
Re: Apache 1.3.31



On Thu, 13 May 2004, Kasper Schoonman wrote:

> Dear Fabio,
>
> I read those things on the Apache website:
>
> Security vulnerabilities
>
>   The main security vulnerabilities addressed in 1.3.31 are:
>   * CAN-2003-0987 (cve.mitre.org)
>     In mod_digest, verify whether the nonce returned in the client
>     response is one we issued ourselves. This problem does not affect
>     mod_auth_digest.
>   * CAN-2003-0020 (cve.mitre.org)
>     Escape arbitrary data before writing into the errorlog.
>   * CAN-2004-0174 (cve.mitre.org)
>     Fix starvation issue on listening sockets where a short-lived
>     connection on a rarely-accessed listening socket will cause a child to
>     hold the accept mutex and block out new connections until another
>     connection arrives on that rarely-accessed listening socket.
>   * CAN-2003-0993 (cve.mitre.org)
>     Fix parsing of Allow/Deny rules using IP addresses without a netmask;
>     issue is only known to affect big-endian 64-bit platforms

And these have all been fixed in apache 1.3.29 in Debian for a while.

>
> New features
>
>   New features that relate to specific platforms:
>   * Linux 2.4+: If Apache is started as root and you
>     code CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
>
>   New features that relate to specific platforms:
>   * Add mod_whatkilledus and mod_backtrace (experimental) for
>     reporting diagnostic information after a child process crash.
>   * Add fatal exception hook for running diagnostic code after a crash.
>   * Forensic logging module added (mod_log_forensic)
>   * '%X' is now accepted as an alias for '%c' in the LogFormat
>     directive. This allows you to configure logging to still log the
>     connection status even with mod_ssl

These are all wishlists.

> Bugs fixed
>
>   The following bugs were found in Apache 1.3.29 (or earlier) and have
> been fixed in Apache 1.3.31:
>   * Fix memory corruption problem with ap_custom_response() function.
>     The core per-dir config would later point to request pool data that
>     would be reused for different purposes on different requests.
>   * mod_usertrack no longer inspects the Cookie2 header for the cookie
>     name. It also no longer overwrites other cookies.
>   * Fix bug causing core dump when using CookieTracking without
>     specifying a CookieName directly.
>   * UseCanonicalName off was ignoring the client provided port
>     information.

These bugs will be fixed when 1.3.31 is uploaded.

The main point is that there are no security holes in the apache 1.3.29 shipped in
Debian. New upstream releases are wishlist.

Thanks
Fabio

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.


