Bug#489899: marked as done (apache2-utils htpasswd bogus compromised md5 factor)
Your message dated Mon, 08 Sep 2008 07:52:21 +0000
with message-id <E1KcbXp-0005WI-PL@ries.debian.org>
and subject line Bug#489899: fixed in apache2 2.2.3-4+etch6
has caused the Debian Bug report #489899,
regarding apache2-utils htpasswd bogus compromised md5 factor
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
489899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489899
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apache2-utils htpasswd bogus compromised md5 factor
- From: Mark Hedges <hedges@gombor.com>
- Date: Tue, 08 Jul 2008 08:30:41 -0700
- Message-id: <20080708153041.27578.10640.reportbug@li16-163.members.linode.com>
Package: apache2-utils
Version: 2.2.3-4+etch4
Severity: normal
Version 2.2.3-4+etch4 of apache2-utils contains an `htpasswd`
that does this:
hedges@foo:~$ htpasswd -mbn foo bar
foo:$apr1$.C9HN...$VJYoF1cM6sqQkjgiltBWA1
hedges@foo:~$ htpasswd -mbn foo bar
foo:$apr1$efQG5/..$nBF0.shj9dPcq9ES/5X4c1
hedges@foo:~$ htpasswd -mbn foo bar
foo:$apr1$/lc/X...$9BYnNWXTOxIgtkwNbY5O4/
The 8-byte factor always ends in '...' or '/..'.
Does this restrict the hash space so it can be more easily cracked?
The new version in lenny (2.2.9-2) does not have this problem.
The 8-byte factor in $1 of / \$apr1\$ (.*?) \$ .* /mxs seems
totally random in newer versions.
Mark
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23.17-linode43
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages apache2-utils depends on:
ii lib 1.2.7-8.2 The Apache Portable Runtime Librar
ii lib 1.2.7+dfsg-2 The Apache Portable Runtime Utilit
ii lib 2.7-10 GNU C Library: Shared libraries
ii lib 4.4.20-8 Berkeley v4.4 Database Libraries [
ii lib 1.95.8-3.4 XML parsing C library - runtime li
ii lib 2.1.30-13.3 OpenLDAP libraries
ii lib 6.7+7.4-4 Perl 5 Compatible Regular Expressi
ii lib 8.1.11-0etch1 PostgreSQL C client library
ii lib 3.3.8-1.1 SQLite 3 shared library
ii lib 0.9.8g-10.1 SSL shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 universally unique id library
apache2-utils recommends no packages.
-- no debconf information
--- End Message ---
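The pattern the report describes (an 8-character $apr1$ salt whose last three characters are always '...' or '/..') is easy to check for in an existing htpasswd file. The script below is an added example written for this page; it is not code from the bug report or from the apache2 package. It reuses the three hashes quoted in the report as sample input, adds one constructed entry with a full-length salt and one constructed crypt(3) entry (neither of those two is a real hash of any password; the crypt(3) line only shows non-MD5 entries being skipped), and lists the users whose salt carries the weak suffix. The salt_space_bits figure is a plain count: each salt character is one of 64 symbols, so 8 free characters give 48 bits, while 5 free characters plus a choice between two fixed suffixes give 31 bits. A smaller salt space does not change the per-guess cost of attacking one entry; it matters for precomputation and for salt reuse across many entries.

```python
"""Audit an htpasswd file for the low-entropy $apr1$ salts reported in #489899.

Added example for this page, not code from the bug report or from apache2.
"""
import math
import re
from collections import Counter

# An htpasswd line is "user:hash". For MD5 entries the hash field is
# $apr1$<salt>$<22 chars>, with salt and digest drawn from the crypt alphabet.
APR1_LINE = re.compile(
    r"^([^:]+):\$apr1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$"
)

# Salt suffixes seen in every sample the report gives for 2.2.3-4+etch4.
WEAK_SUFFIXES = ("...", "/..")

# Sample input. The three "foo" lines are the hashes quoted in the report.
# The "dave" and "legacy" lines are constructed for this example and are not
# real hashes of any password; "legacy" shows a non-MD5 entry being skipped.
SAMPLE_HTPASSWD = """\
foo:$apr1$.C9HN...$VJYoF1cM6sqQkjgiltBWA1
foo:$apr1$efQG5/..$nBF0.shj9dPcq9ES/5X4c1
foo:$apr1$/lc/X...$9BYnNWXTOxIgtkwNbY5O4/
dave:$apr1$Zk3qT9xW$0123456789abcdefghijkl
legacy:abJnggxhB/yWI
"""


def parse_apr1(line):
    """Return (user, salt, digest) for an $apr1$ line, or None for anything else."""
    m = APR1_LINE.match(line.strip())
    return m.groups() if m else None


def is_weak_salt(salt):
    """True if the salt shows the fixed ending described in the report."""
    return salt.endswith(WEAK_SUFFIXES)


def salt_space_bits(salt_len=8, suffix_choices=None):
    """Salt entropy in bits: 6 bits per free character (64 symbols), plus
    log2 of the number of possible fixed suffixes when the tail is constrained."""
    if not suffix_choices:
        return 6 * salt_len
    free_chars = salt_len - len(suffix_choices[0])
    return 6 * free_chars + math.log2(len(suffix_choices))


def audit(text):
    """Scan htpasswd content; return entry counts, weak users and a suffix histogram."""
    result = {"entries": 0, "apr1": 0, "weak": [], "suffixes": Counter()}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        result["entries"] += 1
        parsed = parse_apr1(line)
        if parsed is None:
            continue  # crypt(3), {SHA} or plaintext entry: not affected by this bug
        user, salt, _digest = parsed
        result["apr1"] += 1
        result["suffixes"][salt[-3:]] += 1
        if is_weak_salt(salt):
            result["weak"].append(user)
    return result


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTPASSWD
    r = audit(text)
    print(f"{r['apr1']} $apr1$ entries of {r['entries']}; "
          f"{len(r['weak'])} with weak salt: {r['weak']}")
    print("salt suffix histogram:", dict(r["suffixes"]))
    print(f"salt space: {salt_space_bits():.0f} bits normally, "
          f"{salt_space_bits(8, WEAK_SUFFIXES):.0f} bits with the fixed suffix")
```

Run it with a path to an htpasswd file to audit that file, or with no argument to run against the embedded sample. A histogram where one three-character suffix dominates is the signal to look for even if the exact suffixes differ from the ones in the report.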
--- Begin Message ---
- To: 489899-close@bugs.debian.org
- Subject: Bug#489899: fixed in apache2 2.2.3-4+etch6
- From: Stefan Fritsch <sf@debian.org>
- Date: Mon, 08 Sep 2008 07:52:21 +0000
- Message-id: <E1KcbXp-0005WI-PL@ries.debian.org>
Source: apache2
Source-Version: 2.2.3-4+etch6
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:
apache2-doc_2.2.3-4+etch6_all.deb
to pool/main/a/apache2/apache2-doc_2.2.3-4+etch6_all.deb
apache2-mpm-event_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch6_i386.deb
apache2-mpm-perchild_2.2.3-4+etch6_all.deb
to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch6_all.deb
apache2-mpm-prefork_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch6_i386.deb
apache2-mpm-worker_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch6_i386.deb
apache2-prefork-dev_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch6_i386.deb
apache2-src_2.2.3-4+etch6_all.deb
to pool/main/a/apache2/apache2-src_2.2.3-4+etch6_all.deb
apache2-threaded-dev_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch6_i386.deb
apache2-utils_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-utils_2.2.3-4+etch6_i386.deb
apache2.2-common_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch6_i386.deb
apache2_2.2.3-4+etch6.diff.gz
to pool/main/a/apache2/apache2_2.2.3-4+etch6.diff.gz
apache2_2.2.3-4+etch6.dsc
to pool/main/a/apache2/apache2_2.2.3-4+etch6.dsc
apache2_2.2.3-4+etch6_all.deb
to pool/main/a/apache2/apache2_2.2.3-4+etch6_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 489899@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 06 Sep 2008 11:35:16 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch6
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description:
apache2 - Next generation, scalable, extendable web server
apache2-doc - documentation for apache2
apache2-mpm-event - Event driven model for Apache HTTPD 2.1
apache2-mpm-perchild - Transitional package - please remove
apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
apache2-prefork-dev - development headers for apache2
apache2-src - Apache source code
apache2-threaded-dev - development headers for apache2
apache2-utils - utility programs for webservers
apache2.2-common - Next generation, scalable, extendable web server
Closes: 470652 489899
Changes:
apache2 (2.2.3-4+etch6) stable; urgency=low
.
* Fix CVE-2007-6388: XSS in mod_status
* Fix CVE-2008-2939: XSS in mod_proxy_ftp
* Fix CVE-2008-2364: DoS in mod_proxy_http
* Fix salt generation weakness in htpasswd (Closes: #489899)
* Fix processes hanging on graceful restart or shutdown with prefork MPM.
* mod_cache: Handle If-Range correctly if the cached resource was stale.
This fixes problems when using apt with mod_cache (closes: #470652).
Files:
ab86afc4f0f8b720558639e52265a5d3 1068 web optional apache2_2.2.3-4+etch6.dsc
35d05e9ae19aff4303af57be8ba15ad1 117297 web optional apache2_2.2.3-4+etch6.diff.gz
a05c4e70529b939789863251aee40404 963004 web optional apache2.2-common_2.2.3-4+etch6_i386.deb
41bb8337693eaa7f7d0ad79d0828085d 424706 web optional apache2-mpm-worker_2.2.3-4+etch6_i386.deb
05cbd6dacc7faeda6cdb74f091aba723 420754 web optional apache2-mpm-prefork_2.2.3-4+etch6_i386.deb
ddf0c7d5baad24fc0518865c66a12c5a 425124 web optional apache2-mpm-event_2.2.3-4+etch6_i386.deb
3ae1121effa67c06264efdfb119e3e94 343510 web optional apache2-utils_2.2.3-4+etch6_i386.deb
b990cadc094cd47bd35e9bb99e1f4b06 409148 devel optional apache2-prefork-dev_2.2.3-4+etch6_i386.deb
245b4acc5cc3f6f1d9de38979d6f6868 409900 devel optional apache2-threaded-dev_2.2.3-4+etch6_i386.deb
d045d1fcda9c9da3eaaf8fc4cea2990d 275480 web optional apache2-mpm-perchild_2.2.3-4+etch6_all.deb
9c0c4e8267e2666528467593f4dd3426 41306 web optional apache2_2.2.3-4+etch6_all.deb
6d73f26c66b5018dc7ba6dd34831706a 2246566 doc optional apache2-doc_2.2.3-4+etch6_all.deb
d3ce986aaafd5eda8f0964e74ce58fcb 6668346 devel extra apache2-src_2.2.3-4+etch6_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFIwpLVbxelr8HyTqQRAiqXAJ0f//gFRnk/uZ/fAwuVt34vD6qc6ACgrilb
ybc90kUIuCc/G1yQNhxBvYI=
=LyLy
-----END PGP SIGNATURE-----
--- End Message ---