Bug 64804

Summary: net-www/apache-2.0.51: Merging of the Satisfy Directive
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Paul Querna <pquerna>
Assignee: Gentoo Security <security>
CC: apache-bugs, pvdabeel
Status: RESOLVED FIXED
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0811
Whiteboard: A3 [stable] krispy
Package list:
Runtime testing required: ---

Attachments (description, flags):
- net-www/apache/files/patches/2.0.51-r1/00_satisfy_merge.patch (flags: none)
- apache-2.0.51-r1.ebuild (flags: none)
- Patch for 2.0.51 -> r1 (flags: none)

Description Paul Querna 2004-09-20 15:49:13 UTC
CAN-2004-0811

Fix merging of the Satisfy directive, which was applied to 
the surrounding context and could allow access despite configured
authentication.

Fixed in Apache CVS:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/core.c?r1=1.285&r2=1.286

Apache PR #31315:
http://issues.apache.org/bugzilla/show_bug.cgi?id=31315

Updated Apache-2.0.51 ebuild coming in a minute.
Comment 1 Paul Querna 2004-09-20 15:52:43 UTC
Created attachment 40040 [details, diff]
net-www/apache/files/patches/2.0.51-r1/00_satisfy_merge.patch

Fixes Merging of Satisfy Directives.
Comment 2 Paul Querna 2004-09-20 15:59:03 UTC
Created attachment 40041 [details]
apache-2.0.51-r1.ebuild

Applies supplied patch fixing bug.
Comment 3 Paul Querna 2004-09-20 16:13:27 UTC
Created attachment 40043 [details, diff]
Patch for 2.0.51 -> r1

Added a patch for the ebuild, instead of the full thing...
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2004-09-21 02:34:12 UTC
Apache 2.0.51-r1 is in the tree, and ready for testing on all arches.

Best regards,
Stu
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-21 02:56:40 UTC
arches, please mark stable:

current KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"
Comment 6 Jochen Maes (RETIRED) gentoo-dev 2004-09-21 06:54:08 UTC
stable on ppc
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-21 07:39:19 UTC
Sparc stable.
Comment 8 SpanKY gentoo-dev 2004-09-21 08:46:09 UTC
amd64/arm/hppa/ia64 stable now
Comment 9 Joshua Kinard gentoo-dev 2004-09-22 00:34:38 UTC
Stable on mips.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-22 02:59:33 UTC
Stable on alpha.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-09-22 08:24:29 UTC
Reassigning product/component
Comment 12 Olivier Crete (RETIRED) gentoo-dev 2004-09-23 15:06:55 UTC
Stable on x86
Comment 13 Dan Margolis (RETIRED) gentoo-dev 2004-09-23 22:04:07 UTC
GLSA 200409-33
Comment 14 Dan Margolis (RETIRED) gentoo-dev 2004-10-06 12:42:42 UTC
*** Bug 66551 has been marked as a duplicate of this bug. ***
Comment 15 Tom Gall (RETIRED) gentoo-dev 2004-10-09 11:52:27 UTC
done via superseded 2.0.52 which is marked stable on ppc64