| Summary: | net-www/apache <=2.0.50: input filter bug in mod_ssl | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matthias Geerdsen (RETIRED) <vorlon> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | apache-bugs, cycloon, hanno, lyz27, magnet, robbat2, zul |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://rhn.redhat.com/errata/RHSA-2004-349.html | | |
| Whiteboard: | A3 [glsa] vorlon | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 63948, 64145 | | |

Description
Matthias Geerdsen (RETIRED)
2004-09-02 07:48:18 UTC
*** Bug 62623 has been marked as a duplicate of this bug. ***

Zul: this one is for you. 2.0.50-r1 is needed :)

zul is not responding, please bump.

Please assign Apache security bugs to the apache herd next time ;-) Best regards, Stu

Thanks to ferringb's help to work around a repoman bug, apache-2.0.50-r1 is now in the tree, and ready for the arch teams to do their stuff. Best regards, Stu

Arches please mark apache-2.0.50-r1 stable

sparc stable.

ppc stable

x86 stable

Stable on alpha.

amd64/arm/hppa/ia64 stable now ... was there a particular reason 2.0.50-r1 didn't have ~ KEYWORDS in them ? i would have noticed the upgrade on all my machines a lot earlier if it had ...

Stable on mips.

This only fixed CAN-2004-0748 afaik. There is still CAN-2004-0751 as mentioned in the debian changelog and this Secunia advisory: http://secunia.com/advisories/12434/ Debian seems to patch CAN-2004-0751 with "diff -u -r1.125 -r1.126" as proposed in http://issues.apache.org/bugzilla/show_bug.cgi?id=30134

apache-bugs please confirm that CAN-2004-0751 is also fixed or apply patches. Secunia propose these two patches to fix the issues:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.121&r2=1.122
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126

*** Bug 63605 has been marked as a duplicate of this bug. ***

Patches updated; added to apache-2.0.50-r2. Best regards, Stu

arches, please mark apache-2.0.50-r2 stable
current KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
target KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"

Sparc stable.

stable on ppc

Stable on hppa.

Stable on amd64

Arches: due to bug 63948, we'll have to issue a new rev for Apache2, so you can stop testing the current one... Sorry about that.

2.0.50-r3 is in... that version should be marked stable to also fix bug 63948

Sparc done with -r3.

stable on ppc.

stable on amd64.

Apache herd: i get 13 file.size complaints from repoman FYI ! You've got around 450kB uncompressed patches in the tree ! (and that's only the sum of those files which are larger than 20kb)

Stable on hppa.

x86 and amd64 please mark apache-2.0.50-r3 stable
x86, please also mark net-www/mod_dav-1.0.3-r2 stable for bug #63948, so that a GLSA for these issues can be sent, since this bug was opened 2004-09-02
---
status apache-2.0.50-r2 :
current KEYWORDS="~alpha ~amd64 arm hppa ia64 ~mips ppc ~ppc64 sparc ~x86"
target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc s390 x86"
---
btw net-www/mod_dav-1.0.3-r2 is marked ~amd64 which just got introduced in this revision

-r3 is stable on amd64.

apache-2.0.51 is now in the tree. We need another round of stable marking, and I suggest the GLSA goes out suggesting everyone goes from .50 straight to .51. Best regards, Stu

Welcome to a new round of stable marking... Thanks to bug #64145 it's time for a run on apache-2.0.51.
current KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc s390 x86"
Better hurry before the next one comes... ;-)

stable on ppc

Stable on x86.

Kugelfang reports that -51 doesn't start on amd64, but he's had no time to investigate why. So atm we don't know whether it's a config problem or a code problem. Best regards, Stu

apache-2.0.51 sparc stable.

x86 has both apache 2.0.51 and mod_dav 1.0.3-r2 stable..

Kugelfang marked 2.0.51 on amd64, this is GLSA-ready

GLSA 200409-21

alpha arm hppa ia64 mips ppc64 s390 : please mark stable to benefit from GLSA

Forced quick stabilisation on hppa ...

ppc64 stable.

Stable on alpha.

mips stable.