
Re: CAN-2004-0811: Apache 2.0.51 authentication bypass

Please take care of this issue.  This seems to affect the version in
sid as well.  Please mention the CAN in the changelog when you
prepare an update.

Mark J Cox wrote:
> A number of users have reported that after upgrading to 2.0.51 their
> password protected pages have been served without requiring
> authentication.  This is due to a change made between 2.0.50 and 2.0.51
> which broke the merging of the Satisfy directive.  This affects any
> installation using the "Satisfy" directive, and is CAN-2004-0811.
> If you have issued 2.0.51 updates using the official Apache 2.0.51 tarball
> you are vulnerable to this issue and should apply the patch for
> CAN-2004-0811 below.  The ASF is looking at producing a 2.0.52 within the
> next day or two that includes this fix.
> If you used the patches we supplied for the last security fixes and did a
> backported update then this issue will not affect you.
> http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch
> This issue is public.
> NISCC, please can you forward this message on to the list of folks you 
> notify about Apache issues.
> Thanks, Mark
> -- 
> Mark J Cox / Red Hat Security Response Team



Unix is user friendly ...  It's just picky about its friends.

Please always Cc to me when replying to me on the lists.
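
Added example, not part of the original messages or of the ASF patch: a Python check for the two conditions the advisory gives, an unpatched 2.0.51 build and use of the Satisfy directive. The function names, the sample configuration and the exact-version comparison are assumptions; a 2.0.51 build that already carries the CAN-2004-0811 patch still reports itself as 2.0.51.

```python
import re

AFFECTED_VERSION = "2.0.51"  # release named in the advisory

# Constructed sample configuration, for illustration only.
SAMPLE_CONF = """\
# Satisfy Any  (commented out, must be ignored)
<Directory "/srv/www/private">
    AuthType Basic
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    satisfy \\
        any
</Directory>
"""

def logical_lines(text):
    """Yield (first_line_number, joined_line), folding backslash continuations."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended on a continuation line
        yield start, buf

def find_satisfy(text):
    """Return [(line_number, argument)] for every active Satisfy directive."""
    hits = []
    for num, line in logical_lines(text):
        # Directive names are case-insensitive; '#' comment lines never match.
        m = re.match(r"\s*satisfy\s+(\S+)", line, re.IGNORECASE)
        if m:
            hits.append((num, m.group(1).lower()))
    return hits

def needs_patch(server_version, text):
    """True when both conditions from the advisory hold (assumed exact match)."""
    return server_version == AFFECTED_VERSION and bool(find_satisfy(text))
```

Run `find_satisfy` over the main configuration, every included file and any `.htaccess` files, since Satisfy can appear in all of them.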
