[RedHat][Other] Vulnerability in Apache 2.x - RHSA-2003:186-01
-----BEGIN PGP SIGNED MESSAGE-----
Dear colleagues,
We have just received the following RedHat Security Advisory on
security problems in the Apache web server. We are forwarding this
information to you unchanged. The vulnerability also affects other
UNIX versions of the Apache web server and possibly the Windows port
as well.
CAN-2003-0189:
There is a flaw in the web server's Basic Authentication module which
a remote attacker can abuse for a denial of service attack.
The flaw only occurs when a 'threaded server' (httpd.worker) is used.
This is not the default setting under RedHat Linux.
CAN-2003-0245:
There is a flaw, not yet described in more detail, which can be
triggered via a WebDAV module (mod_dav) and possibly by other means.
This allows a remote attacker to carry out a denial of service attack.
It may also be possible to execute arbitrary code on the server.
The vulnerabilities affect the 2.x Apache versions up to and including
2.0.45 and thus, among others, RedHat Linux 8 and 9. The 1.3.x
development branch is not affected. RedHat provides patches to fix the
vulnerability; their exact addresses can be found in the attached
RedHat advisory.
As usual, the RedHat advisory is not digitally signed.
The flaws have also been fixed in version 2.0.46 of the Apache web
server. The exact addresses of the patches and of the new version can
be found in the attached announcement of the Apache Project.
(c) of the German summary by DFN-CERT GmbH; distribution, including in
excerpts, is permitted only with reference to the author, DFN-CERT GmbH,
and only for non-commercial purposes.
Best regards,
Andreas Bunten, DFN-CERT
- --
Andreas Bunten | mailto:bunten@xxxxxxxxxxx
DFN-CERT GmbH | http://www.cert.dfn.de/team/bunten/
Heidenkampsweg 41 | Phone: +49(40)808077-555
D-20097 Hamburg | FAX: +49(40)808077-556
Germany | PGP-Key: finger bunten@xxxxxxxxxxxxxxx
PGP-Key fingerprint = 25 E9 A6 DD 15 6C 09 70 9D 05 10 2B C7 AB C2 31
- ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated httpd packages fix Apache security vulnerabilities
Advisory ID: RHSA-2003:186-01
Issue date: 2003-05-28
Updated on: 2003-05-28
Product: Red Hat Linux
Keywords: Apache httpd auth remote
Cross references:
Obsoletes:
CVE Names: CAN-2003-0189 CAN-2003-0245
- ---------------------------------------------------------------------
1. Topic:
Updated httpd packages that fix two security issues are now available for
Red Hat Linux 8.0 and 9.
2. Relevant releases/architectures:
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386
3. Problem description:
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
A bug in Apache 2.0 through 2.0.45 allows remote attackers to cause a
denial of service, and may allow execution of arbitrary code. This bug
affects both Red Hat Linux 8.0 and 9. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0245 to
this issue.
A build system problem in Apache 2.0 through 2.0.45 allows remote attackers
to cause a denial of access to authenticated content when a threaded
server is used. This bug affects only Red Hat Linux 9 when the threaded
server "httpd.worker" has been configured, which is not the default.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0189 to this issue.
All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues, and applied to Apache version 2.0.40.
After the errata packages are installed, restart the Web service by running
the following command:
/sbin/service httpd restart
Red Hat would like to thank iDefense who initially discovered CAN-2003-0245
and John Hughes for CAN-2003-0189.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
88575 - Byte Range implementation fix
89170 - fullstatus segfaults apachectl
89179 - mod_proxy (forward proxy) inserts empty line before header
6. RPMs required:
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/httpd-2.0.40-11.5.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/httpd-2.0.40-11.5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/httpd-devel-2.0.40-11.5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/httpd-manual-2.0.40-11.5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mod_ssl-2.0.40-11.5.i386.rpm
Red Hat Linux 9:
SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/httpd-2.0.40-21.3.src.rpm
i386:
ftp://updates.redhat.com/9/en/os/i386/httpd-2.0.40-21.3.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/httpd-devel-2.0.40-21.3.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/httpd-manual-2.0.40-21.3.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/mod_ssl-2.0.40-21.3.i386.rpm
7. Verification:
MD5 sum Package Name
- --------------------------------------------------------------------------
904aee1a576c1e0aa8db130f38ff4944 8.0/en/os/SRPMS/httpd-2.0.40-11.5.src.rpm
2f19f8a77ec3b3d176e2dca39b0c0afe 8.0/en/os/i386/httpd-2.0.40-11.5.i386.rpm
cb1e6c56201c66be08f0154160f6e853 8.0/en/os/i386/httpd-devel-2.0.40-11.5.i386.rpm
65953249119902e90b5064f9a5682622 8.0/en/os/i386/httpd-manual-2.0.40-11.5.i386.rpm
8e32d341bd26b8d31fbba3955c03fe41 8.0/en/os/i386/mod_ssl-2.0.40-11.5.i386.rpm
a0a8e23c41fd1ca6ddb1be41e00f3ed9 9/en/os/SRPMS/httpd-2.0.40-21.3.src.rpm
414838fb1cd03bfe0c528361c4d1efa2 9/en/os/i386/httpd-2.0.40-21.3.i386.rpm
36584099d7e1f4a560bd4ce2ada65f4e 9/en/os/i386/httpd-devel-2.0.40-21.3.i386.rpm
346e7032c5d1b89dd3545e9f5218577b 9/en/os/i386/httpd-manual-2.0.40-21.3.i386.rpm
b86192fe630b4797b0e176abe22e2cba 9/en/os/i386/mod_ssl-2.0.40-21.3.i386.rpm
These packages are GPG signed by Red Hat for security. Our key is
available at http://www.redhat.com/solutions/security/news/publickey/
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
md5sum <filename>
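The md5sum check in section 7 is usually done one package at a time; a small script can walk the whole "MD5 sum / Package Name" listing and flag any mismatch or missing file before rpm is run. The script below is an added example, not Red Hat's tooling or part of the advisory. It assumes a POSIX shell with md5sum and mktemp, and the listing and "packages" it builds are constructed samples (md5 of "hello\n" and of an empty file), not the real httpd RPMs.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded packages against a
# "<md5>  <path>" listing laid out like section 7 above, reporting each file
# and failing if any hash differs or a file is absent. The listing and files
# used below are constructed samples, not the real Red Hat packages.

# verify_listing LISTING DIR
#   LISTING: lines of "<md5> <path>"; the file is looked up as DIR/<basename>.
#   Prints "OK <name>", "FAILED <name>" or "MISSING <name>" per line and
#   returns 1 if any file failed or was missing.
verify_listing() {
  listing=$1
  dir=$2
  rc=0
  while read -r want path; do
    [ -n "$want" ] || continue          # skip blank lines
    name=${path##*/}
    file="$dir/$name"
    if [ ! -f "$file" ]; then
      echo "MISSING $name"
      rc=1
      continue
    fi
    have=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$have" = "$want" ]; then
      echo "OK $name"
    else
      echo "FAILED $name"
      rc=1
    fi
  done <<EOF
$listing
EOF
  return $rc
}

# Constructed listing: md5 of "hello\n" and of the empty file, with
# placeholder package names in the advisory's path layout.
SAMPLE_LISTING='b1946ac92492d2347c6235b4d2611184 9/en/os/i386/example-a.i386.rpm
d41d8cd98f00b204e9800998ecf8427e 9/en/os/i386/example-b.i386.rpm'

# make_sample_dir: creates a temp dir holding the two sample "packages"
# and prints its path.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'hello\n' > "$d/example-a.i386.rpm"
  : > "$d/example-b.i386.rpm"
  echo "$d"
}

# Stand-alone run: intact files verify, then a tampered one is reported.
sample=$(make_sample_dir)
verify_listing "$SAMPLE_LISTING" "$sample"
printf 'x' >> "$sample/example-a.i386.rpm"
verify_listing "$SAMPLE_LISTING" "$sample" || echo "verification failed, do not install"
rm -rf "$sample"
```

A matching md5 only shows the download arrived intact; authenticity comes from the GPG signature, so `rpm --checksig -v` against Red Hat's published key remains the check to run before installing.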
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245
9. Contact:
The Red Hat security contact is <security@xxxxxxxxxx>. More contact
details at http://www.redhat.com/solutions/security/news/contact/
Copyright 2003 Red Hat, Inc.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Apache 2.0.46 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the ninth public release of the Apache 2.0
HTTP Server. This Announcement notes the significant changes in
2.0.46 as compared to 2.0.45.
This version of Apache is principally a security and bug fix release.
A summary of the bug fixes is given at the end of this document.
Of particular note is that 2.0.46 addresses two security
vulnerabilities:
Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
certain circumstances. This can be triggered remotely through mod_dav
and possibly other mechanisms. The crash was originally reported by
David Endler <DEndler@xxxxxxxxxxxx> and was researched and fixed by
Joe Orton <jorton@xxxxxxxxxx>. Specific details and an analysis of the
crash will be published Friday, May 30. No more specific information
is disclosed at this time, but all Apache 2.0 users are encouraged to
upgrade now.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]
Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
vulnerable to a denial-of-service attack on the basic authentication
module, which was reported by John Hughes <john.hughes@xxxxxxxxxxxxx>.
A bug in the configuration scripts caused the apr_password_validate()
function to be thread-unsafe on platforms with crypt_r(), including
AIX and Linux. All versions of Apache 2.0 have this thread-safety
problem on platforms with no crypt_r() and no thread-safe crypt(),
such as Mac OS X and possibly others. When using a threaded MPM (which
is not the default on these platforms), this allows remote attackers
to create a denial of service which causes valid usernames and
passwords for Basic Authentication to fail until Apache is restarted.
We do not believe this bug could allow unauthorized users to gain
access to protected resources.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]
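The two version ranges above, together with the threaded-MPM condition on CAN-2003-0189, can be turned into a quick inventory check. The following shell script is an added example, not part of the Apache announcement or of Red Hat's tooling. It parses the output of `httpd -V` (the sample outputs embedded below are constructed) and reports which of the two ids apply to a build; "worker" is the only MPM it treats as threaded, since that is the one both advisories name.

```shell
#!/bin/sh
# Added example (not from the advisories above): triage a host from the
# output of `httpd -V` against the version ranges the Apache announcement
# gives. Sample outputs below are constructed, not captured from real hosts.
#
#   CAN-2003-0245: Apache 2.0.37 through 2.0.45, any MPM
#   CAN-2003-0189: Apache 2.0.40 through 2.0.45 on Unix, threaded MPM only
#                  (Red Hat ships that as httpd.worker; prefork is the default)

# Pull "2.0.45" out of a "Server version: Apache/2.0.45" line.
httpd_version() {
  printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Pull the MPM name out of a "Server MPM:     worker" line.
httpd_mpm() {
  printf '%s\n' "$1" | sed -n 's/^Server MPM:[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' | head -n 1
}

# version_le A B: succeeds when dotted version A <= B (numeric per field).
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# in_range VERSION LOW HIGH: succeeds when LOW <= VERSION <= HIGH.
in_range() {
  version_le "$2" "$1" && version_le "$1" "$3"
}

# triage HTTPD_V_OUTPUT: prints the applicable CAN ids, comma separated,
# "none" when outside both ranges, "unknown" (and fails) when unparsable.
triage() {
  v=$(httpd_version "$1")
  m=$(httpd_mpm "$1")
  out=""
  if [ -z "$v" ]; then
    echo "unknown"
    return 1
  fi
  if in_range "$v" 2.0.37 2.0.45; then
    out="CAN-2003-0245"
  fi
  # Only a threaded MPM serves several requests from one process, where a
  # non-reentrant crypt() can collide; "worker" is the MPM the advisories
  # name. (Assumption: other 2.0 threaded MPMs are not covered here.)
  if in_range "$v" 2.0.40 2.0.45 && [ "$m" = "worker" ]; then
    out="${out:+$out,}CAN-2003-0189"
  fi
  echo "${out:-none}"
}

# Constructed samples in the layout `httpd -V` uses.
SAMPLE_WORKER='Server version: Apache/2.0.45
Server built:   May  1 2003 12:00:00
Architecture:   32-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)'

SAMPLE_PREFORK='Server version: Apache/2.0.40
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)'

SAMPLE_FIXED='Server version: Apache/2.0.46
Server MPM:     worker
  threaded:     yes (fixed thread count)'

# Stand-alone run: print the verdict for each sample.
for s in "$SAMPLE_WORKER" "$SAMPLE_PREFORK" "$SAMPLE_FIXED"; do
  printf '%s %s -> %s\n' "$(httpd_version "$s")" "$(httpd_mpm "$s")" "$(triage "$s")"
done
```

The check looks only at the upstream version string, so a Red Hat package carrying the back-ported fixes (which still reports 2.0.40) will be flagged; on those systems compare the package release instead, i.e. httpd-2.0.40-11.5 for Red Hat Linux 8.0 and httpd-2.0.40-21.3 for Red Hat Linux 9 as listed in section 6 of the advisory.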
The Apache Software Foundation would like to thank David Endler
and John Hughes for the responsible reporting of these issues.
This release is compatible with modules compiled for 2.0.42 and later
versions. We consider this release to be the best version of Apache
available and encourage users of all prior versions to upgrade.
Apache 2.0.46 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
after 1.3 please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep
in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe. Please contact the vendors of these
modules to obtain this information.
Apache 2.0.46 Major changes
Security vulnerabilities closed since Apache 2.0.45
*) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
remotely through mod_dav and possibly other mechanisms, causing
an Apache child process to crash. The crash was first reported
by David Endler <DEndler@xxxxxxxxxxxx> and was researched and
fixed by Joe Orton <jorton@xxxxxxxxxx>. Details will be released
on 30 May 2003.
*) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
affecting basic authentication on Unix platforms related to
thread-safety in apr_password_validate(). The problem was reported
by John Hughes <john.hughes@xxxxxxxxxxxxx>
Bugs fixed and features added since Apache 2.0.45
*) Fix for mod_dav. Call the 'can_be_activity' callback, if provided,
when a MKACTIVITY request comes in.
[Ben Collins-Sussman <sussman@xxxxxxxxxx>]
*) Perform run-time query in apxs for apr and apr-util's includes.
[Justin Erenkrantz]
*) run libtool from the apr install directory (in case that is different
from the apache install directory) [Jeff Trawick]
*) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]
*) If mod_mime_magic does not know the content-type, do not attempt to
guess. PR 16908. [Andrew Gapon <agapon@xxxxxxxxxxxxx>]
*) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
caching. PR 17864.
[Andreas Leimbacher <andreasl67@xxxxxxxx>, Madhusudan Mathihalli]
*) Add a delete flag to htpasswd.
[Thom May]
*) Fix mod_rewrite's handling of absolute URIs. The escaping routines
now work scheme dependent and the query string will only be
appended if supported by the particular scheme. [André Malo]
*) Add another check for already compressed content in mod_deflate.
PR 19913. [Tsuyoshi SASAMOTO <nazonazo@xxxxxxxxxxxxxxx>]
*) Fixes for VPATH builds; copying special.mk and any future .mk files
from the source tree as well as the build tree (now creates a usable
configuration for apxs), and eliminated redundant -I'nclude paths.
[William Rowe]
*) Code fixes, constness corrections and ssl_toolkit_compat.h updates
for SSLC and OpenSSL toolkit compatibility. Still work remains to
be done to cripple features based on the limitations of RSA's binary
distribution of their SSL-C toolkit.
[William Rowe, Madhusudan Mathihalli, Jeff Trawick]
*) Linux 2.4+: If Apache is started as root and you code
CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
[Greg Ames]
*) ap_get_mime_headers_core: allocate space for the trailing null
when folding is in effect.
PR 18170 [Peter Mayne <PeterMayne@xxxxxxxxxxxxxxxxxxxxxxxx>]
*) Fix --enable-mods-shared=most and other variants. [Aaron Bannert]
*) mod_log_config: Add the ability to log the id of the thread
processing the request via new %P formats. [Jeff Trawick]
*) Use appropriate language codes for Czech (cs) and Traditional Chinese
(zh-tw) in default config files. PR 9427. [André Malo]
*) mod_auth_ldap: Use generic whitespace character class when parsing
"require" directives, instead of literal spaces only. PR 17135.
[André Malo]
*) Hook mod_rewrite's type checker before mod_mime's one. That way the
RewriteRule [T=...] Flag should work as expected now. PR 19626.
[André Malo]
*) htpasswd: Check the processed file on validity. If a line is not empty
and not a comment, it must contain at least one colon. Otherwise exit
with error code 7. [Kris Verbeeck <Kris.Verbeeck@xxxxxxxxxx>, Thom May]
*) Fix a problem that caused httpd to be linked with incorrect flags
on some platforms when mod_so was enabled by default, breaking
DSOs on AIX. PR 19012 [Jeff Trawick]
*) By default, use the same CC and CPP with which APR was built.
The user can override with CC and CPP environment variables.
[Jeff Trawick]
*) Fix ap_construct_url() so that it surrounds IPv6 literal address
strings with []. This fixes certain types of redirection.
PR 19207. [Jeff Trawick]
*) forward port of buffer overflow fixes for htdigest. [Thom May]
*) Added AllowEncodedSlashes directive to permit control of whether
the server will accept encoded slashes ('%2f') in the URI path.
Default condition is off (the historical behaviour). This permits
environments in which the path-info needs to contain encoded
slashes. PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.
[Ken Coar]
*) When using Redirect in directory context, append requested query
string if there's no one supplied by configuration. PR 10961.
[André Malo]
*) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
the pattern will not always match as desired. PR 12596.
[André Malo]
*) mod_autoindex now emits and accepts modern query string parameter
delimiters (;). Thus column headers no longer contain unescaped
ampersands. PR 10880 [André Malo]
*) Enable ap_sock_disable_nagle for Windows. This along with the
addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle
to be disabled for Windows. [Allan Edwards]
*) Correct a mis-correlation between mpm_common.c and mpm_common.h;
This patch reverts us to pre-2.0.46 behavior, using the
ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle
was never compiled on Win32. [Allan Edwards, William Rowe]
*) Fix a build problem with passing unsupported --enable-layout
args to apr and apr-util. This broke binbuild.sh as well as
user-specified layout parameters. PR 18649 [Justin Erenkrantz,
Jeff Trawick]
*) If a Date response header was already set in the headers array,
this value was ignored in favour of the current time. This meant
that Date headers on proxied requests were rewritten when they
should not have been. PR: 14376 [Graham Leggett]
*) Add code to buildconf that produces an httpd.spec file from
httpd.spec.in, using build/get-version.sh from APR.
[Graham Leggett]
*) Fixed a segfault when multiple ProxyBlock directives were used.
PR: 19023 [Sami Tikka <sami.tikka@xxxxxxxxxxxx>]
*) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability
identified and reported by Robert Howard <rihoward@xxxxxxxxx> that
where device names faulted the running OS2 worker process.
The fix is actually in APR 0.9.4. [Brian Havard]
*) Forward port: Escape special characters (especially control
characters) in mod_log_config to make a clear distinction between
client-supplied strings (with special characters) and server-side
strings. This was already introduced in version 1.3.25.
[André Malo]
*) mod_deflate: Check also err_headers_out for an already set
Content-Encoding: gzip header. This prevents gzip compressed content
from a CGI script from being compressed once more. PR 17797.
[André Malo]
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+1OGPNhUi14Kre9ERAgCPAKD7wcQxzXa/m7lJah1KMVLtEZSKTwCaA1DF
M+DtGud2fxkWMEZl84gqO8Y=
=ZKS4
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
iQEVAgUBPtdNrCgU04YpslABAQHGaAgAqcYwsb3Vr2faNsy1cj6LfTpYlAzAtjAK
mVuDFAidHRaojIbMrI+lRjdOeisWeD6Lc+3+yz0sccu0aEdqsKoR1LPZ0Qc/4i7j
8jwVhlV2J3kwcntjb1wMlQCZHu071YyofP8AorCGIeMQryeSbMEHGbeJqYakUXdW
7P5KK1asTgG6g3zb4CEYUwGt33Ng+8cU7pk2aghtFNZbk7kbkMraNm/Y2Fsn2FpI
trqH+B+KtpyYhV7p4LD8eUpCVhAz0PySRrPqDf774nGEg755gfgYxc928xfwwoXj
4BDSiCOkElOHCSMEpDb8OcyTZtzNekM0qEw5FA2S8q6tUVvipbHv7w==
=g3B8
-----END PGP SIGNATURE-----