
Bug#230999: marked as done ([CAN-2003-0987] mod_digest for Apache does not properly verify the nonce of a client response by using a AuthNonce secret.)

Your message dated Wed, 21 Apr 2004 18:48:35 +0200 (CEST)
with message-id <Pine.LNX.4.58.0404211847400.26246@trider-g7.ext.fabbione.net>
and subject line Bug#129571: marked as done (apache-ssl: policy 13.1) (fwd)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 3 Feb 2004 21:37:41 +0000
From ray@xinara.org Tue Feb 03 13:37:41 2004
Return-path: <ray@xinara.org>
Received: from mail.o2w.nl [] (postfix)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Ao8Em-0002Uh-00; Tue, 03 Feb 2004 13:37:40 -0800
Received: from zensunni.xinara.org (unknown [])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(Client did not present a certificate)
	by mail.o2w.nl (Postfix) with ESMTP id 4843635AFE
	for <submit@bugs.debian.org>; Tue,  3 Feb 2004 22:37:38 +0100 (CET)
Received: from ray by zensunni.xinara.org with local (Exim 4.30)
	id 1Ao8Ef-0001FU-L3; Tue, 03 Feb 2004 22:37:33 +0100
Date: Tue, 3 Feb 2004 22:37:33 +0100
From: "J.H.M. Dassen (Ray)" <fsmla@xinara.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CAN-2003-0987] mod_digest for Apache does not properly verify the nonce of a client response by using a AuthNonce secret.
Message-ID: <20040203213733.GA4791@xinara.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Reportbug-Version: 2.41
Organization: Ray at home
X-System: Debian GNU/Linux testing/unstable, kernel 2.4.25-pre8
User-Agent: Mutt/
Sender: "J.H.M. Dassen (Ray)" <ray@xinara.org>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_02_01 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=HAS_PACKAGE autolearn=no 

Package: apache
Severity: grave
Tags: security patch

Candidate: CAN-2003-0987
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
Phase: Assigned (20031216)
Category: SF

mod_digest for Apache does not properly verify the nonce of a client
response by using a AuthNonce secret.

Current Votes:
None (candidate not yet proposed)

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.25-pre8
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1
Obsig: developing a new sig

Received: (at 230999-done) by bugs.debian.org; 21 Apr 2004 16:48:38 +0000
From fabbione@fabbione.net Wed Apr 21 09:48:38 2004
Return-path: <fabbione@fabbione.net>
Received: from port5.ds1-sby.adsl.cybercity.dk (trider-g7.fabbione.net) [] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BGKtp-0006CU-00; Wed, 21 Apr 2004 09:48:37 -0700
Received: from trider-g7.ext.fabbione.net (port5.ds1-sby.adsl.cybercity.dk [])
	by trider-g7.fabbione.net (Postfix) with ESMTP id 4B7EF17
	for <230999-done@bugs.debian.org>; Wed, 21 Apr 2004 18:48:35 +0200 (CEST)
Date: Wed, 21 Apr 2004 18:48:35 +0200 (CEST)
From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
Sender: fabbione@fabbione.net
To: 230999-done@bugs.debian.org
Subject: Bug#129571: marked as done (apache-ssl: policy 13.1) (fwd)
Message-ID: <Pine.LNX.4.58.0404211847400.26246@trider-g7.ext.fabbione.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Delivered-To: 230999-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-CrossAssassin-Score: 1

Sorry for closing it manually. I forgot the Close entry in the changelog.

Source: apache

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

  to pool/main/a/apache/apache-common_1.
  to pool/main/a/apache/apache-dbg_1.
  to pool/main/a/apache/apache-dev_1.
  to pool/main/a/apache/apache-doc_1.
  to pool/main/a/apache/apache-perl_1.
  to pool/main/a/apache/apache-ssl_1.
  to pool/main/a/apache/apache-utils_1.
  to pool/main/a/apache/apache_1.
  to pool/main/a/apache/apache_1.
  to pool/main/a/apache/apache_1.
  to pool/main/a/apache/libapache-mod-perl_1.29.0.2-5_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 129571@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Fabio M. Di Nitto <fabbione@fabbione.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.7
Date: Wed, 21 Apr 2004 17:37:37 +0200
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Fabio M. Di Nitto <fabbione@fabbione.net>
 apache     - Versatile, high-performance HTTP server
 apache-common - Support files for all Apache webservers
 apache-dbg - Apache webservers (debugging versions)
 apache-dev - Apache webserver development kit
 apache-doc - Apache webserver docs
 apache-perl - Versatile, high-performance HTTP server with Perl support
 apache-ssl - Versatile, high-performance HTTP server with SSL support
 apache-utils - Utility programs for webservers
 libapache-mod-perl - Integration of perl with the Apache web server
Closes: 129571 150621 219112 219694 228791 230167 238607 238624 239378 239416 240440 241760 242270 242367 242985 243108 243354 243487 243866 243918 243993 244191 244857
 apache ( unstable; urgency=low
   * (Fabio M. Di Nitto)
     - Backported CAN-2003-0987 fix from upstream cvs
     - Backported CAN-2004-0174 fix from upstream cvs
     - Added patch 033_-F_NO_SETSID to use setpgrp(2) instead of setsid(2)
       (Closes: #244857)
     - modules-config/apache-modconf now asks to restart only if
       the daemon is running. It reduces by several magnitudes
       the amount of prompts when upgrading from woody to sarge and
       it prevents the daemons from being wrongly restarted during the
       upgrade process, which would lead to failures
     - Added simple man page for apache.pem(5) (Closes: #129571)
     - Removed old apache_not_to_run entry from README.Debian
       (Closes: #244191)
     - Create /var/www only if nothing is there
       (Closes: #243866)
     - Added 511_log_files_permission to open all new log files
       with 640 permission (Closes: #243487)
     - Fixed postinst.common to support arbitrary newaliases
       (Closes: #243918)
     - mod_auth_cache should be the first one to be loaded
       (Closes: #243993)
     - suexec enabled by default for a smooth woody to sarge upgrade
       (Closes: #239416)
     - Added notes about mod_perl authentication mechanism to
       README.Debian (Closes: #242985)
     - Enhanced stop procedure while upgrading from woody
       (Closes: #242270)
     - New path to install the place holder from. The old one was not
       Policy compliant
     - Added reportbug notes for apache, apache-perl, apache-ssl and
     - Enforced version depends on ucf and debconf to ensure woody to
       sarge upgrades
     - Removed old entry from init.d scripts (Closes: #242367, #243354)
     - Fixed modules-config/apache-modconf update_config to avoid
       duplicate modules.conf entries (Closes: #238624)
     - Provides: httpd-cgi in reference to #117916
     - Added query option to modules-config/apache-modconf
     - Safer libapache-mod-perl postrm script
     - Renamed modules-config to apache-modconf
       (Closes: #228791, #230167)
     - Removed apache-perl-ctl since no one should be using it anymore
       (See also changelog below)
     - Update apache-perl control file to reflect apache and apache-ssl
       + Priority: optional
       + Suggests: apache-doc
       + Added missing dependency on logrotate
     - Moved manual in apache-doc where it belongs
     - Reverted patch 508_apxs_in_many_guises and shipped again the 3
       flavours of apxs
     - Added patch ssl/007_ab_ssl to enable SSL support in ab
     - Fixed typo in apache-common.templates
     - Wrapping file names in ucf interaction (Closes: #238607)
     - Updated default configs:
       + Changed default ServerAdmin to webmaster@localhost
       + Removed README.* from IndexIgnore and added proper comments
         (Closes: #219694)
     - Added Greek translation thanks to Konstantinos Margaritis
       (Closes: #240440)
     - Lowered apache-ssl and mod_auth_ssl priority to respect old setups
       and new upstream requirements
       (Closes: #239378)
     - Temporary blacklisted apache_ssl_keynote (#237763)
     - Update German translation thanks to Alwin Meschede (Closes: #241760)
     - Added Polish translation thanks to Emil Nowak (Closes: #243108)
   * (Matthew Wilcox)
     - Added 031_autoindex_indexes patch from Miquel van Smoorenburg to
       allow IndexOptions +- Indexes to override Options +- Indexes.
       (Closes: #219112)
     - Added 032_autoindex_generator to put a <META NAME="generator"> tag in
       the output from autoindex (Closes: #150621)

------------ Output from gpg ------------
gpg: Signature made Wed Apr 21 18:02:07 2004 CEST using DSA key ID 44779E18
gpg: Good signature from "Fabio M. Di Nitto <fabbione@debian.org>"
gpg:                 aka "Fabio M. Di Nitto <fabbione@tehsux.net>"
gpg:                 aka "Fabio M. Di Nitto <fabbione@fabbione.net>"
gpg:                 aka "Fabio M. Di Nitto <fabbione@fugedabout.it>"
gpg:                 aka "Fabio M. Di Nitto <fabbione@velopietoso.it>"
gpg:                 aka "Fabio Massimo Di Nitto <fabbione@fabbione.net>"
