Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: heho on June 25, 2002, 01:31:00 PM
-
From apache.org:
This follow-up to our earlier advisory is to warn of known-exploitable conditions related to this vulnerability on both 64-bit platforms and 32-bit platforms alike. Though we previously reported that 32-bit platforms were not remotely exploitable, it has since been proven by Gobbles that certain conditions allowing exploitation do exist.
Successful exploitation of this vulnerability can lead to the execution of arbitrary code on the server with the permissions of the web server child process. This can facilitate the further exploitation of vulnerabilities unrelated to Apache on the local system, potentially allowing the intruder root access.
Note that early patches for this issue released by ISS and others do not address its full scope.
Due to the existence of exploits circulating in the wild for some platforms, the risk is considered high. The Apache Software Foundation has released versions 1.3.26 and 2.0.39 that address and fix this issue, and all users are urged to upgrade immediately. These versions are available for download; see below.
If, for any reason, you are unable to upgrade at this time, as a minimum, this patch for httpd 1.2.0-1.3.22 should be applied to the source code.
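The advisory names the first fixed releases on each branch (1.3.26 and 2.0.39). As an added example, not part of the original thread or of the Apache project, the shell function below reads the banner that `httpd -v` prints and reports whether the build predates those releases, so an administrator can check a box before and after the upgrade. The sample banners in the loop are constructed for illustration; the function is a plain string comparison and assumes the banner contains `Apache/<version>`.

```shell
# Added example (not from the thread): classify an `httpd -v` banner against the
# fixed releases the advisory names: 1.3.26 on the 1.3 branch, 2.0.39 on 2.0.
# Older builds on those branches, and any release before 1.3, are reported as
# still affected; later branches are reported as fixed.
# Usage: apache_chunked_status "Server version: Apache/1.3.22 (Unix)"
# Prints one of: vulnerable, fixed, unknown.

apache_chunked_status() {
    banner=$1
    # Pull the dotted version number that follows "Apache/"
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # A two-component version such as "2.0" has no patch level; treat it as 0
    if [ "$patch" = "$rest" ]; then
        patch=0
    fi
    # Drop trailing non-digits (e.g. "26a") before the numeric comparison
    patch=${patch%%[!0-9]*}
    if [ -z "$patch" ]; then
        patch=0
    fi

    case "$major.$minor" in
        1.3) if [ "$patch" -ge 26 ]; then echo fixed; else echo vulnerable; fi ;;
        2.0) if [ "$patch" -ge 39 ]; then echo fixed; else echo vulnerable; fi ;;
        *)
            # Branches newer than 2.0 postdate the fix; anything older than 1.3 predates it
            if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 0 ]; }; then
                echo fixed
            else
                echo vulnerable
            fi ;;
    esac
}

# Constructed sample banners (not taken from real hosts) to show the classification
for b in "Server version: Apache/1.3.22 (Unix)" \
         "Server version: Apache/1.3.26 (Unix)" \
         "Server version: Apache/2.0.36" \
         "Server version: Apache/2.0.39" \
         "Server version: Apache/2.2.3 (Unix)"; do
    printf '%-40s %s\n' "$b" "$(apache_chunked_status "$b")"
done
```

On a live system the banner comes from `httpd -v` (or `/usr/sbin/httpd -v`), so `apache_chunked_status "$(httpd -v | head -n 1)"` gives the verdict for the installed binary; the check is only as honest as the binary's own version string, so a vendor build that backported the fix without bumping the version will still show as vulnerable.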
-
For those wanting to upgrade to 1.3.6, I recommend visiting http://rpms.arvin.dk/apache
-
We're currently performing QA on Apache upgrades for SME Server version
5.0 and newer. I expect they will be available later today.
Please note that SME Server version 5.1.1 and newer use a modified version
of Apache. Using a standard Red Hat Apache may break some server-manager
features which take a long time to execute.
Cheers,
--Rich
-
Rich!
Could you respond to this so I get an email when the upgrade is available?
Thanks
-
No, but the update will be announced on www.e-smith.org when available.
Cheers,
--Rich
-
Rich,
You had said in an earlier posting you expected the patch to be released yesterday pending QA. A search shows it is not yet released... Is there a QA issue? I'm not trying to be a pain, but I have been able to patch all my other Apache boxes (including Win2k) for a few days now.
Thanks, Darrin
-
Not an "issue", no -- we're still proceeding as planned (even if my estimate
was a bit optimistic :-).
Cheers,
--Rich