Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities

2002-11-19 Thread Olaf Meeuwissen 
Roger Ward <[EMAIL PROTECTED]> writes:

> Anyone know how to see if UseCannocialName is on or off by default? I am
> using Apache 1.3.26.

Apart from `grep -r UseCanonicalName /etc/apache` you mean?
  If you don't know what the hard-coded default is and can't find it
in the documentation (or don't want to rely on it), by all means, be
explicit and set it in your configuration file.

HTH,
-- 
Olaf MeeuwissenEPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH

Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities

2002-11-19 Thread Olaf Meeuwissen 
Roger Ward <[EMAIL PROTECTED]> writes:

> Anyone know how to see if UseCannocialName is on or off by default? I am
> using Apache 1.3.26.

Apart from `grep -r UseCanonicalName /etc/apache` you mean?
  If you don't know what the hard-coded default is and can't find it
in the documentation (or don't want to rely on it), by all means, be
explicit and set it in your configuration file.

HTH,
-- 
Olaf MeeuwissenEPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities

2002-11-19 Thread Roger Ward 
Anyone know how to see if UseCannocialName is on or off by default? I am
using Apache 1.3.26.

Thanks,
Roger

On Mon, 2002-11-04 at 10:26, Martin Schulze wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> - --
> Debian Security Advisory DSA 187-1 [EMAIL PROTECTED]
> http://www.debian.org/security/ Martin Schulze
> November 4th, 2002  http://www.debian.org/security/faq
> - --
> 
> Package: apache
> Vulnerability  : several
> Problem-Type   : remote, local
> Debian-specific: no
> CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 
> CAN-2002-1233
> BugTraq ID : 5847 5884 5887
> 
> According to David Wagner, iDEFENSE and the Apache HTTP Server
> Project, several remotely exploitable vulnerabilities have been found
> in the Apache package, a commonly used webserver.  These
> vulnerabilities could allow an attacker to enact a denial of service
> against a server or execute a cross scripting attack.  The Common
> Vulnerabilities and Exposures (CVE) project identified the following
> vulnerabilities:
> 
> 1. CAN-2002-0839: A vulnerability exists on platforms using System V
>shared memory based scoreboards.  This vulnerability allows an
>attacker who can execute under the Apache UID to exploit the Apache
>shared memory scoreboard format and send a signal to any process as
>root or cause a local denial of service attack.
> 
> 2. CAN-2002-0840: Apache is susceptible to a cross site scripting
>vulnerability in the default 404 page of any web server hosted on a
>domain that allows wildcard DNS lookups.
> 
> 3. CAN-2002-0843: There were some possible overflows in the utility
>ApacheBench (ab) which could be exploited by a malicious server.
> 
> 4. CAN-2002-1233: A race condition in the htpasswd and htdigest
>program enables a malicious local user to read or even modify the
>contents of a password file or easily create and overwrite files as
>the user running the htpasswd (or htdigest respectively) program.
> 
> 5. CAN-2001-0131: htpasswd and htdigest in Apache 2.0a9, 1.3.14, and
>others allows local users to overwrite arbitrary files via a
>symlink attack.
> 
>This is the same vulnerability as CAN-2002-1233, which was fixed in
>potato already but got lost later and was never applied upstream.
> 
> 5. NO-CAN: Several buffer overflows have been found in the ApacheBench
>(ab) utility that could be exploited by a remote server returning
>very long strings.
> 
> These problems have been fixed in version 1.3.26-0woody3 for the
> current stable distribution (woody) and in 1.3.9-14.3 for the old
> stable distribution (potato).  Corrected packages for the unstable
> distribution (sid) are expected soon.
> 
> We recommend that you upgrade your Apache package immediately.
> 
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
> 
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
> 
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
> 
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
> 
> 
> Debian GNU/Linux 2.2 alias potato
> - -
> 
>   Source archives:
> 
> 
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3.diff.gz
>   Size/MD5 checksum:   345741 5f88eecddfe95c8366888bb71e0917ce
> 
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3.dsc
>   Size/MD5 checksum:  666 d69af430768983c68a2d881c4c9ee236
> 
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9.orig.tar.gz
>   Size/MD5 checksum:  1691969 6758fe8b931be0b634b6737d9debf703
> 
>   Architecture independent components:
> 
> 
> http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.9-14.3_all.deb
>   Size/MD5 checksum:   544588 95611594e54cb8bf69b5ffa47598a17d
> 
>   Alpha architecture:
> 
> 
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_alpha.deb
>   Size/MD5 checksum:   409920 178a31efa994c54161515d7e5dceb32a
> 
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.9-14.3_alpha.deb
>   Size/MD5 checksum:   809564 102b7a7ed3be7752ff80f209c755ca8e
> 
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.9-14.3_alpha.deb
>   Size/MD5 checksum:   754386 39db60aedbba0afaa45015149e6cabd6
> 
>   ARM architecture:
> 
> 
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_arm.deb
>   Size/MD5 checksum:   366248 3cba61971237b64017d19ed554d89d99
> 
> http://security.debian.org/pool/up

Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities

2002-11-04 Thread Matt Zimmerman 
On Mon, Nov 04, 2002 at 10:55:53AM -0500, andrew lattis wrote:

> i'm assuming these also apply to apache-ssl, but there doesn't appear to
> be a new package. is it still in the works or is apache-ssl not
> vulnerable?

The former.

-- 
 - mdz

Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities

2002-11-04 Thread Matt Zimmerman 
On Mon, Nov 04, 2002 at 10:55:53AM -0500, andrew lattis wrote:

> i'm assuming these also apply to apache-ssl, but there doesn't appear to
> be a new package. is it still in the works or is apache-ssl not
> vulnerable?

The former.

-- 
 - mdz


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities

2002-11-04 Thread andrew lattis 
i'm assuming these also apply to apache-ssl, but there doesn't appear to
be a new package. is it still in the works or is apache-ssl not
vulnerable?

thanks,
andrew

On 2002/11/04 04:26:57PM +0100, Mon, Martin Schulze wrote:
> 
> Package: apache
> Vulnerability  : several
> Problem-Type   : remote, local
> Debian-specific: no
> CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 
> CAN-2002-1233
> BugTraq ID : 5847 5884 5887


pgpVhafO4LTXN.pgp
Description: PGP signature

Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities

2002-11-04 Thread andrew lattis 
i'm assuming these also apply to apache-ssl, but there doesn't appear to
be a new package. is it still in the works or is apache-ssl not
vulnerable?

thanks,
andrew

On 2002/11/04 04:26:57PM +0100, Mon, Martin Schulze wrote:
> 
> Package: apache
> Vulnerability  : several
> Problem-Type   : remote, local
> Debian-specific: no
> CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 
>CAN-2002-1233
> BugTraq ID : 5847 5884 5887



msg07614/pgp0.pgp
Description: PGP signature