Apache 1.3.7 (RH73) question wrt CVEs

David Eisenstein deisenst at gtw.net
Fri May 12 06:44:52 UTC 2006


On Thu, 11 May 2006, Jim Popovitch wrote:

> In another arena I saw a list of CVEs against Apache 1.3.7.  RH73 ships 
> with Apache 1.3.7-9 so I thought I would query BZ and see what I could 
> find of these.  (I am a BZ newbie when it comes to queries).
>
> CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple 
> Vulnerabilities
> 
> CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service
> 
> CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence 
> Vulnerabilities
> 
> CVE-2003-0993 Apache mod_access Security Bypass
> 
> CVE-2004-0700 Apache mod_ssl Format String Vulnerability
> 
> 
> Unfortunately I couldn't find any of those in the Comments under Apache 
>   for Fedora Legacy Redhat 7.3.  I can't believe that all of those 
> aren't addressed, so lack of query results suggests to me that I am 
> missing something.  Some of those CVE/CANs are several years old, but 
> wouldn't they still be in BZ comments somewhere?

It appears that Red Hat Linux 7.3 shipped with apache-1.3.23-11...  I
don't know what shipped with apache-1.3.7 ...  From Fedora Legacy's
archives, RHL 7.3's apache was shipped on 16-Apr-2002.

The latest update for Red Hat 7.3's apache appears to have been released 
by the Fedora Legacy project on 18-Feb-2006 and is apache-1.3.27-9.legacy.

The latest mod_ssl for RHL 7.3 is mod_ssl-2.8.12-8.legacy, released
9-Nov-2005.

A couple of things.  First, not all Legacy work is documented in Red Hat's 
Bugzilla.  Initial Fedora Legacy group work thru Mar 2005 was tracked in 
http://bugzilla.fedora.us/.  For example, a quick peek there shows that
CAN-2004-0700 was handled here:
   <http://bugzilla.fedora.us/show_bug.cgi?id=1888>.

The second thing is that you may wish to check the apache's and mod_ssl's
changelogs.  If you have a RH7.3 system, you can do a query on the RPMs you
have installed:

   $ rpm -q --changelog apache 
   $ rpm -q --changelog mod_ssl

All vulnerabilities that are fixed *ought* to be mentioned in the
changelog, mentioning the CVE # in the changelog entry.  However, 
sometimes CVE's are taken care of by updating a package to a newer
upstream version, so package maintainers may or may not mention the
CVE's that an upstream-upgrade fixes.  Again, I think they *ought*
to, but they don't always.

Item-by-item:

  * CVE-2002-1233.  The description in the CVE database for this entry 
    goes:  
       "A regression error in the Debian distributions of the apache-ssl
       package (before 1.3.9 on Debian 2.2, and before 1.3.26 on Debian
       3.0), for Apache 1.3.27 and earlier, allows local users to read or
       modify the Apache password file via a symlink attack on temporary
       files when the administrator runs (1) htpasswd or (2) htdigest, a
       re-introduction of a vulnerability that was originally identified
       and addressed by CVE-2001-0131."  
    Further comment disputing the validity of the CVE is present also:
       "Cox> Many vendors have included fixes for CVE-2001-0131 in their
       distributions of Apache even though this has not been fixed
       upstream.  I still believe that this is not worthy of a separate CVE
       name since this is just Debian forgetting to include their fix for
       CVE-2001-0131 in one of their versions, and then correcting it."
     
    Since this is a Debian-only issue, I would not expect to find mention
    of CAN-2002-1233 in any Bugzilla nor the changelogs.

  * CVE-2003-0020.  This was fixed with Red Hat's release of
    apache-1.3.27-3 with their advisory RHSA-2003:243-07, issued on 2003-09-22
    when RH Linux 7.3 was still under Red Hat's care.  One can find this
    issue mentioned in apache-1.3.27-9.legacy's changelogs.  Ref:
    <http://rhn.redhat.com/errata/RHSA-2003-243.html>.

  * CVE-2003-0083.  According to this CVE, this vulnerability only affects
    Apache 1.3 before 1.3.25, so it would not have affected this version
    of apache.

  * CVE-2003-0993.  I don't see this one mentioned in the changelogs.  But
    I don't think this one would affect Legacy, as this issue only seems
    to affect Apache 1.3 when running on big-endian 64-bit platforms, 
    according to the CVE.  Legacy only supports x86 for RH Linux 7.3.

  * CVE-2004-0700.  This was fixed by legacy in mod_ssl-2.8.12-5.legacy.
    See the bugzilla.fedora.us mentioned above, as well as mod_ssl's
    changelogs.

  * CVE-2004-0748.  Looking at how it was reported for RHEL 3, in RH's
    Bugzilla # 130749, it appears to not affect mod_ssl with Apache
    1.3.  <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130749#c0>.
    So this would not have affected Red Hat Linux 7.3.

    For FC1 & newer distros that use Apache 2.0.xx, this appears to have
    been fixed with an upgrade to httpd-2.0.51.  For RHL 9, I am not
    finding where this was fixed, as the update advisory that included
    verbiage for this CVE
    <http://www.redhat.com/archives/fedora-legacy-announce/2004-October/msg00007.html>
    indicated that RHL 9 was not affected by this vulnerability.

  * CVE-2004-0751.  From the text of the CVE, this is a bug in the 
    char_buffer_read function in the mod_ssl module for Apache 2.xx.
    This vulnerability apparently does not affect Apache 1.3.xx.

Hope this helped, Jim.

> -Jim P.
> 
> --
> Fedora-security-list mailing list
> Fedora-security-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-security-list
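
Added example, not part of the original message: a small shell check for the changelog search described above, matching each id under both its CVE- and older CAN- prefix. The function names and the sample changelog text are constructed for illustration; on a real system the input would come from `rpm -q --changelog`.

```shell
#!/bin/sh
# Added example (not from the original post): which CVE ids does an RPM
# changelog name? Older entries use the candidate form "CAN-YYYY-NNNN".

# mentions_cve ID FILE: succeed if FILE names ID with either prefix.
mentions_cve() {
    num=${1#*-}                       # "CVE-2004-0700" -> "2004-0700"
    grep -Eqi "(CVE|CAN)-${num}([^0-9]|\$)" "$2"
}

# changelog_report FILE ID...: print "<id> mentioned" or "<id> not-mentioned".
changelog_report() {
    file=$1; shift
    for id in "$@"; do
        if mentions_cve "$id" "$file"; then
            echo "$id mentioned"
        else
            echo "$id not-mentioned"
        fi
    done
}

# Constructed changelog text for a hypothetical package, for offline runs.
sample_changelog() {
    cat <<'EOF'
* Sat Feb 18 2006 Example Packager <packager@example.invalid> 0.0-2.example
- update to newer upstream release (no ids listed)

* Mon Sep 22 2003 Example Packager <packager@example.invalid> 0.0-1.example
- add security fix for CAN-2003-0020
EOF
}

# On a real system: rpm -q --changelog apache > "$tmp" instead of the sample.
tmp=$(mktemp)
sample_changelog > "$tmp"
changelog_report "$tmp" CVE-2003-0020 CVE-2003-0993 CVE-2004-0700
rm -f "$tmp"
```

A "not-mentioned" result only says the id is absent from the changelog text; as the message notes, the fix may have arrived through an upstream version update or the issue may not apply to the package at all.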



