Bugzilla – Bug 41150
VUL-0: CVE-2003-0132: Security update of apache2?
Last modified: 2021-09-27 09:50:18 UTC
Although this security problem is known now for some time, apache2 is not listed in the pending vulnerabilities list in the security announcements. Are you aware of the problem? Is it planned to release an update? Note that details of the problem are announced to be disclosed TODAY.
Nothing to reproduce here.
We are. Olaf, looks like we don't have to make bugs; They show up automatically. :-) Reassigning.
Since Friday there is a patch for 2.0.44, which fixes http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132: http://www.apache.org/dist/httpd/patches/apply_to_2.0.44/denial_of_service_fix.patch
The issue about the file descriptor leak to child processes (such as cgi scripts) remains. I don't know how to dissect the fairly widespread changes in apr and apache from the other changes, and I am seriously considering a version update... apache-2.0.45 runs fine, and the apr 0.9.2 prerelease that ships with it is stable and known to work with subversion.
dist meeting decision is to do a version upgrade. please proceed.
The update will be 2.0.46, which has three more fixes:
Security [CAN-2003-0245]: Fixed a bug that could be triggered remotely through mod_dav
Security [CAN-2003-0189]: Fixed a denial-of-service vulnerability affecting basic authentication
Security: forward port of buffer overflow fixes for htdigest.
*** Bug 41939 has been marked as a duplicate of this bug. ***
Updates are submitted (2.0.46), and are currently under control of patch-management.
They are out now.
CVE-2003-0245: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)