Cc: [EMAIL PROTECTED]
Package: apache
Version: 1.3.26-0woody3
Tags: security
Severity: grave

I have checked the full bug list also. It does not appear a bug has been filed yet. Therefore I have filed a bug with this email. If you have anything additional to add please wait until it shows up on BTS and send the info to [EMAIL PROTECTED]

Thanks

On Wed, 29 Oct 2003 at 10:13:57AM -0500, Hideki Yamane wrote:
> Hi list,
>
> Do you know about apache security issue?
>
> apache 1.3.29 release announcement is here.
> http://www.apache.org/dist/httpd/Announcement.txt
>
> this apache 1.3 release includes security fix.
>
> > Apache 1.3.29 Major changes
> >
> > Security vulnerabilities
> >
> > * CAN-2003-0542 (cve.mitre.org)
> > Fix buffer overflows in mod_alias and mod_rewrite which occurred if
> > one configured a regular expression with more than 9 captures.

My *guess* is Woody is vulnerable to this.

> apache 2.0.48 release announcement is here.
> http://www.apache.org/dist/httpd/Announcement2.txt
>
> and apache 2.0.48 also includes security fix.
>
> > Apache 2.0.48 Major changes
> >
> > Security vulnerabilities closed since Apache 2.0.47
> >
> > *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
> > the AF_UNIX socket used to communicate with the cgid daemon and
> > the CGI script. [Jeff Trawick]
> >
> > *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
> > mod_rewrite which occurred if one configured a regular expression
> > with more than 9 captures. [Andre' Malo]

I would be less likely to believe woody is vulnerable to these since these seem to be explicitly aimed at 2.0

> and I want to know how it goes in Debian. I cannot find any posts
> in BTS and debian-apache lists.
>
> # and when I posted apache 2.0.47 release announce with vulnerability
> issue to BTS, maintainer said "Kindly don't submit "new version"
> bugs with in about 10 minutes of the release. It's childish and
> unhelpful."
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=200593&archive=yes
>
> so I don't want to post it to BTS...

--
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #113: Daemons loose in system.
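
The quoted announcements tie CAN-2003-0542 to a configured regular expression with more than 9 captures. As an added example (not part of the original mail and not Apache or Debian code), this Python sketch scans a configuration for mod_rewrite and mod_alias regex directives that exceed that count. The directive list, the tokenizer and the sample configuration are assumptions made here; line continuations and included files are not followed.

```python
import re

# Directives that take a regex, with the position of the regex argument.
# Assumption: this mod_rewrite / mod_alias directive list is sufficient.
REGEX_ARG = {"rewriterule": 0, "rewritecond": 1, "aliasmatch": 0,
             "scriptaliasmatch": 0, "redirectmatch": 0}
MAX_CAPTURES = 9  # limit named in the quoted announcements
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # quoted or bare argument

def count_captures(pattern):
    """Count '(' that are neither backslash-escaped nor inside [...].
    Conservative: PCRE '(?:' groups are counted too."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2              # skip the escaped character
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
            if pattern[i + 1:i + 2] == "^":
                i += 1
            if pattern[i + 1:i + 2] == "]":
                i += 1          # ']' directly after '[' or '[^' is a literal
        elif ch == "(":
            count += 1
        i += 1
    return count

def find_risky(config_text):
    """Return (line number, directive, capture count) for each regex over the limit."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        args = [q or b for q, b in TOKEN.findall(line.strip())]
        if not args or args[0].startswith("#") or args[0].lower() not in REGEX_ARG:
            continue
        name, args = args[0], args[1:]
        idx = REGEX_ARG[name.lower()]
        if name.lower() == "redirectmatch" and len(args) == 3:
            idx = 1  # optional status argument precedes the regex
        if idx < len(args) and count_captures(args[idx]) > MAX_CAPTURES:
            findings.append((lineno, name, count_captures(args[idx])))
    return findings

# Constructed sample configuration (not from any real server).
SAMPLE = "\n".join([
    "RewriteEngine On",
    "RewriteRule ^/" + "([^/]+)/" * 10 + "$ /x/$1 [L]",
    "RewriteRule ^/old/(.*)$ /new/$1 [R]",
    r'AliasMatch "^/u/([a-z]+)/(\(lit\))[()]$" /home/$1',
    "RedirectMatch 301 ^/" + r"(\d)" * 11 + " http://example.org/",
])

if __name__ == "__main__":
    for lineno, name, n in find_risky(SAMPLE):
        print(f"line {lineno}: {name} regex has {n} captures (> {MAX_CAPTURES})")
```

A hit only means the configuration meets the condition the announcements describe; whether the installed package is affected still depends on its version and applied patches.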