Bug 109895 - net-www/{apache-1|mod_ssl}version bump apache-1.3.34 and mod_ssl-2.8.25-1.3.34
Summary: net-www/{apache-1|mod_ssl}version bump apache-1.3.34 and mod_ssl-2.8.25-1.3.34
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.apache.org/dist/httpd/Anno...
Whiteboard: B4? [noglsa] jaervosz
Duplicates: 113977
Reported: 2005-10-20 00:35 UTC by Andreas Korthaus
Modified: 2019-12-01 21:29 UTC (History)
Description Andreas Korthaus 2005-10-20 00:35:53 UTC
Apache 1.3.34 Major changes

Security vulnerabilities

The main security vulnerabilities addressed in 1.3.34 are:

    * If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks.
    * Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method.

New features

New features that relate to specific platforms:

    * None

New features that relate to specific platforms:

    * None

Bugs fixed

The following bugs were found in Apache 1.3.33 (or earlier) and have been fixed in Apache 1.3.34:

    * hsregex: Fix potential core dumping on 64 bit machines, such as AMD64. PR 31858.
    * mod_digest: Fix another nonce string calculation issue.

CHANGES: http://www.apache.org/dist/httpd/CHANGES_1.3
Announcement: http://www.apache.org/dist/httpd/Announcement1.3.html

Reproducible: Always
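The two mitigations from the announcement above, modelled in a small Python script (an added example, not Apache's or Gentoo's code; parse_head, normalize_headers, trace_status and the sample request are constructed here):

```python
import logging

log = logging.getLogger("apache-1.3.34-model")


def parse_head(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).
    headers is a list of (name, value) pairs in wire order, names case-preserved."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def normalize_headers(headers):
    """Apache 1.3.34 rule: when Transfer-Encoding is present, drop every
    Content-Length header so only one body-framing rule survives (RFC 2616 4.4).
    Returns (kept_headers, dropped_content_length_values)."""
    if not any(n.lower() == "transfer-encoding" for n, _ in headers):
        return list(headers), []
    kept, dropped = [], []
    for name, value in headers:
        if name.lower() == "content-length":
            dropped.append(value)
        else:
            kept.append((name, value))
    if dropped:
        log.warning("dropped Content-Length %s: Transfer-Encoding present", dropped)
    return kept, dropped


def trace_status(method, trace_enable="on"):
    """Model of TraceEnable [on|off|extended]: 'off' answers TRACE with 405,
    'on' and 'extended' echo the request (200). None for non-TRACE methods."""
    if method != "TRACE":
        return None
    return 405 if trace_enable == "off" else 200


# Constructed sample: a request carrying both framing headers (the ambiguous case).
SAMPLE = (b"POST /cgi-bin/form HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Content-Length: 13\r\n"
          b"Transfer-Encoding: chunked\r\n"
          b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    method, _, _, headers, body = parse_head(SAMPLE)
    print(normalize_headers(headers), trace_status("TRACE", "off"))
```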
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2005-11-29 20:35:04 UTC
*** Bug 113977 has been marked as a duplicate of this bug. ***
Comment 2 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-12-10 19:20:20 UTC
New versions in CVS.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-11 13:18:17 UTC
Arches please test and mark stable: 
 
apache-1.3.34 
mod_ssl-2.8.25 
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2005-12-12 08:08:12 UTC
sparc stable.
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-12 12:33:27 UTC
ppc, hppa done.
Comment 6 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-12-13 15:13:51 UTC
As kloeri just pointed out to me, we are still supporting the old-style apache
configuration for the time being.

I'm going to do the following:
apache-1.3.34 will get moved to apache-1.3.34-r10
mod_ssl-2.8.25 will get moved to mod_ssl-2.8.25-r10

I will add the following for the old-style configuration:
apache-1.3.34-r1
mod_ssl-2.8.25-r1

Please hold off on marking stable until I've gotten this taken care of.
Comment 7 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-12-13 20:50:09 UTC
Revisions for old-style and new-style are in the tree.

new-style:
apache-1.3.34-r10
mod_ssl-2.8.25-r10

old-style:
apache-1.3.34-r1
mod_ssl-2.8.25-r1

The GLSA if issued will need to provide upgrade instructions for both old-style
and new-style.

Previous versions:
old-style is any version of apache lower than 1.3.33-r10 and mod_ssl-2.8.24
new-style is any version of apache 1.3.33-r10 and above and mod_ssl-2.8.24-r1
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2005-12-14 16:22:53 UTC
Stable on alpha, ia64 and x86.
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-19 09:59:38 UTC
re-cc'ing previously stabled arches to mark the new ebuild revisions stable because of the old/new-style config system (see comment #6 and #7).
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-12-19 11:26:49 UTC
You missed the Ccs...
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-19 12:04:22 UTC
Stable on ppc and hppa.
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2005-12-19 12:44:59 UTC
sparc stable.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-12-20 02:44:10 UTC
amd64 done, ppc64 was forgotten
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2005-12-21 10:22:38 UTC
stable on ppc64
Comment 15 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-21 12:21:21 UTC
Ready for GLSA vote. Tend to say no here.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-21 13:30:39 UTC
I tend to vote NO too.
Comment 17 Danny van Dyk (RETIRED) gentoo-dev 2005-12-21 18:29:22 UTC
I'm sorry guys, somehow my post about stabilizing didn't reach bugzilla :-/
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-12-23 00:25:30 UTC
Voting no and closing.