Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Sun, 23 Jun 2002, Joshua Lee wrote:
> On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote:
> > Patrick Thomas wrote:
> > > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ?
> > Not FreeBSD, but it's possible to reconfigure Apache. The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature.
> I've found a better solution! On today's freshports there is something called mod_blowchunks :-) If installed, it will reject chunking and log it. This is an alternative to upgrading Apache.

Given the place the problem occurs: I'd be wary of such solutions. Apache's myriad of config abilities are second only to sendmail - and it is easy to let a certain case slip through. If necessary simply do a 'cvs diff' on Apache's cvs (dev.apache.org for anon access; I am willing to work with BSD developers to help if needed) to see the relatively few lines of code which are an issue - and which can be backported easily.

Dw

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-hackers in the body of the message
Re: inuring FreeBSD to the apache bug without upgrading apache ?
Joshua Lee wrote:
> Terry Lambert [EMAIL PROTECTED] wrote:
> > Patrick Thomas wrote:
> > > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ?
> > Not FreeBSD, but it's possible to reconfigure Apache. The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature.
> I've found a better solution! On today's freshports there is something called mod_blowchunks :-) If installed, it will reject chunking and log it. This is an alternative to upgrading Apache.

But if a client uses chunking legitimately, and does so because it believes it's talking to an HTTP server, you've just broken that client's ability to POST/PUT.

-- Terry
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Sun, 23 Jun 2002 02:06:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote:
> Joshua Lee wrote:
> > Terry Lambert [EMAIL PROTECTED] wrote:
> > > The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature.
> > I've found a better solution! On today's freshports there is something called mod_blowchunks :-) If installed, it will reject chunking and log it. This is an alternative to upgrading Apache.
> But if a client uses chunking legitimately, and does so because it believes it's talking to an HTTP server, you've just broken that client's ability to POST/PUT.

You mean to say it believes it is talking to an HTTP 1.1 server, yes? I guess using HTTP 1.0 is a better solution then. Of course, maybe the *best* solution IMVHO would be to upgrade to the Apache version without this bug.
Re: inuring FreeBSD to the apache bug without upgrading apache ?
Joshua Lee wrote:
> [ ... mod_blowchunks ... ]
> > But if a client uses chunking legitimately, and does so because it believes it's talking to an HTTP server, you've just broken that client's ability to POST/PUT.
> You mean to say it believes it is talking to an HTTP 1.1 server, yes?

Yes.

> I guess using HTTP 1.0 is a better solution then. Of course, maybe the *best* solution IMVHO would be to upgrade to the Apache version without this bug.

Yeah; this whole thread is premised on working around the problem without an Apache software change. It's a reasonable premise (IMO) -- if you've got a custom compilation and a lot of modules, that can end up being a lot of software. I built a PHP4+SSL+Apache+IMAP+etc. source tree at one point, and it ended up being ~1.2 million lines of code, all told, that had to be made to work together. If you had just built it, then it would be very hard to update just one component without repeating the whole process. My advice? Use CVS.

-- Terry
Re: inuring FreeBSD to the apache bug without upgrading apache ?
> Yeah; this whole thread is premised on working around the problem without an Apache software change. It's a reasonable premise (IMO) -- if you've got a custom compilation and a lot of modules, that can end up being a lot of software. I built a PHP4+SSL+Apache+IMAP+etc. source tree at one point, and it ended up being ~1.2 million lines of code, all told, that had to be made to work together. If you had just built it, then it would be very hard to update just one component without repeating the whole process. My advice? Use CVS.

Actually, this whole thread is premised on "I have a dev system with 16 jailed apaches and it would be a pain to upgrade all 16 of them vs. just making one global kernel/environment change." It sounds like that is probably a pipe dream though..

--PT
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote:
> Patrick Thomas wrote:
> > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ?
> Not FreeBSD, but it's possible to reconfigure Apache. The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature.

I've found a better solution! On today's freshports there is something called mod_blowchunks :-) If installed, it will reject chunking and log it. This is an alternative to upgrading Apache.
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote:
> Patrick Thomas wrote:
> > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ?

Why not upgrade Apache...?? Both the 1 and 2 series have been updated I think. (I'm a newbie at server stuff, so bear with me if I made a faux pas.)

> The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. The only place this is an issue is if you need to reuse an HTTP connection, and that only occurs in HTTP 1.1 when you are doing pipelining. Everywhere else, you can indicate an end of data

Mozilla has an option to enable http pipelining as a performance option. I regularly used this, maybe I shouldn't?
Re: inuring FreeBSD to the apache bug without upgrading apache ?
I think that libsafe would protect against this bug to at least prevent against any possible malicious code execution. I think it still leaves the DoS possibility open though...

Even some kind of non-exec stack protection patched into FBSD would only generate a SEGV if it got triggered[*]. Very hard to stop the DoS.

[*] and yes does nothing to prevent against malicious code execution attacks on x86 architecture either, only obscures...
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Thu, Jun 20, 2002 at 07:33:54PM -0700, Frank Mayhar wrote:
> Kris Kennaway wrote:
> > Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS.
> Not always. (I'm running an old version of Covalent Raven SSL and I'm loathe to upgrade. If it works, don't fix it and there are only so many hours in a day.)

The exact same argument can be made for not upgrading the OS, which is a much larger endeavour and can potentially screw things up much worse.

Kris
Re: inuring FreeBSD to the apache bug without upgrading apache ?
Joshua Lee wrote:
> > The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. The only place this is an issue is if you need to reuse an HTTP connection, and that only occurs in HTTP 1.1 when you are doing pipelining. Everywhere else, you can indicate an end of data
> Mozilla has an option to enable http pipelining as a performance option. I regularly used this, maybe I shouldn't?

It depends. Does it still use 4 outstanding connections to the server on the other end, or does it serialize all your picture download requests through a single pipe? If the latter, what is the measured latency between the end of one response and the beginning of another?

Basically, this is going to boil down to how the web server on the back end is written, and what's between you and it, in the way of smart hardware.

-- Terry
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Fri, 21 Jun 2002, Kris Kennaway wrote:
> On Thu, Jun 20, 2002 at 07:33:54PM -0700, Frank Mayhar wrote:
> > Kris Kennaway wrote:
> > > Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS.
> > Not always. (I'm running an old version of Covalent Raven SSL and I'm loathe to upgrade. If it works, don't fix it and there are only so many hours in a day.)
> The exact same argument can be made for not upgrading the OS, which is a much larger endeavour and can potentially screw things up much worse.

That's a very valid point. I'm certainly not recommending that Frank upgrade his OS, but I must note that I trust upgrading the entire FreeBSD operating system to be a smoother operation than upgrading one single, solitary commercial closed source package. At least if I'm gonna go about installing a new world I /know/ what I'm getting myself into and that if my box gets screwed up:

a) It's probably my fault.
b) I can go reading the error messages and Makefiles and figure out what I botched. I have the source.

However, I would ask Frank if there's a particular reason he needs to use Covalent Raven SSL. OpenSSL is free, works like gangbusters, and comes with FreeBSD. I have a feeling he'd be much happier with it if there's not some other reason he cannot move to it.

Brandon D. Valentine
-- http://www.geekpunk.net [EMAIL PROTECTED]
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Fri, 21 Jun 2002, Kris Kennaway wrote:
> On Thu, Jun 20, 2002 at 07:33:54PM -0700, Frank Mayhar wrote:
> > Kris Kennaway wrote:
> > > Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS.
> > Not always. (I'm running an old version of Covalent Raven SSL and I'm loathe to upgrade. If it works, don't fix it and there are only so many hours in a day.)
> The exact same argument can be made for not upgrading the OS, which is a much larger endeavour and can potentially screw things up much worse.

You can just patch the running version of apache with the diffs that fix the security hole.
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Fri, Jun 21, 2002 at 02:29:30AM -0400, Joshua Lee wrote:
> On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote:
> > Patrick Thomas wrote:
> > > Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ?
> Why not upgrade Apache...?? Both the 1 and 2 series have been updated I think. (I'm a newbie at server stuff, so bear with me if I made a faux pas.)

The apache13+ipv6 port has not, because the last ipv6 patchset is available for 1.13.22.

> > The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. The only place this is an issue is if you need to reuse an HTTP connection, and that only occurs in HTTP 1.1 when you are doing pipelining. Everywhere else, you can indicate an end of data
> Mozilla has an option to enable http pipelining as a performance option. I regularly used this, maybe I shouldn't?

It should fallback.

-- B.Walter COSMO-Project http://www.cosmo-project.de [EMAIL PROTECTED] Usergroup [EMAIL PROTECTED]
Re: inuring FreeBSD to the apache bug without upgrading apache ?
Kris Kennaway wrote:
> On Thu, Jun 20, 2002 at 07:33:54PM -0700, Frank Mayhar wrote:
> > Kris Kennaway wrote:
> > > Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS.
> > Not always. (I'm running an old version of Covalent Raven SSL and I'm loathe to upgrade. If it works, don't fix it and there are only so many hours in a day.)
> The exact same argument can be made for not upgrading the OS, which is a much larger endeavour and can potentially screw things up much worse.

Yep. Which is why the only times I've upgraded the kernel on my production boxes have been when there is a critical fix that I _had_ to install, usually a security fix.

-- Frank Mayhar [EMAIL PROTECTED] http://www.exit.com/ Exit Consulting http://www.gpsclock.com/
Re: inuring FreeBSD to the apache bug without upgrading apache ?
Brandon D. Valentine wrote:
> However, I would ask Frank if there's a particular reason he needs to use Covalent Raven SSL. OpenSSL is free, works like gangbusters, and comes with FreeBSD. I have a feeling he'd be much happier with it if there's not some other reason he cannot move to it.

As I mentioned, the two reasons are (1) it hasn't been broken (at least up to now) and (2) I haven't had time. These are colocated production boxes; I don't have easy physical access to them to fix things if they go seriously wrong, and having them be down for any length of time is a Bad Thing.

-- Frank Mayhar [EMAIL PROTECTED] http://www.exit.com/ Exit Consulting http://www.gpsclock.com/
Re: inuring FreeBSD to the apache bug without upgrading apache ?
What none of you has mentioned is the thought I had in mind when I asked this question, and that is, I have an R&D machine with 16 jails on it, each running apache. Therefore in a situation like this it would be _much_ easier to just tune a sysctl or rebuild the kernel, vs. rebuilding 16 differently configured, different versions of apache. YMMV.

--PT

On Fri, 21 Jun 2002, Frank Mayhar wrote:
> Brandon D. Valentine wrote:
> > However, I would ask Frank if there's a particular reason he needs to use Covalent Raven SSL. OpenSSL is free, works like gangbusters, and comes with FreeBSD. I have a feeling he'd be much happier with it if there's not some other reason he cannot move to it.
> As I mentioned, the two reasons are (1) it hasn't been broken (at least up to now) and (2) I haven't had time. These are colocated production boxes; I don't have easy physical access to them to fix things if they go seriously wrong, and having them be down for any length of time is a Bad Thing.
> -- Frank Mayhar [EMAIL PROTECTED] http://www.exit.com/ Exit Consulting http://www.gpsclock.com/
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Fri, 21 Jun 2002 10:38:21 +0200 Bernd Walter [EMAIL PROTECTED] wrote:
> On Fri, Jun 21, 2002 at 02:29:30AM -0400, Joshua Lee wrote:
> > On Thu, 20 Jun 2002 19:59:20 -0700 Terry Lambert [EMAIL PROTECTED] wrote:
> > > The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. The only place this is an issue is if you need to reuse an HTTP connection, and that only occurs in HTTP 1.1 when you are doing pipelining. Everywhere else, you can indicate an end of data
> > Mozilla has an option to enable http pipelining as a performance option. I regularly used this, maybe I shouldn't?
> It should fallback.

Considering that there's a warning concerning its use with some servers maybe it doesn't... Luckily it's not on by default.
Re: inuring FreeBSD to the apache bug without upgrading apache ?
Joshua Lee wrote:
> > > Mozilla has an option to enable http pipelining as a performance option. I regularly used this, maybe I shouldn't?
> > It should fallback.
> Considering that there's a warning concerning its use with some servers maybe it doesn't... Luckily it's not on by default.

That's not the issue. The issue is that some servers claim to be 1.1 servers, but do not implement pipelining. Older Apache servers fall into this category.

-- Terry
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Fri, 21 Jun 2002, Terry Lambert wrote:
> That's not the issue. The issue is that some servers claim to be 1.1 servers, but do not implement pipelining. Older Apache servers fall into this category.

I have been using pipelining in Mozilla for many months now without encountering a single, solitary server which caused me problems. I would gauge that the number of servers out there which exhibit this problem is few. Netcraft could probably provide some fairly authoritative data in this regard, provided someone has a list of known buggy HTTP 1.1 implementations.

It would probably be a much appreciated public service to the network if someone were resourceful enough to construct such a list, run it through netcraft, inform the admins of any and all known websites running buggy HTTP 1.1 implementations of the issue and recommend an upgrade path based on their currently installed HTTP server. This would be fairly simple to automate I would imagine with some help from the folks at netcraft.

Brandon D. Valentine
-- http://www.geekpunk.net [EMAIL PROTECTED]
Re: inuring FreeBSD to the apache bug without upgrading apache ?
On Thu, Jun 20, 2002 at 02:17:41PM -0700, Patrick Thomas wrote:
> Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ?

Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS.

Kris
Re: inuring FreeBSD to the apache bug without upgrading apache ?
Kris Kennaway wrote:
> Surely it's easier to just upgrade the apache port, instead of recompiling your kernel and the entire OS.

Not always. (I'm running an old version of Covalent Raven SSL and I'm loathe to upgrade. If it works, don't fix it and there are only so many hours in a day.)

-- Frank Mayhar [EMAIL PROTECTED] http://www.exit.com/ Exit Consulting http://www.gpsclock.com/
Re: inuring FreeBSD to the apache bug without upgrading apache ?
Patrick Thomas wrote:
> Is it possible to patch/recompile FreeBSD 4.5 in such a way that your system is no longer vulnerable to the chunking attack, even if you are still running a vulnerable apache ?

Not FreeBSD, but it's possible to reconfigure Apache.

The way you would deal with this would be to tell Apache that it was an HTTP 1.0 server, since chunking is an HTTP 1.1 feature. The only place this is an issue is if you need to reuse an HTTP connection, and that only occurs in HTTP 1.1 when you are doing pipelining. Everywhere else, you can indicate an end of data by having the server close the connection. Thus you do not need to use chunking in order to get around the fact that the CGI was written by someone who did not attach a proper Content-Length: header because they were too lazy to determine ahead of time how much data they would be putting out.

The exploit is chunking from the client to the server. I guess you would have to ensure that Apache in 1.0 mode refused chunked data in POST's, etc. (last time I looked at the source code, I thought it did).

This won't work if you are requiring 1.1 features for your application, but in most cases, no one uses these features much anyway. Though turning this off if you have a Netscaler or a similar connection reusing cache might drop your overall throughput, so if you are over the border on that, you may want to take that into account (most people don't know what their web servers are doing anyway, so it's probably never going to make a difference for you, anyway).

-- Terry
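The workaround discussed in this thread comes down to a policy on chunked request bodies: either refuse them at the front door and log it (what mod_blowchunks is described as doing), or read them with a parser that checks every chunk size against a hard ceiling before copying anything (what a fixed server must do). The example below is added here to make both concrete; it is not code from the thread, from Apache or from mod_blowchunks. The limits MAX_CHUNK and MAX_BODY, the LOG list and the sample requests are constructed for this example and are assumptions, not anything the thread specifies. It also demonstrates the cost Terry raises: the gate refuses a legitimate HTTP/1.1 client that POSTs with Transfer-Encoding: chunked, while the same body sent HTTP/1.0-style with Content-Length goes through.

```python
"""Front-end policy for chunked request bodies (added example, not Apache code).

Three behaviours are shown:
  * parse_chunked_body: a bounded decoder for the chunked transfer-coding;
    each hex chunk-size is validated and compared with MAX_CHUNK *before*
    the chunk data is touched, and the reassembled body is capped at MAX_BODY.
  * accept_request(..., reject_chunked=True): the mod_blowchunks idea,
    refuse any chunked request with 411 Length Required and log it.
  * accept_request(..., reject_chunked=False): what a server that handles
    chunking correctly does, decode with the bounded parser.

MAX_CHUNK / MAX_BODY / LOG are this example's own names (assumed policy).
"""
import re
from typing import Dict, List, Tuple

MAX_CHUNK = 64 * 1024      # assumed ceiling for a single chunk
MAX_BODY = 1024 * 1024     # assumed ceiling for the whole reassembled body
LOG: List[str] = []        # stand-in for the server's error log

# chunk-size is hex; cap the field at 8 digits so the int itself stays small
_CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]{1,8}")


class ChunkError(ValueError):
    """Raised for any malformed or oversized chunk; caller answers 400."""


def parse_chunked_body(data: bytes) -> bytes:
    """Decode 'Transfer-Encoding: chunked' data with explicit bounds."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("truncated chunk-size line")
        # "<hex>[;extensions]" -- ignore extensions, validate the size field
        size_field = data[pos:eol].split(b";", 1)[0].strip()
        if not _CHUNK_SIZE.fullmatch(size_field):
            raise ChunkError("bad chunk size %r" % size_field)
        size = int(size_field, 16)
        if size > MAX_CHUNK:          # checked before any data is copied
            raise ChunkError("chunk of %d bytes exceeds MAX_CHUNK" % size)
        pos = eol + 2
        if size == 0:
            # last-chunk: optional trailer lines, then an empty line
            while True:
                end = data.find(b"\r\n", pos)
                if end < 0:
                    raise ChunkError("truncated trailer")
                if end == pos:
                    return bytes(out)
                pos = end + 2
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data truncated")
        out += chunk
        if len(out) > MAX_BODY:
            raise ChunkError("body exceeds MAX_BODY")
        pos += size + 2


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw request into (method, version, headers, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    method, _target, version = lines[0].decode("ascii").split(" ")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, version, headers, body


def accept_request(raw: bytes, reject_chunked: bool = True) -> Tuple[int, bytes]:
    """Apply the chunking policy; return (status, decoded body)."""
    method, version, headers, body = parse_request_head(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        if reject_chunked:
            LOG.append("rejected chunked %s from %s client" % (method, version))
            return 411, b""           # 411 Length Required: resend with Content-Length
        try:
            return 200, parse_chunked_body(body)
        except ChunkError as exc:
            LOG.append("bad chunked body: %s" % exc)
            return 400, b""
    length = int(headers.get("content-length", "0"))
    if length > MAX_BODY or len(body) < length:
        return 400, b""
    return 200, body[:length]


# Constructed sample requests (not captured traffic).
CHUNKED_POST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n"
                b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")
PLAIN_POST = (b"POST /upload HTTP/1.0\r\nHost: example.test\r\n"
              b"Content-Length: 11\r\n\r\nhello world")
# A chunk-size far beyond anything the server is prepared to buffer.
OVERSIZED = (b"POST /upload HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"FFFFFFF0\r\nAAAA\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(accept_request(CHUNKED_POST))                       # (411, b'')
    print(accept_request(CHUNKED_POST, reject_chunked=False)) # (200, b'hello world')
    print(accept_request(PLAIN_POST))                         # (200, b'hello world')
    print(accept_request(OVERSIZED, reject_chunked=False))    # (400, b'')
    print(LOG)
```

With the gate on, the 1.1 client gets 411 and must resend with Content-Length, which is exactly the breakage of POST/PUT that Terry warns about; with the gate off, the bounded parser is what stands between an absurd chunk-size field and the copy that follows it. Neither replaces the upstream fix, and, as Dw notes, a configuration-level workaround can leave a code path uncovered; this gate sits in front of the server rather than inside it for that reason.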