<<< Date Index >>>     <<< Thread Index >>>

[OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2004.021                                          12-May-2004
________________________________________________________________________

Package:             apache
Vulnerability:       privilege escalation, denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:        Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.29-20040421 >= apache-1.3.31-20040511
OpenPKG 2.0          <= apache-1.3.29-2.0.0    >= apache-1.3.29-2.0.1
OpenPKG 1.3          <= apache-1.3.28-1.3.2    >= apache-1.3.28-1.3.3

Dependent Packages:  none

Description:
  With the release of the Apache HTTP Server [0] version 1.3.31, four
  security issues were fixed [1]:

  1. Access Control List (ACL) Handling:
     mod_access in Apache 1.3 before 1.3.30, when running on big-endian
     64-bit platforms, did not properly parse Allow/Deny rules using IP
     addresses without a netmask. This could allow remote attackers to
     bypass intended access restrictions. The Common Vulnerabilities and
     Exposures (CVE) project assigned the id CAN-2003-0993 [2] to the
     problem.

  2. Error Log Escape Sequence Filtering:
     Apache 1.3 before 1.3.30 did not filter terminal escape sequences
     from its error logs. This could make it easier for attackers
     to insert those sequences into the terminal emulators (of
     administrators viewing the error logs) containing vulnerabilities
     related to escape sequence handling. The Common Vulnerabilities and
     Exposures (CVE) project assigned the id CAN-2003-0020 [3] to the
     problem.

  3. Nonce Verification in Digest Authentication:
     mod_digest in Apache 1.3 before 1.3.31 did not properly verify the
     nonce of a client response by using a AuthNonce secret. Apache
     now verifies the nonce returned in the client response to check
     whether it was issued by itself by means of a "AuthDigestRealmSeed"
     secret exposed as an MD5 checksum. The Common Vulnerabilities and
     Exposures (CVE) project assigned the id CAN-2003-0987 [4] to the
     problem.

  4. Starvation Issue in Serialized accept(2) Handling:
     Apache 1.3 before 1.3.30, when using multiple listening sockets
     on certain platforms, allows remote attackers to cause a Denial
     of Service (blocked new connections) via a short-lived connection
     on a rarely-accessed listening socket. This starvation situation
     caused a child to hold the accept(2) mutual exclusion lock and
     block out new connections (on any socket) until another connection
     arrives on that rarely-accessed listening socket. The source of
     the problem seems to be that under some Unix platforms accept(2)
     unexpectedly blocks after select(2) flagged a socket as readable.
     The Common Vulnerabilities and Exposures (CVE) project assigned the
     id CAN-2004-0174 [5] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache". If you have the "apache" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) [6][7].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [8][9], fetch it from the OpenPKG FTP service [10][11] or a mirror
  location, verify its integrity [12], build a corresponding binary
  RPM from it [6] and update your OpenPKG installation by applying the
  binary RPM [7]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get apache-1.3.29-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig apache-1.3.29-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild apache-1.3.29-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/apache-1.3.29-2.0.1.*.rpm
________________________________________________________________________

References:
  [0]  http://httpd.apache.org/
  [1]  http://www.apache.org/dist/httpd/CHANGES_1.3
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
  [6]  http://www.openpkg.org/tutorial.html#regular-source
  [7]  http://www.openpkg.org/tutorial.html#regular-binary
  [8]  ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.3.src.rpm
  [9]  ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3.29-2.0.1.src.rpm
  [10] ftp://ftp.openpkg.org/release/1.3/UPD/
  [11] ftp://ftp.openpkg.org/release/2.0/UPD/
  [12] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQFAoh68gHWT4GPEy58RAj8AAKDAS62t6ZsSCS7TpVD8P96QboDy9gCfTea5
X7ToXybIkgWSavmLEQUwoBg=
=wAmy
-----END PGP SIGNATURE-----