Subject: Re: apache and audit-packages
To: Dick Davies <rasputnik@hellooperator.net>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-users
Date: 04/05/2004 09:13:56

On Sun, 4 Apr 2004, Dick Davies wrote:

> I'm still getting daily warnings about
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
>
> from audit-packages for apache-1.3.29...
>
> Is there a fix? I'm assuming this is the 'acls don't work on 64-bit platforms'
> error, but the URL given doesn't respond...

It comes up for me. Here are some other URLs for the same:

http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0093.html
http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
http://www.iss.net/security_center/static/11412.php

It is "Arbitrary client-supplied strings can be written to the error log
which can allow exploits of certain terminal emulators."

The problem was fixed in the 2.0.49 release.

The 1.3.x branch was fixed on January 23, but I don't know what files.

I don't know if this is the entire fix:
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_log.c?r1=1.96&r2=1.97
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_log.c?r1=1.98&r2=1.99

If I have time today, I may make a patch based on the above and put it in pkgsrc.

(I have blind-carbon-copied this to tech-pkg.)

   Jeremy C. Reed
   http://bsd.reedmedia.net/
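
An added example, not part of the original message and not the Apache change linked above: one way to neutralise the issue described in CAN-2003-0020 is to escape client-supplied text before it reaches the error log, so a terminal displaying the log never receives a raw control byte. The function name `escape_log_item`, the `\xHH` output format and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Apache's code: copy src into dst, rewriting any
 * byte a terminal could interpret (C0 controls incl. ESC, DEL, 8-bit bytes
 * incl. C1 CSI 0x9b) as \xHH. Backslash is doubled so output is unambiguous.
 * Returns bytes written (without NUL), or (size_t)-1 if dst is too small. */
size_t escape_log_item(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    const unsigned char *p;
    size_t o = 0;

    if (dstlen == 0)
        return (size_t)-1;
    for (p = (const unsigned char *)src; *p; p++) {
        char buf[4];
        size_t n;

        if (*p == '\\') {
            buf[0] = '\\'; buf[1] = '\\'; n = 2;
        } else if (*p == '\n') {
            buf[0] = '\\'; buf[1] = 'n'; n = 2;
        } else if (*p < 0x20 || *p >= 0x7f) {
            buf[0] = '\\'; buf[1] = 'x';
            buf[2] = hex[*p >> 4]; buf[3] = hex[*p & 0x0f]; n = 4;
        } else {
            buf[0] = (char)*p; n = 1;
        }
        if (n + 1 > dstlen - o)        /* keep room for the NUL */
            return (size_t)-1;
        memcpy(dst + o, buf, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: a request path carrying a colour escape and CRLF. */
    const char *client = "File does not exist: /x\033[31mred\033[0m\r\n";
    char line[256];

    if (escape_log_item(line, sizeof line, client) != (size_t)-1)
        printf("[error] %s\n", line);
    return 0;
}
```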