O-015: Apache HTTP Server 2.0.48 Release Fixes Security Vulnerabilities

O-015: Apache HTTP Server 2.0.48 Release Fixes Security Vulnerabilities Privacy and Legal Notice INFORMATION BULLETIN O-015: Apache HTTP Server 2.0.48 Release Fixes Security Vulnerabilities [Apache 2.0.48 Released] October 29, 2003 19:00 GMT
[REVISED 21 Nov 2003]
[REVISED 10 Dec 2003]
[REVISED 17 Dec 2003]
[REVISED 18 Dec 2003]
[REVISED 14 Jan 2004]
[REVISED 11 Feb 2004]
[REVISED 21 Sep 2004]
[REVISED 12 Oct 2004]
[REVISED 15 Aug 2005]


PROBLEM:	There exist two security vulnerabilities: 1) mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded Multi-processing Module (MPM) is used. 2) A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 captures is configured.
SOFTWARE:	Apache 2.0.47
PLATFORM:	HP-UX B.11.00, B.11.11, B.11.20, B.11.23 Red Hat Enterprise Linux - AS, ES, and WS v2.1 and v.3 Red Hat Linux 7.1, 7.2, 7.3, 8.0 and 9 SGI Sun Solaris 8 and 9
DAMAGE:	1) Information for one user could be directed to another. 2) A buffer overflow could cause a system crash or be used to take control of a system.
SOLUTION:	Upgrade to appropriate version or apply appropriate patches.

VULNERABILITY ASSESSMENT:	The risk is LOW. The first problem is unlikely to expose a system to additional compromise. For the second problem, a mod_rewrite regular expression is unlikely to be configured to have more than 9 captures.

LINKS:
CIAC BULLETIN:	http://www.ciac.org/ciac/bulletins/o-015.shtml
ORIGINAL BULLETIN:	http://www.apache.org/dist/httpd/Announcement2.html
ADDITIONAL INFORMATION:	Visit Hewlett Packard's Subscription Service for: HPSBUX0311-301 (SSRT3663)
	RED HAT Security Advisory RHSA-2003:360-08 https://rhn.redhat.com/errata/RHSA-2003-360.html
	RED HAT Security Advisory RHSA-2003:320-09 https://rhn.redhat.com/errata/RHSA-2003-320.html
	RED HAT Security Advisory RHSA-2003:405-04 https://rhn.redhat.com/errata/RHSA-2003-405.html
	RED HAT Security Advisory RHSA-2004:015-04 https://rhn.redhat.com/errata/RHSA-2004-015.html
	SGI security update #7 ftp://patches.sgi.com/support/free/security/advisories/20031203-01-U.asc
	Sun Alert ID: 57496 (superceded by Alert ID: 101444) http://www.sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-101444-1
CVE/CAN:	http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2003-0789 CVE-2003-0542

REVISION HISTORY:
11/21/03 - Added Hewlett Packard's bulletin link information for HPSBUX0311-301
(SSRT3663), added HP-UX in the Platform section.
12/10/03 - Added Red Hat's advisory link information for RHSA-2003:360-08 for
their Enterprise Linux products, and added product versions in the
the Platform section.
12/17/03 - Added Red Hat's advisory link information for RHSA-2003:320-09 for
Linux 8.0 and 9 platforms, and added to the Platform section.
12/18/03 - (1) added a link to Red Hat's Security Advisory RHSA-2003:405-04
announcing the release of their updated Apache httpd packages for
their Linux platforms 7.1, 7.2 and 7.3.
(2) added a link to SGI's Security Update #7 announcing the release
of their Patch 10039 for this vulnerability.
1/14/04 - add a link to Red Hat's Security Advisory RHSA-2004:015-04 announcing
the release of their updated Apache httpd packages for their Enterprise
Linux platforms AS, ES, WS (v. 3).
2/11/04 - add a link to Sun Alert ID: 57496.
9/21/04 - Sun Alert ID #57496 was updated by the release of T-patches for
Solaris 8.
10/12/04 - Sun Alert ID #57496 was updated. The Contributing Factors and Resolution
sections were modified.
08/15/05 - Sun Microsystems has superceded their Alert ID #57496 with Alert ID: 101444
and modified Contributing Factors and Resolutions sections where links to
patches are provided.

[***** Start Apache 2.0.48 Released *****]

Apache HTTP Server 2.0.48 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the eleventh
public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.48
as compared to 2.0.47.

This version of Apache is principally a bug fix release. A summary of the bug fixes is given at the end
of this document. Of particular note is that 2.0.48 addresses two security vulnerabilities:

mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a
threaded MPM is used.
[CAN-2003-0789]

A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9
captures is configured.
[CAN-2003-0542]

This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release
to be the best version of Apache available and encourage users of all prior versions to upgrade.

Apache 2.0.48 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For
an overview of new features introduced after 1.3 please see

http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep in mind the following:

If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the
libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these
modules to obtain this information.

Apache 2.0.48 Major changes

Security vulnerabilities closed since Apache 2.0.47

SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate
with the cgid daemon and the CGI script. [Jeff Trawick]
SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and mod_rewrite which occurred if one
configured a regular expression with more than 9 captures. [André Malo]

Bugs fixed and features added since Apache 2.0.47

mod_include: fix segfault which occured if the filename was not set, for example, when processing some
error conditions. PR 23836. [Brian Akins , André Malo]
fix the config parser to support .. containers (no arguments in the opening tag) supported by
httpd 1.3. Without this change mod_perl 2.0's sections are broken. ["Philippe M. Chiasson" ]
mod_cgid: fix a hash table corruption problem which could result in the wrong script being cleaned up at
the end of a request. [Jeff Trawick]
Update httpd-*.conf to be clearer in describing the connection between AddType and AddEncoding for defining
the meaning of compressed file extensions. [Roy Fielding]
mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André Malo]
mod_rewrite: Fix mod_rewrite's support of the [P] option to send rewritten request using "proxy:". The code
was adding multiple "proxy:" fields in the rewritten URI. PR: 13946. [Eider Oliveira ]
cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as directed in RFC 2616.
[Thomas Castelle ]
Ensure that ssl-std.conf is generated at configure time, and switch to using the expanded config variables to
work the same as httpd-std.conf PR: 19611 [Thom May]
mod_ssl: Fix segfaults after renegotiation failure. PR 21370 [Hartmut Keil ]
mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive, the folder icon is no
longer replaced by the icon of that file. PR 9587. [David Shane Holden ]
Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's name. PR 16661. [Manni Wood ]
mod_cache: Fix the cache code so that responses can be cached if they have an Expires header but no Etag or
Last-Modified headers. PR 23130. [bjorn@exoweb.net]
mod_log_config: Fix %b log format to write really "-" when 0 bytes were sent (e.g. with 304 or 204 response
codes). [Astrid Keßler]
Modify ap_get_client_block() to note if it has seen EOS. [Justin Erenkrantz]
Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the Accept-Encoding header contained
only other tokens than "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo]
Avoid an infinite recursion, which occured if the name of an included config file or directory contained a wildcard
character. PR 22194. [André Malo]
mod_ssl: Fix a problem setting variables that represent the client certificate chain. PR 21371 [Jeff Trawick]
Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_mutex_perms(). Allow the functions
to be called for any type of mutex. PR 20312 [Jeff Trawick]
ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
Fix a misleading message from the some of the threaded MPMs when MaxClients has to be lowered due to the setting of
ServerLimit. [Jeff Trawick]
Lower the severity of the "listener thread didn't exit" message to debug, as it is of interest only to developers.
PR 9011 [Jeff Trawick]
MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. [Cliff Woolley, Jean-Jacques Clar]
Install config.nice into the build/ directory to make minor version upgrades easier. [Joshua Slive]
Fix mod_deflate so that it does not call deflate() without checking first whether it has something to deflate.
(Currently this causes deflate to generate a fatal error according to the zlib spec.) PR 22259. [Stas Bekman]
mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an identity spoof is encountered. [Sander Striker]
mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested
without a trailing slash. PR 20195. [André Malo]
ab: Overlong credentials given via command line no longer clobber the buffer. [André Malo]
mod_deflate: Don't attempt to hold all of the response until we're done. [Justin Erenkrantz]
Assure that we block properly when reading input bodies with SSL. PR 19242. [David Deaves ,
William Rowe]
Update mime.types to include latest IANA and W3C types. [Roy Fielding]
mod_ext_filter: Set additional environment variables for use by the external filter. PR 20944. [Andrew Ho, Jeff
Trawick]
Fix buildconf errors when libtool version changes. [Jeff Trawick]
Remember an authenticated user during internal redirects if the redirection target is not access protected and pass
it to scripts using the REDIRECT_REMOTE_USER environment variable. PR 10678, 11602. [André Malo]
mod_include: Fix a trio of bugs that would cause various unusual sequences of parsed bytes to omit portions of the
output stream. PR 21095. [Ron Park , André Malo, Cliff Woolley]
Update the header token parsing code to allow LWS between the token word and the ':' seperator. [PR 16520] [Kris
Verbeeck , Nicel KM ]
Eliminate creation of a temporary table in ap_get_mime_headers_core() [Joe Schaefer ]
Added FreeBSD directory layout. PR 21100. [Sander Holthaus , André Malo]
Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. [Glenn Nielsen , André Malo]
mod_rewrite: Perform child initialization on the rewrite log lock. This fixes a log corruption issue when flock-
based serialization is used (e.g., FreeBSD). [Jeff Trawick]
Don't respect the Server header field as set by modules and CGIs. As with 1.3, for proxy requests any such field is
from the origin server; otherwise it will have our server info as controlled by the ServerTokens directive. [Jeff Trawick]

[***** End Apache 2.0.48 Released *****]

CIAC wishes to acknowledge the contributions of Apache for the information contained in this bulletin.

DOE-CIRC can be contacted at:

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/