This is a discussion on Re: crypt_r() should have been selected! within the Linux Web Servers forums, part of the Web Server and Related Forums category.
I got the same problem, but it seems to be a known bug:
http://www.apache.org/dist/httpd/Announcement2.html

> Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable to a denial-of-service attack on the basic authentication module, which was reported by John Hughes <john.hughes@entegrity.com>. A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r(), including AIX and Linux. All versions of Apache 2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. When using a threaded MPM (which is not the default on these platforms), this allows remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. We do not believe this bug could allow unauthorized users to gain access to protected resources.

But how can I select crypt_r()?
In article <ef4046e0.0306270454.2119b858@posting.google.com>, one of infinite monkeys at the keyboard of sven.borkert@uni.de (Sven Borkert) wrote:

> Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
> vulnerable to a denial-of-service attack on the basic authentication
> module, which was reported by John Hughes <john.hughes@entegrity.com>.
> A bug in the configuration scripts caused the apr_password_validate()
> function to be thread-unsafe on platforms with crypt_r(), including
> AIX and Linux.

Corollary: could this same issue affect third-party modules - such as mod_auth_[pg|my]sql - which use crypt under similar circumstances? The references in the announcement don't seem to point to the original discussion; perhaps someone has a URL?

> But how can i select crypt_r()?

Not having an AIX box, can't help there. On Linux (which the announcement names as having the same issue) it compiles fine out-of-the-box.

--
Nick Kew
In urgent need of paying work - see http://www.webthing.com/~nick/cv.html
nick@fenris.webthing.com (Nick Kew) wrote in message news:<c10idb.571.ln@jarl.webthing.com>...

> Not having an AIX box, can't help there. On Linux (which the announcement
> names as having the same issue) it compiles fine out-of-the-box.

At least I managed to make the source compile now. I don't know why it doesn't use crypt_r() although configure says it's available.

In srclib/apr/include/apr.hw / apr.hnw you can make the APR run without threads by commenting out

#define APR_HAS_THREADS 1

It seems to be a little bug that httpd-2.0.46/srclib/apr-util/crypto/apr_md5.c uses

#if defined(_AIX) && defined(APR_HAS_THREADS)

to check APR_HAS_THREADS. Setting it to 0 will make it defined as well, so you got to uncomment the whole line to make it undefined.
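The macro pitfall described in the last post, and the thread-safety failure it hides, shown with a constructed C example (not Apache or APR code): `toy_crypt` and `toy_crypt_r` are stand-ins for crypt() and crypt_r(), and APR_HAS_THREADS is set to 0 here to mirror the "set it to 0" attempt the post says does not work.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for apr.h: threads "disabled" by giving the
 * macro the value 0. The macro is still defined. */
#define APR_HAS_THREADS 0

/* The form the post quotes from apr_md5.c: true whenever the macro
 * exists at all, regardless of its value. */
#if defined(APR_HAS_THREADS)
#define BRANCH_BY_DEFINED 1
#else
#define BRANCH_BY_DEFINED 0
#endif

/* The form that honours the value 0. */
#if APR_HAS_THREADS
#define BRANCH_BY_VALUE 1
#else
#define BRANCH_BY_VALUE 0
#endif

int threaded_branch_taken_by_defined(void) { return BRANCH_BY_DEFINED; }
int threaded_branch_taken_by_value(void)   { return BRANCH_BY_VALUE; }

/* Toy crypt(): returns a pointer to one shared static buffer, so a later
 * call (from another thread in a real server) overwrites a result still
 * in use. The "hash" is just salt$password, constructed for the demo. */
static const char *toy_crypt(const char *pw, const char *salt) {
    static char out[32];
    snprintf(out, sizeof out, "%s$%s", salt, pw);
    return out;
}

/* Toy crypt_r(): writes into caller-owned storage instead. */
static const char *toy_crypt_r(const char *pw, const char *salt,
                               char *buf, size_t n) {
    snprintf(buf, n, "%s$%s", salt, pw);
    return buf;
}

/* Returns 1 if the computed hash still matches after an interleaved
 * call for a different request, 0 if the interleaving clobbered it. */
int validate_nonreentrant(void) {
    const char *h = toy_crypt("secret", "ab");  /* this request's hash */
    (void)toy_crypt("other", "ab");             /* another request's call */
    return strcmp(h, "ab$secret") == 0;         /* 0: buffer was reused */
}
int validate_reentrant(void) {
    char a[32], b[32];
    const char *h = toy_crypt_r("secret", "ab", a, sizeof a);
    (void)toy_crypt_r("other", "ab", b, sizeof b);
    return strcmp(h, "ab$secret") == 0;         /* 1: a was untouched */
}
```

The first pair of functions shows why setting the macro to 0 still selects the `defined()` branch, and the second pair shows the failure mode the announcement describes (a valid password no longer matches) when a non-reentrant hash function is shared between requests.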