[cobalt-users] Apache Security Alert from my CO-LO facility
- Subject: [cobalt-users] Apache Security Alert from my CO-LO facility
- From: Jason Gottschalk <Jason@xxxxxxx>
- Date: Mon Jul 1 10:11:03 2002
- Organization: SYO Computer Engineering Services, Inc.
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hello cobalt-users,
My Co-Location facility just sent this. I don't know if it applies
to my RaQ4, can someone help me determine if I should act on or
dismiss this message?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It has recently been brought to our attention that there is a severe
security issue with the Apache Webserver. Below, you will find an
explanation of the exploit, affected versions and links for updated
packages that will allow you to patch your server. It should be noted
that this ONLY AFFECTS Dedicated Servers running the Apache Webserver.
Microsoft Windows 2000/NT 4.0 Customers can ignore this advisory.
Please note, this only affects the following versions.
- Web servers based on Apache code versions 1.2.2 and above
- Web servers based on Apache code versions 1.3 through 1.3.24
- Web servers based on Apache code versions 2.0 through 2.0.36
For Redhat Linux based Dedicated Servers, Please see the following URL.
http://rhn.redhat.com/errata/RHSA-2002-103.html
You will want to download the appropriate files to your dedicated
server, and then apply them by using RPM. You should upload the files
to your server, and then apply them by using SSH/Telnet to connect to
your server, changing to the directory where the files are stored, and
issuing the following command.
"rpm -Uvh apache-1.3.22-5.6.i386.rpm"
If you are running RedHat 6.2, you will need these files.
ftp://updates.redhat.com/6.2/en/os/i386/apache-1.3.22-5.6.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/apache-devel-1.3.22-5.6.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/apache-manual-1.3.22-5.6.i386.rpm
If you are running RedHat 7.2, you will need these files.
ftp://updates.redhat.com/7.2/en/os/i386/apache-1.3.22-6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/apache-devel-1.3.22-6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/apache-manual-1.3.22-6.i386.rpm
If you are running RedHat 7.3, you will need these files.
ftp://updates.redhat.com/7.3/en/os/i386/apache-1.3.23-14.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/apache-devel-1.3.23-14.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/apache-manual-1.3.23-14.i386.rpm
This will fix the security hole in your Webserver.
For Sun Solaris Customers, please download the latest available patch
clusters for your servers. These can be found here:
http://www.sun.com/bigadmin/patches/index.html
Once downloaded, you will need to unzip the patch cluster, change into
the directory that was created by unzipping the file and run
"./install_cluster"
For Debian Linux users, you should be able to enter the following command.
"apt-get update && apt-get install apache"
This will take care of the security hole for you.
All other Unix/Linux clients will need to see the following page for
more information in regards to updating against this.
http://www.apache.org/dist/httpd/Announcement.html
CERT Advisory follows
Original release date: June 17, 2002
Last revised: June 24, 2002
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
- Web servers based on Apache code versions 1.2.2 and above
- Web servers based on Apache code versions 1.3 through 1.3.24
- Web servers based on Apache code versions 2.0 through 2.0.36
Overview
There is a remotely exploitable vulnerability in the way that
Apache web servers (or other web servers based on their source code)
handle data encoded in chunks. This vulnerability is present by
default in configurations of Apache web server versions 1.2.2 and
above, 1.3 through 1.3.24, and versions 2.0 through 2.0.36. The impact
of this vulnerability is dependent upon the software version and the
hardware platform the server is running on.
I. Description
Apache is a popular web server that includes support for chunk-encoded
data according to the HTTP 1.1 standard as described in RFC2616. There
is a vulnerability in the handling of certain chunk-encoded HTTP
requests that may allow remote attackers to execute arbitrary code.
The Apache Software Foundation has published an advisory describing
the details of this vulnerability. This advisory is available on their
web site at
http://httpd.apache.org/info/security_bulletin_20020617.txt
Vulnerability Note VU#944335 includes a list of vendors that have been
contacted about this vulnerability.
II. Impact
For Apache versions 1.2.2 through 1.3.24 inclusive, this vulnerability
may allow the execution of arbitrary code by remote attackers.
Exploits are publicly available that claim to allow the execution of
arbitrary code. For Apache versions 2.0 through 2.0.36 inclusive, the
condition causing the vulnerability is correctly detected and causes
the child process to exit. Depending on a variety of factors,
including the threading model supported by the vulnerable system, this
may lead to a denial-of-service attack against the Apache web server.
III. Solution
Upgrade to the latest version
The Apache Software Foundation has
released two new versions of Apache that correct this vulnerability.
System administrators can prevent the vulnerability from being
exploited by upgrading to Apache httpd version 1.3.26 or 2.0.39. Due
to some unexpected problems with version 1.3.25, the CERT/CC has been
informed by the Apache Software Foundation that the corrected version
of the software is now 1.3.26. Both 1.3.26 and 2.0.39 are available on
their web site at
http://www.apache.org/dist/httpd/
--
Best regards,
Jason Gottschalk mailto:Jason@xxxxxxx
SYO Computer Engineering Services, Inc.
586-286-2557
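The question in the post (does the advisory apply to this box?) comes down to two checks: is the Apache version inside the ranges the advisory lists, and, on a Red Hat style system, is the installed package already at the release that carries the backported fix. The script below is an added example, not from the original post, the co-location facility, CERT or the Apache project. It assumes only what the advisory above states (affected ranges 1.2.2 and later, 1.3.0 to 1.3.24, 2.0.0 to 2.0.36; fixed releases 1.3.26 and 2.0.39; the Red Hat package versions listed), plus the real format of the `httpd -v` line and the `Server:` header ("Apache/x.y.z"). The banner strings in the usage notes are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post, the co-lo facility, CERT or
# Apache): is this Apache in the version ranges the advisory lists, and is a
# Red Hat package already at the fixed release?
# Assumptions: the affected ranges (1.2.2+, 1.3.0-1.3.24, 2.0.0-2.0.36) and
# fixed releases (1.3.26, 2.0.39) come from the advisory above; "httpd -v"
# prints a line like "Server version: Apache/1.3.20 (Unix)".

# vercmp A B: compare dotted numeric strings segment by segment.
# Prints -1, 0 or 1. Missing segments count as 0; non-digits are ignored.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in *.*) x=${a%%.*}; a=${a#*.} ;; *) x=$a; a= ;; esac
        case $b in *.*) y=${b%%.*}; b=${b#*.} ;; *) y=$b; b= ;; esac
        x=$(printf '%s' "$x" | tr -cd 0-9); x=${x:-0}
        y=$(printf '%s' "$y" | tr -cd 0-9); y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# classify_apache_version STRING: prints "affected", "fixed", "unlisted"
# (outside every range the advisory names, e.g. 1.3.25, which the CERT text
# says was superseded by 1.3.26) or "unknown" (no version in the string).
# Leading text such as "Apache/" and a trailing "-release" are ignored.
classify_apache_version() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    if [ -z "$v" ]; then printf 'unknown\n'; return; fi
    case $v in
        1.2|1.2.*)
            if [ "$(vercmp "$v" 1.2.2)" -ge 0 ]; then printf 'affected\n'
            else printf 'unlisted\n'; fi ;;
        1.3|1.3.*)
            if [ "$(vercmp "$v" 1.3.24)" -le 0 ]; then printf 'affected\n'
            elif [ "$(vercmp "$v" 1.3.26)" -ge 0 ]; then printf 'fixed\n'
            else printf 'unlisted\n'; fi ;;
        2.0|2.0.*)
            if [ "$(vercmp "$v" 2.0.36)" -le 0 ]; then printf 'affected\n'
            elif [ "$(vercmp "$v" 2.0.39)" -ge 0 ]; then printf 'fixed\n'
            else printf 'unlisted\n'; fi ;;
        *) printf 'unlisted\n' ;;
    esac
}

# apache_version_from_banner LINE: extract the version from an "httpd -v"
# line or an HTTP "Server:" header; prints nothing if there is no "Apache/".
apache_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p'
}

# rpm_is_fixed INSTALLED FIXED: compare two "apache-VERSION-RELEASE" strings
# as printed by "rpm -q apache". Red Hat backported the fix without bumping
# the upstream version, so after "rpm -Uvh" the banner still says 1.3.22 and
# only the package release shows the patch. Prints "yes" or "no".
rpm_is_fixed() {
    inst=${1#apache-}; fixed=${2#apache-}
    c=$(vercmp "${inst%%-*}" "${fixed%%-*}")
    if [ "$c" -gt 0 ]; then printf 'yes\n'
    elif [ "$c" -lt 0 ]; then printf 'no\n'
    elif [ "$(vercmp "${inst#*-}" "${fixed#*-}")" -ge 0 ]; then printf 'yes\n'
    else printf 'no\n'; fi
}

# report: run the checks on this host. A missing httpd or rpm is reported,
# not treated as an error.
report() {
    banner=$( (httpd -v 2>/dev/null || /usr/sbin/httpd -v 2>/dev/null) | head -n 1)
    if [ -n "$banner" ]; then
        v=$(apache_version_from_banner "$banner")
        printf 'httpd banner: %s -> %s\n' "$banner" "$(classify_apache_version "$v")"
    else
        printf 'no httpd binary found on PATH or in /usr/sbin\n'
    fi
    if command -v rpm >/dev/null 2>&1; then
        printf 'installed package: %s\n' "$(rpm -q apache 2>/dev/null || printf 'none')"
    fi
}
report
```

On a constructed banner such as `Server version: Apache/1.3.20 (Unix)` the classifier reports "affected"; `rpm_is_fixed apache-1.3.22-2 apache-1.3.22-5.6` reports "no" while `rpm_is_fixed apache-1.3.22-5.6 apache-1.3.22-5.6` reports "yes". Two caveats matter for the RaQ4 question: the banner alone cannot tell a vendor-patched 1.3.22 from an unpatched one, so compare the package release against the fixed one for your distribution rather than the version string; and a RaQ's apache package comes from Cobalt, not from updates.redhat.com, so if `rpm -q apache` shows a release string that is not one of the Red Hat releases named above, `rpm_is_fixed` has nothing to compare against and the right source is Cobalt's own update for the RaQ, not the Red Hat RPMs.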