Bug 60871 (CVE-2004-0811)

Summary: VUL-0: CVE-2004-0811: apache2 2.0.51 issues
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Peter Poeml <poeml>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0811: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2004-09-23 16:51:21 UTC
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
cc: vulteam@niscc.gov.uk
Subject: [vendor-sec] CAN-2004-0811: Apache 2.0.51 authentication bypass

A number of users have reported that after upgrading to 2.0.51 their
password protected pages have been served without requiring
authentication.  This is due to a change made between 2.0.50 and 2.0.51
which broke the merging of the Satisfy directive.  This affects any
installation using the "Satisfy" directive, and is CAN-2004-0811.

If you have issued 2.0.51 updates using the official Apache 2.0.51 tarball
you are vulnerable to this issue and should apply the patch for
CAN-2004-0811 below.  The ASF is looking at producing a 2.0.52 within the
next day or two that includes this fix.

If you used the patches we supplied for the last security fixes and did a
backported update then this issue will not affect you.

http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch

This issue is public.

NISCC, please can you forward this message on to the list of folks you
notify about Apache issues.

Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team
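The advisory above says the problem shows up wherever a configuration uses Satisfy, because 2.0.51 merged that directive incorrectly between enclosing and nested sections. The script below is an added example written for this page; it is not code from the bug report, from the vendor-sec mail or from Apache httpd. It shows (1) the shape of a nested Satisfy configuration whose safety depends on the nested value winning after merging, (2) a triage step that finds every configuration file and .htaccess containing a Satisfy directive, which is the "am I affected" question the mail raises, and (3) a post-upgrade check that a protected URL fetched without credentials is still refused. The directory paths, the hostname in the usage line, the password file and the 192.0.2.0/24 network are placeholder assumptions, not values from the report.

```shell
#!/bin/sh
# Added example for the CAN-2004-0811 report; not part of the report or of
# Apache httpd. All paths, hostnames and the network range are placeholders.

# (1) Illustrative httpd.conf fragment (constructed). The parent section
# admits the internal network without a password (Satisfy Any); the nested
# section inherits the Require and Allow rules but sets Satisfy All, so a
# request there must satisfy both. Correct merging must let the nested
# "Satisfy All" override the parent's "Satisfy Any".
satisfy_config() {
cat <<'EOF'
<Directory "/srv/www/htdocs/intranet">
    AuthType Basic
    AuthName "Intranet"
    AuthUserFile "/etc/apache2/intranet.passwd"
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Satisfy Any
</Directory>

<Directory "/srv/www/htdocs/intranet/payroll">
    Satisfy All
</Directory>
EOF
}

# (2) Triage: print, one per line and sorted, every *.conf and .htaccess
# file below DIR that contains an uncommented Satisfy directive. Empty
# output means the installation does not use Satisfy at all.
find_satisfy() {
    find "$1" -type f \( -name '*.conf' -o -name '.htaccess' \) \
        -exec grep -Eil '^[[:space:]]*Satisfy[[:space:]]+(Any|All)([[:space:]]|$)' {} + \
        2>/dev/null | sort
}

# (3) Post-upgrade check. An anonymous request to a protected URL must be
# answered with 401 (credentials demanded) or 403 (refused). Anything else,
# in particular 200, means the restriction is not being enforced.
status_requires_auth() {
    case "$1" in
        401|403) return 0 ;;
        *)       return 1 ;;
    esac
}

# Fetch URL without credentials and apply the check. Needs a reachable
# server, so it is only shown here; e.g.
#   verify_protected http://intranet.example/intranet/payroll/
verify_protected() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    if status_requires_auth "$code"; then
        echo "OK: $1 -> $code (credentials required)"
    else
        echo "FAIL: $1 -> $code (served without authentication?)" >&2
        return 1
    fi
}
```

Run the triage against the live configuration root (for SUSE, /etc/apache2 plus the document roots where .htaccess files live) before deciding whether an installation needs the CAN-2004-0811 patch; after the upgrade, run verify_protected against every URL that is expected to prompt for a password, not just one, since the merge happens per section and a single passing URL says nothing about the others.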
Comment 1 Marcus Meissner 2004-09-23 16:51:22 UTC
n/a
Comment 2 Peter Poeml 2004-09-23 16:57:48 UTC
Not a normal occurrence at the Apache Software Foundation...
2.0.52 will be released today.

Luckily, we don't have 2.0.51 and its bug (it was released on the
fifteenth).
Comment 3 Marcus Meissner 2004-09-23 17:03:24 UTC
Thanks for verifying, Peter!
Comment 4 Thomas Biege 2009-10-13 19:50:44 UTC
CVE-2004-0811: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)