
Re: Apache 1.3.x security bug in woody? CAN-2003-0460 etc.



On Thu, 7 Aug 2003, Thom May wrote:

> * Drew Scott Daniels (umdanie8@cc.UManitoba.CA) wrote :
> > Woody's apache 1.3.x seems to be still vulnerable to bug 167752 [1]. Is
> > this really the case? Fwiw, this *might* be one of the problems which was
> > fixed upstream with 1.3.28 [2]. Have the other potential security bugs
> > fixed in 1.3.28 been checked against apache in woody?
> >
> Woody's 1.3 is the reason that bug is there. Did you bother reading the bug
> report? The problems were fixed in a stable security upload.
> FWIW, these aren't the bugs that were fixed in 1.3.28; since they were
> implemented in an extremely platform dependent way we're working on cleaning
> them up in a cross platform friendly manner.

I didn't reread it recently, sorry. I've read it now. While it was put
into stable and unstable, I'm still not clear as to whether upstream even
knows about bug 167752.

I see CAN-2003-0460 is Win32 and OS/2 only apparently. It's a logrotate
issue which makes me wonder if Debian even uses an Apache logrotate
(if there is a Linux one) when there are others? Not that it matters much,
both should be secure. (Just thinking aloud fwiw...)

VU#379828 "The server could crash when going into an infinite loop due to
too many subsequent internal redirects and nested subrequests" is a bit
ambiguous. It seems that it may even be bug 167752 or something you're
fixing up. (No comment solicited by me...)

The bug "Eliminated leaks of several file descriptors to child processes,
such as CGI scripts" may be 167752 or something you're fixing up. (Again
no comment solicited...)

The new features, I suppose, are part of the pain in creating a woody
backport. For others following, the quote says:
   The main new features in 1.3.28 (compared to 1.3.27) are:

   * Added new ap_register_cleanup_ex() API function which allows for a
     "magic" cleanup function to be run at register time rather than at
     cleanup time.
   * Improvements to mod_usertrack that allows for a regular (verbose) as
     well as "compact" version of the tracking cookie (the new
     'CookieFormat' directive), and the ability to prepend a string to the
     cookie via the 'CookiePrefix' directive.
   New features that relate to specific platforms:

   * Introduce Win32 .pdb diagnostic symbols into the Apache 1.3 build (as
     created in Apache 2.0.45 and later.) which makes debugging and
     analysis of crash dumps and Dr. Watson logs trivial.
   * AIX: Change the default accept mutex mechanism from pthread back to
     fcntl.

There were also some other bugs listed in
http://www.apache.org/dist/httpd/Announcement.html which probably aren't
good enough for a security update, but might be worth creating a separate
proposed-updates upload. I'm unsure as to whether they may be exploitable
for any malicious purpose.

This seems like quite a messy and painful process. Is there anything I can
help with?

     Drew Daniels
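The 1.3.28 item quoted above, "Eliminated leaks of several file descriptors to child processes, such as CGI scripts", describes a generic server problem: any descriptor without the close-on-exec flag survives fork() and exec() and is visible to the spawned program. The following is an added example, not code from this thread, from Debian or from Apache, that reproduces the leak with a scratch file at descriptor 3 and shows that setting FD_CLOEXEC seals it. It assumes a POSIX system with /bin/sh, and the file name cloexec-demo.log is a constructed scratch path.

```c
/* Added example: file-descriptor leak into an exec'd child and the
 * FD_CLOEXEC fix. Not Apache code; assumes POSIX and /bin/sh. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a scratch "log" file and move it to descriptor 3 so the child shell
 * below can name it. dup2() never copies FD_CLOEXEC, so the flag is set
 * afterwards with fcntl() when cloexec is non-zero. Note that dup2() closes
 * whatever was at descriptor 3 before; fine for a demo, not for a server. */
static int open_log_at_fd3(const char *path, int cloexec)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    if (fd != 3) {
        if (dup2(fd, 3) < 0) {
            close(fd);
            return -1;
        }
        close(fd);
    }
    if (cloexec && fcntl(3, F_SETFD, FD_CLOEXEC) < 0) {
        close(3);
        return -1;
    }
    return 3;
}

/* Fork and exec /bin/sh, which stands in for a CGI script. The shell tries
 * to write to descriptor 3: it succeeds (exit 0) only if the descriptor was
 * inherited across exec. Returns 1 if it leaked, 0 if it was closed, -1 on
 * error. Redirection errors are silenced by the leading 2>/dev/null. */
static int fd3_leaks_to_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "echo leaked 2>/dev/null >&3", (char *)0);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Run one experiment: open the log with or without FD_CLOEXEC, spawn the
 * child, clean up, and report the outcome (1 leaked, 0 sealed, -1 error). */
static int check_leak(const char *path, int cloexec)
{
    if (open_log_at_fd3(path, cloexec) < 0)
        return -1;
    int leaked = fd3_leaks_to_child();
    close(3);
    unlink(path);
    return leaked;
}

int main(void)
{
    const char *path = "cloexec-demo.log"; /* constructed scratch path */
    printf("without FD_CLOEXEC: %s\n",
           check_leak(path, 0) == 1 ? "child could write to the log" : "sealed");
    printf("with FD_CLOEXEC:    %s\n",
           check_leak(path, 1) == 1 ? "child could write to the log" : "sealed");
    return 0;
}
```

Setting the flag with fcntl() after open() leaves a window in a threaded server where another thread's fork()+exec() can inherit the descriptor before the flag lands; opening with O_CLOEXEC in the open() flags (POSIX 2008) closes that window atomically, and the same check as above then applies unchanged.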


