
Apache: Appears to be vulnerable to CAN-2003-0542 (WAS: apache security issue (with upstream new release))



Cc: security@debian.org
Package: apache
Version: 1.3.26-0woody3
Tags: security
Severity: grave


I have checked the full bug list also.  It does not appear a bug has
been filed yet.  Therefore I have filed a bug with this email.  If you
have anything additional to add please wait until it shows up on BTS and
send the info to bugnumber@bugs.debian.org

Thanks

On Wed, 29 Oct 2003 at 10:13:57AM -0500, Hideki Yamane wrote:
> Hi list,
> 
>  Do you know about apache security issue?
> 
>  apache 1.3.29 release announcement is here.
>  http://www.apache.org/dist/httpd/Announcement.txt
> 
>  this apache 1.3 release includes security fix.
> 
> >                     Apache 1.3.29 Major changes
> >
> >  Security vulnerabilities
> >
> >     * CAN-2003-0542 (cve.mitre.org)
> >       Fix buffer overflows in mod_alias and mod_rewrite which occurred if
> >       one configured a regular expression with more than 9 captures.

My *guess* is Woody is vulnerable to this.

>  apache 2.0.48 release announcement is here.
>  http://www.apache.org/dist/httpd/Announcement2.txt
>  
>  and apache 2.0.48 also includes security fix.
> 
> >                       Apache 2.0.48 Major changes
> >
> >   Security vulnerabilities closed since Apache 2.0.47
> >
> >    *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
> >       the AF_UNIX socket used to communicate with the cgid daemon and
> >       the CGI script.  [Jeff Trawick]
> >
> >    *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
> >       mod_rewrite which occurred if one configured a regular expression
> >       with more than 9 captures.  [Andre' Malo]

I would be less likely to believe woody is vulnerable to these since
these seem to be explicitly aimed at 2.0

>  and I want to know how it goes in Debian. I cannot find any posts
>  in BTS and debian-apache lists.
> 
>  # and when I posted apache 2.0.47 release announce with vulnerability
>    issue to BTS, maintainer said "Kindly don't submit "new version"
>    bugs with in about 10 minutes of the release. It's childish and 
>    unhelpful." 
>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=200593&archive=yes
> 
>    so I don't want to post it to BTS...

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #113: Daemons loose in system. 
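
A configuration audit for the condition named in the quoted announcements (a regular expression with more than 9 captures in mod_alias or mod_rewrite), added here as an example; it is not part of the original message and not Apache or Debian code. The function names and the sample configuration are constructed, `(?...)` groups are assumed to be non-capturing, and included files are not followed.

```python
import re

# Index of the regex argument after the directive name.
REGEX_ARG = {"rewriterule": 0, "rewritecond": 1, "aliasmatch": 0,
             "scriptaliasmatch": 0, "redirectmatch": 0}
STATUS = re.compile(r"^(\d{3}|permanent|temp|seeother|gone)$", re.I)
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
MAX_CAPTURES = 9  # limit named in the announcement

def count_captures(pattern):
    """Count unescaped '(' outside [...]; '(?' groups are assumed non-capturing."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # skip the escaped character
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
            i += len(re.match(r"\[\^?\]?", pattern[i:]).group()) - 1  # leading ']' is literal
        elif c == "(" and pattern[i + 1:i + 2] != "?":
            count += 1
        i += 1
    return count

def audit(config_text):
    """Return (line_no, directive, captures) for each pattern over the limit."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        tokens = [q or w for q, w in TOKEN.findall(line.strip())]
        if not tokens or tokens[0].lower() not in REGEX_ARG:
            continue  # blank line, comment, or unrelated directive
        args, idx = tokens[1:], REGEX_ARG[tokens[0].lower()]
        if tokens[0].lower() == "redirectmatch" and args and STATUS.match(args[0]):
            idx = 1  # optional status argument precedes the regex
        if idx < len(args) and count_captures(args[idx]) > MAX_CAPTURES:
            findings.append((no, tokens[0], count_captures(args[idx])))
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE = r"""
RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)/?$ /x/$1 [L]
RewriteRule ^/old/(.*)$ /new/$1 [R]
RedirectMatch permanent "^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)(k)$" http://example.org/
AliasMatch ^/icons/([(]x[)])(.*)$ /srv/icons/$2
"""
```

Pass the text of `httpd.conf` or an `.htaccess` file to `audit()`; any tuple it returns points at a directive whose pattern should be reviewed before the fixed package is installed.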


