Re: Time for 2.2?

2003-09-01 Thread Astrid Keßler
>> Just to prevent any misunderstandings: are we talking about a 2.2
>> *alpha* or *beta* release here, or what will it be called? If it's in
>> any way marked as *unstable*, then a clear +1 from my side. The recent
>> changes are definitely worth to get tested in the wild, IMHO.

> The alphas/betas will be called 2.1.x.  2.2.0 wouldn't be released until
> 2.1.x releases were declared stable.  So, basically, yes.

+1 from me

Kess


Re: Possible security flaw! (Format BUG)

2003-09-01 Thread Manoj Kasichainula
On Sun, Aug 31, 2003 at 06:24:04AM -0300, Ranier Vilela wrote:
> Hello All,
> I tested the source code of httpd-2.0.47 with the tool pscan (format bug
> scanner) and possible security flaws were found!
> Please, can anybody check if this is a real security problem?

This kind of vulnerability is only exposed when there is a format string
under the control of an unauthorized user.

It looked like all the format strings in your patches were literals and
aren't controlled by users, so they wouldn't be exploitable.
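
The distinction drawn in this reply, as an added example that is not part of the original post or of httpd: text is only interpreted as a format when it is passed in the format position. The helper names (`count_directives`, `log_safe`) and the hostile sample string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion directives printf() would act on if `s` were used
 * as a format string. "%%" is a literal percent sign, not a directive. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;                    /* includes a dangling '%' at end of string */
    }
    return n;
}

/* Hardened pattern: the format is a literal and untrusted text is only ever
 * an argument, so directives inside it are copied, never interpreted.
 *
 * The vulnerable pattern would be:  snprintf(out, len, untrusted);
 * where every directive counted above consumes an argument that was
 * never passed. */
static int log_safe(char *out, size_t len, const char *untrusted)
{
    return snprintf(out, len, "%s\n", untrusted);
}

int main(void)
{
    char buf[64];
    const char *literal = "httpd not running, trying to start\n";
    const char *hostile = "%x.%x.%s";   /* constructed sample input */

    /* The literal from the patch has no directives, so printf(literal)
     * and printf("%s\n", "...") produce the same output. */
    printf("literal: %d directives\n", count_directives(literal));
    printf("hostile: %d directives\n", count_directives(hostile));

    log_safe(buf, sizeof buf, hostile);
    fputs(buf, stdout);                 /* input appears verbatim */
    return 0;
}
```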


[Fwd: Possible security flaw! (Format BUG)]

2003-09-01 Thread Ranier Vilela
Sorry, the mpm_common.c.diff was empty.
--- mpm_common.c2003-08-31 06:06:25.0 -0300
+++ mpm_common_old.c2003-08-31 05:57:14.0 -0300
@@ -808,7 +808,7 @@
 
 if (!strcmp(dash_k_arg, "restart")) {
 if (!running) {
-printf("%s\n", "httpd not running, trying to start");
+printf("httpd not running, trying to start\n");
 }
 else {
 *exit_status = send_signal(otherpid, SIGHUP);
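
Review bot: The file headers are reversed (`--- mpm_common.c` is the edited file and `+++ mpm_common_old.c` is the original), so in this hunk the `-` line with `printf("%s\n", ...)` is the proposed code and the `+` line is what the tree has today. Please regenerate the diff old-to-new so it applies and reads the right way round.
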
@@ -818,7 +818,7 @@
 
 if (!strcmp(dash_k_arg, "graceful")) {
 if (!running) {
-printf("%s\n", "httpd not running, trying to start");
+printf("httpd not running, trying to start\n");
 }
 else {
 *exit_status = send_signal(otherpid, SIGUSR1);
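
Review bot: In the `graceful` branch, as in the `restart` branch, the format argument on both sides of the change is a string literal with no conversion directives, so both forms print the same bytes and neither lets outside input reach the format string. If the aim is only to quiet the scanner, `puts("httpd not running, trying to start")` says the same thing without any format string.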


Possible security flaw! (Format BUG)

2003-09-01 Thread Ranier Vilela
Hello All,
I tested the source code of httpd-2.0.47 with the tool pscan (format bug
scanner) and possible security flaws were found!
Please, can anybody check if this is a real security problem?

Thanks.

Ranier Vilela
RC Software Ltda.


[EMAIL PROTECTED] pscan]# ./pscan -vv -w -p wu-ftpd.pscan 
/usr/src/httpd-2.0.47/server/*.c
Scanning /usr/src/httpd-2.0.47/server/buildmark.c ...
Scanning /usr/src/httpd-2.0.47/server/config.c ...
/usr/src/httpd-2.0.47/server/config.c:434 FUNC printf format string with 
1 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1485 FUNC fprintf format string 
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1491 FUNC fprintf format string 
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1497 FUNC fprintf format string 
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1511 FUNC fprintf format string 
with 3 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1894 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1898 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1901 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1904 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1911 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1914 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1917 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1920 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1924 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1926 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1931 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1933 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1938 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1940 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1945 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1947 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1952 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1954 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1959 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1973 FUNC printf format string 
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1976 FUNC printf format string 
with 1 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1988 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1990 FUNC printf format string 
with 1 parameters: OK
Scanning /usr/src/httpd-2.0.47/server/connection.c ...
Scanning /usr/src/httpd-2.0.47/server/core.c ...
Scanning /usr/src/httpd-2.0.47/server/error_bucket.c ...
Scanning /usr/src/httpd-2.0.47/server/exports.c ...
Scanning /usr/src/httpd-2.0.47/server/gen_test_char.c ...
/usr/src/httpd-2.0.47/server/gen_test_char.c:83 FUNC printf format 
string with 5 parameters: OK
/usr/src/httpd-2.0.47/server/gen_test_char.c:105 FUNC printf Last 
argument is variable or reference: BAD
/usr/src/httpd-2.0.47/server/gen_test_char.c:150 FUNC printf format 
string with 2 parameters: OK
/usr/src/httpd-2.0.47/server/gen_test_char.c:153 FUNC printf Last 
argument is variable or reference: BAD
Scanning /usr/src/httpd-2.0.47/server/listen.c ...
Scanning /usr/src/httpd-2.0.47/server/log.c ...
/usr/src/httpd-2.0.47/server/log.c:559 FUNC syslog format string with 1 
parameters: OK
Scanning /usr/src/httpd-2.0.47/server/main.c ...
/usr/src/httpd-2.0.47/server/main.c:91 FUNC printf format string with 1 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:92 FUNC printf format string with 1 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:93 FUNC printf format string with 2 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:101 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:103 FUNC printf format string with 1 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:107 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:111 FUNC printf format string with 1 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:115 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:

Re: Time for 2.2?

2003-09-01 Thread David Reid
Seems like a plan.

Do we then migrate from 2.0 to 2.2 for our *stable* tree? Some extra
clarification might be nice...

david

- Original Message - 
From: "Justin Erenkrantz" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 31, 2003 5:48 PM
Subject: Time for 2.2?


> Looking at nd's recent mod_rewrite and mod_include changes including the aaa
> rewrite (and some other changes and new modules that just weren't backported),
> I'm starting to think this is about the 'right feel' for a 2.2 release.  2.1
> has essentially been open since last September.
>
> So, I think we should start producing 2.1 unstable releases with a goal of
> producing a stable 2.2 release in a few months.
>
> The one issue I'd like resolved before starting a 2.1 release cycle is
> figuring out if we can axe ap_*_client_block (as this is a major API change).
> I think Sander's mentioned something about changing how authorization hooks
> are called, but I don't know if he's prepared to do it 'soon.'
>
> Thoughts?  -- justin



[Patch] remove unnecessary IPv6 autoconf-fu

2003-09-01 Thread Colm MacCarthaigh

"Listen 80" just works now, using v4-only, v6-only, mapped address
or non-mapped addresses.

Index: configure.in
===
RCS file: /home/cvspublic/httpd-2.0/configure.in,v
retrieving revision 1.254
diff -u -u -r1.254 configure.in
--- configure.in21 Jul 2003 14:48:01 -  1.254
+++ configure.in1 Sep 2003 15:20:21 -
@@ -360,16 +360,9 @@
 esac
 ])
 
-if test $v4mapped = "yes" -o $ac_cv_define_APR_HAVE_IPV6 = "no"; then
-nonssl_listen_stmt_1=""
-nonssl_listen_stmt_2="Listen @@Port@@"
-if test $ac_cv_define_APR_HAVE_IPV6 = "yes"; then
-AC_DEFINE(AP_ENABLE_V4_MAPPED, 1,
-  [Allow IPv4 connections on IPv6 listening sockets])
-fi
-else
-nonssl_listen_stmt_1="Listen 0.0.0.0:@@Port@@"
-nonssl_listen_stmt_2="Listen [[::]]:@@Port@@"
+if test $v4mapped = "yes" -a $ac_cv_define_APR_HAVE_IPV6 = "yes"; then
+AC_DEFINE(AP_ENABLE_V4_MAPPED, 1,
+  [Allow IPv4 connections on IPv6 listening sockets])
 fi
 
 AC_ARG_ENABLE(maintainer-mode,APACHE_HELP_STRING(--enable-maintainer-mode,Turn on 
debugging and compile time warnings),
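
Review bot: The new `test $v4mapped = "yes" -a $ac_cv_define_APR_HAVE_IPV6 = "yes"` leaves both variables unquoted, so an empty or unset value turns the condition into a `test` syntax error instead of a clean false. Quote them (`"$v4mapped"`) and consider two `test` calls joined with `&&` rather than `-a`. Since `nonssl_listen_stmt_1` and `nonssl_listen_stmt_2` are no longer assigned here, any substitution of them left elsewhere in the build should be removed in the same patch.
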
Index: docs/conf/httpd-std.conf.in
===
RCS file: /home/cvspublic/httpd-2.0/docs/conf/httpd-std.conf.in,v
retrieving revision 1.54
diff -u -u -r1.54 httpd-std.conf.in
--- docs/conf/httpd-std.conf.in 29 Jul 2003 20:17:07 -  1.54
+++ docs/conf/httpd-std.conf.in 1 Sep 2003 15:20:21 -
@@ -214,8 +214,7 @@
 # prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
 #
 #Listen 12.34.56.78:80
[EMAIL PROTECTED]@
[EMAIL PROTECTED]@
+Listen @@Port@@
 
 #
 # Dynamic Shared Object (DSO) Support
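
Review bot: The comment kept above the new `Listen @@Port@@` still describes the default as binding all addresses as `(0.0.0.0)`, which is IPv4-only wording. With a single `Listen` line now meant to cover the v6-only and mapped cases as well, the comment should say so, so that an admin reading the generated config knows the server may also be listening on IPv6.
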
-- 
Colm MacCárthaigh  Public Key: [EMAIL PROTECTED]
[EMAIL PROTECTED] http://www.stdlib.net/


A complementary tool for managing httpd requirements?

2003-09-01 Thread Steve Bannerman
All,

I've been lurking on this list for a couple of weeks to try to understand
how requirements for current or future versions of requirements for the
httpd product are "managed" by the team.

My observation, although it may not be a complete view, is that the following
mechanisms drive httpd work:

(1) email discussions;
(2) defects in bugzilla.

Maybe you guys feel these mechanisms are sufficient and they work for you.
If so, that's great.  However, if there are some "pains" associated with
them, I'd like to see if I can help.

I'm researching requirements management; in particular, I'm proposing a
"lightweight" way to manage requirements, much in the same way we manage
source code (I'm a developer too, although not on httpd).  I think it is
applicable for open source development projects.

Would you guys be interested in hearing more?  If not, please disregard the
rest of the note...otherwise, I'm sure your first question would be: "how
can it help us."

Here's how I think that "lightweight requirements" could help:

(1) the requirement files (in RML [1], an XML variant) would be managed
alongside your source code, in the same streams of development.  Thus, the
"up to date" requirements would be accessible by all;

(2) the attributes that you find helpful in managing your releases could be
tagged on the requirements.  For example: estimates of how long the
developer thinks it will take, the priority that the team lead assigns the
requirement, and an estimate of how long it actually took to implement the
requirement.

(3) any associations that you find helpful in managing your releases could
be embodied in the requirements.  For example: requirements could be linked
with any automated test cases that "verify" the requirements and if defects
are found (and entered in bugzilla), the requirement could be linked to its
related defect(s);

(4) by keeping the requirement files up to date (with as little information
as you actually use), you could use them to generate "reports" for you.  For
example, using XSLT you could generate an HTML page which identifies the
requirements implemented in a certain release, as well as any other
"important information" (like the estimates, priority, and known defects).

I could go on, but I don't want to waste your time if you're not
interested...

[1] http://reqs.comlab.ox.ac.uk:8080/reqs

Cheers
--
   Steve Bannerman
   [EMAIL PROTECTED]
   44.(0)1865.273866



[patch] resend seg-fault in listen.c

2003-09-01 Thread Colm MacCarthaigh

*mutters something about not liking being responsible for a segfault*

On Tue, Aug 26, 2003 at 12:22:32AM +0100, Colm MacCarthaigh wrote:
> Setting lr to NULL causes a seg-fault if the port was already 
> in use, and didn't do what it was intended to anyway since the
> for loop terminates on lr == NULL.

Index: server/listen.c
===
RCS file: /home/cvspublic/httpd-2.0/server/listen.c,v
retrieving revision 1.91
diff -u -r1.91 listen.c
--- server/listen.c 25 Aug 2003 16:00:49 -  1.91
+++ server/listen.c 25 Aug 2003 23:18:54 -
@@ -395,8 +395,13 @@
 ap_listeners = lr->next;
 }
 
-/* So that previous becomes NULL in the next iteration */
-lr = NULL;
+   /* Allthough we've removed ourselves from the list, 
+ * we need to make sure that the next iteration won't
+ * consider "previous" a working IPv6 '::' socket. 
+ * Changing the family is enough to make sure the
+ * conditions before make_sock() fail. 
+ */
+lr->bind_addr->family = AF_INET;
 
 continue;
 }
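
Review bot: Writing `lr->bind_addr->family = AF_INET` on an entry that has just been unlinked uses the address family as a skip flag, which leaves `bind_addr` claiming a family its contents may not match and relies on nothing reading that record again. A local flag, or an explicit check on whether `previous` was removed, would carry the same intent without mutating the address. Also `Allthough` should be `Although`, and the first added comment line is indented differently from the rest.
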
-- 
Colm MacCárthaigh  Public Key: [EMAIL PROTECTED]
[EMAIL PROTECTED] http://www.stdlib.net/
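
Why `lr = NULL; continue;` crashes, as an added example that is not httpd code and not part of the original message: `continue` jumps to the loop's increment expression, which then dereferences the NULL pointer. The `struct listener` type, the `bind_ok` flag and the exact loop header are assumptions made for illustration; the working function shows one general way to unlink nodes during a walk, not the fix taken in the patch above.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a listener record (not httpd's own type). */
struct listener {
    int port;
    int bind_ok;             /* constructed flag: 0 simulates "port in use" */
    struct listener *next;
};

/*
 * Shape of the bug described in the message (loop header assumed):
 *
 *   for (lr = head; lr; previous = lr, lr = lr->next) {
 *       if (bind failed) { unlink lr; lr = NULL; continue; }
 *   }
 *
 * "continue" runs "previous = lr, lr = lr->next" with lr == NULL, which
 * is the segfault. Even without the crash, the "lr" test would end the
 * loop early and skip every remaining listener.
 */

/* Removal that needs no "previous": walk a pointer to the link itself. */
static int drop_failed(struct listener **head)
{
    int dropped = 0;
    struct listener **link = head;

    while (*link != NULL) {
        struct listener *lr = *link;
        if (!lr->bind_ok) {
            *link = lr->next;    /* unlink; the successor is tested next */
            dropped++;
            continue;
        }
        link = &lr->next;        /* advance only past entries we keep */
    }
    return dropped;
}

static int count_listeners(const struct listener *l)
{
    int n = 0;
    for (; l != NULL; l = l->next)
        n++;
    return n;
}

int main(void)
{
    /* Constructed list: failures at the head, back to back, and at the tail. */
    struct listener d = {8443, 0, NULL}, c = {443, 1, &d};
    struct listener b = {8080, 0, &c}, a = {80, 0, &b};
    struct listener *head = &a;

    printf("dropped %d, ", drop_failed(&head));
    printf("%d left, first port %d\n", count_listeners(head), head->port);
    return 0;
}
```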


[Patch] Allow SuexecUserGroup in

2003-09-01 Thread Colm MacCarthaigh

Patch attached arose in two parts; originally it was a trivial patch
to allow SuexecUserGroup directives in  blocks, because
a few people needed it, not least a large client ;) It effectively
means it's possible to execute different parts of a [virtual] host
as different users. 

The problem then of course is what to do about disabling this
for sub-directories, and the question of letting the site admin
over-ride suexec generally (like mod_userdir) ... which led
to extending the hook itself. This arose pretty much as the
result of PR9038 (see the text). 

The change to the hook (allow a module to defer to the next one,
or kill the ugid lookup there and then) makes the get_identity
hook more useful to modules in general. 

If I can get a non-I'm-crazy response, I'm contemplating a patch to 
mod_rewrite to allow setting the suexec user/group, this will solve 
some very complicated mapping problems we're having on a > 2000 user 
system (using suexec for each, right now we have to symlink everyone's 
public_html from an NFS /home, uggh).

This (mod_rewrite stuff) would also help solve the mass vhosting 
suexec problems somewhat, or at least make it a lot easier.

Back to this patch though, things this patch allows;


SuexecUserGroup  vuser vgroup
DocumentRoot /www/foo/
...


SuexecUserGroup baruser bargroup



SuexecUserGroup none


Can also do things like;

Userdir public_html


SuexecUserGroup none


Basically allow the site admin full control over where runs as who.
This would also close the ancient PR2760 (from the old bugdb), and
also in the STATUS file that can be removed anyway; 

  921 , suexec now checks cwd first, and has a dedicated logfile
  1120, this is covered by the patch proposed by me much much
further up the STATUS
  1905, this has been possible since 2.0
  2360, this is basically the perchild mpm

I suspect 2573 and 1268 can be removed, but can't find the bug text.

Now, back to PR1120. Is anyone interested to see "#exec cmd" working
for suexec ? I may clean up the 15-month old dodgy-patch of mine 
properly.

-- 
Colm MacCárthaigh  Public Key: [EMAIL PROTECTED]
[EMAIL PROTECTED] http://www.stdlib.net/
Index: docs/manual/mod/mod_suexec.html.en
===
RCS file: /home/cvspublic/httpd-2.0/docs/manual/mod/mod_suexec.html.en,v
retrieving revision 1.17
diff -u -u -r1.17 mod_suexec.html.en
--- docs/manual/mod/mod_suexec.html.en  29 May 2003 16:13:26 -  1.17
+++ docs/manual/mod/mod_suexec.html.en  31 Aug 2003 23:43:37 -
@@ -49,7 +49,7 @@
 
 Description:User and 
group permissions for CGI programs
 Syntax:SuexecUserGroup User 
Group
-Context:server config, 
virtual host
+Context:server config, 
virtual host, directory
 Status:Extension
 Module:mod_suexec
 Compatibility:SuexecUserGroup is 
only available in 2.0 and
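
Review bot: The Context row gains `directory`, but the Syntax row just above it still reads `SuexecUserGroup User Group`, while the text added further down documents a single-argument form `none`. The Syntax row should show that form too, otherwise the reference contradicts its own example.
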
@@ -64,6 +64,24 @@
 Example
 
 SuexecUserGroup nobody nogroup
+
+
+When given the single argument none within a 
+directory context the use of suexec will be disabled.
+
+Example
+
+
+
+SuexecUserGroup nobody nogroup
+
+
+
+
+
+SuexecUserGroup none
+
+
 
 
 
Index: docs/manual/mod/mod_suexec.xml
===
RCS file: /home/cvspublic/httpd-2.0/docs/manual/mod/mod_suexec.xml,v
retrieving revision 1.7
diff -u -u -r1.7 mod_suexec.xml
--- docs/manual/mod/mod_suexec.xml  11 Apr 2003 01:25:53 -  1.7
+++ docs/manual/mod/mod_suexec.xml  31 Aug 2003 23:43:37 -
@@ -26,7 +26,7 @@
 User and group permissions for CGI programs
 SuexecUserGroup User Group
 server config
-virtual host
+virtual host directory
 SuexecUserGroup is only available in 2.0 and
 later.
 
@@ -40,6 +40,24 @@
 
 Example
 SuexecUserGroup nobody nogroup
+
+
+When given the single argument none within a 
+directory context the use of suexec will be disabled.
+
+
+Example
+
+
+SuexecUserGroup nobody nogroup
+
+
+
+
+
+SuexecUserGroup none
+
+
 
 
 
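
Review bot: The added sentence says `none` disables suexec "within a directory context" but does not say what happens when `none` is given in server config or virtual host context, which the context list still allows. State whether that is rejected or ignored, so the documented behaviour matches what the directive handler does.
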
Index: docs/manual/mod/quickreference.html.en
===
RCS file: /home/cvspublic/httpd-2.0/docs/manual/mod/quickreference.html.en,v
retrieving revision 1.95
diff -u -u -r1.95 quickreference.html.en
--- docs/manual/mod/quickreference.html.en  29 Aug 2003 00:32:16 -  1.95
+++ docs/manual/mod/quickreference.html.en  31 Aug 2003 23:43:37 -
@@ -663,7 +663,7 @@
 Certificate verification
 StartServers 
numbersMNumber of child server processes created at startup
 StartThreads 
numbersMNumber of threads created on startup
-SuexecUserGroup User 
GroupsvEUser and group permissions for CGI programs
+SuexecUserGroup U