Topic: Apache DoS

[Dan Williamson]

Hi Folks,

Can I simply update my Apache with the RedHat 7.2 RPM fixes that correct the recent vulnerability?

RedHat issued patched versions of Apache 1.3.22-6 to correct a DoS vulnerability (http://rhn.redhat.com/errata/RHSA-2002-103.html) for RH 7.2 as well as other versions for 6.2,7.0,7.1,7.3 etc.

Is it necessary to have an es module update or an es specific patch?

I'd like to fix this as soon as possible as there are rumours of a possible overwrite condition that may compromise some systems.

regards,

Dan

Note: Cross-posted to General Discussion Group

[Nathan Fowler]

Those versions are all 1.3.22 (excluding 1.3.23 for RH 7.3), so I'm not sure.  I'm running 1.3.23, but my system is not vanilla.  What version of E-Smith are you running, you don't want to revert to a lower version just for an exploit that doesn't compromise your system.

console> rpm -qa |grep apache

See what version you're running, if you're less than 1.3.22 then rpm -Uvh the RH apache version.  If you're greater than 1.3.22 then hang tight.

Nathan

[Kevin McDermott]

Nathan,

There is an exploit for OpenBSD and the source quite clearly states that they've exploited Linux boxes.

This isn't just a DOS.

Kevin

[Nathan Fowler]

Affecting sytems that are not 64Bit?  That's new to me, please enlighten me, if that is the case I will revert to an older patched version.

[Kevin McDermott]

From Bugtraq posting:

Subject: Remote Apache 1.3.x Exploit

Which supplies an OpenBSD exploit:

 * This code is an early version from when we first began researching the
 * vulnerability. It should spawn a shell on any unpatched OpenBSD system
 * running the Apache webserver.

But adds...

 * However, contrary to what ISS would have you believe, we have
 * successfully exploited this hole on the following operating systems:
 *
 *      Sun Solaris 6-8 (sparc/x86)
 *      FreeBSD 4.3-4.5 (x86)
 *      OpenBSD 2.6-3.1 (x86)
 *      Linux (GNU) 2.4 (x86)

HTH

Kevin

ps. I'd not be certain that earlier versions are invulnerable...

[Nathan Fowler]

Thanks for the info Kevin, I'm not sure that E-Smith has moved the 2.4 Kernel, but like you said, I wouldn't be certain that earlier kernel versions are still not vunerable.  I think I'm going to wait for 1.3.26, or I'll simply compile my own version, RPM it, and post it here.

[Dan Williamson]

Well,

The RedHat patches contain fixes for these vulnerabilities. My systems are running 5.1 SME with one at 1.3.19-5 and the other at 1.3.22.3.7.1es. That would make them both likely candidates for the redhat fix. If I can install any old rpm without fear that I am 'unsynchronized' with e-smith's administrative schema then I can always pick up the 1.3.26 when it is available. If anyone plans on making a SME specific fix available I could hold off for that as well.

regards,

Dan

[Nathan Fowler]

I've always used http://rpms.arvin.dk , these RPMS are compatible with E-Smith.  I use this build for PHP, Apache, Ming, and many other functions.  I've already contacted the author asking him about Apache 1.3.26, I'm going to wait until he has updated his apache rpm build.

Nathan

[Dan Brown]

I'd expect, going on prior history, that Mitel will release an update blade for this shortly (whether with RH's patched 1.3.22, or with 1.3.26, or with something else).

[Nathan Fowler]

Just talked to Troels Arvin (http://rpms.arvin.dk), he has build the Apache 1.2.36 packages.  They are in a "beta" state.

http://rpms.arvin.dk/beta/

Obviously, if you were upgrading you would rpm -Uvh the rpm.

Hey Dan Brown, just wanted to tell you thanks for the PHP Upgrade howto.

Nathan

[Dan Brown]

Glad the PHP HOWTOs helped.  Re: Apache, you should generally be fine upgrading to any 1.3.x version, and then rebuilding the httpd.conf file--Mitel doesn't do anything to the Apache binary; it's all in the config.

[Rich Lafferty]

Not true -- since 5.1.x, we ship a modified Apache in order to make
ProxyPass work with a handful of long-running server-manager
functions. (You'll note that the revision number of the RPM has "es"
appended.)

We're working on Apache updates now.

Cheers,

-Rich

[Dan Brown]

You know, I meant to put "AFAIK" in there; obviously my fingers ran ahead of my brain...  Thanks for the info!

[Peter Hollandare]

[qoute]
"We're working on Apache updates now.[/qoute]

Rich..

Are "we" also working on a updated version for e-smith 4.12 ?

Regards Peter

[robert]

Peter,
I wouldn't count on an apache update for e-smith 4.1.2. That release seems to have been silently abandoned when Mitel didn't provide PHP updates for it.