Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2002/08/16 18:56:21 UTC

Fwd: Security regression in 2.0.39 (Win32)?

The following bug was found to affect all platforms and is fixed in 2.0.40
as part of the CAN-2002-0654 incident;

>Date: Mon, 29 Jul 2002 15:27:03 -0700
>From: Jim Race <jr...@qualys.com>
>To: security@apache.org
>Subject: Security regression in 2.0.39 (Win32)?
>
>In previous versions of 2.0.n, there was a bug in which the absolute path 
>was revealed when calling certain CGI scripts.
>
>I performed a default install (only knocked down the number of threads in 
>httpd.conf) last Thursday, and today noticed that this appears to have 
>returned. Note that any previous version of Apache had been completely 
>uninstalled.
>
>OS: Win98SE
>Installed from Apache binary
>
>To reproduce:
>
>1) Open: http://jimrace.com/cgi-bin/printenv.pl
>
>Result:
>HTTP/1.1 500 Internal Server Error
>Date: Mon, 29 Jul 2002 18:59:19 GMT
>Server: Apache/2.0.39 (Win32)
>Vary: accept-language
>Accept-Ranges: bytes
>Connection: close
>Content-Type: text/html; charset=ISO-8859-1
>
>
><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
>
>
>
>Server error!
>
>Error message:
>couldn't create child process: 22502: C:/Program Files/Apache Group/Apache2/cgi-bin/printenv.pl
>==================================================================
>Feel free to contact me at this address or mailto:vimages@well.com
>regards, Jim Race
>Independent SQA Contractor 650.212.1311
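
A regression check for the disclosure reported above, as an added example that is not part of the original thread or of the httpd project's code: it scans the body of a raw HTTP response for absolute filesystem paths. The function name, the regular expressions and the second and third sample responses are assumptions constructed for illustration; the first sample is modelled on the output quoted in the report, with the wrapped path joined onto one line.

```python
import re

# Heuristic patterns for absolute filesystem paths in a response body.
# Windows: drive letter, colon, slash of either kind, then the rest of the line.
WIN_PATH = re.compile(r"\b[A-Za-z]:[\\/][^\r\n<>\"|?*]+")
# Unix: a well-known root directory that is not part of a URL or a longer path.
UNIX_PATH = re.compile(r"(?<![\w/.:])/(?:usr|var|etc|home|opt|srv|tmp)/[^\s\"'<>]+")


def audit_response(raw):
    """Return (status_code, leaked_paths) for one raw HTTP response."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")  # headers are not scanned
    status_line = head.split("\n", 1)[0]
    match = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not match:
        raise ValueError("not an HTTP response: %r" % status_line)
    leaks = []
    for pattern in (WIN_PATH, UNIX_PATH):
        leaks += [hit.strip() for hit in pattern.findall(body)]
    return int(match.group(1)), leaks


HEADERS = "HTTP/1.1 500 Internal Server Error\r\nConnection: close\r\n\r\n"

# Modelled on the response quoted in the report.
REPORTED = HEADERS + (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\n'
    "Server error!\nError message:\n"
    "couldn't create child process: 22502: "
    "C:/Program Files/Apache Group/Apache2/cgi-bin/printenv.pl\n"
)
# Constructed: the same class of leak on a Unix layout, next to a URL that
# must not be flagged.
UNIX_LEAK = HEADERS + (
    "See http://example.com/var/help for details.\n"
    "exec failed: /usr/local/apache2/cgi-bin/printenv.pl\n"
)
# Constructed: an error page that tells the client nothing about the layout.
GENERIC = HEADERS + "Server error!\nThe request could not be completed.\n"

if __name__ == "__main__":
    for name, raw in (("reported", REPORTED), ("unix", UNIX_LEAK), ("generic", GENERIC)):
        status, leaks = audit_response(raw)
        print(name, status, "LEAK" if leaks else "ok", leaks)
```
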