OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Michael Schloh
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 04-Oct-2002 20:18:44
Branch: HEAD Handle: 2002100419184400
Added files:
openpkg-web/security OpenPKG-SA-2002.009-apache.txt
Log:
Add today's Apache package security advisory text.
Summary:
Revision Changes Path
1.1 +90 -0 openpkg-web/security/OpenPKG-SA-2002.009-apache.txt
____________________________________________________________________________
Index: openpkg-web/security/OpenPKG-SA-2002.009-apache.txt
============================================================
$ cvs update -p -r1.1 OpenPKG-SA-2002.009-apache.txt
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
OpenPKG-SA-2002.009 04-Oct-2002
________________________________________________________________________
Package: apache
Vulnerability: denial of service
OpenPKG Specific: no
Affected Releases: OpenPKG 1.0 OpenPKG 1.1
Affected Packages: <= apache-1.3.22-1.0.0 <= apache-1.3.26-1.1.0
Corrected Packages: >= apache-1.3.22-1.0.X >= apache-1.3.26-1.1.1
Dependent Packages: None.
Description:
According to the Apache HTTP Server Project [1] [2], there are several remotely
exploitable vulnerabilities which could allow an attacker to enact a denial
of service against a server running one of the affected OpenPKG packages
(see above). The Common Vulnerabilities and Exposures (CVE) project assigned
the IDs CAN-2002-0839 [3], CAN-2002-0840 [4], and CAN-2002-0843 [5] to the
following security issues.
CAN-2002-0839 (cve.mitre.org)[3]: A vulnerability exists in all versions
of Apache prior to 1.3.27 on platforms using System V shared memory based
scoreboards. This vulnerability allows an attacker who can execute under
the Apache UID to exploit the Apache shared memory scoreboard format and
send a signal to any process as root or cause a local denial of service
attack. We thank iDefense for their responsible notification and
disclosure of this issue.
CAN-2002-0840 (cve.mitre.org)[4]: Apache is susceptible to a cross site
scripting vulnerability in the default 404 page of any web server hosted
on a domain that allows wildcard DNS lookups. We thank Matthew Murphy
for notification of this issue.
CAN-2002-0843 (cve.mitre.org)[5]: There were some possible overflows
in ab.c which could be exploited by a malicious server. Note that this
vulnerability is not in Apache itself, but rather one of the support
programs bundled with Apache. We thank David Wagner for the responsible
notification and disclosure of this issue.
Please check whether you are affected by running "<prefix>/bin/rpm -q
apache". If you have an affected version of the "apache" package (see
above), upgrade it according to the solution below. Remember to also
rebuild and reinstall any dependent OpenPKG packages. [6]
Solution:
Select the updated source RPM appropriate for your OpenPKG release [7],
fetch it from the OpenPKG FTP service [8] or a mirror location, verify
its integrity [9], build a corresponding binary RPM from it and update
your OpenPKG installation by finally installing the binary RPM [6]. For
the latest OpenPKG 1.1 release, perform the following operations to
permanently fix the security problem (for other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.1/UPD
ftp> get apache-1.3.26-1.1.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm --checksig apache-1.3.26-1.1.1.src.rpm
$ <prefix>/bin/rpm --rebuild apache-1.3.26-1.1.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.26-1.1.1.*.rpm
# <prefix>/etc/rc apache stop start
________________________________________________________________________
References:
[1] http://httpd.apache.org/
[2] http://www.apache.org/dist/httpd/Announcement.html
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
[6] http://www.openpkg.org/tutorial.html#regular-source
[7] ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.1.src.rpm
[8] ftp://ftp.openpkg.org/release/1.1/UPD/
[9] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
