<<< Date Index >>>     <<< Thread Index >>>

MDKSA-2003:096-1 - Updated apache2 packages fix CGI scripting deadlock



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandrake Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           apache2
 Advisory ID:            MDKSA-2003:096-1
 Date:                   October 24th, 2003
 Original Advisory Date: September 26th, 2003
 Affected versions:      9.1, 9.2
 ______________________________________________________________________

 Problem Description:

 A problem was discovered in Apache2 where CGI scripts that output more
 than 4k of output to STDERR will hang the script's execution which can
 cause a Denial of Service on the httpd process because it is waiting
 for more input from the CGI that is not forthcoming due to the locked
 write() call in mod_cgi.
 
 On systems that use scripts that output more than 4k to STDERR, this
 could cause httpd processes to hang and once the maximum connection
 limit is reached, Apache will no longer respond to requests. 
 
 The updated packages provided use the latest mod_cgi.c from the Apache
 2.1 CVS version.
 
 Users may have to restart apache by hand after the upgrade by issuing
 a "service httpd restart".
  
Update:

 The previous update introduced an experimental mod_cgi.c that while
 fixing the deadlock did not do so in a correct manner and it likewise
 introduced new problems with other scripts.
 
 These packages roll back to the original mod_cgi.c until such a time as
 the apache team have a proper fix in place.  Both Mandrake Linux 9.1
 and 9.2 are affected with this problem.
 
 Likewise, a problem was discovered in the default mod_proxy
 configuration which created an open proxy.  Users who have installed
 mod_perl also have mod_proxy installed due to dependencies and may
 unknowingly have allowed spammers to use their MTA via the wide-open
 mod_proxy settings.
 
 MandrakeSoft encourages all users to upgrade to these new packages
 immediately.
 _______________________________________________________________________

 References:

  http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030
 ______________________________________________________________________

 Updated Packages:
  
 Mandrake Linux 9.1:
 0266407e6879970d75f699db87781e53  9.1/RPMS/apache2-2.0.47-1.4.91mdk.i586.rpm
 498191ace6f5898042aa4aeaf19987bb  
9.1/RPMS/apache2-common-2.0.47-1.4.91mdk.i586.rpm
 2aab0ab5f06db331cab1b3cd61222703  
9.1/RPMS/apache2-devel-2.0.47-1.4.91mdk.i586.rpm
 565506f84deabf6ef5f9d7c220598565  
9.1/RPMS/apache2-manual-2.0.47-1.4.91mdk.i586.rpm
 4de0542aed8c6ec5f7390cf43e9de57b  
9.1/RPMS/apache2-mod_dav-2.0.47-1.4.91mdk.i586.rpm
 6d2fe30aa77c6b2522377a781ebe74db  
9.1/RPMS/apache2-mod_ldap-2.0.47-1.4.91mdk.i586.rpm
 1bf2c46c844ed09896154ceb51610429  
9.1/RPMS/apache2-mod_ssl-2.0.47-1.4.91mdk.i586.rpm
 5dd37e86e03ccf353845ef1f469186c2  
9.1/RPMS/apache2-modules-2.0.47-1.4.91mdk.i586.rpm
 a371874746bc9693dda494dd449ac9dc  
9.1/RPMS/apache2-source-2.0.47-1.4.91mdk.i586.rpm
 6df5048842e866d6d029efd15c8d9239  9.1/RPMS/libapr0-2.0.47-1.4.91mdk.i586.rpm
 059fd94b8f53ad5dfb74f8123a0453c1  9.1/SRPMS/apache2-2.0.47-1.4.91mdk.src.rpm

 Mandrake Linux 9.1/PPC:
 f5d94eb1f0a64746434f828a6cf4acd7  ppc/9.1/RPMS/apache2-2.0.47-1.4.91mdk.ppc.rpm
 2f5e0a20ebd13a1915e655dcc46ac33f  
ppc/9.1/RPMS/apache2-common-2.0.47-1.4.91mdk.ppc.rpm
 51d8563c8b2d92fd93aeea6397665919  
ppc/9.1/RPMS/apache2-devel-2.0.47-1.4.91mdk.ppc.rpm
 6a519e9a6861c719b8a25b63140ee2df  
ppc/9.1/RPMS/apache2-manual-2.0.47-1.4.91mdk.ppc.rpm
 d6986f2037233214aa557a5ff3c83194  
ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.4.91mdk.ppc.rpm
 1cf512ced3909a27eba9e0c361c792ee  
ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.4.91mdk.ppc.rpm
 6288888bf0b3af6b4d4e946a0723479e  
ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.4.91mdk.ppc.rpm
 42f1924400fa8988cb71ec58d0f5b455  
ppc/9.1/RPMS/apache2-modules-2.0.47-1.4.91mdk.ppc.rpm
 9026ab441d5a9a40438a0272dba9851f  
ppc/9.1/RPMS/apache2-source-2.0.47-1.4.91mdk.ppc.rpm
 70c48bdd53a0551c32469b8333b8c52d  ppc/9.1/RPMS/libapr0-2.0.47-1.4.91mdk.ppc.rpm
 059fd94b8f53ad5dfb74f8123a0453c1  
ppc/9.1/SRPMS/apache2-2.0.47-1.4.91mdk.src.rpm

 Mandrake Linux 9.2:
 d8358bda85bfb2671af97ae8cfd754a2  9.2/RPMS/apache2-2.0.47-6.1.92mdk.i586.rpm
 37d4d450259608ff4f156745b3d6a0b6  
9.2/RPMS/apache2-common-2.0.47-6.1.92mdk.i586.rpm
 004bb302d4a29aea85d279bb26f6cbcb  
9.2/RPMS/apache2-devel-2.0.47-6.1.92mdk.i586.rpm
 15b6e364990657d17f0b1f4df3b751a6  
9.2/RPMS/apache2-manual-2.0.47-6.1.92mdk.i586.rpm
 27938e3f6e2ec4314e2d2c205e8fe26d  
9.2/RPMS/apache2-mod_cache-2.0.47-6.1.92mdk.i586.rpm
 fc3042b41ec1708a11d752ee78f7fb2b  
9.2/RPMS/apache2-mod_dav-2.0.47-6.1.92mdk.i586.rpm
 e1f4236f8d51afc50c6772380cb50b34  
9.2/RPMS/apache2-mod_deflate-2.0.47-6.1.92mdk.i586.rpm
 e78c277bafebc5b43090e1cfadc3d8c8  
9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.1.92mdk.i586.rpm
 0309bc5d51d36fd92f2edc110e097a14  
9.2/RPMS/apache2-mod_file_cache-2.0.47-6.1.92mdk.i586.rpm
 47da9f7f1dafcb1d02d4cac6bd28d78a  
9.2/RPMS/apache2-mod_ldap-2.0.47-6.1.92mdk.i586.rpm
 1a49a1936cee042389495ec8f4f6d4f1  
9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.1.92mdk.i586.rpm
 e1828dddeb75c4e3df12292db93bb27d  
9.2/RPMS/apache2-mod_proxy-2.0.47-6.1.92mdk.i586.rpm
 1ad3c77daf86db3d1b2042b911d668ae  
9.2/RPMS/apache2-mod_ssl-2.0.47-6.1.92mdk.i586.rpm
 514956199b61185ee0c79015ccdeb58e  
9.2/RPMS/apache2-modules-2.0.47-6.1.92mdk.i586.rpm
 4b429cc7e33e9fb81510130c026320d8  
9.2/RPMS/apache2-source-2.0.47-6.1.92mdk.i586.rpm
 50c969427cb0448736f85e818362a0e3  9.2/RPMS/libapr0-2.0.47-6.1.92mdk.i586.rpm
 15cee7a5fafdc0610ea4675b6ab2d46c  9.2/SRPMS/apache2-2.0.47-6.1.92mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

 All packages are signed by MandrakeSoft for security.  You can obtain
 the GPG public key of the Mandrake Linux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

 Please be aware that sometimes it takes the mirrors a few hours to
 update.

 You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

 MandrakeSoft has several security-related mailing list services that
 anyone can subscribe to.  Information on these lists can be obtained by
 visiting:

  http://www.mandrakesecure.net/en/mlist.php

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/mcTkmqjQ0CJFipgRArTmAJ0c4Dr5VkLbAbbPfqvzbasRrREUGACgvVrs
7wzdyVqf8OZQ1s83JFE5JWg=
=XnK4
-----END PGP SIGNATURE-----