httpd-users mailing list archives

From "TSAO,YU-KANG (HP-USA,ex1)" <yu-kang_t...@hp.com>
Subject RE: apache 1.3.3 patch
Date Thu, 27 Jun 2002 20:39:23 GMT

Hi Rasmus:

Thanks a lot.  I do want to just upgrade it to 1.3.26 but if I do that, an
application called SST Lite will not work.  SST Lite will only work with
apache 1.3.3.    That's why I need to patch it.  Thanks a lot.  

Sincerely,

Yu-Kang

-----Original Message-----
From: Rasmus Lerdorf [mailto:rasmus@apache.org]
Sent: Thursday, June 27, 2002 4:29 PM
To: TSAO,YU-KANG (HP-USA,ex1)
Subject: RE: apache 1.3.3 patch 


The same patch would work, but you would need to download the 1.3.3 Apache
sources, patch it and build it using the MS Visual C compiler.  I suggest
simply upgrading to 1.3.26 instead.  Much easier.

-Rasmus

On Thu, 27 Jun 2002, TSAO,YU-KANG (HP-USA,ex1) wrote:

> Hi Rasmus:
>
> Thanks for the reply.  And No, the web server is on an NT 4 box.  What
> should I do to patch apache on a Windows NT 4 box?  Thanks a lot.
>
> Sincerely,
>
> Yu-Kang
>
>
> -----Original Message-----
> From: Rasmus Lerdorf [mailto:rasmus@apache.org]
> Sent: Thursday, June 27, 2002 4:10 PM
> To: TSAO,YU-KANG (HP-USA,ex1)
> Cc: users@httpd.apache.org
> Subject: RE: apache 1.3.3 patch
>
>
> The name of the file you downloaded was something like
> apply_to_1.3.3_patch..  Or maybe not.  Just put whatever the filename was
> there.  Don't do this on a Windows box though.  Presumably your web server
> is some variety of UNIX, right?
>
> -Rasmus
>
> On Thu, 27 Jun 2002, TSAO,YU-KANG (HP-USA,ex1) wrote:
>
> >
> > Hi Rasmus:
> >
> > Thanks for the reply but I still don't get it.  my first apache patch ...
> >
> > what is the <apply_to... after
> >
> > patch -p1 < apply_to...  ?
> >
> > Do I need to put the whole code after that like this ?
> >
> > Thanks a lot,
> >
> > Sincerely,
> >
> > Yu-Kang
> >
> >
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > ~~~~~~~~~~
> >
> >
> > c:\>cd apache_1.3.3
> >
> > c:\>patch -p1 --- apache_1.3.22/src/main/http_protocol_orig.c	Fri
Jun 22
> > 05:43:54 2001
> > +++ apache_1.3.22/src/main/http_protocol.c	Sun Jun 23 15:56:34 2002
> > @@ -1913,6 +1913,9 @@
> >          }
> >
> >          r->remaining = atol(lenp);
> > +        if (r->remaining < 0) {
> > +            return HTTP_BAD_REQUEST;
> > +        }
> >      }
> >
> >      if ((r->read_body == REQUEST_NO_BODY) &&
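
Review bot: The new "r->remaining < 0" check in the first hunk only catches a negative result from atol(lenp); atol reports no error, so a non-numeric or out-of-range length is not distinguished from a valid one at this point. Unless the lines above this hunk already restrict lenp to digits, consider parsing with strtol, checking errno and the end pointer, and rejecting failures with the same HTTP_BAD_REQUEST.
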
> > @@ -2049,6 +2052,10 @@
> >          }
> >
> >          len_to_read = get_chunk_size(buffer);
> > +        if (len_to_read < 0) {
> > +            r->connection->keepalive = -1;
> > +            return -1;
> > +        }
> >
> >          if (len_to_read == 0) { /* Last chunk indicated, get footers */
> >              if (r->read_body == REQUEST_CHUNKED_DECHUNK) {
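
Review bot: The "len_to_read < 0" guard in the second hunk depends on get_chunk_size(buffer) returning a negative value for a chunk size it cannot represent, and that function is not touched by this patch. Confirm that this is what it returns on overflow in the tree being patched, or move the range check into get_chunk_size itself so that every caller gets it.
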
> >
> >
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > ~~~~~~~~~~
> >
> >
> >
> >
> > -----Original Message-----
> > From: Rasmus Lerdorf [mailto:rasmus@apache.org]
> > Sent: Thursday, June 27, 2002 3:34 PM
> > To: TSAO,YU-KANG (HP-USA,ex1)
> > Cc: users@httpd.apache.org
> > Subject: RE: apache 1.3.3 patch
> >
> >
> > cd apache_1.3.3
> > patch -p1 < apply_to...
> >
> > On Thu, 27 Jun 2002, TSAO,YU-KANG (HP-USA,ex1) wrote:
> >
> > >
> > > Hi Rasmus:
> > >
> > > > Thank you very much for your help.   I got this code from that patch web
> > > > site
> > > >
> > > > http://www.apache.org/dist/httpd/patches/apply_to_1.3.3/SECURITY_chunk_size_patch.txt
> > >
> > > how should I apply it  ?  Thanks a lot.
> > >
> > > ===============================================================
> > > ===============================================================
> > >
> > > --- apache_1.3.22/src/main/http_protocol_orig.c	Fri Jun 22 05:43:54
> > 2001
> > > +++ apache_1.3.22/src/main/http_protocol.c	Sun Jun 23 15:56:34
2002
> > > @@ -1913,6 +1913,9 @@
> > >          }
> > >
> > >          r->remaining = atol(lenp);
> > > +        if (r->remaining < 0) {
> > > +            return HTTP_BAD_REQUEST;
> > > +        }
> > >      }
> > >
> > >      if ((r->read_body == REQUEST_NO_BODY) &&
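
Review bot: Missing documentation on which release this diff was cut against: the file header names apache_1.3.22/src/main/ and the first hunk is positioned at line 1913, while the patch is published under apply_to_1.3.3. With -p1 the leading directory is dropped, so the path still resolves, but the line numbers may not match the older file and patch will then place the hunk by its context lines. State the source release in the patch, and check the patch output for offset or fuzz messages and for a .rej file after applying.
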
> > > @@ -2049,6 +2052,10 @@
> > >          }
> > >
> > >          len_to_read = get_chunk_size(buffer);
> > > +        if (len_to_read < 0) {
> > > +            r->connection->keepalive = -1;
> > > +            return -1;
> > > +        }
> > >
> > >          if (len_to_read == 0) { /* Last chunk indicated, get footers
*/
> > >              if (r->read_body == REQUEST_CHUNKED_DECHUNK) {
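
Review bot: "r->connection->keepalive = -1;" in the second hunk is a bare magic value with no comment, and the error path returns without recording anything. Add a one-line comment saying what -1 means for the connection, and write a log entry for the rejected chunk size so an administrator can see that a malformed chunked request was refused.
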
> > >
> > >
> > > ===============================================================
> > > ===============================================================
> > >
> > > Sincerely,
> > >
> > > Yu-Kang
> > >
> > >
> > > -----Original Message-----
> > > From: Rasmus Lerdorf [mailto:rasmus@apache.org]
> > > Sent: Thursday, June 27, 2002 12:27 PM
> > > To: TSAO,YU-KANG (HP-USA,ex1)
> > > Cc: users@httpd.apache.org
> > > Subject: Re: apache 1.3.3 patch
> > >
> > >
> > > > Hi Everyone:
> > > >
> > > > > I have a Windows NT 4 server and apache 1.3.3 on it which will fall on to
> > > > > this latest apache vulnerability as posted in
> > > > >
> > > > > http://httpd.apache.org/info/security_bulletin_20020617.txt
> > > > >
> > > > > It's the bug that include in routines that deal with invalid processing
> > > > > requests using "chunked encoding" techniques.
> > > > >
> > > > > Is there any patch  for apache1.3.3 for this security hole instead of
> > > > > upgrading it to apache 2.0.39 ?   Thanks a lot.
> > >
> > > Just upgrade to 1.3.26
> > >
> > > Or, if you want to just fix 1.3.3 look here:
> > >
> > > http://www.apache.org/dist/httpd/patches/apply_to_1.3.3/
> > >
> > > The patch itself is:
> > >
> > >
> >
>
http://www.apache.org/dist/httpd/patches/apply_to_1.3.3/SECURITY_chunk_size_
> > > patch.txt
> > >
> > > -Rasmus
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > >

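The procedure discussed in this thread (change into the source tree, then feed the downloaded file to patch -p1), as an added example that is not part of the original messages or the Apache sources. The tree, the file contents and the helper names make_demo and apply_checked are constructed for illustration; a dry run is done first so a patch that does not fit leaves the tree untouched.

```shell
#!/bin/sh
# Added example: constructed stand-in tree and patch, not the Apache sources.

# make_demo DIR: build a tiny tree named apache_1.3.3 and a patch whose
# header names a different release directory (apache_1.3.22), as in the thread.
make_demo() {
    mkdir -p "$1/apache_1.3.3/src/main"
    printf '%s\n' 'line one' '    r->remaining = atol(lenp);' 'line three' \
        > "$1/apache_1.3.3/src/main/http_protocol.c"
    cat > "$1/fix.patch" <<'EOF'
--- apache_1.3.22/src/main/http_protocol_orig.c
+++ apache_1.3.22/src/main/http_protocol.c
@@ -1,3 +1,6 @@
 line one
     r->remaining = atol(lenp);
+    if (r->remaining < 0) {
+        return HTTP_BAD_REQUEST;
+    }
 line three
EOF
}

# apply_checked TREE PATCHFILE (absolute path): modify nothing unless every
# hunk fits. Returns 0 when applied, non-zero when the tree was left alone.
apply_checked() (
    cd "$1" || exit 2
    # -p1 strips the first path component ("apache_1.3.22/") from the header
    # names, so the remainder resolves relative to this directory.
    # -N refuses a patch that looks already applied instead of prompting.
    patch -p1 -N --dry-run < "$2" >/dev/null 2>&1 || exit 1
    patch -p1 -N < "$2" >/dev/null
)

demo=$(mktemp -d)
make_demo "$demo"
if apply_checked "$demo/apache_1.3.3" "$demo/fix.patch"; then
    echo "applied cleanly"
else
    echo "not applied; tree left unchanged"
fi
rm -rf "$demo"
```

After a real run, rebuild the server from the patched tree; the patch only changes source files, not an installed binary.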