Koozali.org: home of the SME Server

Apache DoS

Dan Williamson

Apache DoS
« on: June 20, 2002, 06:41:48 PM »
Hi Folks,

Can I simply update my Apache with the RedHat 7.2 RPM fixes that correct the recent vulnerability?

RedHat issued patched versions of Apache 1.3.22-6 to correct a DoS vulnerability (http://rhn.redhat.com/errata/RHSA-2002-103.html) for RH 7.2, as well as other versions for 6.2, 7.0, 7.1, 7.3, etc.

Is it necessary to have an es module update or an es-specific patch?

I'd like to fix this as soon as possible as there are rumours of a possible overwrite condition that may compromise some systems.

regards,

Dan

Note: Cross-posted to General Discussion Group

Nathan Fowler

Re: Apache DoS
« Reply #1 on: June 20, 2002, 07:20:38 PM »
Those versions are all 1.3.22 (excluding 1.3.23 for RH 7.3), so I'm not sure. I'm running 1.3.23, but my system is not vanilla. What version of E-Smith are you running? You don't want to revert to a lower version just for an exploit that doesn't compromise your system.

console> rpm -qa | grep apache

See what version you're running. If you're less than 1.3.22, then rpm -Uvh the RH Apache version. If you're greater than 1.3.22, then hang tight.

Nathan
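
Nathan's check (list the Apache RPMs, then compare the version against the patched package) is easy to misjudge by eye once release suffixes such as -3.7.1es come into play. The script below is an added example, not code from this thread or from e-smith/Mitel: it compares full version-release pairs using a simplified form of rpm's ordering (numeric dot-separated fields, trailing letters ignored; that simplification is an assumption made here), with the Red Hat 7.2 package Dan named, apache-1.3.22-6, as the threshold. When rpm is not present it runs over a constructed package list instead.

```shell
#!/bin/sh
# Added example (not from the thread): is the installed Apache RPM older than
# the package an advisory names as patched? Works on the same data as
# "rpm -qa | grep apache". The ordering below is a simplified assumption,
# not rpm's exact rpmvercmp().

# Split "apache-VERSION-RELEASE" into "VERSION RELEASE" (release "0" if absent).
split_package() {
    pkg=${1#apache-}
    case $pkg in
        *-*) ver=${pkg%-*}; rel=${pkg##*-} ;;
        *)   ver=$pkg;      rel=0 ;;
    esac
    printf '%s %s\n' "$ver" "$rel"
}

# Compare two dotted strings field by field; prints -1, 0 or 1.
# Missing fields count as 0; non-digit trailers are stripped ("1es" -> "1").
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# Compare two full package names: version first, release only on a tie.
pkgcmp() {
    set -- $(split_package "$1") $(split_package "$2")
    r=$(vercmp "$1" "$3")
    if [ "$r" -eq 0 ]; then r=$(vercmp "$2" "$4"); fi
    printf '%s\n' "$r"
}

# Exit 0 when the installed package is older than the patched one.
needs_update() {
    [ "$(pkgcmp "$1" "$2")" -lt 0 ]
}

# Patched Red Hat 7.2 package quoted in the thread.
PATCHED=apache-1.3.22-6

# Constructed sample of "rpm -qa | grep apache" output: the two SME 5.1 boxes
# mentioned in the thread plus a hypothetical locally rebuilt 1.3.26.
SAMPLE_LIST="apache-1.3.19-5
apache-1.3.22-3.7.1es
apache-1.3.26-1"

# Report on every apache package on this host (or the sample when rpm is absent).
# Exit status is the number of packages that still need updating.
check_host() {
    if command -v rpm >/dev/null 2>&1; then
        list=$(rpm -qa | grep '^apache-' || true)
    else
        list=$SAMPLE_LIST
    fi
    count=0
    for pkg in $list; do
        if needs_update "$pkg" "$PATCHED"; then
            echo "UPDATE  $pkg (older than $PATCHED)"
            count=$((count + 1))
        else
            echo "OK      $pkg"
        fi
    done
    return "$count"
}

check_host || true
```

The numeric comparison only tells you that a package is older than a stock build; it cannot see what a vendor-modified build such as the "es" package Rich describes later in the thread contains, so those boxes are better served by the vendor's own update than by dropping a plain Red Hat RPM over the top.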

Kevin McDermott

Re: Apache DoS
« Reply #2 on: June 20, 2002, 07:23:58 PM »
Nathan,

There is an exploit for OpenBSD and the source quite clearly states that they've exploited Linux boxes.

This isn't just a DoS.

Kevin

Nathan Fowler

Re: Apache DoS
« Reply #3 on: June 20, 2002, 07:29:41 PM »
Affecting systems that are not 64-bit? That's new to me; please enlighten me. If that is the case I will revert to an older patched version.

Kevin McDermott

Re: Apache DoS
« Reply #4 on: June 20, 2002, 07:42:28 PM »
From Bugtraq posting:

Subject: Remote Apache 1.3.x Exploit

Which supplies an OpenBSD exploit:

 * This code is an early version from when we first began researching the
 * vulnerability. It should spawn a shell on any unpatched OpenBSD system
 * running the Apache webserver.

But adds...

 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 *      Sun Solaris 6-8 (sparc/x86)
 *      FreeBSD 4.3-4.5 (x86)
 *      OpenBSD 2.6-3.1 (x86)
 *      Linux (GNU) 2.4 (x86)

HTH

Kevin

PS. I'd not be certain that earlier versions are invulnerable...

Nathan Fowler

Re: Apache DoS
« Reply #5 on: June 20, 2002, 08:15:46 PM »
Thanks for the info Kevin. I'm not sure that E-Smith has moved to the 2.4 kernel, but like you said, I wouldn't be certain that earlier kernel versions are not vulnerable. I think I'm going to wait for 1.3.26, or I'll simply compile my own version, RPM it, and post it here.

Dan Williamson

Apache DoS revisited
« Reply #6 on: June 20, 2002, 10:41:54 PM »
Well,

The RedHat patches contain fixes for these vulnerabilities. My systems are running 5.1 SME, with one at 1.3.19-5 and the other at 1.3.22.3.7.1es. That would make them both likely candidates for the RedHat fix. If I can install any old RPM without fear that I am 'unsynchronized' with e-smith's administrative schema, then I can always pick up the 1.3.26 when it is available. If anyone plans on making a SME-specific fix available I could hold off for that as well.

regards,

Dan

Nathan Fowler

Re: Apache DoS revisited
« Reply #7 on: June 20, 2002, 10:47:50 PM »
I've always used http://rpms.arvin.dk ; these RPMs are compatible with E-Smith. I use this build for PHP, Apache, Ming, and many other functions. I've already contacted the author asking him about Apache 1.3.26, and I'm going to wait until he has updated his Apache RPM build.

Nathan

Dan Brown

Re: Apache DoS revisited
« Reply #8 on: June 20, 2002, 10:52:19 PM »
I'd expect, going on prior history, that Mitel will release an update blade for this shortly (whether with RH's patched 1.3.22, or with 1.3.26, or with something else).

Nathan Fowler

Re: Apache DoS revisited
« Reply #9 on: June 20, 2002, 11:58:30 PM »
Just talked to Troels Arvin (http://rpms.arvin.dk); he has built the Apache 1.2.36 packages. They are in a "beta" state.

http://rpms.arvin.dk/beta/

Obviously, if you were upgrading you would rpm -Uvh the rpm.

Hey Dan Brown, just wanted to tell you thanks for the PHP Upgrade howto.

Nathan

Dan Brown

Re: Apache DoS revisited
« Reply #10 on: June 21, 2002, 12:04:56 AM »
Glad the PHP HOWTOs helped. Re: Apache, you should generally be fine upgrading to any 1.3.x version, and then rebuilding the httpd.conf file; Mitel doesn't do anything to the Apache binary, it's all in the config.

Rich Lafferty

Re: Apache DoS revisited
« Reply #11 on: June 21, 2002, 12:48:08 AM »
Not true: since 5.1.x, we ship a modified Apache in order to make ProxyPass work with a handful of long-running server-manager functions. (You'll note that the revision number of the RPM has "es" appended.)

We're working on Apache updates now.

Cheers,

-Rich

Dan Brown

Re: Apache DoS revisited
« Reply #12 on: June 21, 2002, 01:01:03 AM »
You know, I meant to put "AFAIK" in there; obviously my fingers ran ahead of my brain...  Thanks for the info!

Peter Hollandare

Re: Apache DoS revisited
« Reply #13 on: June 21, 2002, 04:39:51 AM »
Quote: "We're working on Apache updates now."

Rich..

Are "we" also working on an updated version for e-smith 4.12?

Regards Peter

robert

Re: Apache DoS revisited
« Reply #14 on: June 21, 2002, 03:33:33 PM »
Peter,
I wouldn't count on an Apache update for e-smith 4.1.2. That release seems to have been silently abandoned when Mitel didn't provide PHP updates for it.