Return-Path: Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 78529 invoked by uid 500); 30 Jul 2002 13:08:05 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 78518 invoked by uid 500); 30 Jul 2002 13:08:05 -0000 Delivered-To: apmail-apache-1.3-cvs@apache.org Date: 30 Jul 2002 13:08:05 -0000 Message-ID: <20020730130805.37914.qmail@icarus.apache.org> From: mjc@apache.org To: apache-1.3-cvs@apache.org Subject: cvs commit: apache-1.3/src CHANGES X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N mjc 2002/07/30 06:08:04 Modified: src CHANGES Log: Add 3 new CVE names for old (circa 2000) security issues; rearrange security changes so they are consistent Revision Changes Path 1.1840 +26 -27 apache-1.3/src/CHANGES Index: CHANGES =================================================================== RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1839 retrieving revision 1.1840 diff -u -r1.1839 -r1.1840 --- CHANGES 24 Jul 2002 20:41:23 -0000 1.1839 +++ CHANGES 30 Jul 2002 13:08:04 -0000 1.1840 @@ -38,10 +38,10 @@ Changes with Apache 1.3.25 - *) SECURITY: Code changes required to address and close the - security issues in CAN-2002-0392 (cve.mitre.org) [CERT VU#944335]. - To support this, we utilize the ANSI functionality of - strtol, and provide ap_strtol for completeness. + *) SECURITY: CAN-2002-0392 (cve.mitre.org) [CERT VU#944335] + Code changes required to address and close chunked + encoding security issues. To support this, we utilize the ANSI + functionality of strtol, and provide ap_strtol for completeness. [Aaron Bannert, Justin Erenkrantz, Jim Jagielski, Brian Pane, William Rowe, Cliff Woolley]
@@ -533,16 +533,15 @@ just happened to be index.html.zh.Big5. [Bill Stoddard, Bill Rowe] PR #8130 - *) SECURITY: Close autoindex /?M=D directory listing hole reported + *) SECURITY: CAN-2001-0731 (cve.mitre.org) + Close autoindex /?M=D directory listing hole reported in bugtraq id 3009. In some configurations where multiviews and indexes are enabled for a directory, requesting URI /?M=D could result in a directory listing being returned to the client rather than the negotiated index.html variant that was configured and expected. The work around for this problem (for pre 1.3.21 releases) is to disable Indexes or Multiviews in the affected - directories. The Common Vulnerabilities and Exposures project - (cve.mitre.org) has assigned the name CAN-2001-0731 to this issue. - [Bill Stoddard, Bill Rowe] + directories. [Bill Stoddard, Bill Rowe] *) Enabled Win32/OS2/Netware file paths (not / rooted, but c:/ rooted) as arguments for mod_vhost_alias'es directives. [William Rowe] @@ -556,15 +555,14 @@ *) PORT: Some Cygwin changes, esp. improvements for dynamic loading, and cleanups. [Stipe Tolj ] - *) Win32 SECURITY: The default installation could lead to mod_negotiation + *) Win32 SECURITY: CAN-2001-0729 (cve.mitre.org) + The default installation could lead to mod_negotiation and mod_dir/mod_autoindex displaying a directory listing instead of the index.html.* files, if a very long path was created artificially by using many slashes. Now a 403 FORBIDDEN is returned. This problem was similar to and in the same area as the problem reported and fixed by Martin Kraemer in 1.3.18, only the scope - is much narrower and is specific to Windows. The Common - Vulnerabilities and Exposures project (cve.mitre.org) has assigned the - name CAN-2001-0729 to this issue. [Bill Stoddard] + is much narrower and is specific to Windows. [Bill Stoddard] *) Update the mime.types file to the registered media types as of 2001-09-25, and add xsl, so, dll extensions [Mark Cox] 
@@ -647,13 +645,12 @@ before contacting the next proxy, and was thus unusable for SSL proxying. [Martin Kraemer] - *) SECURITY: Make support/split-logfile use the default log file if + *) SECURITY: CAN-2001-0730 (cve.mitre.org) + Make support/split-logfile use the default log file if "/" or "\" are present in the virtual host name. This prevents the possible use of specially crafted virtual host names in some configurations to allow writing to any .log file on the - system. The Common Vulnerabilities and Exposures project - (cve.mitre.org) has assigned the name CAN-2001-0730 to this issue. - [Daniel Matuschek , + system. [Daniel Matuschek , Marc Slemko] PR#7848 *) Added a directive: "AcceptFilter ". To control BSD @@ -861,11 +858,11 @@ *) Apache on Win9x now ensures the service is stopped before removal. [William Rowe] - *) SECURITY: The default installation could lead to mod_negotiation + *) SECURITY: CAN-2001-0925 (cve.mitre.org) + The default installation could lead to mod_negotiation and mod_dir/mod_autoindex displaying a directory listing instead of the index.html.* files, if a very long path was created artificially - by using many slashes. Now a 403 FORBIDDEN is returned. CAN-2001-0925 - (cve.mitre.org) + by using many slashes. Now a 403 FORBIDDEN is returned. [Martin Kraemer] *) Trailing slashes (if they exist) are now removed from ServerRoot, @@ -1251,7 +1248,8 @@ for modules and executables dynamically linked to the core. [William Rowe; Jim Patterson ] - *) SECURITY: Prevent the source code for CGIs from being revealed when + *) SECURITY: CAN-2000-1204 (cve.mitre.org) + Prevent the source code for CGIs from being revealed when using mod_vhost_alias and the CGI directory is under the document root and a user makes a request like http://www.example.com//cgi-bin/cgi as reported in 
@@ -1310,10 +1308,10 @@ containers, and in .htaccess files when FileInfo overriding is allowed. [Ken Coar] PR#3000 - *) SECURITY: Fix Win32 bug when pathname length exactly equals MAX_PATH. + *) SECURITY: CVE-2000-0505 (cve.mitre.org) + Fix Win32 bug when pathname length exactly equals MAX_PATH. This bug caused directory index to be displayed rather than - returning an error. CVE-2000-0505 (cve.mitre.org) - [Allan Edwards ] + returning an error. [Allan Edwards ] *) Correct mod_proxy Win95 dynamic link __declspec(thread) bug. David Whitmarsh @@ -1546,11 +1544,11 @@ the given character set on any document that does not have one explicitly specified in the headers. [Marc Slemko, Jim Jagielski] - *) SECURITY: + *) SECURITY: CAN-2000-1205 (cve.mitre.org) Properly escape various messages output to the client from a number of modules and places in the core code. [Marc Slemko] - *) SECURITY: + *) SECURITY: CAN-2000-1205 (cve.mitre.org) Change mod_actions, mod_autoindex, mod_expires, and mod_log_config to not consider any parameters such as charset when making decisions based on content type. This does remove some functionality for @@ -1560,7 +1558,7 @@ want to set things on a per charset basis is necessary in the future. [Marc Slemko] - *) SECURITY: + *) SECURITY: CAN-2000-1205 (cve.mitre.org) mod_include now entity encodes output from "printenv" and "echo var" by default. The encoding for "echo var" can be set to URL encoding or no encoding using the new "encoding" attribute to the echo tag. @@ -1619,7 +1617,8 @@ *) Add back support for UseCanonicalName in containers [Manoj Kasichainula] - *) SECURITY: More rigorous checking of Host: headers to fix security + *) SECURITY: CAN-2000-1206 (cve.mitre.org) + More rigorous checking of Host: headers to fix security problems with mass name-based virtual hosting (whether using mod_rewrite or mod_vhost_alias). [Ben Hyde, Tony Finch]
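Review bot: In the @@ -556 hunk the heading still reads "*) Win32 SECURITY: CAN-2001-0729 (cve.mitre.org)" while every other entry touched by this commit uses the bare "SECURITY:" prefix, so the rearrangement the log message describes as making the security entries consistent leaves one outlier. The body of that entry already says the scope "is much narrower and is specific to Windows", so the "Win32" qualifier in the heading adds nothing; suggest "*) SECURITY: CAN-2001-0729 (cve.mitre.org)" so all security entries can be found with one grep for "SECURITY: CAN-".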
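Review bot: The CAN-2001-0925 entry in the @@ -861 hunk describes the same symptom as the CAN-2001-0729 entry in the @@ -556 hunk (a very long path built from many slashes making mod_negotiation and mod_dir/mod_autoindex return a directory listing instead of index.html.*, now answered with 403 FORBIDDEN), and the 0729 entry already points back to the fix "by Martin Kraemer in 1.3.18". Consider adding the reciprocal pointer in this entry (e.g. "see also CAN-2001-0729 below" or whatever phrasing the file uses) so a reader who looks up one name is led to the other.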
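Review bot: The @@ -1310 hunk is the only one in this commit whose name carries the CVE- prefix rather than CAN-; the removed lines show it was already "CVE-2000-0505 (cve.mitre.org)", so this is a carried-over value rather than a typo introduced here, but it is worth confirming the prefix is intentional so that nobody "corrects" it to CAN-2000-0505 in a later consistency pass.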
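Review bot: In the @@ -1546 hunk the same name CAN-2000-1205 is assigned to both SECURITY entries (escaping of messages output to the client, and ignoring charset parameters in mod_actions, mod_autoindex, mod_expires and mod_log_config), and the @@ -1560 hunk assigns it to a third (mod_include entity-encoding "printenv" and "echo var" output), with nothing in the text saying these are parts of one issue. If one candidate really covers all three changes, suggest either merging them under a single "*) SECURITY: CAN-2000-1205 (cve.mitre.org)" entry with sub-items or adding a short "same issue as above" note to the second and third; otherwise anyone mapping CHANGES to advisories will count three fixes as one.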