Apache 1.3.7 (RH73) question wrt CVEs
David Eisenstein
deisenst at gtw.net
Fri May 12 06:44:52 UTC 2006
On Thu, 11 May 2006, Jim Popovitch wrote:
> In another arena I saw a list of CVEs against Apache 1.3.7. RH73 ships
> with Apache 1.3.7-9 so I thought I would query BZ and see what I could
> find of these. (I am a BZ newbie when it comes to queries).
>
> CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple
> Vulnerabilities
>
> CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service
>
> CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence
> Vulnerabilities
>
> CVE-2003-0993 Apache mod_access Security Bypass
>
> CVE-2004-0700 Apache mod_ssl Format String Vulnerability
>
>
> Unfortunately I couldn't find any of those in the Comments under Apache
> for Fedora Legacy Redhat 7.3. I can't believe that all of those
> aren't addressed, so lack of query results suggests to me that I am
> missing something. Some of those CVE/CANs are several years old, but
> wouldn't they still be in BZ comments somewhere?
It appears that Red Hat Linux 7.3 shipped with apache-1.3.23-11... I
don't know what shipped with apache-1.3.7 ... From Fedora Legacy's
archives, RHL 7.3's apache was shipped on 16-Apr-2002.

The latest update for Red Hat 7.3's apache appears to have been released
by the Fedora Legacy project on 18-Feb-2006 and is apache-1.3.27-9.legacy.

The latest mod_ssl for RHL 7.3 is mod_ssl-2.8.12-8.legacy, released
9-Nov-2005.
A couple of things. First, not all Legacy work is documented in Red Hat's
Bugzilla. Initial Fedora Legacy group work thru Mar 2005 was tracked in
http://bugzilla.fedora.us/. For example, a quick peek there shows that
CAN-2004-0700 was handled here:
<http://bugzilla.fedora.us/show_bug.cgi?id=1888>.

The second thing is that you may wish to check the apache's and mod_ssl's
changelogs. If you have a RH7.3 system, you can do a query on the RPMs you
have installed:

    $ rpm -q --changelog apache
    $ rpm -q --changelog mod_ssl

All vulnerabilities that are fixed *ought* to be mentioned in the
changelog, mentioning the CVE # in the changelog entry. However,
sometimes CVE's are taken care of by updating a package to a newer
upstream version, so package maintainers may or may not mention the
CVE's that an upstream-upgrade fixes. Again, I think they *ought*
to, but they don't always.
Item-by-item:
* CVE-2002-1233. The description in the CVE database for this entry
goes:
"A regression error in the Debian distributions of the apache-ssl
package (before 1.3.9 on Debian 2.2, and before 1.3.26 on Debian
3.0), for Apache 1.3.27 and earlier, allows local users to read or
modify the Apache password file via a symlink attack on temporary
files when the administrator runs (1) htpasswd or (2) htdigest, a
re-introduction of a vulnerability that was originally identified
and addressed by CVE-2001-0131."
Further comment disputing the validity of the CVE is present also:
"Cox> Many vendors have included fixes for CVE-2001-0131 in their
distributions of Apache even though this has not been fixed
upstream. I still believe that this is not worthy of a separate CVE
name since this is just Debian forgetting to include their fix for
CVE-2001-0131 in one of their versions, and then correcting it."
Since this is a Debian-only issue, I would not expect to find mention
of CAN-2002-1233 in any Bugzilla nor the changelogs.
* CVE-2003-0020. This was fixed with Red Hat's release of
apache-1.3.27-3 with their advisory RHSA-2003:243-07, issued on 2003-09-22
when RH Linux 7.3 was still under Red Hat's care. One can find this
issue mentioned in apache-1.3.27-9.legacy's changelogs. Ref:
<http://rhn.redhat.com/errata/RHSA-2003-243.html>.
* CVE-2003-0083. According to this CVE, this vulnerability only affects
Apache 1.3 before 1.3.25, so it would not have affected this version
of apache.
* CVE-2003-0993. I don't see this one mentioned in the changelogs. But
I don't think this one would affect Legacy, as this issue only seems
to affect Apache 1.3 when running on big-endian 64-bit platforms,
according to the CVE. Legacy only supports x86 for RH Linux 7.3.
* CVE-2004-0700. This was fixed by legacy in mod_ssl-2.8.12-5.legacy.
See the bugzilla.fedora.us mentioned above, as well as mod_ssl's
changelogs.
* CVE-2004-0748. Looking at how it was reported for RHEL 3, in RH's
Bugzilla # 130749, it appears to not affect mod_ssl with Apache
1.3. <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130749#c0>.
So this would not have affected Red Hat Linux 7.3.
For FC1 & newer distros that use Apache 2.0.xx, this appears to have
been fixed with an upgrade to httpd-2.0.51. For RHL 9, I am not
finding where this was fixed, as the update advisory that included
verbiage for this CVE
<http://www.redhat.com/archives/fedora-legacy-announce/2004-October/msg00007.html>
indicated that RHL 9 was not affected by this vulnerability.
* CVE-2004-0751. From the text of the CVE, this is a bug in the
char_buffer_read function in the mod_ssl module for Apache 2.xx.
This vulnerability apparently does not affect Apache 1.3.xx.
Hope this helped, Jim.
> -Jim P.
>
> --
> Fedora-security-list mailing list
> Fedora-security-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-security-list
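
The changelog check described in the reply above, as an added example that is not part of the original message: a shell function that reads `rpm -q --changelog` output and reports, for each ID, the changelog entry that mentions it, treating the CAN- and CVE- prefixes as the same name. The function names and the sample changelog are constructed for illustration.

```shell
#!/bin/sh
# Added example: for each ID, report the rpm changelog entry that mentions it.
# Changelog text is read on stdin; on a host with the package installed:
#   rpm -q --changelog apache | changelog_cve_report CVE-2003-0020 ...
changelog_cve_report() {
    awk -v ids="$*" '
    BEGIN {
        n = split(ids, want, " ")
        for (i = 1; i <= n; i++) {
            key[i] = toupper(want[i])
            sub(/^(CVE|CAN)-/, "", key[i])      # keep only YYYY-NNNN
        }
    }
    /^\* / { entry = substr($0, 3); next }      # entry header: date, packager, release
    {
        line = toupper($0)
        for (i = 1; i <= n; i++) {
            # CAN- and CVE- name the same issue; the trailing class stops
            # 2003-0020 from matching inside a longer number.
            if (match(line, "(CVE|CAN)-" key[i] "([^0-9]|$)")) {
                hit[i] = 1
                where[i] = entry                # output is newest-first, so the
            }                                   # last match is the oldest entry
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            if (hit[i]) { printf "CVE-%s mentioned in: %s\n", key[i], where[i] }
            else        { printf "CVE-%s not mentioned\n", key[i] }
        }
    }'
}

# Constructed sample in rpm changelog layout (not real package history).
sample_changelog() {
    cat <<'EOF'
* Mon Jan 02 2006 Example Packager <pkg@example.invalid> 0.0-3.example
- rebuild; no security changes

* Wed Jan 01 2003 Example Packager <pkg@example.invalid> 0.0-2.example
- add patch for CAN-2003-0020 (constructed line)
EOF
}

sample_changelog | changelog_cve_report CVE-2003-0020 CVE-2003-0993
```

A "not mentioned" result is only a starting point: as the reply notes, a fix can arrive through an upstream version upgrade without the CVE being named, or the issue may not apply to the package at all.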