Debian Bug report logs - #530834
CVE-2009-1195: Apache HTTP Server AllowOverride Options Security Bypass


Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Thu, 28 May 2009 06:54:01 UTC

Severity: serious

Tags: patch, security

Fixed in version apache2/2.2.11-6

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#530834; Package apache2. (Thu, 28 May 2009 06:54:04 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Apache Maintainers <debian-apache@lists.debian.org>. (Thu, 28 May 2009 06:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-1195: Apache HTTP Server AllowOverride Options Security Bypass
Date: Thu, 28 May 2009 08:50:33 +0200
Package: apache2
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

Red Hat recently patched apache2.

CVE-2009-1195 is still reserved, but is disclosed in RHSA-2009-1075[1]

A security issue has been reported in Apache HTTP Server, which can be exploited
by malicious, local users to bypass certain security restrictions.

The security issue is caused due to an error when processing "AllowOverride"
directives and certain "Options" arguments in ".htaccess" files, which can be
exploited to e.g. execute commands via Server Side Includes.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.


[1]https://rhn.redhat.com/errata/RHSA-2009-1075.html

For further information see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
https://bugzilla.redhat.com/show_bug.cgi?id=489436

Patch: http://svn.apache.org/viewvc?view=rev&revision=772997


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoeNDUACgkQNxpp46476aqz6QCgiucSQYvA8tWz3uSq4ps49ZaR
hEEAoJeOa+VFCuH2ZcC+DIhhPRtitElP
=nVX9
-----END PGP SIGNATURE-----
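The report above describes the policy an administrator relies on: with AllowOverride restricted to Options=IncludesNoExec, a .htaccess file is not supposed to be able to turn on exec-capable Server Side Includes. The audit helper below is an added example, not code from the bug report or from the Apache project; it models that policy check over constructed .htaccess fragments so a defender can list .htaccess files that request more than the server-level AllowOverride permits. The policy line, the sample fragments and all function names are assumptions made for the example.

```python
"""Audit .htaccess Options lines against an AllowOverride Options=... policy.

Example code, not part of Apache httpd or the Debian bug report. It checks
the policy the report describes (only the keywords listed after Options= may
be set from .htaccess) rather than reproducing the server's parser.
"""
import re

# Constructed sample configuration (not taken from the bug report): the server
# policy an admin intended, and .htaccess fragments to audit against it.
SERVER_POLICY = "AllowOverride Options=IncludesNoExec,Indexes"
HTACCESS_SAMPLES = {
    "ok-noexec": "Options +IncludesNoExec\n",
    "ok-indexes": "Options Indexes IncludesNoExec\n",
    "escalates": "# attempts exec-capable SSI, which the policy forbids\nOptions +Includes\n",
}

ALL_PERMITTED = None  # sentinel: AllowOverride All, or a bare Options keyword


def parse_allowoverride_options(line):
    """Return the set of Options keywords (lower-cased) that a .htaccess file
    may set according to one AllowOverride line. None means unrestricted;
    an empty set means no Options directive is permitted at all."""
    m = re.match(r"\s*AllowOverride\s+(.*)$", line, re.IGNORECASE)
    if not m:
        raise ValueError("not an AllowOverride line: %r" % line)
    allowed = set()
    for tok in m.group(1).split():
        low = tok.lower()
        if low == "all":
            return ALL_PERMITTED
        if low == "none":
            continue
        if low.startswith("options"):
            if "=" in low:
                # Options=Keyword,Keyword,...  (comma-separated, no spaces)
                allowed.update(k for k in low.split("=", 1)[1].split(",") if k)
            else:
                return ALL_PERMITTED  # bare "Options": any keyword may be set
        # other override classes (AuthConfig, FileInfo, ...) do not affect Options
    return allowed


def requested_options(htaccess_text):
    """Yield (sign, keyword) for every keyword on every Options line of a
    .htaccess body; sign is '+', '-' or '' for an absolute assignment."""
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Options\s+(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        for tok in m.group(1).split():
            sign = tok[0] if tok[0] in "+-" else ""
            yield sign, tok.lstrip("+-").lower()


def audit_htaccess(htaccess_text, allowed):
    """Return the (sign, keyword) requests the policy does not permit.

    Each keyword is judged by its own name: with only IncludesNoExec allowed,
    'Includes' (exec-capable SSI) is flagged whether written absolutely or
    with '+'. Removing a keyword ('-Includes') is treated, conservatively,
    as needing permission too; that is a choice made for this example."""
    if allowed is ALL_PERMITTED:
        return []
    return [(sign, kw) for sign, kw in requested_options(htaccess_text)
            if kw not in allowed]


def audit_all(policy_line=SERVER_POLICY, samples=HTACCESS_SAMPLES):
    """Audit every sample fragment; returns {name: list of findings}."""
    allowed = parse_allowoverride_options(policy_line)
    return {name: audit_htaccess(text, allowed) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print("FLAG" if findings else "OK  ", name, findings)
```

Run against a real tree, the policy line would come from the server's httpd.conf and each .htaccess body from disk; any non-empty finding is a file whose Options request the server is expected to refuse, and a useful thing to verify after deploying the fixed package.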




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#530834; Package apache2. (Thu, 28 May 2009 08:48:03 GMT)


Acknowledgement sent to "Stefan Fritsch" <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Thu, 28 May 2009 08:48:03 GMT)


Message #10 received at 530834@bugs.debian.org:

From: "Stefan Fritsch" <sf@sfritsch.de>
To: 530834@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#530834: CVE-2009-1195: Apache HTTP Server AllowOverride Options Security Bypass
Date: Thu, 28 May 2009 10:45:58 +0200 (CEST)
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
> https://bugzilla.redhat.com/show_bug.cgi?id=489436
>
> Patch: http://svn.apache.org/viewvc?view=rev&revision=772997

If I understood the discussion on httpd-dev correctly, the fix in trunk
svn breaks API compatibility and makes mod_perl FTBFS. But I haven't
looked at Red Hat's patch, yet.

In any case mod_perl has to be tested when doing a fix.
Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Mon, 08 Jun 2009 19:06:03 GMT)


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Mon, 08 Jun 2009 19:06:03 GMT)


Message #15 received at 530834-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 530834-close@bugs.debian.org
Subject: Bug#530834: fixed in apache2 2.2.11-6
Date: Mon, 08 Jun 2009 18:47:13 +0000
Source: apache2
Source-Version: 2.2.11-6

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-dbg_2.2.11-6_i386.deb
  to pool/main/a/apache2/apache2-dbg_2.2.11-6_i386.deb
apache2-doc_2.2.11-6_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.11-6_all.deb
apache2-mpm-event_2.2.11-6_all.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.11-6_all.deb
apache2-mpm-prefork_2.2.11-6_all.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.11-6_all.deb
apache2-mpm-worker_2.2.11-6_all.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.11-6_all.deb
apache2-prefork-dev_2.2.11-6_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.11-6_i386.deb
apache2-src_2.2.11-6_all.deb
  to pool/main/a/apache2/apache2-src_2.2.11-6_all.deb
apache2-suexec-custom_2.2.11-6_i386.deb
  to pool/main/a/apache2/apache2-suexec-custom_2.2.11-6_i386.deb
apache2-suexec_2.2.11-6_i386.deb
  to pool/main/a/apache2/apache2-suexec_2.2.11-6_i386.deb
apache2-threaded-dev_2.2.11-6_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.11-6_i386.deb
apache2-utils_2.2.11-6_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.11-6_i386.deb
apache2.2-bin_2.2.11-6_i386.deb
  to pool/main/a/apache2/apache2.2-bin_2.2.11-6_i386.deb
apache2.2-common_2.2.11-6_all.deb
  to pool/main/a/apache2/apache2.2-common_2.2.11-6_all.deb
apache2_2.2.11-6.diff.gz
  to pool/main/a/apache2/apache2_2.2.11-6.diff.gz
apache2_2.2.11-6.dsc
  to pool/main/a/apache2/apache2_2.2.11-6.dsc
apache2_2.2.11-6_all.deb
  to pool/main/a/apache2/apache2_2.2.11-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 530834@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 08 Jun 2009 19:22:58 +0200
Source: apache2
Binary: apache2.2-common apache2.2-bin apache2-mpm-worker apache2-mpm-prefork apache2-mpm-event apache2-utils apache2-suexec apache2-suexec-custom apache2 apache2-doc apache2-prefork-dev apache2-threaded-dev apache2-src apache2-dbg
Architecture: source i386 all
Version: 2.2.11-6
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Apache HTTP Server metapackage
 apache2-dbg - Apache debugging symbols
 apache2-doc - Apache HTTP Server documentation
 apache2-mpm-event - Apache HTTP Server - event driven model
 apache2-mpm-prefork - Apache HTTP Server - traditional non-threaded model
 apache2-mpm-worker - Apache HTTP Server - high speed threaded model
 apache2-prefork-dev - Apache development headers - non-threaded MPM
 apache2-src - Apache source code
 apache2-suexec - Standard suexec program for Apache 2 mod_suexec
 apache2-suexec-custom - Configurable suexec program for Apache 2 mod_suexec
 apache2-threaded-dev - Apache development headers - threaded MPM
 apache2-utils - utility programs for webservers
 apache2.2-bin - Apache HTTP Server common binary files
 apache2.2-common - Apache HTTP Server common files
Closes: 530834 532278
Changes: 
 apache2 (2.2.11-6) unstable; urgency=high
 .
   * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server
     Side Includes (closes: #530834).
   * Fix postinst scripts (closes: #532278).
Checksums-Sha1: 
 15e57cc9361cb003e6f6dbefed97d7b16b0e2991 1670 apache2_2.2.11-6.dsc
 1386c929ce25e51e66cab3abfca701629f1dd1e9 138556 apache2_2.2.11-6.diff.gz
 b7f3497b9a6f505bc2344ee88a4bd6e38903f5dd 1093804 apache2.2-bin_2.2.11-6_i386.deb
 a3556b8b3d20fa148cfe4c96c78dcf22dd46826f 146404 apache2-utils_2.2.11-6_i386.deb
 e7f3509510ef6ae9b32c90712a5f0a7a9cfa7837 85368 apache2-suexec_2.2.11-6_i386.deb
 46867e24b46b3b9ba737aa83ec96a65e35a1bf20 86958 apache2-suexec-custom_2.2.11-6_i386.deb
 a7d71ae8c42d7e5d271d5dcba9a49cf20664ff74 137742 apache2-prefork-dev_2.2.11-6_i386.deb
 14bbb29185441dbf24e83adee0ba5cd3814ef412 138914 apache2-threaded-dev_2.2.11-6_i386.deb
 8c19d20ac6b3b2c3a2da4da9ca290895d61fc7c0 2288638 apache2-dbg_2.2.11-6_i386.deb
 5e62965bee6d01ccde7c81895beb53f5242e35c7 269764 apache2.2-common_2.2.11-6_all.deb
 84b627e14af587f15507d78101f2de2c709b09a5 2148 apache2-mpm-worker_2.2.11-6_all.deb
 8f49e7ba87aca3cb4fa288e26461eb43a6f810cb 2204 apache2-mpm-prefork_2.2.11-6_all.deb
 b7b18aa9d300f52c369dc195d1ed109caf154e72 2176 apache2-mpm-event_2.2.11-6_all.deb
 4ef1741c2d7e833dd33b08490d912a5b311144f1 1368 apache2_2.2.11-6_all.deb
 c4031485a8005d6aa81afbb2a931d7997c833f91 2227492 apache2-doc_2.2.11-6_all.deb
 ba44556183505bc29f900d84939ed7bef98748a8 6946112 apache2-src_2.2.11-6_all.deb
Checksums-Sha256: 
 8915d21a441277817a2f643b63c3e72c5d01c9fe50919b3048af29597767166d 1670 apache2_2.2.11-6.dsc
 482b3e8668cbbdbfa93e489c14896fbc5fab63b42648715d8325b71240c2e2ba 138556 apache2_2.2.11-6.diff.gz
 759fdc5f087ef725242dbb8b3017fdd9b26e623a5eece98d1567dfee1dc7ef46 1093804 apache2.2-bin_2.2.11-6_i386.deb
 b348dc7a68d10f49374a6e449cc27b3a2ad3a409e697738b5ae9885974565592 146404 apache2-utils_2.2.11-6_i386.deb
 7ccb0677cb8c8ed4e61b680558781a726a3caadd992be977e1682eecc02b5790 85368 apache2-suexec_2.2.11-6_i386.deb
 24112333f3c8b0a2c1e6d3e7e8b50c84d5df08ad9b121836765cb0463e63cb19 86958 apache2-suexec-custom_2.2.11-6_i386.deb
 1142901e5ad93b5220693a2b2e70d93ef17cf179c7eead8d4b92052d4117e4b7 137742 apache2-prefork-dev_2.2.11-6_i386.deb
 b5ba0491870bf1aee4deeecd976697c52dd15d8be04ccceae93ef7d26ba1bd3e 138914 apache2-threaded-dev_2.2.11-6_i386.deb
 807ff503cb224fbaf1909bcc8e6e1c4ae328974643fdfd3596c06d535785dc04 2288638 apache2-dbg_2.2.11-6_i386.deb
 c425b2c0cab633226435620ed1b06383fec89c2f66346b86aa038422d9ba0672 269764 apache2.2-common_2.2.11-6_all.deb
 3735ff5d3093b4da25df170e06bc7533a0e3f9bac84cc0020ea0240467659549 2148 apache2-mpm-worker_2.2.11-6_all.deb
 337c5a5139004125414d74eb16cbef932880e5b57fae4e73124da34ceec4531a 2204 apache2-mpm-prefork_2.2.11-6_all.deb
 e38bbaebc1bba4e99da9b96303da835350f04813498b3ef280b200cd513fca83 2176 apache2-mpm-event_2.2.11-6_all.deb
 84213b35700e30507f353038bf770df314947275b87ba32165f69d3681183969 1368 apache2_2.2.11-6_all.deb
 93b51c6983bd7b6e89d0ea201448875f47e4b8f4756c002873c7cd69f1bad088 2227492 apache2-doc_2.2.11-6_all.deb
 ac44f6f2b3b0e2c745fb090a7b1e3e3bd515fd31f399b725af2018823dc42748 6946112 apache2-src_2.2.11-6_all.deb
Files: 
 b86fa17934b19e4b9f45d99517ae0832 1670 httpd optional apache2_2.2.11-6.dsc
 5356706cd3db44898c8796682bbc5991 138556 httpd optional apache2_2.2.11-6.diff.gz
 e2186d9aded9b5585c57ec520971e2d5 1093804 httpd optional apache2.2-bin_2.2.11-6_i386.deb
 66d03755680eeb683cbc3b66f5dcde68 146404 httpd optional apache2-utils_2.2.11-6_i386.deb
 44b52c9dc6a31b20e753baead4d18f95 85368 httpd optional apache2-suexec_2.2.11-6_i386.deb
 ea0dd06038735e739318d4cad74d8be6 86958 httpd extra apache2-suexec-custom_2.2.11-6_i386.deb
 a6c1f35ab098978a428afa071d3caa5e 137742 httpd extra apache2-prefork-dev_2.2.11-6_i386.deb
 b1c3de251ad9e05a68786f28bf1031a1 138914 httpd extra apache2-threaded-dev_2.2.11-6_i386.deb
 21915f1f341cf2e0f76ff8c8907a23d0 2288638 debug extra apache2-dbg_2.2.11-6_i386.deb
 7dafe0fe2065c165587da9a3629be219 269764 httpd optional apache2.2-common_2.2.11-6_all.deb
 53aa9a7935c47d34389262aa6eeeafe4 2148 httpd optional apache2-mpm-worker_2.2.11-6_all.deb
 e9d3e7c2b7f0d2b3196140a391bce93b 2204 httpd optional apache2-mpm-prefork_2.2.11-6_all.deb
 e25eb6203a62f54722bbf5e925e619b9 2176 httpd optional apache2-mpm-event_2.2.11-6_all.deb
 37e007b22b83511e6101e3357f64882b 1368 httpd optional apache2_2.2.11-6_all.deb
 e79f9eac7fa9379efa83ba8c3e821141 2227492 doc optional apache2-doc_2.2.11-6_all.deb
 e2e5c44394f2acb115034c577aee54f3 6946112 httpd extra apache2-src_2.2.11-6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKLVk6bxelr8HyTqQRAlaZAJsGEftx5FZjMymo1qSbP6EC+viByQCfYs4b
/YhFPX3rM6dbAliEK0QbzpQ=
=ecjg
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jul 2009 07:31:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:30:23 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.