Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 45206

Summary: security vulnerabilities in Apache 2.0.48
Product: Gentoo Security Reporter: gen2daniel <gen2daniel>
Component: GLSA ErrorsAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: m.debruijne, vorlon, web-apps
Priority: Highest Keywords: SECURITY
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.apacheweek.com/features/security-20
Whiteboard:
Package list:
Runtime testing required: ---

Description gen2daniel 2004-03-20 04:27:44 UTC
Fixed in Apache httpd 2.0.49

    listening socket starvation CAN-2004-0174

    A starvation issue on listening sockets occurs when a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. This issue is known to affect some versions of AIX, Solaris, and Tru64; it is known to not affect FreeBSD or Linux.
    Affects: 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

    mod_ssl memory leak CAN-2004-0113

    A memory leak in mod_ssl allows a remote denial of service attack against an SSL-enabled server by sending plain HTTP requests to the SSL port.
    Affects: 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

    Error log escape filtering CAN-2003-0020

    Apache does not filter terminal escape sequences from error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
    Affects: 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35
Comment 1 Aida Escriva-Sammer (RETIRED) gentoo-dev 2004-03-20 09:31:52 UTC
Would someone in this herd put together an ebuild for 2.0.49? Thanks.
Comment 2 Aida Escriva-Sammer (RETIRED) gentoo-dev 2004-03-22 09:35:20 UTC
Would someone give either some sort of status or acknowledgment of this bug? 
Comment 3 solar (RETIRED) gentoo-dev 2004-03-22 09:57:34 UTC
If >=48 hrs we can bump it.

tseng@g.o said he will test/see if 
apache-2.0.48-r4.ebuild can be bumped cleanly to 2.0.49

I'll ask him to post his comments to this bug #
Comment 4 Brandon Hale (RETIRED) gentoo-dev 2004-03-22 10:03:06 UTC
There are distro specific patches here .... apache-2.0.48-export.diff does not apply.

  apache-2.0.48-r3.ebuild, files/apache-2.0.48-export.diff:
  Added export patch to fix compilation on some boxes. #32588.
  Reported by marco@md2.ath.cx. Pointer from Chris Nott.

The second patch, apache-2.0.48-gentoo.diff applies w/ some offsets and likely needs cleaned up. Where is the webapps herd?
Comment 5 Brandon Hale (RETIRED) gentoo-dev 2004-03-22 10:37:02 UTC
Apache otherwise builds with this ebuild, but the patches definately need cleaned up.
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2004-03-22 11:12:37 UTC
Sorry.  Been laid up this last weekend.  Bug wouldn't have made it through my bugzilla filter anyway, sorry.

I'm doing the version bump as we speak, and I'll update this bug once it's done.

Best regards,
Stu
Comment 7 Stuart Herbert (RETIRED) gentoo-dev 2004-03-22 13:19:22 UTC
Okay, apache-2.0.49 is now in the tree.  Over to you guys to do whatever it is you need to do ;-)

Best regards,
Stu
Comment 8 Tim Yamin (RETIRED) gentoo-dev 2004-03-22 13:29:31 UTC
Arch-Maintainers: Can you please test out net-www/apache-2.0.49 and mark it stable so this is ready for a GLSA release. Thanks in advance; and thanks for updating this Stuart.
Comment 9 Jason Wever (RETIRED) gentoo-dev 2004-03-22 20:34:25 UTC
Stable on sparc.
Comment 10 Jon Portnoy (RETIRED) gentoo-dev 2004-03-22 20:52:56 UTC
And amd64.
Comment 11 solar (RETIRED) gentoo-dev 2004-03-23 09:27:39 UTC
Thank you for testing and marking stable on sparc & amd64.

How about the rest of you arch maintainers. Whats going on here?

Current status is.
KEYWORDS="~x86 ~ppc ~alpha ~hppa ~mips sparc amd64"
Comment 12 Luca Barbato gentoo-dev 2004-03-23 10:13:13 UTC
building on ppc right now.
Comment 13 Ciaran McCreesh 2004-03-23 10:51:34 UTC
There is no stable apache on mips, so surely .49 can remain ~mips'ed?
Comment 14 Aron Griffis (RETIRED) gentoo-dev 2004-03-23 16:23:14 UTC
all set on alpha and ia64.
remaining are x86, hppa and mips (though it sounds like mips might not matter since there's no stable version in portage)
Comment 15 Brandon Hale (RETIRED) gentoo-dev 2004-03-23 17:34:15 UTC
Stable on x86, KEYWORDS updated.
Comment 16 Stuart Herbert (RETIRED) gentoo-dev 2004-03-23 22:53:54 UTC
Hrm ... if you take a look at 45418, you'll see that at least one user is unable to compile apache-2.0.49 on x86.

Best regards,
Stu
Comment 17 solar (RETIRED) gentoo-dev 2004-03-24 11:10:36 UTC
Re #16
Do you think that should hold us up from sending out the GLSA today?
Comment 18 Stuart Herbert (RETIRED) gentoo-dev 2004-03-24 12:41:03 UTC
Having thought about it ... send out the GLSA.

Best regards,
Stu
Comment 19 Andrew Ross (RETIRED) gentoo-dev 2004-03-25 16:46:14 UTC
I think there's a mistake in the GLSA (at least in the copy sent to gentoo-account and posted to the forums - http://forums.gentoo.org/viewtopic.php?t=153486).

[begin quote]
# If you are migrating from Apache 2.0.48-r1 or earlier versions,
# it is important that the following directories are removed.
# The following commands should cause no data loss since these
# are symbolic links.

# rm /etc/apache2/lib /etc/apache2/logs /etc/apache2/modules
# rm /etc/apache2/modules
[end quote]

Shouldn't that last line be "rm /etc/apache2/extramodules" instead?
Comment 20 Andrew Ross (RETIRED) gentoo-dev 2004-03-25 16:47:54 UTC
sorry, meant to type "gentoo-announce" - not "gentoo-account" (I have the same problem trying to type "myself" - somehow it always comes out as "mysql"!)
Comment 21 solar (RETIRED) gentoo-dev 2004-03-25 16:57:11 UTC
portage updated, GLSA sent, Closing bug.

If you have problems with apache or any of it's runtime behaviors 
and or install problems please search and file a new bug if needed.