Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51

[Mark J . Cox]

+1 on Fedora 34

On 2021/10/07 13:17:36, "ste...@eissing.org"  wrote: 
> Hi all,
> 
> due to found security weaknesses in our 2.4.50 release, the security team
> feels it is necessary to do a new release on very short notice. We will skip
> the usual 3 day voting period and close the vote once we feel comfortable
> with our testing.
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days^h^h^h^hhours to release
> this candidate tarball httpd-2.4.51-rc1 as 2.4.51:
> [ ] +1: It's not just good, it's hopefully good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha1: 516128e5acb7311e6e4d32d600664deb0d12e61f *httpd-2.4.51-rc1.tar.gz
> sha256: c2cedb0b47666bea633b44d5b3a2ebf3c466e0506955fbc3012a5a9b078ca8b4 
> *httpd-2.4.51-rc1.tar.gz
> sha512: 
> 507fd2bbc420e8a1f0a90737d253f1aa31000a948f7a840fdd4797a78f7a4f1bd39250b33087485213a3bed4d11221e98eabfaf4ff17c7d0380236f8a52ee157
>  *httpd-2.4.51-rc1.tar.gz
> 
> The SVN candidate source is found at tags/candidate-2.4.51-rc1.
> 
> Kind Regards,
> Stefan

Re: [httpd-site] branch main updated: publishing release httpd-2.4.49

[Mark J Cox]

Hi; at the moment the ASF customisation to the tool is tracked in my github
fork along with issues.  There's no specific place to discuss it other than
secur...@apache.org.  That's all just because there's only me having worked
on it.

There are going to be some big changes needed to the tool and running
instance in the coming months to support the new CVE Project v5.0 JSON
schema, as that is required for more of the future CVE project automation
(such as live submission to their database), so that will likely take up
all the time I can personally spend updating the tool in the near future.

Issues:
https://github.com/iamamoose/Vulnogram/issues

ASF changes from the upstream Vulnogram code:
https://github.com/Vulnogram/Vulnogram/compare/master...iamamoose:asfmaster

Regards, Mark J Cox
ASF Security


On Thu, Sep 16, 2021 at 4:57 PM Ruediger Pluem  wrote:

>
>
> On 9/16/21 3:16 PM, Eric Covener wrote:
> > On Thu, Sep 16, 2021 at 9:07 AM ste...@eissing.org 
> wrote:
> >>
> >>
> >>
> >>> Am 16.09.2021 um 15:01 schrieb Ruediger Pluem :
> >>>
> >>>
> >>>
> >>> On 9/16/21 2:59 PM, ste...@eissing.org wrote:
> >>>> And thanks, Rüdiger, for noticing and the quick fixes.\o/
> >>>
> >>> And thanks to you for all the release and scripting work.
> >>
> >> I think we should request some download url feature from the
> cveprocess, so that we can automate that part as well. The timeline entry
> should be added automatically. The "affected_by" we can at least check and
> report.
> >
> > I'm not sure we have Mark watching here, best to take it to the two
>
> I fear that as well, but I wanted to avoid crosposts on dev@ and security@
> at the same time due to their different visibility.
> In general I think improvements to the CVE tool can be discussed in
> public, but I am not sure what the correct venue aka list is
> for this topic.
> @Mark: Can you give us a hint what is the correct forum to talk about
> improvements of the CVE tool?
>
> > security lists.
> >
>
> Regards
>
> Rüdiger
>

Re: Changing the httpd security process

[Mark J . Cox]

> > This roughly reverts the httpd process to what we used prior to adopting 
> > the Tomcat-esque policy for the whole ASF.  We would have to document 
> > this and possibly need it approved by the ASF security team.
> 
> Not sure if we need to have it approved, but at least we should discuss with 
> the ASF security team.

https://s.apache.org/cveprocess allows projects to deviate from the default 
policy with "review" from the ASF security team.  So once you have agreement 
have the PMC present the proposed policy.  

This is not an uncommon plan, outside of ASF projects such as OpenSSL have 
similar policies where lower severity issues (low/moderate) are committed as 
security fixes prior to and independently of releases.  Dealing with security 
issues in private is a pain in both the process and getting the right fix with 
limited reviewers.  It's worth that pain when the issue is an actual risk to 
users, less so for the low risk issues.

Mark

Re: [Fwd: iDefense Final Notice [IDEF1445]]

[Mark J Cox]

For reference, Mitre assigned:

CVE-2007-1741 - Path Checking Race Condition Vulnerability
CVE-2007-1742 - Path Checking Design Error Vulnerability
CVE-2007-1743 - Arbitrary GID Input Validation  Vulnerability

We can supply statements to Mitre for any we dispute.

Mark
--
Mark J Cox | www.awe.com/mark

CGI Script Source Code Disclosure Vulnerability in Apache for Windows

[Mark J Cox]

See 
http://marc.theaimsgroup.com/?l=bugtraqm=115527423727441w=2

which basically reports if you put cgi-bin under docroot then you can
view cgi scripts on OS which have case insensitive filesystems

Joe replied: 
http://marc.theaimsgroup.com/?l=bugtraqm=115574424402976w=2
and I submitted that as an DISPUTED to CVE

But the original reporter disagrees:
http://marc.theaimsgroup.com/?l=bugtraqm=115583509231594w=2

I think the right response here is to make it more explicit in the
documentation that putting a ScriptAlias cgi-bin inside document root is
bad.

Mark
--
Mark J Cox | www.awe.com/mark

Re: [Fwd: 2.2+ security page empty?]

[Mark J Cox]

There is nothing on the security page any more for 2.2, is there a bug
 with the report you use to populate it?

Fixed

Cheers, Mark

Re: svn commit: r398494 - in /httpd/site/trunk: docs/security/vulnerabilities_13.html docs/security/vulnerabilities_20.html docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities_22.xml

[Mark J Cox]

 This killed the list of vulnerabilities for all versions. Was this intended?
 And if yes, where can they be found now?

Must be someone with bad java foo, fixing.

Mark
--
Mark J Cox | www.awe.com/mark

Re: svn commit: r392230 - in /httpd/site/trunk: docs/security/vulnerabilities_13.html xdocs/security/vulnerabilities-httpd.xml

[Mark J Cox]

 1.3 was UNAFFECTED 

Yes, indeed it was me that insisted that this didn't affect 1.3, I'll
revert it :)

Cheers, Mark

Security release needed for 2.0

[Mark J Cox]

We've a few security issues fixed recently that haven't made it out into 
releases from the ASF, but have made it out into releases from the various 
OS vendors.  One issue is important severity, and public now for 10 
days.

I don't watch this list much, are there other things holding up a release?  
If so we ought to consider doing a 2.0.55 with just fixes for these issues
over 2.0.54:

CAN-2005-2700 important: SSLVerifyClient bypass

A flaw in the mod_ssl handling of the SSLVerifyClient  
directive. This flaw would occur if a virtual host has been
configured using SSLVerifyClient optional and further a
directive SSLVerifyClient required is set for a specific
location.  For servers configured in this fashion, an attacker may
be able to access resources that should otherwise be protected, by
not supplying a client certificate when connecting.
public=20050830
[*** needs committing]

CAN-2005-2728 moderate: Byterange filter DoS

A flaw in the byterange filter would cause some responses to be
buffered into memory. If a server has a dynamic resource such as a
CGI script or PHP script which generates a large amount of data,
an attacker could send carefully crafted requests in order to
consume resources, potentially leading to a Denial of Service.
public=20050707
[committed]

CAN-2005-2088 moderate: HTTP Request Spoofing

A flaw occured when using the Apache server as a HTTP proxy. A
remote attacker could send a HTTP request with both a
Transfer-Encoding:  chunked header and a Content-Length header,
causing Apache to incorrectly handle and forward the body of the
request in a way that causes the receiving server to process it as
a separate HTTP request.  This could allow the bypass of web
application firewall protection or lead to cross-site scripting
(XSS) attacks.
public=20050611
[committed]

CAN-2005-1268 low: Malicious CRL off-by-one

An off-by-one stack overflow was discovered in the mod_ssl CRL
verification callback. In order to exploit this issue the Apache
server would need to be configured to use a malicious certificate
revocation list (CRL)
public=200506085~
[committed]

CAN-2005-2491 low: PCRE overflow

An integer overflow flaw was found in PCRE, a Perl-compatible
regular expression library included within httpd.  A local user
who has the ability to create .htaccess files could create a
maliciously crafted regular expression in such as way that they
could gain the privileges of a httpd child.
public=20050801
[*** needs committing]

Re: 2.1.6 is available for veto^H^H^H^Hvoting

[Mark J Cox]

 Do we have an incident number for this report as it pertains
 to the Apache HTTP Server?

I'm obtaining a CVE name for this issue -- (as the issue is already public 
it requires co-ordination with Mitre)

Cheers, Mark

Re: 2.1.6 is available for veto^H^H^H^Hvoting

[Mark J Cox]

 I'm obtaining a CVE name for this issue -- (as the issue is already public 
 it requires co-ordination with Mitre)

CAN-2005-2088

Has anyone looked to make sure this doesn't apply to later 1.3 releases?  

Cheers,
Mark

CAN-2004-0492 mod_proxy security issue

[Mark J Cox]

A security issue has been reported in mod_proxy.  See

http://www.guninski.com/modproxy1.html

The flaw affects Apache httpd 1.3.25 to 1.3.31 that have mod_proxy enabled
and configured.  Apache httpd 2.0 is unaffected.

The security issue is a buffer overflow which can be triggered by getting
mod_proxy to connect to a remote server which returns an invalid
(negative)  Content-Length.  This results in a memcpy to the heap with a 
large length value, which will in most cases cause the Apache child to 
crash.  This does not represent a significant Denial of Service attack as 
requests will continue to be handled by other Apache child processes.

Under some circumstances it may be possible to exploit this issue to cause 
arbitrary code execution.   However an attacker would need to get an
Apache installation that was configured as a proxy to connect to
a malicious site.  

1. On older OpenBSD/FreeBSD distributions it is easily exploitable because
of the internal implementation of memcpy which rereads it's length from 
the stack.

2. On newer BSD distributions it may be exploitable because the 
implementation of memcpy will write three arbitrary bytes to an attacker 
controlled location.

3. It may be exploitable on any platform if the optional (and not default)
define AP_ENABLE_EXCEPTION_HOOK is enabled.  This is used for example by
the experimental mod_whatkilledus module.

In all other circumstances this issue looks to be unexploitable other than 
to crash the Apache child that is processing the proxy request.

A patch to correct this issue is attached.

Note that the reporter of this issue contacted [EMAIL PROTECTED] on June
8th but was unwilling to keep the issue private until the investigation 
was completed or a new Apache release was available.  He published his 
advisory on June 10th.

Mark
--
Mark J Cox ... www.awe.com/mark
Apache Software Foundation . OpenSSL Group . Apache Week editor

Index: src/CHANGES
===
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1942
diff -u -p -u -r1.1942 CHANGES
--- src/CHANGES 2 Jun 2004 22:49:03 -   1.1942
+++ src/CHANGES 9 Jun 2004 15:58:44 -
@@ -1,5 +1,9 @@
 Changes with Apache 1.3.32
 
+  *) SECURITY: CAN-2004-0492 (cve.mitre.org)
+ Reject responses from a remote server if sent an invalid (negative) 
+ Content-Length.  [Mark Cox]
+
   *) Fix a bunch of cases where the return code of the regex compiler
  was not checked properly. This affects mod_usertrack and
  core. PR 28218.  [André Malo]
Index: src/modules/proxy/proxy_http.c
===
RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v
retrieving revision 1.106
diff -u -p -u -r1.106 proxy_http.c
--- src/modules/proxy/proxy_http.c  29 Mar 2004 17:47:15 -  1.106
+++ src/modules/proxy/proxy_http.c  8 Jun 2004 14:23:05 -
@@ -485,6 +485,13 @@ int ap_proxy_http_handler(request_rec *r
 content_length = ap_table_get(resp_hdrs, Content-Length);
 if (content_length != NULL) {
 c-len = ap_strtol(content_length, NULL, 10);
+
+   if (c-len  0) {
+   ap_kill_timeout(r);
+   return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r-pool,
+Invalid Content-Length from remote server,
+  NULL));
+   }
 }
 
 }

Re: [patch] - digest nonce including MM bump, doc and changes.

[Mark J Cox]

 +  *) SECURITY - verification as to wether the nonce returned in the
 + client response is one we issued ourselves by means of a
 + AuthNonce secret exposed as an md5(). See mod_digest documentation
 + for more details. The experimental/mod_auth_digest.c does not
 + have this issue.  [Dirk-Willem van Gulik]
 +

Use CAN-2003-0987 for this issue

Mark
--
Mark J Cox ... www.awe.com/mark
Apache Software Foundation . OpenSSL Group . Apache Week editor

Re: Why Redhat 8.0 / 9.0 still use 2.0.40 (+ security fixes)

[Mark J Cox]

 For those who wonder why Redhat didn't update Apache 2.0 in distro
 8.0 and 9.0, just read :
 
 http://www.redhat.com/advice/speaks_backport.html

Apache httpd was an example that I happened to remember when writing that
explanation - Apache is far from the worst offender to mix security
updates with other changes in a new release ;)

Mark
--
Mark J Cox ... www.awe.com/mark
Apache Software Foundation . OpenSSL Group . Apache Week editor

Apache 2.0 vulnerability affects non-Unix platforms

[Mark J Cox]

-BEGIN PGP SIGNED MESSAGE-

For Immediate Disclosure

=== SUMMARY 

Title: Apache 2.0 vulnerability affects non-Unix platforms
 Date: 9th August 2002
  Version: 1
 Product Name: Apache web server 2.0
  OS/Platform: Windows, OS2, Netware
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt
  Vendor Name: Apache Software Foundation
   Vendor URL: http://www.apache.org/
  Affects: All Released versions of 2.0 through 2.0.39
 Fixed in: 2.0.40
  Identifiers: CAN-2002-0661

=== BACKGROUND 

Apache is a powerful, full-featured, efficient, and freely-available Web
server.  On the 7th August 2002, The Apache Software Foundation was
notified of the discovery of a significant vulnerability, identified by
Auriemma Luigi [EMAIL PROTECTED].

This vulnerability has the potential to allow an attacker to inflict
serious damage to a server, and reveal sensitive data.  This vulnerability
affects default installations of the Apache web server.

Unix and other variant platforms appear unaffected.  Cygwin users are
likely to be affected.

A simple one line workaround in the httpd.conf file will close the
vulnerability.  Prior to the first 'Alias' or 'Redirect' directive, add
the following directive to the global server configuration:

   RedirectMatch 400 \\\.\.

Fixes for this vulnerability are also included in Apache version 2.0.40.
Apache 2.0.40 also contains some less serious security fixes.

More information will be made available by the Apache Software
Foundation and Auriemma Luigi [EMAIL PROTECTED] in the
coming weeks.

=== REFERENCES 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0661 to this issue.  

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661





-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBPVQBxu6tTP1JpWPZAQHCwAP9HVzSAMMrXadmRdPfEe9eFUKOxpQA4v8d
mKrLciDXnVpPlaKc7/1OHUcCwPu0IucHGUN5sF93Dw3X2BKoAjJFHnmS123r/CP6
WnHAaM+Hl17pPVxI3dXJXbiDvmpBB6b9SNCrsmf0RLykLHVZqoekOh2902Y7+Fts
NpKuwE7xzdA=
=mEuL
-END PGP SIGNATURE-

Re: cvs commit: httpd-site/xdocs/info security_bulletin_20020809a.txt

[Mark J Cox]

Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt

Hmmm, actually it really ought to be 20020809a.txt like the files I 
commited, the text that went out was wrong due to too many us-uk 
conversions ;).  A cunning redirect rule in the server config would fix 
it so 20020908a redirects to 20020809a
 
Cheers, Mark

Re: cvs commit: httpd-site/xdocs/info security_bulletin_20020809a.txt

[Mark J Cox]

On Fri, 9 Aug 2002, Joshua Slive wrote:

 [EMAIL PROTECTED] wrote:
 
Revision  ChangesPath
1.1  httpd-site/docs/info/security_bulletin_20020809a.txt
 
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt

I put in a symlink for now security_bulletin_20020908a.txt - 
security_bulletin_20020809a.txt
what is the right fix (redirect?)

Mark

Re: [PATCH] adding xml output to mod_status -- [REPOST]

[Mark J Cox]

 - on Linux and NetWare I only get the data unformated back, looks as
 there are problems with the scoreboard.xsl or so. Any ideas what's

Yeah, Mozilla isn't very stable at doing the rendering.  Most of the
problems you mention are due to the XSLT being done inside the browser.
I'm not real worried about problems with the XSL because most of the time
you'll want the raw XML data instead, and these browsers will only get
better at XSLT over time.

 6.29982236431605997495353221893310546875kB

If you look in the XSLT I wanted to use xsl:format-number to round to one
decimal place, but Mozilla doesn't support format-number yet.  You could
probably negotiate the xsl file returned based on user-agent and have
several.

 you should really change the TZ to numerous expression as Sander
 already suggested:

Good plan.  I wanted to avoid timestamps that are offsets though so the
XML data is consistant (and can be compared) across platforms.

Cheers,
Mark

Re: Apache 1.3.21 tag this evening....

[Mark J Cox]

I've written an Announcement file for 1.3.21 and will commit within the
hour (just got back from dentist)

Mark