5592683 2000-10-14  02:12  /153 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13279>
Subject: Apache 1.3.14 Released
------------------------------------------------------------
From: Renzo Toma <renzo.toma@VERONICA.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <NDBBLKOPOLNKELHPDEFKCELNCEAA.renzo.toma@veronica.nl>

---------- Forwarded message ----------
Date: Fri, 13 Oct 2000 13:04:54 +0100 (BST)
From: Mark J Cox <mjc@apache.org>
To: announce@apache.org
Cc: ml-apache@unix-ag.org
Subject: Apache 1.3.14 Released

-----BEGIN PGP SIGNED MESSAGE-----


                            Apache 1.3.14 Released

   The Apache Software Foundation and The Apache Server Project are
   pleased to announce the release of version 1.3.14 of the Apache
   HTTP server. Version 1.3.13 was never released.

   This version of Apache is primarily a security fix and bug fix
   release, but there are a few new features and improvements. A
   summary of the new features is given at the end of this document.

   We consider Apache 1.3.14 to be the best version of Apache
   available and we strongly recommend that users of older versions,
   especially of the 1.1.x and 1.2.x family, upgrade as soon as
   possible. No further releases will be made in the 1.2.x family.

   Apache 1.3.14 is available for download from

     http://httpd.apache.org/dist/

   Please see the CHANGES_1.3 file in the same directory for a full
   list of changes.

   Binary distributions are available from

     http://httpd.apache.org/dist/binaries/

   As of Apache 1.3.12 binary distributions contain all standard
   Apache modules as shared objects (if supported by the platform)
   and include full source code. Installation is easily done by
   executing the included install script. See the README.bindist and
   INSTALL.bindist files for a complete explanation. Please note that
   the binary distributions are only provided for your convenience
   and current distributions for specific platforms are not always
   available.

   The source and binary distributions are also available via any of
   the mirrors listed at

     http://www.apache.org/mirrors/

   For an overview of new features in 1.3 please see

     http://httpd.apache.org/docs/new_features_1_3.html

   In general, Apache 1.3 offers several substantial improvements over
   version 1.2, including better performance, reliability and a wider
   range of supported platforms, including Windows 95/98 and NT (which
   fall under the "Win32" label).

   Apache is the most popular web server in the known universe; over
   half of the servers on the Internet are running Apache or one of
   its variants.

   IMPORTANT NOTE FOR WIN32 USERS: Over the years, many users have
   come to trust Apache as a secure and stable server. It must be
   realized that the current Win32 code has not yet reached the
   levels of the Unix version, but is of acceptable quality. Any
   Win32 stability or security problems do not impact, in any way,
   Apache on other platforms.

                          Apache 1.3.14 Major changes

   The security fixes are:
     * A problem with the Rewrite module, mod_rewrite, allowed access to
       any file on the web server under certain circumstances
     * The handling of Host: headers in mass virtual hosting
       configurations, mod_vhost_alias, could allow access to any file on
       the server
     * If a cgi-bin directory is under the document root, the source to
       the scripts inside it could be sent if using mass virtual hosting

   The main new features include:
     * Support for a directory-based configuration system. If any of the
       configuration directives point to directories instead of files,
       all files in that directory (and in subdirectories) will be also
       parsed as configuration files
     * Support name-based virtual hosting without needing to specify an
       IP address in the Apache configuration file. This enables sites
       that use dynamic IP addresses to support name-based virtual
       hosting as well as allowing identical machines to share a
       configuration file, say in a load-balanced cluster
     * The SetEnvIf and BrowserMatch range of directives are now able to
       be used in .htaccess files.
     * Administrators who are nervous about their full server version
       details being public can use the new keyword 'ProductOnly' in the
       ServerTokens directive. This keyword forces the server to only
       return the string "Apache" as the server version.
     * The new digest authentication module, mod_auth_digest has had a
       number of fixes and upgrades applied

   Selected new features that relate to windows platforms:
     * The project files have been converted to work with Microsoft
       Visual C 6.0
     * The DBM package "sdbm" is now bundled with Apache
     * Windows 95 and 98 can now benefit from an emulation of the NT
       services, including install and uninstall options. The Apache
       server therefore can start when the OS loads and will not stop if
       the current user logs off for example
     * A comprehensive review of the Windows documentation has been
       performed.
     * Preparations for allowing Apache to be built using the free
       Borland bcc 5.5 compiler

   Selected new features relating to other platforms:
     * Support for the new FreeBSD accept filters feature. This feature
       postpones the requirement for a child process to handle a new
       connection until a HTTP request has arrived, therefore increasing
       the number of connections that a given number of child processes
       can handle
     * A number of alterations for the MPE platform including fixing
       error reporting, updating the DSO code to be compatible with a
       recent OS patch, refining user and group management, and initial
       support for the proxy module
     * The default serialised accept has been changed for AIX 4.3 to
       provide a substantial performance improvement on multiple CPU
       machines serving large numbers of concurrent clients
     * DSO support added for BS2000 and OS/390 USS platforms
     * A directory layout for Solaris 8 has been added to the
       configuration system
     * The proxy module mod_proxy has been patched so that it can be
       built on BeOS 4.5.2
     * Updated configuration script to allow building on IBM's IA-64
       version of AIX

- -- Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor



-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBOeb6bu6tTP1JpWPZAQHryQP/f2gnmMjE+s5FxIW2L7hpEDYFV0jvJH7D
It0nwKkvPhVcVHbBlF88ufq579gRaF6kMJsDf8xtOoULAvf7hFGauaJnQdJ9cgmG
A4EeQWKOivPxJCJzVYWtWlkiOfX4kraDgZsnxyIKhlkpDyNBu0kX81w0fHrw2ixF
k/PSohSk2Mg=
=EmHT
-----END PGP SIGNATURE-----
(5592683) ------------------------------------------(Reflowed)

5612437 2000-10-18  20:33  /135 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <13325>
Comment on text 5560084 by Brevbäraren (som är implementerad i) Python
Subject: Re: Security vulnerability in Apache mod_rewrite
------------------------------------------------------------
From: Tony Finch <dot@DOTAT.AT>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001018162749.F3582@hand.dotat.at>

Since the Apache Group released 1.3.14 (which incorporates the
mod_rewrite security "fix") we have been informed that it breaks most
configurations that use RewriteMaps, because the lookup key is no
longer expanded. See <http://bugs.apache.org/index.cgi/full/6671>,
which includes a patch to restore the lost functionality. I have also
included the patch below.

Redistributors of Apache should update their packages to incorporate
1.3.14 with this patch.

Tony.
--
en oeccget g mtcaa    f.a.n.finch
v spdlkishrhtewe y    dot@dotat.at
eatp o v eiti i d.    fanf@covalent.net


? diff
Index: mod_rewrite.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_rewrite.c,v
retrieving revision 1.162
retrieving revision 1.163
diff -u -r1.162 -r1.163
--- mod_rewrite.c	2000/09/22 20:47:19	1.162
+++ mod_rewrite.c	2000/10/18 04:26:43	1.163
@@ -2258,30 +2258,50 @@
 	/* now we have a '$' or a '%' */
 	if (inp[1] == '{') {
 	    char *endp;
-	    endp = strchr(inp, '}');
+	    endp = find_closing_bracket(inp+2, '{', '}');
 	    if (endp == NULL) {
 		goto skip;
 	    }
 	    *endp = '\0';
 	    if (inp[0] == '$') {
 		/* ${...} map lookup expansion */
+		/*
+		 * To make rewrite maps useful the lookup key and
+		 * default values must be expanded, so we make
+		 * recursive calls to do the work. For security
+		 * reasons we must never expand a string that includes
+		 * verbatim data from the network. The recursion here
+		 * isn't a problem because the result of expansion is
+		 * only passed to lookup_map() so it cannot be
+		 * re-expanded, only re-looked-up. Another way of
+		 * looking at it is that the recursion is entirely
+		 * driven by the syntax of the nested curly brackets.
+		 */
 		char *key, *dflt, *result;
+		char xkey[MAX_STRING_LEN];
+		char xdflt[MAX_STRING_LEN];
+		char *empty = "";
 		key = strchr(inp, ':');
 		if (key == NULL) {
 		    goto skip;
 		}
 		*key++ = '\0';
 		dflt = strchr(key, '|');
-		if (dflt) {
+		if (dflt == NULL) {
+		    dflt = empty;
+		}
+		else {
 		    *dflt++ = '\0';
 		}
-		result = lookup_map(r, inp+2, key);
+		do_expand(r, key,  xkey,  sizeof(xkey),  briRR, briRC);
+		do_expand(r, dflt, xdflt, sizeof(xdflt), briRR, briRC);
+		result = lookup_map(r, inp+2, xkey);
 		if (result == NULL) {
-		    result = dflt ? dflt : "";
+		    result = xdflt;
 		}
 		span = ap_cpystrn(outp, result, space) - outp;
 		key[-1] = ':';
-		if (dflt) {
+		if (dflt != empty) {
 		    dflt[-1] = '|';
 		}
 	    }
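Review bot: The default separator is still located with `dflt = strchr(key, '|');`, which is not nesting-aware, while the closing bracket is now found with a depth-counting search. For a nested lookup whose inner map has its own default, such as `${a:${b:k|d2}|d1}`, the split lands on the inner `|`, so the outer key becomes `${b:k` and the outer default becomes `d2}|d1`, and both are then passed to do_expand() in that broken form. Suggest locating `|` with a search that skips anything inside a nested `{...}`, matching what find_closing_bracket() does for `}`. Separately, the two do_expand() calls write into fixed MAX_STRING_LEN buffers and nothing in these lines detects truncation before `xkey` is handed to lookup_map(); a check or at least a comment on the intended behaviour for over-long keys would help.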
@@ -4141,6 +4161,28 @@
         }
     }
     return 0;
+}
+
+/*
+**
+**  Find end of bracketed expression
+**  s points after the opening bracket
+**
+*/
+
+static char *find_closing_bracket(char *s, int left, int right)
+{
+    int depth;
+
+    for (depth = 1; *s; ++s) {
+	if (*s == right && --depth == 0) {
+	    return s;
+	}
+	else if (*s == left) {
+	    ++depth;
+	}
+    }
+    return NULL;
 }

 /*EOF*/
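Review bot: In find_closing_bracket() the depth decrement is a side effect inside the condition, `if (*s == right && --depth == 0)`, which is correct only because the `else if (*s == left)` branch cannot match when `*s == right`, i.e. it silently assumes `left != right`. Suggest splitting the decrement from the test so the control flow is obvious, and extending the header comment to state the contract: `s` points just past the opening bracket, the return value points at the matching closing bracket, and NULL is returned when the brackets are unbalanced. It is also worth noting in the comment that there is no way to escape a literal bracket in the scanned string.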
Index: mod_rewrite.h
===================================================================
RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_rewrite.h,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -r1.72 -r1.73
--- mod_rewrite.h	2000/09/29 17:32:32	1.72
+++ mod_rewrite.h	2000/10/18 04:26:43	1.73
@@ -496,6 +496,9 @@
     /* Lexicographic Comparison */
 static int compare_lexicography(char *cpNum1, char *cpNum2);

+    /* Find end of bracketed expression */
+static char *find_closing_bracket(char *s, int left, int right);
+
 #endif /* _MOD_REWRITE_H */

 /*EOF*/
(5612437) ------------------------------------------