Re: Patch for fixing CAN-2004-0940 in apache 1.3, update
Hi Joey! Martin Schulze [2004-11-01 20:18 +0100]: Thanks a lot. There's another update in the work that fixes problem with htpasswd. I'm attaching the patch. I haven't received a CVE Id so will forward it when it is there. For sid please let me know which version of Apache that will have both problems fixed. Version apache_1.3.31-8 has this fix and is ready to be uploaded. But I would really like to include the CAN number before I do this. Thanks for the patch and have a nice day! Martin -- Martin Pitt http://www.piware.de Ubuntu Developerhttp://www.ubuntulinux.org Debian GNU/Linux Developer http://www.debian.org signature.asc Description: Digital signature
Re: Patch for fixing CAN-2004-0940 in apache 1.3, update
Hi again,
Martin Pitt [2004-10-29 14:22 +0200]:
I prepared a patch for fixing a mod_include buffer overflow in Ubuntu
and was asked by Fabio to upload a fixed sid version as well
(1.3.31-7).
Please find attached the interdiff that was used for 1.3.31-7; you can
remove the Uploaders: change; the patch patch should give no
problems, just the changelog patch will probably fail due to a
different woody version.
katie rejected my upload because libapache-mod-perl was still the old
version. One has to manually tweak that in debian/rules. I reuploaded
using attached (updated) interdiff. The two new hunks will not apply
to woody, too (since woody has other revision numbers), but at least
you know where to change what :-)
That's what you get by poking in other people's packages...
Happy patching and have a nice day!
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developerhttp://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
diff -u apache-1.3.31/debian/changelog apache-1.3.31/debian/changelog
--- apache-1.3.31/debian/changelog
+++ apache-1.3.31/debian/changelog
@@ -1,3 +1,13 @@
+apache (1.3.31-7) unstable; urgency=high
+
+ * SECURITY UPDATE to fix a buffer overflow in mod_include
+ * added patch 000_stolen_from_HEAD_CAN-2004-0940, backported from upstream
+CVS (CAN-2004-0940)
+ * Same security update as for Ubuntu, Fabio asked me to upload and add
+myself to Uploaders.
+
+ -- Martin Pitt [EMAIL PROTECTED] Fri, 29 Oct 2004 10:18:38 +0200
+
apache (1.3.31-6) unstable; urgency=medium
* (Fabio M. Di Nitto)
diff -u apache-1.3.31/debian/control apache-1.3.31/debian/control
--- apache-1.3.31/debian/control
+++ apache-1.3.31/debian/control
@@ -2,7 +2,7 @@
Section: web
Priority: optional
Maintainer: Debian Apache Maintainers debian-apache@lists.debian.org
-Uploaders: Tollef Fog Heen [EMAIL PROTECTED], Thom May [EMAIL PROTECTED],
Fabio M. Di Nitto [EMAIL PROTECTED], Matthew Wilcox [EMAIL PROTECTED],
Amaya Rodrigo Sastre [EMAIL PROTECTED]
+Uploaders: Tollef Fog Heen [EMAIL PROTECTED], Thom May [EMAIL PROTECTED],
Fabio M. Di Nitto [EMAIL PROTECTED], Matthew Wilcox [EMAIL PROTECTED],
Amaya Rodrigo Sastre [EMAIL PROTECTED], Martin Pitt [EMAIL PROTECTED]
Standards-Version: 3.6.1
Build-Depends: debhelper (= 4.1.16), sharutils, libdb4.2-dev (= 4.2.52),
libexpat1-dev, imagemagick, libssl-dev, perl (= 5.8.4-2), libperl-dev (=
5.8.4-2), libwww-perl, libdevel-symdump-perl, libhtml-parser-perl, po-debconf
diff -u apache-1.3.31/debian/rules apache-1.3.31/debian/rules
--- apache-1.3.31/debian/rules
+++ apache-1.3.31/debian/rules
@@ -12,7 +12,7 @@
DEBMAJOR=
APACHE_MAJOR = 1.3.31
-APACHE_MINOR = 6
+APACHE_MINOR = 7
PERL_MAJOR = 1.29
SSL_MAJOR= 1.3.29
SSL_MINOR= 1.53
@@ -753,7 +753,7 @@
dh_shlibdeps -a
dh_gencontrol -a -u-isp
# dh_gencontrol -v -plibapache-mod-perl
-u-v$(PERL_MAJOR)$(DEBMAJOR)-$(APACHE_MINOR)
- dh_gencontrol -v -plibapache-mod-perl -u-v1.29.0.2-13
+ dh_gencontrol -v -plibapache-mod-perl -u-v1.29.0.2-14
dh_md5sums -a
dh_builddeb -a
only in patch2:
unchanged:
--- apache-1.3.31.orig/debian/patches/000_stolen_from_HEAD_CAN-2004-0940
+++ apache-1.3.31/debian/patches/000_stolen_from_HEAD_CAN-2004-0940
@@ -0,0 +1,215 @@
+===
+RCS file: /home/cvspublic/apache-1.3/src/modules/standard/mod_include.c,v
+retrieving revision 1.140
+retrieving revision 1.141
+diff -u -r1.140 -r1.141
+--- build-tree.orig/apache_1.3.31/src/modules/standard/mod_include.c
2004/02/28 22:19:04 1.140
build-tree/apache_1.3.31/src/modules/standard/mod_include.c
2004/10/22 19:31:08 1.141
+@@ -309,9 +309,10 @@
+ * the tag value is html decoded if dodecode is non-zero
+ */
+
+-static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int
dodecode)
++static char *get_tag(request_rec *r, FILE *in, char *tag, int tagbuf_len, int
dodecode)
+ {
+ char *t = tag, *tag_val, c, term;
++pool *p = r-pool;
+
+ /* makes code below a little less cluttered */
+ --tagbuf_len;
+@@ -337,7 +338,7 @@
+
+ /* find end of tag name */
+ while (1) {
+-if (t - tag == tagbuf_len) {
++if (t == tag + tagbuf_len) {
+ *t = '\0';
+ return NULL;
+ }
+@@ -371,16 +372,30 @@
+ term = c;
+ while (1) {
+ GET_CHAR(in, c, NULL, p);
+-if (t - tag == tagbuf_len) {
++if (t == tag + tagbuf_len) {
+ *t = '\0';
++ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
++ mod_include: value length exceeds limit
++ (%d) in %s, tagbuf_len, r-filename);
+ return NULL;
+ }
+-/* Want to accept \ as a valid character within a string. */
++/* Want to accept \ as a valid character within a string. */
+ if (c
Bug#252254: apache2-common: Please clean up after yourself
Package: apache2-common Version: 2.0.49-1 Severity: normal Hi apache team! For testing purposes I just installed apache2-common together with apache2-mpm-worker and purged both packages again. I did not change anything in /etc/apache2/. Despite the purge, the installation left the following files and directories behind: -- snip - # ls -lR /etc/apache2/ /var/log/apache2/ /var/www/ /etc/apache2/: total 5 -rw-r--r--1 root root0 Jun 2 12:43 httpd.conf drwxr-xr-x2 root root 80 Jun 2 13:08 mods-enabled -rw-r--r--1 root root 10 May 31 22:42 ports.conf drwxr-xr-x2 root root 72 May 31 22:42 sites-enabled /etc/apache2/mods-enabled: total 1 lrwxrwxrwx1 root root 30 May 31 23:03 userdir.conf - ../mods-available/userdir.conf /etc/apache2/sites-enabled: total 1 lrwxrwxrwx1 root root 36 May 31 22:42 default - /etc/apache2/sites-available/default /var/log/apache2/: total 204 -rw-r--r--1 root root96496 Jun 2 13:04 access.log -rw-r--r--1 root root 109486 Jun 2 13:00 error.log /var/www/: total 8 -rw-r--r--1 www-data www-data 4698 Dec 9 15:17 index.html -- snip - Leaving /var/www/index.html is still acceptable (however, you could test whether it was modified), but your files from /etc/apache2/ and also /var/log/apache2 (according to Policy 10.8) must be removed. Thanks and have a nice day! Martin -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.6+skas-donald Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] -- Martin Pitt Debian GNU/Linux Developer [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.piware.de http://www.debian.org signature.asc Description: Digital signature
Bug#247140: apache: Uninstallable in sid
Package: apache Version: 1.3.29.0.2-5 Severity: grave Tags: sid Justification: renders package unusable Hi Debian apache team! After today's dist-upgrade (via dselect), I got a surprising boot message that apache was not executable. 'dpkg -L apache' showed that the package was essentially empty (just two or three directories and config files), apache-common was completely empty. So I purged the packages and tried to reinstall them, but that is impossible: apache depends on perl ( 5.8.4-0), but perl is at 5.8.4-1. I'm not sure whether this is the reason why the package was not unpacked properly (I did not read dselect output since it exited cleanly and did not prompt for anything). Nevertheless this dependency makes apache uninstallable in sid. Thanks for sorting that out and for your efforts! Martin -- System Information: Debian Release: testing/unstable Architecture: i386 (i686) Kernel: Linux 2.6.5-grsec Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] -- Martin Pitt Debian GNU/Linux Developer [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.piware.de http://www.debian.org
Re: conf.d usage
Hi again! On 2004-01-01 13:47 +0100, Martin Pitt wrote: Recently, the conf.d directory was added to better support this kind of applications. So I tried to put this line into /etc/apache/conf.d/fibusql, but it does not work. Please excuse the noise, it works now. Stupid small error... I could not find any documentation how to use conf.d, can you point me to any? I would still be interested in this. The problem that this configuration may not work with more complex setups (several virtual hosts, stricter security settings) remains. What would you propose for this case? Explain the situation in README.Debian and have the administrator fix the configuration file manually? Maybe display a warning debconf note in addition? Thanks again, Martin -- Martin Pitt Debian GNU/Linux Developer [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.piware.de http://www.debian.org signature.asc Description: Digital signature
conf.d usage
Hi apache maintainers! First, a happy new year 2004 to everybody! I maintain the package fibusql, a web application for bookkeeping. Currently, the package installs its php scripts in /usr/share/fibusql and relies on the administrator to install an alias like Alias /fibusql /usr/share/fibusql in /etc/apache/httpd.conf, or /etc/apache-ssl/httpd.conf. Recently, the conf.d directory was added to better support this kind of applications. So I tried to put this line into /etc/apache/conf.d/fibusql, but it does not work. I could not find any documentation how to use conf.d, can you point me to any? Thanks in advance and have a nice day! Martin -- Martin Pitt Debian GNU/Linux Developer [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.piware.de http://www.debian.org signature.asc Description: Digital signature
