Bug 41150 (CVE-2003-0132)

Summary: VUL-0: CVE-2003-0132: Security update of apache2?
Product: [Novell Products] SUSE Security Incidents
Reporter: Forgotten User OS1JNCFbCX <forgotten_OS1JNCFbCX>
Component: Incidents
Assignee: Peter Poeml <poeml>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: dmueller, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2003-0245: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Forgotten User OS1JNCFbCX 2003-04-08 05:00:10 UTC
Although this security problem is known now for some time, apache2 is not listed in the 
pending vulnerabilities list in the security announcements. 
 
Are you aware of the problem? 
 
Is it planned to release an update? 
 
Note that details of the problem are announced to be disclosed TODAY.
Comment 1 Forgotten User OS1JNCFbCX 2003-04-08 05:00:10 UTC
Nothing to reproduce here.
Comment 2 Roman Drahtmueller 2003-04-08 09:56:16 UTC
We are.
Olaf, looks like we don't have to make bugs; They show up automatically.
:-)
Reassigning.
Comment 3 Peter Poeml 2003-04-14 21:42:53 UTC
Since Friday there has been a patch for 2.0.44, which fixes
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132

http://www.apache.org/dist/httpd/patches/apply_to_2.0.44/denial_of_service_fix.patch

The issue about file descriptor leak to child processes (such as cgi
scripts) remains. I don't know how to dissect the fairly widespread
changes in apr and apache from the other changes, and I am seriously
considering a version update... 

apache-2.0.45 runs fine, and the apr 0.9.2 prerelease that ships with it
is stable and known to work with subversion.
Comment 4 Olaf Kirch 2003-05-26 21:37:51 UTC
Dist meeting decision is to do a version upgrade. Please proceed.
Comment 5 Peter Poeml 2003-05-30 20:40:42 UTC
The update will be 2.0.46, which has three more fixes:

  Security [CAN-2003-0245]: Fixed a bug that could be triggered
    remotely through mod_dav
  Security [CAN-2003-0189]: Fixed a denial-of-service
    vulnerability affecting basic authentication
  Security: forward port of buffer overflow fixes for htdigest.

Comment 6 Forgotten User OS1JNCFbCX 2003-06-01 02:49:21 UTC
*** Bug 41939 has been marked as a duplicate of this bug. ***
Comment 7 Peter Poeml 2003-06-10 19:33:11 UTC
Updates are submitted (2.0.46), and are currently under control of
patch-management.
Comment 8 Forgotten User OS1JNCFbCX 2003-06-18 04:17:19 UTC
They are out now. 
Comment 9 Thomas Biege 2009-10-13 19:44:58 UTC
CVE-2003-0245: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)