OpenBSD Journal

[Patch 014] httpd

Contributed by jose on from the SPARC64-only dept.

A bug has been fixed in the in-tree Apache server (httpd(8)) that affected access controls. It only affects the sparc64 platform, so if you are running an OpenBSD web server on i386 or PPC you are OK, it appears. From the OpenBSD errata site:
Due to a bug in the parsing of Allow/Deny rules for httpd(8)'s access module, using IP addresses without a netmask on big endian 64-bit platforms causes the rules to fail to match. This only affects sparc64.
This is also known by the CVE candidate name CAN-2003-0993.

Patches are available:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/014_httpd2.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/019_httpd2.patch
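As an added illustration (not the Apache or OpenBSD code, and not the contents of the patches above), the C program below shows one way a rule parser that keeps a 32-bit IPv4 address in a 64-bit integer can miscompare on an LP64 big-endian host. The mechanism is an assumption, since the errata states only the symptom: octets are shifted into place through a signed 32-bit intermediate, so a first octet of 128 or above sets the sign bit and is widened with ones into bits 32..63; on a big-endian host the network-to-host conversion is a no-op that leaves those bits in place, and the compare against the zero-extended 32-bit client address can never succeed. `uint64_t` stands in for the 64-bit `unsigned long` of such a platform, and every rule and client string is a constructed input.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed example, not Apache/OpenBSD source: an Allow/Deny address
 * without a netmask that stops matching once the parser stores a 32-bit
 * address in a 64-bit integer. The sign-extension path is an assumed
 * reconstruction of the failure described in the errata.
 */

/* Split "a.b.c.d" (1 to 4 octets, a prefix like "10.1" is a /16) into
 * out[]; returns the octet count or -1 on a malformed string. */
static int parse_octets(const char *s, int out[4])
{
    int n = 0;
    while (*s != '\0') {
        char *end;
        long v;
        if (n == 4 || !isdigit((unsigned char)*s))
            return -1;
        v = strtol(s, &end, 10);
        if (v < 0 || v > 255)
            return -1;
        out[n++] = (int)v;
        if (*end == '.' && end[1] != '\0')
            s = end + 1;
        else if (*end == '\0')
            s = end;
        else
            return -1;
    }
    return n;
}

/* Buggy pattern: 64-bit fields (uint64_t stands in for an LP64
 * unsigned long) filled from a signed 32-bit intermediate. */
struct rule64 { uint64_t net, mask; };

static int parse_rule64(const char *s, struct rule64 *r)
{
    int oct[4], n = parse_octets(s, oct), i, shift = 24;
    if (n < 1)
        return -1;
    r->net = r->mask = 0;
    for (i = 0; i < n; i++, shift -= 8) {
        /* An `int << 24` of an octet >= 128 lands in the sign bit and
         * in practice yields a negative int; written here with an
         * explicit cast so the program does not rely on undefined
         * signed-shift behaviour. Widening that negative value to 64
         * bits fills bits 32..63 with ones. */
        int32_t word = (int32_t)((uint32_t)oct[i] << shift);
        r->net  |= (uint64_t)word;
        r->mask |= (uint64_t)0xFF << shift;
    }
    return 0;
}

/* Fixed pattern: keep address and mask in exactly 32 unsigned bits. */
struct rule32 { uint32_t net, mask; };

static int parse_rule32(const char *s, struct rule32 *r)
{
    int oct[4], n = parse_octets(s, oct), i, shift = 24;
    if (n < 1)
        return -1;
    r->net = r->mask = 0;
    for (i = 0; i < n; i++, shift -= 8) {
        r->net  |= (uint32_t)oct[i] << shift;  /* unsigned: nothing to sign-extend */
        r->mask |= (uint32_t)0xFF << shift;
    }
    return 0;
}

/* Client address as a 32-bit word. On a big-endian host this equals the
 * wire order, so no byte swap happens: the conversion is a no-op. */
static int client_addr(const char *s, uint32_t *out)
{
    int oct[4];
    if (parse_octets(s, oct) != 4)
        return -1;
    *out = ((uint32_t)oct[0] << 24) | ((uint32_t)oct[1] << 16) |
           ((uint32_t)oct[2] << 8) | (uint32_t)oct[3];
    return 0;
}

/* 1 = rule matches client, 0 = no match, -1 = parse error. The 64-bit
 * compare zero-extends the 32-bit client, so a sign-extended net never
 * equals it; a "Deny from" built this way silently fails open. */
int matches_buggy(const char *rule, const char *client)
{
    struct rule64 r; uint32_t c;
    if (parse_rule64(rule, &r) < 0 || client_addr(client, &c) < 0)
        return -1;
    return ((uint64_t)c & r.mask) == r.net;
}

int matches_fixed(const char *rule, const char *client)
{
    struct rule32 r; uint32_t c;
    if (parse_rule32(rule, &r) < 0 || client_addr(client, &c) < 0)
        return -1;
    return (c & r.mask) == r.net;
}

int main(void)
{
    const char *rules[]   = { "10.0.0.1", "192.168.1.5", "10.1" };
    const char *clients[] = { "10.0.0.1", "192.168.1.5", "10.1.2.3" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("Deny from %-12s client %-12s buggy=%d fixed=%d\n",
               rules[i], clients[i],
               matches_buggy(rules[i], clients[i]),
               matches_fixed(rules[i], clients[i]));
    return 0;
}
```

Under this assumed mechanism, rules with a first octet below 128 keep working and those at 128 and above stop matching, which is why a quick test against one private 10/8 address would not reveal the problem. It is also consistent with the errata's platform list: on a 32-bit platform `unsigned long` has no bits above 31 to fill, and on a little-endian 64-bit platform the byte-swapping conversion takes a 32-bit argument that discards them, so only a big-endian 64-bit host keeps the stray bits all the way to the compare. Because the same parser serves both `Allow` and `Deny`, the security-relevant case is a `Deny from` that no longer matches: the client is let through rather than rejected.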



Comments
  1. By dlg () dlg@dorkzilla.org on http://www.dorkzilla.org/~dlg

    If this is truly a sparc64 bug only, what's it doing in the 'common' folder on the ftp sites?

    Comments
    1. By Anonymous Coward () on

      It's a bug; even if it's ONLY in sparc64 it can be a problem.

      Comments
      1. By bdge () on

        yes, but it is listed in "all architectures"

        I can't understand why.

        There are other specific sections...

        Comments
        1. By jose () on http://monkey.org/~jose/

          it's not in an architecture-specific part of the tree, in a nutshell.

          Comments
          1. By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com

            What Jose said is correct and was the reasoning behind putting the patch in the common area as opposed to the sparc64 area. I know it can be a little bit confusing like this.

            Comments
            1. By bdge () on

              got it ;)

  2. By Anonymous Coward () on

    What about Alpha? 64-bit... big-endian...? Do we need to upgrade ASAP?

    Comments
    1. By Brad () brad at comstyle dot com on mailto:brad at comstyle dot com

      alpha and amd64 (just as another example) are both 64-bit little endian. sparc64 and powerpc64/hppa64 (if we had such ports) are 64-bit big endian.

  3. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

    Is the vanilla Apache also vulnerable to this flaw or does it only affect OpenBSD?

    Comments
    1. By Anonymous Coward () on

      Vanilla Apache is also affected. See, e.g. http://www.apacheweek.com/features/security-13

      Comments
      1. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org

        Well done Claudio and Henning :)
