posted to vendor-sec. (it's a public bug -- we're cleared to discuss it openly)

------------------------------------------------------------------

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183 describes a remotely triggerable NULL pointer dereference in mod_dav. It affects the mod_dav shipped in Apache httpd 2.0 and mod_dav 1.0.x also.

Simple segfaults like this are "interesting" if you ship 2.0 with a threaded MPM since in a threaded model a segfault takes out a whole process, and can possibly deny service to the whole server if you use (e.g.) pthread mutexes for accept() serialisation, and kill the process while a thread has the mutex locked.

This is assigned CVE CAN-2004-0809. The fix is here: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/dav/fs/lock.c?r1=1.32&r2=1.33
apache guys, please apply patch.
This is related to bug 62626. We should probably only issue one GLSA for both, titled "Apache2, mod_dav: Multiple Denial of Service vulnerabilities".
Okay, apache-2.0.50-r3 is now in the tree to address this vulnerability. Ready for marking stable on arches. Best regards, Stu
Arches called for stable on bug 62626. Stuart : We also need a new net-www/mod_dav version for Apache 1 users... :)
net-www/mod_dav-1.0.3-r1 already has the dp_scan code in place and isn't susceptible to this problem.
My bad, the code was there. Fixed and committed -r2 for mod_dav.
Arches, please test and mark mod_dav-1.0.3-r2 stable.
Sparc stable.
ppc stable
now stable on x86.
waiting for testing and stable marking of apache-2.0.51 on bug #62626 (amd64)
GLSA 200409-21