ...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-03
- ---------------------------------------------------------------------------

          PACKAGE : net-www/apache
          SUMMARY : buffer overflow
             DATE : Tue Oct 28 16:43:46 UTC 2003
          EXPLOIT : local
VERSIONS AFFECTED : <apache-1.3.29
    FIXED VERSION : >=apache-1.3.29
              CVE : CAN-2003-0542 (under review at time of GLSA)

- ---------------------------------------------------------------------------

Quote from <http://httpd.apache.org/dev/dist/Announcement>:

   This version of Apache is principally a bug and security fix release.
   A partial summary of the bug fixes is given at the end of this document.
   A full listing of changes can be found in the CHANGES file.  Of
   particular note is that 1.3.29 addresses and fixes 1 potential
   security issue:

     o CAN-2003-0542 (cve.mitre.org)
       Fix buffer overflows in mod_alias and mod_rewrite which occurred if
       one configured a regular expression with more than 9 captures.

   We consider Apache 1.3.29 to be the best version of Apache 1.3 available
   and we strongly recommend that users of older versions, especially of
   the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
   releases will be made in the 1.2.x family.


SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/apache 1.x upgrade:

emerge sync
emerge -pv apache
emerge '>=net-www/apache-1.3.29'
emerge clean
/etc/init.d/apache restart


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/vGZWnt0v0zAqOHYRAnnUAKCf7j5ZciPl2A/lfT2G6re9L0ZjugCfQGYk
RyV+5R/BFsdAzsMYZp9dT8A=
=ym4e
-----END PGP SIGNATURE-----