
RE: [cobalt-users] Apache Security Alert from my CO-LO facility



Install the package update from SUN.
See the e-mail from Ray Healy (20 minutes ago)
Peter


> Hello cobalt-users,
> 
>   My Co-Location facility just sent this.  I don't know if it applies
>   to my Raq4, can someone help me determine if I should act on or
>   dismiss this message? 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> It has recently been brought to our attention that there is a 
> severe security issue with the Apache Webserver. Below, you 
> will find an explanation of the exploit, affected versions 
> and links for updated packages that will allow you to patch 
> your server. It should be noted that this ONLY AFFECTS 
> Dedicated Servers running the Apache Webserver. Microsoft 
> Windows 2000/NT 4.0 Customers can ignore this advisory.
> 
> Please note, this only affects the following versions.
> 
> .       Web servers based on Apache code versions 1.2.2 and above 
> .       Web servers based on Apache code versions 1.3 through 1.3.24 
> .       Web servers based on Apache code versions 2.0 through 2.0.36 
> 
> 
> For Redhat Linux based Dedicated Servers, Please see the 
> following URL.
> 
> http://rhn.redhat.com/errata/RHSA-2002-103.html
> 
> You will want to download the appropriate files to your 
> dedicated server, and then apply them by using RPM. You 
> should upload the files to your server, and then apply them 
> by using SSH/Telnet to connect to your server, changing to 
> the directory where the files are stored, and issuing the 
> following command.
> 
> 'rpm -Uvh apache-1.3.22-5.6.i386.rpm'
> 
> If you are running RedHat 6.2, you will need these files.
> 
> ftp://updates.redhat.com/6.2/en/os/i386/apache-1.3.22-5.6.i386.rpm
> ftp://updates.redhat.com/6.2/en/os/i386/apache-devel-1.3.22-5.6.i386.rpm
> ftp://updates.redhat.com/6.2/en/os/i386/apache-manual-1.3.22-5.6.i386.rpm
> 
> If you are running RedHat 7.2, you will need these files. 
> ftp://updates.redhat.com/7.2/en/os/i386/apache-1.3.22-6.i386.rpm
> ftp://updates.redhat.com/7.2/en/os/i386/apache-devel-1.3.22-6.i386.rpm
> ftp://updates.redhat.com/7.2/en/os/i386/apache-manual-1.3.22-6.i386.rpm
> 
> If you are running RedHat 7.3, you will need these files.
> 
> ftp://updates.redhat.com/7.3/en/os/i386/apache-1.3.23-14.i386.rpm
> ftp://updates.redhat.com/7.3/en/os/i386/apache-devel-1.3.23-14.i386.rpm
> ftp://updates.redhat.com/7.3/en/os/i386/apache-manual-1.3.23-14.i386.rpm
> 
> This will fix the security hole in your Webserver.
> 
> For Sun Solaris Customers, please download the latest 
> available patch clusters for your servers. These can be found 
> here: http://www.sun.com/bigadmin/patches/index.html
> Once downloaded, you will need to unzip the patch cluster, 
> change into the directory that was created by unzipping the 
> file and run
> 
> './install_cluster'
> 
> For Debian Linux users, you should be able to enter the 
> following command. 'apt-get update apache' This will take 
> care of the security hole for you.
> 
> All other Unix/Linux clients will need to see the following 
> page for more information in regards to updating against this.
> 
> http://www.apache.org/dist/httpd/Announcement.html
> 
> 
> 
> 
> 
> 
> CERT Advisory follows
> 
> 
> 
> Original release date: June 17, 2002
> Last revised: June 24, 2002
> Source: CERT/CC
> A complete revision history can be found at the end of this file.
> 
> Systems Affected
> .       Web servers based on Apache code versions 1.2.2 and above 
> .       Web servers based on Apache code versions 1.3 through 1.3.24 
> .       Web servers based on Apache code versions 2.0 through 2.0.36 
> 
> Overview
> There is a remotely exploitable vulnerability in the way that 
> Apache web servers (or other web servers based on their 
> source code) handle data encoded in chunks. This 
> vulnerability is present by default in configurations of 
> Apache web server versions 1.2.2 and above, 1.3 through 
> 1.3.24, and versions 2.0 through 2.0.36. The impact of this 
> vulnerability is dependent upon the software version and the 
> hardware platform the server is running on.
> 
> I. Description
> Apache is a popular web server that includes support for 
> chunk-encoded data according to the HTTP 1.1 standard as 
> described in RFC2616. There is a vulnerability in the 
> handling of certain chunk-encoded HTTP requests that may 
> allow remote attackers to execute arbitrary code. The Apache 
> Software Foundation has published an advisory describing the 
> details of this vulnerability. This advisory is available on 
> their web site at 
> http://httpd.apache.org/info/security_bulletin_20020617.txt
> 
> Vulnerability Note VU#944335 includes a list 
> of vendors that have been contacted about this vulnerability.
> 
> II. Impact
> For Apache versions 1.2.2 through 1.3.24 inclusive, this 
> vulnerability may allow the execution of arbitrary code by 
> remote attackers. Exploits are publicly available that claim 
> to allow the execution of arbitrary code. For Apache versions 
> 2.0 through 2.0.36 inclusive, the condition causing the 
> vulnerability is correctly detected and causes the child 
> process to exit. Depending on a variety of factors, including 
> the threading model supported by the vulnerable system, this 
> may lead to a denial-of-service attack against the Apache web server.
> 
> III. Solution
> Upgrade to the latest version. The Apache Software Foundation 
> has released two new versions of Apache that correct this 
> vulnerability. System administrators can prevent the 
> vulnerability from being exploited by upgrading to Apache 
> httpd version 1.3.26 or 2.0.39. Due to some unexpected 
> problems with version 1.3.25, the CERT/CC has been informed 
> by the Apache Software Foundation that the corrected version 
> of the software is now 1.3.26. Both 1.3.26 and 2.0.39 are 
> available on their web site at http://www.apache.org/dist/httpd/ 
>   
> 
> -- 
> Best regards,
>  Jason Gottschalk                         mailto:Jason@xxxxxxx
>  SYO Computer Engineering Services, Inc.
>  586-286-2557
> 
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to: 
> http://list.cobalt.com/mailman/listinfo/cobalt-users
> 
>
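As an added example (not from the list post, CERT, Red Hat or Sun), a small Python triage helper for the question the quoted post asks: it checks whether a reported Apache version falls inside the ranges the CERT advisory lists, and, for Red Hat hosts, whether the installed RPM already carries the fixed release named in the colo notice, since that fix keeps the 1.3.22/1.3.23 version number. The sample inputs are constructed, and the upper bound used for the open-ended "1.2.2 and above" range is an assumption.

```python
"""Triage helper: upstream version-range check plus Red Hat package check.
Example code written for this list archive; sample inputs are constructed."""
import re

# Affected ranges as listed in the CERT advisory. The upper bound for the
# open-ended "1.2.2 and above" range (any 1.2.x) is an assumption.
AFFECTED = [((1, 2, 2), (1, 2, 999)), ((1, 3, 0), (1, 3, 24)), ((2, 0, 0), (2, 0, 36))]
FIXED = {1: "1.3.26", 2: "2.0.39"}  # corrected releases named by CERT/CC

# Fixed package (version, release) per Red Hat release, taken from the RPM
# file names in the colo notice (RHSA-2002:103).
RHSA_FIXED = {"6.2": ("1.3.22", "5.6"), "7.2": ("1.3.22", "6"), "7.3": ("1.3.23", "14")}

def parse_version(text):
    """Pull the Apache version out of a Server header or `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def upstream_status(version):
    """Classify an upstream Apache version tuple against the advisory ranges."""
    if version is None:
        return "unknown: no Apache version found"
    for lo, hi in AFFECTED:
        if lo <= version <= hi:
            return "affected: upgrade to Apache %s" % FIXED[version[0]]
    return "not in affected range"

def _rel(s):
    return tuple(int(p) for p in s.split("."))

def rpm_status(rpm_q_output, redhat_release):
    """Compare `rpm -q apache` output with the RHSA fix for that Red Hat release.
    Needed because the vendor fix keeps the upstream version number: a patched
    apache-1.3.22-5.6 host still reports 1.3.22, which upstream_status flags."""
    m = re.match(r"apache-(\d+\.\d+\.\d+)-([\d.]+)", rpm_q_output.strip())
    if not m or redhat_release not in RHSA_FIXED:
        return "unknown: check the vendor advisory"
    ver, rel = m.groups()
    fver, frel = RHSA_FIXED[redhat_release]
    if _rel(ver) > _rel(fver) or (ver == fver and _rel(rel) >= _rel(frel)):
        return "patched (apache-%s-%s or later)" % (fver, frel)
    return "unpatched: install apache-%s-%s" % (fver, frel)

if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    print(upstream_status(parse_version("Server version: Apache/1.3.22 (Unix)")))
    print(rpm_status("apache-1.3.22-5.6", "6.2"))
```

Run stand-alone it shows the two checks disagreeing on a patched Red Hat 6.2 host, which is why the package release, not the version banner, decides whether the notice still applies.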