Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 64145 - net-www/apache-2: More vulnerabilities fixed in 2.0.51
Summary: net-www/apache-2: More vulnerabilities fixed in 2.0.51
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.apacheweek.com/features/se...
Whiteboard: A3 [stable] vorlon
Keywords:
Depends on: 62626
Blocks:
  Show dependency tree
 
Reported: 2004-09-15 09:19 UTC by Sune Kloppenborg Jeppesen
Modified: 2011-10-30 22:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2004-09-15 09:19:47 UTC
IPv6 URI parsing can cause crash CAN-2004-0786 

Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. One some BSD systems it is believed this flaw may be able to lead to remote code execution. 

Affects: 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

 

Environment variable expansion flaw CAN-2004-0747 

The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain the privileges of a httpd child if a server can be forced to parse a carefully crafted .htaccess file written by a local user. 

Affects: 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

---

Patches are here:

http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-15 09:25:27 UTC
No, not again...
Stuart : a 2.0.51 ebuild would be nice :)
Comment 2 Stuart Herbert (RETIRED) gentoo-dev 2004-09-15 15:42:39 UTC
Done.  Might as well combine this w/ 62626 tbh now.

Best regards,
Stu
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-16 00:49:48 UTC
stable marking being handled in bug #62626
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 13:59:11 UTC
GLSA 200409-21