Subject: Re: apache-1.3.14 and Netscape-4.76
To: Emmanuel Dreyfus <p99dreyf@criens.u-psud.fr>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 04/03/2001 10:56:06
On Tue, 3 Apr 2001, Emmanuel Dreyfus wrote:
> Two questions about our document on package security:
>
> apache is insecure prior to 1.3.14. I looked at the apache release
> documents, and I was not able to find a security hole fixed in 1.3.14.
> What is the problem?

I think the changes were in the unreleased (and not packaged) 1.3.13. For
example, our pkgsrc
(http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/www/apache/Makefile) says:

  Update apache to 1.3.14. Changes from version 1.3.12 are listed below.

  The security fixes are:
   * A problem with the Rewrite module, mod_rewrite, allowed access to
     any file on the web server under certain circumstances
   * The handling of Host: headers in mass virtual hosting
     configurations, mod_vhost_alias, could allow access to any file on
     the server
   * If a cgi-bin directory is under the document root, the source to
     the scripts inside it could be sent if using mass virtual hosting

And the Apache release notes
(http://httpd.apache.org/dist/httpd/CHANGES_1.3) have:

  Changes with Apache 1.3.13 [not released]

  *) Fix a security problem that affects some configurations of
     mod_rewrite. If the result of a RewriteRule is a filename that
     contains expansion specifiers, especially regexp backreferences
     $0..$9 and %0..%9, then it may have been possible for an attacker
     to access any file on the web server. [Tony Finch]

  *) Prevent the source code for CGIs from being revealed when using
     mod_vhost_alias and the CGI directory is under the document root
     and a user makes a request like http://www.example.com//cgi-bin/cgi
     as reported in <news:960999105.344321@ernani.logica.co.uk>
     [Tony Finch]

Jeremy C. Reed
http://www.reedmedia.net/
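
Added example (not part of the original message, and not Apache or pkgsrc code): a log check for the request shape the second CHANGES entry cites, where the path reaches cgi-bin only after repeated slashes are collapsed. It assumes Common Log Format access logs and a /cgi-bin/ prefix; the sample lines are constructed.

```python
import re

# Assumed input: Common Log Format access-log lines.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

def collapse_slashes(path):
    """Collapse each run of '/' into a single '/'."""
    return re.sub(r"/{2,}", "/", path)

def suspicious_cgi_requests(lines, cgi_prefix="/cgi-bin/"):
    """Return (client, path, status) for requests whose path lands under
    cgi_prefix only after slash-collapsing, so a literal prefix
    comparison on the raw URI would not classify them as CGI requests."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        client, _method, target, status, _size = m.groups()
        # Drop scheme and host from absolute-form targets, then the query.
        path = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/]*", "", target)
        path = path.split("?", 1)[0]
        if (collapse_slashes(path).startswith(cgi_prefix)
                and not path.startswith(cgi_prefix)):
            hits.append((client, path, int(status)))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Apr/2001:10:00:01 +0000] "GET /cgi-bin/cgi HTTP/1.0" 200 512',
    '192.0.2.11 - - [03/Apr/2001:10:00:02 +0000] "GET //cgi-bin/cgi HTTP/1.0" 200 2048',
    '192.0.2.12 - - [03/Apr/2001:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.13 - - [03/Apr/2001:10:00:04 +0000] "GET ///cgi-bin//cgi?x=1 HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for client, path, status in suspicious_cgi_requests(SAMPLE_LOG):
        # A 200 here means the server answered the non-canonical path.
        print(f"{client} {status} {path}")
```

On a flagged line with a 200 status, comparing the response size with the script's size on disk helps tell returned source from normal CGI output.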