Bug 64804 - net-www/apache-2.0.51: Merging of the Satisfy Directive
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: A3 [stable] krispy
Duplicates: 66551
Reported: 2004-09-20 15:49 UTC by Paul Querna
Modified: 2011-10-30 22:37 UTC (History)


Attachments
net-www/apache/files/patches/2.0.51-r1/00_satisfy_merge.patch (00_satisfy_merge.patch, 742 bytes, patch)
2004-09-20 15:52 UTC, Paul Querna
apache-2.0.51-r1.ebuild (apache-2.0.51-r1.ebuild, 12.58 KB, text/plain)
2004-09-20 15:59 UTC, Paul Querna
Patch for 2.0.51 -> r1 (apache-2.0.51-r1.patch, 731 bytes, patch)
2004-09-20 16:13 UTC, Paul Querna

Description Paul Querna 2004-09-20 15:49:13 UTC
CAN-2004-0811

Fix merging of the Satisfy directive, which was applied to 
the surrounding context and could allow access despite configured
authentication.

Fixed in Apache CVS:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/core.c?r1=1.285&r2=1.286

Apache PR #31315:
http://issues.apache.org/bugzilla/show_bug.cgi?id=31315

Updated Apache-2.0.51 ebuild coming in a minute.
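
A simplified C model of this kind of merge flaw, added here as an illustration; it is not taken from this report, the attached patch, or Apache's core.c. It assumes the cause was a merged configuration sharing the surrounding section's per-method Satisfy array; dir_conf, merge_flawed, merge_fixed and METHODS = 4 are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model with hypothetical names; not Apache's core.c. */
enum { SATISFY_ALL, SATISFY_ANY, SATISFY_NOSPEC };
#define METHODS 4 /* constructed value for the model */

typedef struct { int *satisfy; } dir_conf; /* per-method Satisfy setting */

static dir_conf *new_conf(int value) {
    dir_conf *c = malloc(sizeof *c);
    c->satisfy = malloc(METHODS * sizeof *c->satisfy);
    for (int i = 0; i < METHODS; ++i) c->satisfy[i] = value;
    return c;
}

/* Flawed merge: the struct copy keeps base's array pointer, so the inner
 * section's Satisfy is written into the surrounding context as well. */
static dir_conf *merge_flawed(const dir_conf *base, const dir_conf *add) {
    dir_conf *conf = malloc(sizeof *conf);
    memcpy(conf, base, sizeof *conf);
    for (int i = 0; i < METHODS; ++i)
        if (add->satisfy[i] != SATISFY_NOSPEC) conf->satisfy[i] = add->satisfy[i];
    return conf;
}

/* Corrected merge: the merged config gets its own array; base is read-only. */
static dir_conf *merge_fixed(const dir_conf *base, const dir_conf *add) {
    dir_conf *conf = malloc(sizeof *conf);
    conf->satisfy = malloc(METHODS * sizeof *conf->satisfy);
    for (int i = 0; i < METHODS; ++i)
        conf->satisfy[i] = add->satisfy[i] != SATISFY_NOSPEC ? add->satisfy[i]
                                                             : base->satisfy[i];
    return conf;
}

/* Outer section: Satisfy All (auth required). Inner section: Satisfy Any.
 * Returns the outer section's setting after the inner one is merged. */
int outer_after_merge(int use_fixed) {
    dir_conf *outer = new_conf(SATISFY_ALL), *inner = new_conf(SATISFY_ANY);
    dir_conf *merged = (use_fixed ? merge_fixed : merge_flawed)(outer, inner);
    int result = merged->satisfy[0] == SATISFY_ANY ? outer->satisfy[0] : -1;
    return result; /* allocations are left to process exit in this model */
}

int main(void) {
    printf("flawed: outer=%d fixed: outer=%d\n",
           outer_after_merge(0), outer_after_merge(1));
    return 0;
}
```

With the flawed merge the outer section ends up as Satisfy Any, so a host-based allow rule alone is enough and the configured authentication is no longer enforced there.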
Comment 1 Paul Querna 2004-09-20 15:52:43 UTC
Created attachment 40040
net-www/apache/files/patches/2.0.51-r1/00_satisfy_merge.patch

Fixes Merging of Satisfy Directives.
Comment 2 Paul Querna 2004-09-20 15:59:03 UTC
Created attachment 40041
apache-2.0.51-r1.ebuild

Applies supplied patch fixing bug.
Comment 3 Paul Querna 2004-09-20 16:13:27 UTC
Created attachment 40043
Patch for 2.0.51 -> r1

Added a patch for the ebuild, instead of the full thing...
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2004-09-21 02:34:12 UTC
Apache 2.0.51-r1 is in the tree, and ready for testing on all arches.

Best regards,
Stu
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-21 02:56:40 UTC
arches, please mark stable:

current KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"
Comment 6 Jochen Maes (RETIRED) gentoo-dev 2004-09-21 06:54:08 UTC
stable on ppc
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-21 07:39:19 UTC
Sparc stable.
Comment 8 SpanKY gentoo-dev 2004-09-21 08:46:09 UTC
amd64/arm/hppa/ia64 stable now
Comment 9 Joshua Kinard gentoo-dev 2004-09-22 00:34:38 UTC
Stable on mips.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-22 02:59:33 UTC
Stable on alpha.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-09-22 08:24:29 UTC
Reassigning product/component
Comment 12 Olivier Crete (RETIRED) gentoo-dev 2004-09-23 15:06:55 UTC
Stable on x86
Comment 13 Dan Margolis (RETIRED) gentoo-dev 2004-09-23 22:04:07 UTC
GLSA 200409-33
Comment 14 Dan Margolis (RETIRED) gentoo-dev 2004-10-06 12:42:42 UTC
*** Bug 66551 has been marked as a duplicate of this bug. ***
Comment 15 Tom Gall (RETIRED) gentoo-dev 2004-10-09 11:52:27 UTC
done via superseded 2.0.52 which is marked stable on ppc64