From: OpenPKG (openpkg_at_openpkg.org)
Date: Fri Oct 04 2002 - 14:53:45 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                  http://www.openpkg.org
openpkg-security_at_openpkg.org                         openpkg_at_openpkg.org
OpenPKG-SA-2002.009                                          04-Oct-2002
________________________________________________________________________
Package: apache
Vulnerability: denial of service
OpenPKG Specific: no
Affected Releases:   OpenPKG 1.0              OpenPKG 1.1
Affected Packages:   <= apache-1.3.22-1.0.4   <= apache-1.3.26-1.1.0
Corrected Packages:  >= apache-1.3.22-1.0.5   >= apache-1.3.26-1.1.1
Dependent Packages:  none                     none
Description:
According to the Apache HTTP Server Project [1][2], the Apache HTTP
Server contains several vulnerabilities, some of them remotely
exploitable, which could allow an attacker to enact a denial of
service against a server or, in one case, to have signals sent to
arbitrary processes as root. The Common Vulnerabilities and Exposures
(CVE) project identified the following three vulnerabilities:
1. CAN-2002-0839 [3]: A vulnerability exists on platforms using System
   V shared memory based scoreboards. It allows an attacker who can
   execute code under the Apache UID to tamper with the shared memory
   scoreboard, whose contents the root-owned parent process trusts,
   and thereby cause a signal to be sent to any process as root or
   cause a local denial of service.
2. CAN-2002-0840 [4]: Apache is susceptible to a cross site scripting
   vulnerability in the default 404 page of any web server hosted on a
   domain that allows wildcard DNS lookups: with UseCanonicalName set
   to Off, the error page reflects the server name taken from the
   request's Host header, which the attacker controls.
3. CAN-2002-0843 [5]: There were some possible overflows in the
   utility ApacheBench (ab). Since ab is a client, they could be
   exploited by a malicious server that ab is pointed at.
Please check whether you are affected by running "<prefix>/bin/rpm -q
apache". If you have an affected version of the "apache" package (see
above), upgrade it according to the solution below. Remember to also
rebuild and reinstall any dependent OpenPKG packages. [6]
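The following script is an added example and is not part of the OpenPKG advisory or the OpenPKG tools. It takes a package label in the "name-version-release" form that "<prefix>/bin/rpm -q apache" prints and reports whether that build falls under the affected versions in the table above. It assumes the release tag (the part after the last dash, e.g. 1.1.0) identifies the OpenPKG release, and it uses a simplified numeric segment comparison rather than rpm's real rpmvercmp, which is sufficient for the purely numeric labels this advisory lists.

```shell
#!/bin/sh
# Added example (not OpenPKG's code): classify an installed apache package
# label as affected, fixed or unknown according to OpenPKG-SA-2002.009.

# Corrected package versions per OpenPKG release, copied from the advisory.
FIXED_1_0="apache-1.3.22-1.0.5"
FIXED_1_1="apache-1.3.26-1.1.1"

# vercmp A B: print "lt", "eq" or "gt" after comparing the numeric segments
# of the two labels left to right; a missing segment counts as 0. This is a
# simplified rpmvercmp (assumption: no alphabetic segments are involved).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/)
        nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "lt"; exit }
            if (xi > yi) { print "gt"; exit }
        }
        print "eq"
    }'
}

# apache_affected LABEL: print "affected", "fixed" or "unknown" for one
# name-version-release label. The release tag selects the OpenPKG release
# (1.0.x or 1.1.x) and therefore which corrected version applies.
apache_affected() {
    rel=${1##*-}                 # release tag, e.g. 1.1.0
    case "$rel" in
        1.0.*) fixed=$FIXED_1_0 ;;
        1.1.*) fixed=$FIXED_1_1 ;;
        *)     echo unknown; return 0 ;;
    esac
    if [ "$(vercmp "$1" "$fixed")" = lt ]; then
        echo affected
    else
        echo fixed
    fi
}

# Stand-alone run: classify the label given as $1, or a constructed sample
# standing in for the output of "<prefix>/bin/rpm -q apache" on an unpatched
# OpenPKG 1.1 host.
label=${1:-apache-1.3.26-1.1.0}
echo "$label: $(apache_affected "$label")"
```

On a real host, run it as `sh check-apache.sh "$(<prefix>/bin/rpm -q apache)"` with <prefix> replaced by the OpenPKG installation prefix; "unknown" means the release tag is not one of the two releases the advisory covers and must be checked by hand.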
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[7][9], fetch it from the OpenPKG FTP service [8][10] or a mirror
location, verify its integrity [11], build a corresponding binary RPM
from it and update your OpenPKG installation by finally installing
the binary RPM [6]. For the latest OpenPKG 1.1 release, perform the
following operations to permanently fix the security problem (for
other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.1/UPD
ftp> get apache-1.3.26-1.1.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm --checksig apache-1.3.26-1.1.1.src.rpm
$ <prefix>/bin/rpm --rebuild apache-1.3.26-1.1.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.26-1.1.1.*.rpm
# <prefix>/etc/rc apache stop start
________________________________________________________________________
References:
[1] http://httpd.apache.org/
[2] http://www.apache.org/dist/httpd/Announcement.html
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
[6] http://www.openpkg.org/tutorial.html#regular-source
[7] ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.1.src.rpm
[8] ftp://ftp.openpkg.org/release/1.1/UPD/
[9] ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.5.src.rpm
[10] ftp://ftp.openpkg.org/release/1.0/UPD/
[11] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg_at_openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg_at_openpkg.org>
iEYEARECAAYFAj2d8PwACgkQgHWT4GPEy5+q/wCdEeH+NYJKsMJH/Y77Avk1Y/wT
NtsAoLyGvajiwgosGOYEoXWpfxHzTirq
=OPWn
-----END PGP SIGNATURE-----