Topic: Apache DoS

[Dan Williamson]

Hi Folks,

Can I simply update my Apache with the RedHat 7.2 RPM fixes that correct the recent vulnerability?

RedHat issued patched versions of Apache 1.3.22-6 to correct a DoS vulnerability (http://rhn.redhat.com/errata/RHSA-2002-103.html) for RH 7.2 as well as other versions for 6.2,7.0,7.1,7.3 etc.

Is it necessary to have an es module update or an es specific patch?

I'd like to fix this as soon as possible as there are rumours of a possible overwrite condition that may compromise some systems.

regards,

Dan

Note: Cross-posted to General Discussion Group

[Nathan Fowler]

Those versions are all 1.3.22 (excluding 1.3.23 for RH 7.3), so I'm not sure.  I'm running 1.3.23, but my system is not vanilla.  What version of E-Smith are you running, you don't want to revert to a lower version just for an exploit that doesn't compromise your system.

console> rpm -qa |grep apache

See what version you're running, if you're less than 1.3.22 then rpm -Uvh the RH apache version.  If you're greater than 1.3.22 then hang tight.

Nathan

[Kevin McDermott]

Nathan,

There is an exploit for OpenBSD and the source quite clearly states that they've exploited Linux boxes.

This isn't just a DOS.

Kevin

[Nathan Fowler]

Affecting sytems that are not 64Bit?  That's new to me, please enlighten me, if that is the case I will revert to an older patched version.

[Kevin McDermott]

From Bugtraq posting:

Subject: Remote Apache 1.3.x Exploit

Which supplies an OpenBSD exploit:

 * This code is an early version from when we first began researching the
 * vulnerability. It should spawn a shell on any unpatched OpenBSD system
 * running the Apache webserver.

But adds...

 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 *      Sun Solaris 6-8 (sparc/x86)
 *      FreeBSD 4.3-4.5 (x86)
 *      OpenBSD 2.6-3.1 (x86)
 *      Linux (GNU) 2.4 (x86)

HTH

Kevin

ps. I'd not be certain that earlier versions are invulnerable...

[Nathan Fowler]

Thanks for the info Kevin, I'm not sure that E-Smith has moved the 2.4 Kernel, but like you said, I wouldn't be certain that earlier kernel versions are still not vunerable.  I think I'm going to wait for 1.3.26, or I'll simply compile my own version, RPM it, and post it here.

[Dan Williamson]

Well,

The RedHat patches contain fixes for these vulnerabilities. My systems are running 5.1 SME with one at 1.3.19-5 and the other at 1.3.22.3.7.1es. That would make them both likely candidates for the redhat fix. If I can install any old rpm without fear that I am 'unsynchronized' with e-smith's administrative schema then I can always pick up the 1.3.26 when it is available. If anyone plans on making a SME specific fix available I could hold off for that as well.

regards,

Dan

[Nathan Fowler]

I've always used http://rpms.arvin.dk , these RPMS are compatible with E-Smith.  I use this build for PHP, Apache, Ming, and many other functions.  I've already contacted the author asking him about Apache 1.3.26, I'm going to wait until he has updated his apache rpm build.

Nathan

[Dan Brown]

I'd expect, going on prior history, that Mitel will release an update blade for this shortly (whether with RH's patched 1.3.22, or with 1.3.26, or with something else).

[Nathan Fowler]

Just talked to Troels Arvin (http://rpms.arvin.dk), he has build the Apache 1.2.36 packages.  They are in a "beta" state.

http://rpms.arvin.dk/beta/

Obviously, if you were upgrading you would rpm -Uvh the rpm.

Hey Dan Brown, just wanted to tell you thanks for the PHP Upgrade howto.

Nathan

[Dan Brown]

Glad the PHP HOWTOs helped.  Re: Apache, you should generally be fine upgrading to any 1.3.x version, and then rebuilding the httpd.conf file--Mitel doesn't do anything to the Apache binary; it's all in the config.

[Rich Lafferty]

Not true -- since 5.1.x, we ship a modified Apache in order to make
ProxyPass work with a handful of long-running server-manager
functions. (You'll note that the revision number of the RPM has "es"
appended.)

We're working on Apache updates now.

Cheers,

-Rich

[Dan Brown]

You know, I meant to put "AFAIK" in there; obviously my fingers ran ahead of my brain...  Thanks for the info!

[Peter Hollandare]

[qoute]
"We're working on Apache updates now.[/qoute]

Rich..

Are "we" also working on a updated version for e-smith 4.12 ?

Regards Peter

[robert]

Peter,
I wouldn't count on an apache update for e-smith 4.1.2. That release seems to have been silently abandoned when Mitel didn't provide PHP updates for it.

[Nathan Fowler]

Nicely enough you can install the following RPMS for RH6.2 which work perfectly with E-Smith 4.1.2 (that is what I run).

http://rpms.arvin.dk

Install the Apache 1.3.36 updates in addition to installing the PHP updates.  These RPMS are compatible with E-Smith 4.1.2 and work with no problems.  I did find that for PHP to work correctly I had to uninstall the existing PHP RPMS before I did an rpm -Uvh.

Also, Dan Brown has created a nice FAQ on how to upgrade PHP on E-Smith 4.1.2

Hope this helped I'm using PHP 4.1.2 on Apache 1.3.36 on E-Smith 4.1.2,
Nathan

[Peter Hollandare]

robert :

no @!#$, its tragic to see, that we are forced to go "elsewhere" just to find important updates. I have no intentions to change, nor update my e.smith box from 4.12, to something i found to be working less good. With a little tweaks here and there from (users here that still are helping for non profit!).

My thanks goes to Dan and Darrel, for making this work at all.

My angryness goes to Mitel, shame on you guys, for beeing so ignorant, esp with a issue like this, you could have easy updated a few rpm's for us 4.12 users.
I often come to this page, and there are times when i often wonders - why does this page even still exists anymore????

Nathan :

Yes i visit arvins site freq to check for updates. Theres a BIG note to take when updating the latest Apache 1.3.26 from arvin. Make damn sure to save /var/www/icons - since arvins updated apache removes every singel icon.

Updated, and everything seeme to work perfect.

[Nathan Fowler]

Peter, next time you get a chance do a http://www.netcraft.com query on www.e-smith.org.  Make sure you're sitting down, if you have any animocity (spelling?) towards Mitel you'll really start laughing.

Like you, I have no intentions on updating past 4.1.2.

Don't you find it funny to have security posts pasted on the front page of a webserver exploitable by such posts?

The site www.e-smith.org is running Apache/1.3.12 (Unix) (Red Hat/Linux) PHP/4.0.1pl2 on Linux.

Sad.  I'm here to attempt to give back at least 5% of what the E-Smith community has given me.  Contributions from Darrel May, Dan Brown, and the countless others are the real reasons for the success with E-Smith.  Everyone give yourselves a pat on the back for a job well done, I could take or leave Mitel either way; I guess I'm a little biased not being on the payroll.

Nathan

[Dave Wyatt]

I just updated one of our 4.12 servers with these Apache RPMs and received these errors:

[root@abraF01 temp01]# rpm -Uvh *.rpm
error: failed dependencies:
        libexpat.so.0   is needed by apache-1.3.26-3.arvin.rh6.2
        libmm.so.1   is needed by apache-1.3.26-3.arvin.rh6.2
        make is needed by mod_ssl-2.8.10-2.arvin.rh6.2
[root@abraF01 temp01]#

I don't have make as I haven't needed to compile anything on this server and I guess that isn't installed with the normal installation.  
 
What about the dependencies?  Did I miss something? Was Apache 1.3.26 installed and how do I tell?

Thanks,
Dave

[Dave Wyatt]

>I just updated one of our 4.12 servers with these Apache RPMs and received >these errors:

>[root@abraF01 temp01]# rpm -Uvh *.rpm
>error: failed dependencies:
>libexpat.so.0 is needed by apache-1.3.26-3.arvin.rh6.2
>libmm.so.1 is needed by apache-1.3.26-3.arvin.rh6.2
>make is needed by mod_ssl-2.8.10-2.arvin.rh6.2
>[root@abraF01 temp01]#

>I don't have make as I haven't needed to compile anything on this server and I >guess that isn't installed with the normal installation.

I have since downloaded the libmm and libexpat rpms from Arvins' and I have installed them.  I still get the 'make is needed by mod ssl-2.8.10-2.arvin.rh6.2' error.  I can't find where to get make, it does not appear to be on the 4.1.2 iso. I burnt to a cd?  Is make enough or am I going to have to install a bunch of stuff to complie?

[Nathan Fowler]

Dave, keep in mind that 4.1.2 is based off RH6.2, therefore most RPMS are compatible.

http://www.rpmfind.net/linux/RPM/redhat/6.2/i386/make-3.78.1-4.i386.html

I recommend using RPMFIND.net to find the missing RPMs.

Hope this helped,
Nathan

[Dave Wyatt]

Thanks Nathan,

I knew about RPMFIND but I just didn't happen to think about looking there for it.  Too many brain cells gone I guess.  Thanks again,

Dave

[Nathan Fowler]

Dave, anytime.  Don't feel bad, it happens all the time

Nathan