Bug 60871 (CVE-2004-0811) - VUL-0: CVE-2004-0811: apache2 2.0.51 issues
Summary: VUL-0: CVE-2004-0811: apache2 2.0.51 issues
Status: RESOLVED INVALID
Alias: CVE-2004-0811
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Peter Poeml
QA Contact: Security Team bot
Whiteboard: CVE-2004-0811: CVSS v2 Base Score: 7....
Reported: 2004-09-23 16:51 UTC by Marcus Meissner
Modified: 2021-10-02 09:54 UTC
Description Marcus Meissner 2004-09-23 16:51:21 UTC
From: Mark J Cox <mjc@redhat.com>                                                
To: vendor-sec@lst.de                                                            
cc: vulteam@niscc.gov.uk                                                         
Subject: [vendor-sec] CAN-2004-0811: Apache 2.0.51 authentication bypass         
                                                                                 
A number of users have reported that after upgrading to 2.0.51 their             
password protected pages have been served without requiring                      
authentication.  This is due to a change made between 2.0.50 and 2.0.51          
which broke the merging of the Satisfy directive.  This affects any              
installation using the "Satisfy" directive, and is CAN-2004-0811.                
                                                                                 
If you have issued 2.0.51 updates using the official Apache 2.0.51 tarball       
you are vulnerable to this issue and should apply the patch for                  
CAN-2004-0811 below.  The ASF is looking at producing a 2.0.52 within the        
next day or two that includes this fix.                                          
                                                                                 
If you used the patches we supplied for the last security fixes and did a        
backported update then this issue will not affect you.                           
                                                                                 
http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch     
                                                                                 
This issue is public.                                                            
                                                                                 
NISCC, please can you forward this message on to the list of folks you           
notify about Apache issues.                                                      
                                                                                 
Thanks, Mark                                                                     
--                                                                               
Mark J Cox / Red Hat Security Response Team
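A triage check for the condition the advisory above describes (version 2.0.51 combined with any use of `Satisfy`), added here as an example and not part of the original report or of Apache's own tooling. The function names and the sample configuration are assumptions, and the caller is assumed to pass in the full configuration text, including any included files and `.htaccess` contents.

```python
import re

AFFECTED = "2.0.51"  # the only release the advisory names as broken

# Constructed sample configuration (paths and sections are made up).
SAMPLE_CONF = """\
<Directory "/srv/www/private">
    AuthType Basic
    Require valid-user
    Satisfy All
</Directory>
<Location /status>
    # Satisfy Any
    satisfy any
</Location>
"""

def server_version(banner):
    """Pull the version out of `httpd -v` output or a Server: header."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def find_satisfy(conf):
    """Return (line_no, enclosing_section, argument) for every active Satisfy."""
    stack, hits = [], []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("</"):
            if stack:
                stack.pop()               # leaving a container section
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip())
        else:
            # Directive names are case-insensitive in httpd configuration.
            m = re.match(r"satisfy\s+(\w+)", line, re.IGNORECASE)
            if m:
                where = stack[-1] if stack else "(top level)"
                hits.append((no, where, m.group(1).lower()))
    return hits

def triage(banner, conf):
    """Flag a host for the patch when it runs 2.0.51 and uses Satisfy at all."""
    version, hits = server_version(banner), find_satisfy(conf)
    return {"version": version, "satisfy": hits,
            "needs_patch": version == AFFECTED and bool(hits)}

if __name__ == "__main__":
    print(triage("Server version: Apache/2.0.51", SAMPLE_CONF))
```

The version string alone cannot show whether the CAN-2004-0811 patch was already applied to a 2.0.51 build, so a positive result is a prompt to confirm the patch level by hand.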
Comment 1 Marcus Meissner 2004-09-23 16:51:22 UTC
n/a
Comment 2 Peter Poeml 2004-09-23 16:57:48 UTC
Not a normal occurrence at the Apache Software Foundation...
2.0.52 will be released today.

Luckily, we don't have 2.0.51 and its bug (it was released on the
fifteenth).
Comment 3 Marcus Meissner 2004-09-23 17:03:24 UTC
Thanks for verifying, Peter!
Comment 4 Thomas Biege 2009-10-13 19:50:44 UTC
CVE-2004-0811: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)