[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#489899: marked as done (apache2-utils htpasswd bogus compromised md5 factor)

Your message dated Mon, 08 Sep 2008 07:52:21 +0000
with message-id <E1KcbXp-0005WI-PL@ries.debian.org>
and subject line Bug#489899: fixed in apache2 2.2.3-4+etch6
has caused the Debian Bug report #489899,
regarding apache2-utils htpasswd bogus compromised md5 factor
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

489899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489899
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-utils
Version: 2.2.3-4+etch4
Severity: normal

Version 2.2.3-4+etch4 of apache2-utils contains an `htpasswd`
that does this:

  hedges@foo:~$ htpasswd -mbn foo bar

  hedges@foo:~$ htpasswd -mbn foo bar

  hedges@foo:~$ htpasswd -mbn foo bar

The 8-byte factor always ends in '...' or '/..'.

Does this restrict the hash space so it can be more easily cracked?

The new version in lenny (2.2.9-2) does not have this problem.  
The 8-byte factor in $1 of / \$apr1\$ (.*?) \$ .* /mxs seems 
totally random in newer versions.


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages apache2-utils depends on:
ii  lib 1.2.7-8.2                            The Apache Portable Runtime Librar
ii  lib 1.2.7+dfsg-2                         The Apache Portable Runtime Utilit
ii  lib 2.7-10                               GNU C Library: Shared libraries
ii  lib 4.4.20-8                             Berkeley v4.4 Database Libraries [
ii  lib 1.95.8-3.4                           XML parsing C library - runtime li
ii  lib 2.1.30-13.3                          OpenLDAP libraries
ii  lib 6.7+7.4-4                            Perl 5 Compatible Regular Expressi
ii  lib 8.1.11-0etch1                        PostgreSQL C client library
ii  lib 3.3.8-1.1                            SQLite 3 shared library
ii  lib 0.9.8g-10.1                          SSL shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 universally unique id library

apache2-utils recommends no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.2.3-4+etch6

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

  to pool/main/a/apache2/apache2-doc_2.2.3-4+etch6_all.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch6_i386.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch6_all.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch6_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch6_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch6_i386.deb
  to pool/main/a/apache2/apache2-src_2.2.3-4+etch6_all.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch6_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-4+etch6_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch6_i386.deb
  to pool/main/a/apache2/apache2_2.2.3-4+etch6.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-4+etch6.dsc
  to pool/main/a/apache2/apache2_2.2.3-4+etch6_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 489899@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Hash: SHA1

Format: 1.7
Date: Sat, 06 Sep 2008 11:35:16 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-4+etch6
Distribution: stable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
 apache2    - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 470652 489899
 apache2 (2.2.3-4+etch6) stable; urgency=low
   * Fix CVE-2007-6388: XSS in mod_status
   * Fix CVE-2008-2939: XSS in mod_proxy_ftp
   * Fix CVE-2008-2364: DoS in mod_proxy_http
   * Fix salt generation weakness in htpasswd (Closes: #489899)
   * Fix processes hanging on graceful restart or shutdown with prefork MPM.
   * mod_cache: Handle If-Range correctly if the cached resource was stale.
     This fixes problems when using apt with mod_cache (closes: #470652).
 ab86afc4f0f8b720558639e52265a5d3 1068 web optional apache2_2.2.3-4+etch6.dsc
 35d05e9ae19aff4303af57be8ba15ad1 117297 web optional apache2_2.2.3-4+etch6.diff.gz
 a05c4e70529b939789863251aee40404 963004 web optional apache2.2-common_2.2.3-4+etch6_i386.deb
 41bb8337693eaa7f7d0ad79d0828085d 424706 web optional apache2-mpm-worker_2.2.3-4+etch6_i386.deb
 05cbd6dacc7faeda6cdb74f091aba723 420754 web optional apache2-mpm-prefork_2.2.3-4+etch6_i386.deb
 ddf0c7d5baad24fc0518865c66a12c5a 425124 web optional apache2-mpm-event_2.2.3-4+etch6_i386.deb
 3ae1121effa67c06264efdfb119e3e94 343510 web optional apache2-utils_2.2.3-4+etch6_i386.deb
 b990cadc094cd47bd35e9bb99e1f4b06 409148 devel optional apache2-prefork-dev_2.2.3-4+etch6_i386.deb
 245b4acc5cc3f6f1d9de38979d6f6868 409900 devel optional apache2-threaded-dev_2.2.3-4+etch6_i386.deb
 d045d1fcda9c9da3eaaf8fc4cea2990d 275480 web optional apache2-mpm-perchild_2.2.3-4+etch6_all.deb
 9c0c4e8267e2666528467593f4dd3426 41306 web optional apache2_2.2.3-4+etch6_all.deb
 6d73f26c66b5018dc7ba6dd34831706a 2246566 doc optional apache2-doc_2.2.3-4+etch6_all.deb
 d3ce986aaafd5eda8f0964e74ce58fcb 6668346 devel extra apache2-src_2.2.3-4+etch6_all.deb

Version: GnuPG v1.4.9 (GNU/Linux)


--- End Message ---

Reply to: