From Apache Foundation Earlier today:

Apache 2.0.46 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the ninth public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.46 as compared to 2.0.45.

This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.46 addresses two security vulnerabilities:

Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in certain circumstances. This can be triggered remotely through mod_dav and possibly other mechanisms. The crash was originally reported by David Endler <DEndler@iDefense.com> and was researched and fixed by Joe Orton <jorton@redhat.com>. Specific details and an analysis of the crash will be published Friday, May 30. No more specific information is disclosed at this time, but all Apache 2.0 users are encouraged to upgrade now.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]

Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable to a denial-of-service attack on the basic authentication module, which was reported by John Hughes <john.hughes@entegrity.com>. A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r(), including AIX and Linux. All versions of Apache 2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. When using a threaded MPM (which is not the default on these platforms), this allows remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. We do not believe this bug could allow unauthorized users to gain access to protected resources.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]
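The crypt() versus crypt_r() distinction in the announcement above, as an added illustration (not code from Apache, APR or the Gentoo patch): crypt() returns a pointer to one static buffer, so a second caller can overwrite a result before the first caller compares it. All function names here are hypothetical, toy_hash is a stand-in rather than a real password hash, and the overlap between two workers is simulated in a single thread so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define HASH_LEN 17  /* 16 hex digits + NUL */

/* Toy FNV-1a hash standing in for the real password hash (assumption; not crypt(3), not secure). */
static void toy_hash(const char *pw, const char *salt, char out[HASH_LEN])
{
    unsigned long long h = 1469598103934665603ULL;
    for (const char *p = salt; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    for (const char *p = pw; *p; p++)   { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    snprintf(out, HASH_LEN, "%016llx", h);
}

/* crypt()-style interface: the result lives in one buffer shared by every caller. */
static char *hash_static(const char *pw, const char *salt)
{
    static char buf[HASH_LEN];
    toy_hash(pw, salt, buf);
    return buf;
}

/* Non-reentrant validation. `other` models a second worker thread that hashes a
   different password between our hash call and our comparison (NULL = no overlap). */
int validate_shared(const char *pw, const char *salt, const char *stored, const char *other)
{
    char *mine = hash_static(pw, salt);
    if (other) hash_static(other, salt);   /* overwrites the buffer `mine` points to */
    return strcmp(mine, stored) == 0;
}

/* crypt_r()-style validation: each caller supplies its own result storage. */
int validate_reentrant(const char *pw, const char *salt, const char *stored, const char *other)
{
    char mine[HASH_LEN], theirs[HASH_LEN];
    toy_hash(pw, salt, mine);
    if (other) toy_hash(other, salt, theirs);  /* cannot touch `mine` */
    return strcmp(mine, stored) == 0;
}

int main(void)
{
    char stored[HASH_LEN];
    toy_hash("s3cret-constructed", "ab", stored);   /* constructed sample credential */
    printf("shared, no overlap:    %d\n", validate_shared("s3cret-constructed", "ab", stored, NULL));
    printf("shared, overlapped:    %d\n", validate_shared("s3cret-constructed", "ab", stored, "guess"));
    printf("reentrant, overlapped: %d\n", validate_reentrant("s3cret-constructed", "ab", stored, "guess"));
    return 0;
}
```

With the shared buffer, the correct password is rejected whenever another hash call lands between hashing and comparison; with caller-owned storage it is accepted regardless of overlap.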
Created attachment 12508
Potential gentoo-patch for 2.0.46 ebuild.

The ebuild works when renamed to apache2-2.0.46.ebuild but the patch didn't apply cleanly. This should be an equivalent patch. No particular testing of this yet, but it does build and install.
I've already done this.