apache2: includes non-free and possibly undistributable files

Bug #26130 reported by Debian Bug Importer
Affects           Status        Importance  Assigned to   Milestone
apache2 (Debian)  Fix Released  Unknown
apache2 (Ubuntu)  Fix Released  High        Adam Conrad

Bug Description

Automatically imported from Debian bug report #340538 http://bugs.debian.org/340538

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #340538 http://bugs.debian.org/340538

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <E1Ef4WI-0000Lv-WC@neverland>
Date: Thu, 24 Nov 2005 00:59:22 +0100
From: Francesco Poli <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apache2: includes non-free and possibly undistributable files

Package: apache2
Version: 2.0.54-5
Severity: serious
Justification: Policy 2.2.1

Hi!

By reviewing the copyright file, I found out that apache2 includes
code that does not seem to comply with the DFSG.
What is worse, I even found some code that does not seem to be
distributable at all...

Quoting from the copyright file itself:

For the test\zb.c component:

| /* ZeusBench V1.01
| ===============
|
| This program is Copyright (C) Zeus Technology Limited 1996.
|
| This program may be used and copied freely providing this copyright notice
| is not removed.
|
| This software is provided "as is" and any express or implied waranties,
| including but not limited to, the implied warranties of merchantability and
| fitness for a particular purpose are disclaimed. In no event shall
| Zeus Technology Ltd. be liable for any direct, indirect, incidental, special,
| exemplary, or consequential damaged (including, but not limited to,
| procurement of substitute good or services; loss of use, data, or profits;
| or business interruption) however caused and on theory of liability. Whether
| in contract, strict liability or tort (including negligence or otherwise)
| arising in any way out of the use of this software, even if advised of the
| possibility of such damage.
|
| Written by Adam Twiss (<email address hidden>). March 1996
|
| Thanks to the following people for their input:
| Mike Belshe (<email address hidden>)
| Michael Campanella (<email address hidden>)
|
| */

This license does not grant any permission to modify and to distribute
modifications and derivative works (fails DFSG#3).
Upstream copyright holders should be contacted and asked to relicense
the file: I would suggest the Expat license
(http://www.jclark.com/xml/copying.txt).

| For the srclib\apr-util\test\testmd4.c component:
|
| *
| * This is derived from material copyright RSA Data Security, Inc.
| * Their notice is reproduced below in its entirety.
| *
| * Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
| * rights reserved.
| *
| * RSA Data Security, Inc. makes no representations concerning either
| * the merchantability of this software or the suitability of this
| * software for any particular purpose. It is provided "as is"
| * without express or implied warranty of any kind.
| *
| * These notices must be retained in any copies of any part of this
| * documentation and/or software.
| */

This does not even grant *any* permissions.
It seems to be undistributable (fails DFSG#1 and DFSG#3).
If this is the case, distributing it is also a copyright violation
and should stop ASAP.
Again upstream copyright holders should be contacted and asked to relicense
the file: a good choice could be the Expat license.

| For the srclib\apr\include\apr_md5.h component:
| /*
| * This is work is derived from material Copyright RSA Data Securit...


Revision history for this message
Joey Hess (joeyh) wrote : followup on this bug?

This RC bug has been open since November with no maintainer followup
that I can see. Is anything being done to remove the problematic files
and/or get them properly licensed upstream?

--
see shy jo

Revision history for this message
Thom May (thombot) wrote : Re: Bug#340538: followup on this bug?

* Joey Hess (<email address hidden>) wrote :
> This RC bug has been open since November with no maintainer followup
> that I can see. Is anything being done to remove the problematic files
> and/or get them properly licensed upstream?
>

This is in progress with upstream; we've worked with them to remove zb.c
from the upstream repository and are working to find a reasonable solution
to the RSA licensed files.
Cheers,
-Thom

Revision history for this message
Steinar H. Gunderson (sesse) wrote :

On Wed, May 31, 2006 at 09:29:20AM +0100, Thom May wrote:
> This is in progress with upstream; we've worked with them to remove zb.c
> from the upstream repository and are working to find a reasonable solution
> to the RSA licensed files.

FWIW, a reasonable usable replacement for the MD5 functions can be found at

  http://sourceforge.net/project/showfiles.php?group_id=42360

For MD4, you might find the following useful:

  http://trolocsis.com/crypto++/md4_8cpp-source.html

I haven't been able to track down the "original" public domain code it talks
about, though, but it might do -- I'm a bit worried that it doesn't
explicitly say anything about modification, though...

/* Steinar */
--
Homepage: http://www.sesse.net/

Revision history for this message
Steinar H. Gunderson (sesse) wrote : More free replacements

FWIW: dovecot has MD4 and MD5 implementations placed in the public domain
too.

/* Steinar */
--
Homepage: http://www.sesse.net/

Revision history for this message
Jeroen van Wolffelaar (jeroenvw) wrote : Fixed in NMU of apache2 2.2.3-1~exp.r170

tag 236193 + fixed
tag 238586 + fixed
tag 241223 + fixed
tag 273929 + fixed
tag 285337 + fixed
tag 337817 + fixed
tag 340538 + fixed
tag 340955 + fixed
tag 341460 + fixed
tag 343467 + fixed
tag 344072 + fixed
tag 348189 + fixed
tag 353443 + fixed
tag 368497 + fixed
tag 379015 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 15 Aug 2006 16:17:33 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2-mpm-worker apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-1~exp.r170
Distribution: experimental
Urgency: low
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Jeroen van Wolffelaar <email address hidden>
Description:
 apache2 - Next generation, scalable, extendable web server
 apache2-common - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD 2.1
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
 apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
 apache2-prefork-dev - development headers for apache2
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
Closes: 236193 238586 241223 273929 285337 337817 340538 340955 341460 343467 344072 348189 353443 368497 379015
Changes:
 apache2 (2.2.3-1~exp.r170) experimental; urgency=low
 .
   [ Jeroen van Wolffelaar ]
   * Staging upload to experimental of subversion revision r170
 .
   [ Thom May, Tollef Fog Heen, Fabio M. Di Nitto and Adam Conrad ]
   * New Upstream Release. Closes: #344072
     http://httpd.apache.org/docs/2.2/new_features_2_2.html has a list of
     new features and changes.
     - Fixes LFS support. Closes: #341460, #285337, #241223
     - Fixes off-by-one error in mod_rewrite ldap schema handling
       (CVE-2006-3747)
     - Fixes XSS issue in mod_imap/mod_imagemap (CVE-2005-3352).
       Closes: #343467.
     - mpm_perchild no longer exists, so closing bugs for perchild.
       Closes: #236193, #238586
     - Fixes PHP POST with SSLVerifyClient. Closes: 353443
   * Build-depend on lsb-release and pick up the branding from there.
   * Build-depend on apr-util 1.0 which is now in a separate source
     package.
   * Mangle the Debian layout to be more FHS compatible
   * No longer build-conflict with libgdbm-dev
   * Use external PCRE
   * Make apache2-utils stop providing apache2-utils. Also make it stop
     conflicting with itself.
   * Rename default site from default-site to just default.
   * Try to migrate modules which used to be built-in: alias, mime,
     authz_host, autoindex, dir, env, negotiation, setenvif, status.
   * Mod imap has been renamed to imagemap, ditto for auth_ldap =>
     authnz_ldap. Cope with that in postinst.
   * Stop globbing in apache2.conf.
     Closes: #337817, #340955, #348189, #379015, #368497
   * Don't ...


Changed in apache2:
status: Unconfirmed → Fix Committed
Revision history for this message
Jeroen van Wolffelaar (jeroenvw) wrote :

Version: 2.2.3-1~exp.r170

tag 236193 - fixed
tag 238586 - fixed
tag 241223 - fixed
tag 273929 - fixed
tag 285337 - fixed
tag 337817 - fixed
tag 340538 - fixed
tag 340955 - fixed
tag 341460 - fixed
tag 343467 - fixed
tag 344072 - fixed
tag 348189 - fixed
tag 353443 - fixed
tag 368497 - fixed
tag 379015 - fixed
thanks

On Tue, Aug 15, 2006 at 11:04:50AM -0700, Jeroen van Wolffelaar wrote:
> This message was generated automatically in response to a
> non-maintainer upload. The .changes file follows.

Actually, fixed in experimental, so the 'fixed' tag is inappropriate
here. Now closing bugs properly.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Format: 1.7
> Date: Tue, 15 Aug 2006 16:17:33 +0200
> Source: apache2
> Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2-mpm-worker apache2-threaded-dev apache2-common apache2-mpm-perchild
> Architecture: source all i386
> Version: 2.2.3-1~exp.r170
> Distribution: experimental
> Urgency: low
> Maintainer: Debian Apache Maintainers <email address hidden>
> Changed-By: Jeroen van Wolffelaar <email address hidden>
> Description:
> apache2 - Next generation, scalable, extendable web server
> apache2-common - Next generation, scalable, extendable web server
> apache2-doc - documentation for apache2
> apache2-mpm-event - Event driven model for Apache HTTPD 2.1
> apache2-mpm-perchild - Transitional package - please remove
> apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
> apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
> apache2-prefork-dev - development headers for apache2
> apache2-threaded-dev - development headers for apache2
> apache2-utils - utility programs for webservers
> Closes: 236193 238586 241223 273929 285337 337817 340538 340955 341460 343467 344072 348189 353443 368497 379015
> Changes:
> apache2 (2.2.3-1~exp.r170) experimental; urgency=low
> .
> [ Jeroen van Wolffelaar ]
> * Staging upload to experimental of subversion revision r170
> .
> [ Thom May, Tollef Fog Heen, Fabio M. Di Nitto and Adam Conrad ]
> * New Upstream Release. Closes: #344072
> http://httpd.apache.org/docs/2.2/new_features_2_2.html has a list of
> new features and changes.
> - Fixes LFS support. Closes: #341460, #285337, #241223
> - Fixes off-by-one error in mod_rewrite ldap schema handling
> (CVE-2006-3747)
> - Fixes XSS issue in mod_imap/mod_imagemap (CVE-2005-3352).
> Closes: #343467.
> - mpm_perchild no longer exists, so closing bugs for perchild.
> Closes: #236193, #238586
> - Fixes PHP POST with SSLVerifyClient. Closes: 353443
> * Build-depend on lsb-release and pick up the branding from there.
> * Build-depend on apr-util 1.0 which is now in a separate source
> package.
> * Mangle the Debian layout to be more FHS compatible
> * No longer build-conflict with libgdbm-dev
> * Use external PCRE
> * Make apache2-utils stop providing apache2-utils. Also make it stop
> conflicting with itself.
> * Rename default site from default-site to just default.
> * Try to migrate modules which used to be...


Changed in apache2:
status: Fix Committed → Fix Released
Revision history for this message
Danny Staple (danny-orionrobots) wrote :

How much effort would it take to apply the same fixes that were made in Debian?

Or to rephrase that, how different is the ubuntu apache2 source layout from the Debian ones, and could it be a matter of just using diff and patch to do the work with a little overseeing?

This bug report has not been touched for 10 months, so is it definitely still the case?

Changed in apache2:
status: Unconfirmed → Needs Info
Revision history for this message
Loïc Corbasson (cnb) wrote :

Debian fixed it in 2.2.3-1~exp.r170, uploaded to experimental in August, and testing and sid now have 2.2.3-3.1, so this may be fixed by syncing from Debian unstable.

Revision history for this message
VF (vfiend) wrote :

Feisty has Apache 2.2.3-3.2build1 but it still seems to have the same problem, I can see testmd4.c and zb.c with the same copyright text.

Changed in apache2:
status: Needs Info → Confirmed
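The check VF describes above (open the unpacked source and look for the same copyright text) is the one that settles whether a given package version still ships the flagged files, and it is more reliable than going by file name, since a notice can travel into a renamed or moved file. The script below is an added example and is not code from the bug report or from the Debian/Ubuntu apache2 packaging. It greps an unpacked tree for the two notices quoted in the original report (the ZeusBench copyright line and the "Copyright (C) 1990-2, RSA Data Security, Inc." line) and reports every file that carries one. The miniature tree it builds in make_sample_tree() is constructed for the example only; the marker regexes, function names and the audit_tree/scan_file helpers are this example's own, not anything from apache2 or apr.

```python
"""Audit an unpacked source tree for the non-free notices flagged in the report.

Added example, not code from the bug report or from the apache2 packaging.
Markers are substrings of the notices quoted in the report; the sample tree
in make_sample_tree() is constructed here so the script runs offline.
"""
import os
import re
import tempfile

# Match on the copyright line, not on the file name, so a renamed or moved
# copy (e.g. apr_md5.h next to testmd4.c) is still caught.
MARKERS = {
    "zeusbench": re.compile(r"Copyright \(C\) Zeus Technology Limited 1996"),
    "rsa-md4-md5": re.compile(r"Copyright \(C\) 1990-2, RSA Data Security, Inc\."),
}


def scan_file(path, markers=MARKERS):
    """Return the set of marker names found in one file.

    The file is read as latin-1 so stray non-UTF-8 bytes in old C sources
    never abort the audit half-way through the tree.
    """
    with open(path, "r", encoding="latin-1") as fh:
        text = fh.read()
    return {name for name, rx in markers.items() if rx.search(text)}


def audit_tree(root, markers=MARKERS):
    """Walk `root`; return {relative_path: [marker names]} for every hit."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # VCS metadata is never shipped and only slows the walk down.
        dirnames[:] = [d for d in dirnames if d not in (".git", ".svn")]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            found = scan_file(full, markers)
            if found:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits[rel] = sorted(found)
    return hits


def make_sample_tree():
    """Constructed miniature tree: two files carrying the flagged notices,
    one Apache-licensed file, and one that merely mentions RSA in prose
    (which must NOT be reported, since the marker is the copyright line)."""
    root = tempfile.mkdtemp(prefix="apache2-audit-")
    files = {
        "test/zb.c": (
            "/* ZeusBench V1.01\n"
            "   This program is Copyright (C) Zeus Technology Limited 1996.\n"
            "*/\n"
        ),
        "srclib/apr-util/test/testmd4.c": (
            " * Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All\n"
            " * rights reserved.\n"
        ),
        "server/main.c": (
            "/* Licensed under the Apache License, Version 2.0 */\n"
            "int main(void) { return 0; }\n"
        ),
        "docs/notes.txt": (
            "Digest support mentions RSA Data Security, Inc. but carries no notice.\n"
        ),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


def demo():
    """Build the constructed tree and audit it; returns the hit map."""
    return audit_tree(make_sample_tree())


if __name__ == "__main__":
    for path, names in sorted(demo().items()):
        print(f"{path}: {', '.join(names)}")
```

Against a real unpacked package, call audit_tree() on the directory dpkg-source -x produced; an empty result for both markers is the condition a fixed version has to meet, and a non-empty one is a concrete list to attach to the bug rather than a "still seems to have the same problem".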
Revision history for this message
Emilio Pozuelo Monfort (pochu) wrote :

This is already fixed in Ubuntu too.

Changed in apache2:
status: Confirmed → Fix Released