On Thu, 11 May 2006, Jim Popovitch wrote: > In another arena I saw a list of CVEs against Apache 1.3.7. RH73 ships > with Apache 1.3.7-9 so I thought I would query BZ and see what I could > find of these. (I am a BZ newbie when it comes to queries). > > CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple > Vulnerabilities > > CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service > > CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence > Vulnerabilities > > CVE-2003-0993 Apache mod_access Security Bypass > > CVE-2004-0700 Apache mod_ssl Format String Vulnerability > > > Unfortunately I couldn't find any of those in the Comments under Apache > for Fedora Legacy Redhat 7.3. I can't believe that all of those > aren't addressed, so lack of query results suggests to me that I am > missing something. Some of those CVE/CANs are several years old, but > wouldn't the still be in BZ comments somewhere? It appears that Red Hat Linux 7.3 shipped with apache-1.3.23-11... I don't know what shipped with apache-1.3.7 ... From Fedora Legacy's archives, RHL 7.3's apache was shipped on 16-Apr-2002. The latest update for Red Hat 7.3's apache appears to have been released by the Fedora Legacy project on 18-Feb-2006 and is apache-1.3.27-9.legacy. The latest mod_ssl for RHL 7.3 is mod_ssl-2.8.12-8.legacy, released 9-Nov-2005. A couple of things. First, not all Legacy work is documented in Red Hat's Bugzilla. Initial Fedora Legacy group work thru Mar 2005 was tracked in http://bugzilla.fedora.us/. For example, a quick peek there shows that CAN-2004-0700 was handled here: <http://bugzilla.fedora.us/show_bug.cgi?id=1888>. The second thing is that you may wish to check the apache's and mod_ssl's changelogs. If you have a RH7.3 system, you can do a query on the RPMs you have installed: $ rpm -q --changelog apache $ rpm -q --changelog mod_ssl All vulnerabilities that are fixed *ought* to be mentioned in the changelog, mentioning the CVE # in the changelog entry. However, sometimes CVE's are taken care of by updating a package to a newer upstream version, so package maintainers may or may not mention the CVE's that an upstream-upgrade fixes. Again, I think they *ought* to, but they don't always. Item-by-item: * CVE-2002-1233. The description in the CVE database for this entry goes: "A regression error in the Debian distributions of the apache-ssl package (before 1.3.9 on Debian 2.2, and before 1.3.26 on Debian 3.0), for Apache 1.3.27 and earlier, allows local users to read or modify the Apache password file via a symlink attack on temporary files when the administrator runs (1) htpasswd or (2) htdigest, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2001-0131." Further comment disputing the validity of the CVE is present also: "Cox> Many vendors have included fixes for CVE-2001-0131 in their distributions of Apache even though this has not been fixed upstream. I still believe that this is not worthy of a separate CVE name since this is just Debian forgetting to include their fix for CVE-2001-0131 in one of their versions, and then correcting it." Since this is a Debian-only issue, I would not expect to find mention of CAN-2002-1233 in any Bugzilla nor the changelogs. * CVE-2003-0020. This was fixed with Red Hat's release of apache- 1.3.27-3 with their advisory RHSA-2003:243-07, issued on 2003-09-22 when RH Linux 7.3 was still under Red Hat's care. One can find this issue mentioned in apache-1.3.27-9.legacy's changelogs. Ref: <http://rhn.redhat.com/errata/RHSA-2003-243.html>. * CVE-2003-0083. According to this CVE, this vulnerability only affects Apache 1.3 before 1.3.25, so it would not have affected this version of apache. * CVE-2003-0993. I don't see this one mentioned in the changelogs. But I don't think this one would affect Legacy, as this issue only seems to affect Apache 1.3 when running on big-endian 64-bit platforms, according to the CVE. Legacy only supports x86 for RH Linux 7.3. * CVE-2004-0700. This was was fixed by legacy in mod_ssl-2.8.12-5.legacy. See the bugzilla.fedora.us mentioned above, as well as mod_ssl's changelogs. * CVE-2004-0748. Looking at how it was reported for RHEL 3, in RH's Bugzilla # 130749, it appears to not affect mod_ssl with Apache 1.3. <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130749#c0>. So this would not have affected Red Hat Linux 7.3 For FC1 & newer distros that use Apache 2.0.xx, this appears to have been fixed with an upgrade to httpd-2.0.51. For RHL 9, I am not fin- ding where this was fixed, as the update advisory that included verbiage for this CVE <http://www.redhat.com/archives/fedora-legacy-announce/2004-October/msg00007.html> indicated that RHL 9 was not affected by this vulnerability. * CVE-2004-0751. From the text of the CVE, this is a bug in the char_buffer_read function in the mod_ssl module for Apache 2.xx. This vulnerability apparently does not affect Apache 1.3.xx. Hope this helped, Jim. > -Jim P. > > -- > Fedora-security-list mailing list > Fedora-security-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-security-list -- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list