Bug 917402 (CVE-2003-1418) - VUL-1: CVE-2003-1418: apache2: ETag Header Information Disclosure Weakness still present
Summary: VUL-1: CVE-2003-1418: apache2: ETag Header Information Disclosure Weakness s...
Status: RESOLVED FIXED
Alias: CVE-2003-1418
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Deadline: 2015-08-07
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:62232:moderate
Keywords: security_vulnerability
Depends on: 907477
Blocks:
  Show dependency treegraph
 
Reported: 2015-02-11 15:25 UTC by Johannes Segitz
Modified: 2016-04-07 10:38 UTC (History)
8 users (show)

See Also:
Found By: Beta-Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
proposed patch (1.29 KB, patch)
2015-03-09 16:35 UTC, Kristyna Streitova 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2015-02-11 15:25:48 UTC 
+++ This bug was initially created as a clone of Bug #907477 +++

Seems like apache is still vulnerable to CVE-2003-1418, see
https://bugzilla.novell.com/show_bug.cgi?id=907477#add_comment

We need to include this into the next apache update
Comment 1 Johannes Segitz 2015-02-11 15:26:33 UTC 
gnah, correct link to the comment:
https://bugzilla.novell.com/show_bug.cgi?id=907477#c8
Comment 2 Marcus Meissner 2015-02-11 15:35:31 UTC 
old statement we had: 

https://bugzilla.suse.com/show_bug.cgi?id=713970
Comment 4 Swamp Workflow Management 2015-02-11 23:00:45 UTC 
bugbot adjusting priority
Comment 5 Kristyna Streitova 2015-03-09 16:35:25 UTC 
Created attachment 625920 [details]
proposed patch

I'm attaching a patch for this bug.

According to upstream it was fixed in 2.4.1: (https://bz.apache.org/bugzilla/show_bug.cgi?id=49623#c6)

The following table expresses which products are affected according to their versions:

|    Product    | Version | Affected |    request     |
|---------------|---------|----------|----------------|
| SLE 11        | 2.2.10  | yes      | wait for swamp |
| SLE 11 SP1    | 2.2.12  | yes      | wait for swamp |
| SLE 11 SP4    | 2.2.12  | yes      | wait for swamp |
| SLE 12        | 2.4.10  | no       | -              |
| openSUSE 13.1 | 2.4.6   | no       | -              |
| openSUSE 13.2 | 2.4.10  | no       | -              |
| Factory       | 2.4.12  | no       | -              |
Comment 7 Marcus Meissner 2015-03-10 11:03:21 UTC 
The patch is good as upstream does the same thing.

I am putting this fix on the planned update list for the next apache2 update.

REPRODUCER for QA 

put a favicon.ico or other file on the server

curl -v testhost/favicon.ico 2>&1|grep -i etag

< ETag: "5f40a9-57e-50a5c3c3616c0"

         inode in hex - filesize in hex - mtime in hex * 10000000

The inode part should go away after the update.
Comment 8 Kristyna Streitova 2015-03-11 09:12:46 UTC 
Thank you, I'm closing this bug until the submission is needed.
Comment 9 Johannes Segitz 2015-03-11 11:46:01 UTC 
Rather than closing please just assign the bug to us, we take it from there
Comment 10 Kristyna Streitova 2015-04-02 16:51:17 UTC 
Submitted to:
  - SLE10SP3: https://build.suse.de/request/show/54652
  - SLE11SP1: https://build.suse.de/request/show/53778

SLE12 and openSUSE/Factory are not affected.
Comment 11 Marcus Meissner 2015-04-27 13:08:57 UTC 
was released or is in queue I think. (tracked under bug 907477)
Comment 12 Kristyna Streitova 2015-04-27 13:14:24 UTC 
(In reply to Marcus Meissner from comment #11)
> was released or is in queue I think. (tracked under bug 907477)

In this case it can be closed, I guess.
Comment 13 Swamp Workflow Management 2015-07-24 12:10:29 UTC 
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-08-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62232