Re: Apache 1.3.7 (RH73) question wrt CVEs

[Jim Popovitch <jimpop yahoo com>]

David Eisenstein wrote:
> On Thu, 11 May 2006, Jim Popovitch wrote:
>
> > In another arena I saw a list of CVEs against Apache 1.3.7.  RH73 ships 
> > with Apache 1.3.7-9 so I thought I would query BZ and see what I could 
> > find of these.  (I am a BZ newbie when it comes to queries).
> >
> > CVE-2002-1233 Apache HTTP Server htpasswd and htdigest Multiple 
> > Vulnerabilities
> >
> > CVE-2004-0748, CVE-2004-0751 Apache HTTP Server mod_ssl Denial of Service
> >
> > CVE-2003-0083, CVE-2003-0020 Linux/Unix: Apache Escape Sequence 
> > Vulnerabilities
> >
> > CVE-2003-0993 Apache mod_access Security Bypass
> >
> > CVE-2004-0700 Apache mod_ssl Format String Vulnerability
> >
> >
> > Unfortunately I couldn't find any of those in the Comments under Apache 
> >   for Fedora Legacy Redhat 7.3.  I can't believe that all of those 
> > aren't addressed, so lack of query results suggests to me that I am 
> > missing something.  Some of those CVE/CANs are several years old, but 
> > wouldn't the still be in BZ comments somewhere?
>
> It appears that Red Hat Linux 7.3 shipped with apache-1.3.23-11...  I
> don't know what shipped with apache-1.3.7 ...  From Fedora Legacy's
> archives, RHL 7.3's apache was shipped on 16-Apr-2002.
>
> The latest update for Red Hat 7.3's apache appears to have been released 
> by the Fedora Legacy project on 18-Feb-2006 and is apache-1.3.27-9.legacy.

Thank you David for the insight as well as the ground work on going 
through all of those.  It wasn't my intention to have you or someone 
else do that, but I do appreciate your doing so.  Apologies for 
specifying apache-1.3.7, that was a copy/paste error, I meant 
apache-1.3.27.

Again, Thank you for digging through all of that.

-Jim P.