Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 32271

Summary: New ebuild needed for apache-2.0.48 which has 2 security fixes
Product: Gentoo Security Reporter: Haroon Rafique <corporate_gadfly>
Component: GLSA ErrorsAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: blocker CC: rajiv, security, web-apps
Priority: High Keywords: SECURITY
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 29893, 32366    
Attachments: apache init patch

Description Haroon Rafique 2003-10-29 07:02:48 UTC
New ebuild needed for apache-2.0.48. Here's the link to the new announced release of 2.0.48:

http://www.apache.org/dist/httpd/Announcement2.html

A couple of security vulnerability fixes and bunch of bug fixes.
Comment 1 Donny Davies (RETIRED) gentoo-dev 2003-10-29 11:16:47 UTC
I will add this tonight.

Stu -- if I add 2.0.48 un-arch-masked into the tree, then we'll be on
the new --datadir from here on.  That's ok with you you?

I would prefer Apache related bugs to be assigned to the Apache
web-apps herd.  If its security related, add security@g.o to the
CC list.

Comment 2 Donny Davies (RETIRED) gentoo-dev 2003-10-29 23:37:01 UTC
Needless to say I didnt check it in yet, but do have it finished over here
and will commit tomorrow; got sidetracked by a segfaulting mod_php.
Comment 3 Stuart Herbert (RETIRED) gentoo-dev 2003-10-30 01:01:08 UTC
Donny - that's okay with me.

Stu
Comment 4 solar (RETIRED) gentoo-dev 2003-10-30 09:46:20 UTC
Donny,

Please reassign back to security@ and change "Product:" to "Gentoo GLSA"
when we are all good to go..

Thanks
Comment 5 Donny Davies (RETIRED) gentoo-dev 2003-10-30 09:54:44 UTC
This is a real song and dance we have going on here.

2.0.48 is 'x86' and in-the-tree.

Comment 6 Kurt Lieber (RETIRED) gentoo-dev 2003-10-30 11:26:42 UTC
Created attachment 19986 [details, diff]
apache init patch
Comment 7 Kurt Lieber (RETIRED) gentoo-dev 2003-10-30 11:27:19 UTC
bah -- the above patch fixes a bug with the init script that causes apache
to fail to start with the following error:

env: start-stop-daemon: No such file or directory                     [!!]
Comment 8 Kurt Lieber (RETIRED) gentoo-dev 2003-10-30 11:29:30 UTC
marking as blocker.
Comment 9 Donny Davies (RETIRED) gentoo-dev 2003-10-30 11:58:15 UTC
Oops, yes you're right; fixed.


Comment 10 solar (RETIRED) gentoo-dev 2003-10-30 12:26:41 UTC
Donny,

I just did a cvs update and noticed that it's not quite right yet.

env -i /sbin/start-stop-daemon
should be
env -i PATH=$PATH /sbin/start-stop-daemon
Comment 11 Donny Davies (RETIRED) gentoo-dev 2003-10-30 12:42:17 UTC
Is it really broken?  Please update it if you wish, but its "workingforme".
Comment 12 Martin Holzer (RETIRED) gentoo-dev 2003-10-30 12:58:38 UTC
please add

--retry 5 

like in mysql:
start-stop-daemon --stop --retry 5 --quiet
Comment 13 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-10-30 23:26:46 UTC
just fixed the init scripts (with solar's PATH=$PATH) in cvs.
Comment 14 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-10-31 01:13:10 UTC
to-do in comment #12 moved to bug #32366.


GLSA 200310-04 sent as:


---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-04
---------------------------------------------------------------------------

          PACKAGE : net-www/apache
          SUMMARY : buffer overflow
             DATE : Fri Oct 31 07:59:00 UTC 2003
          EXPLOIT : local
VERSIONS AFFECTED : <apache-2.0.48
    FIXED VERSION : >=apache-2.0.48
       GENTOO BUG : http://bugs.gentoo.org/show_bug.cgi?id=32271
              CVE : CAN-2003-0789 CAN-2003-0542

---------------------------------------------------------------------------

Quote from <http://www.apache.org/dist/httpd/Announcement2.html>:

    This version of Apache is principally a bug fix release. A summary of
    the bug fixes is given at the end of this document. Of particular note
    is that 2.0.48 addresses two security vulnerabilities:

    mod_cgid mishandling of CGI redirect paths could result in CGI output
    going to the wrong client when a threaded MPM is used.
    [CAN-2003-0789]
    
    A buffer overflow could occur in mod_alias and mod_rewrite when a
    regular expression with more than 9 captures is configured.
    [CAN-2003-0542]
    
    This release is compatible with modules compiled for 2.0.42 and later
    versions. We consider this release to be the best version of Apache
    available and encourage users of all prior versions to upgrade.


SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/apache 2.x upgrade:

emerge sync
emerge '>=net-www/apache-2.0.48'
emerge clean

Please remember to update your config files in /etc/apache2
as --datadir has been changed to /var/www/localhost.

Note that a forthcoming GLSA-200310-03 will address similar issues
in Apache 1.x.


// end