Also anyone subscribed to this list should be subscribed to the CERT mailing list as well.
http://www.cert.org/contact_cert/certmaillist.html

I also recommend stopping by the SANS web site and subscribing to their news bites.
http://www.sans.org/newlook/digests/newsbites.htm

On Tue, 2002-06-18 at 18:42, [EMAIL PROTECTED] wrote:
> Since the previous message mentioned this, I thought I would pass it on for
> those who need to know these things. It's sometimes nice to have a brother
> who is a criminal defense attorney who tracks these things for me :)
>
> Regards,
> Jale
>
> >From: CERT Advisory <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Organization: CERT(R) Coordination Center - +1 412-268-7090
> >List-Help: <http://www.cert.org/>, <mailto:[EMAIL PROTECTED]?body=help>
> >List-Subscribe: <mailto:[EMAIL PROTECTED]?body=subscribe%20cert-advisory>
> >List-Unsubscribe: <mailto:[EMAIL PROTECTED]?body=unsubscribe%20cert-advisory>
> >List-Post: NO (posting not allowed on this list)
> >List-Owner: <mailto:[EMAIL PROTECTED]>
> >List-Archive: <http://www.cert.org/>
> >Subject: CERT Advisory CA-2002-17 Apache Web Server Chunk Handling
> >Vulnerability
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
> >
> >   Original release date: June 17, 2002
> >   Last revised: --
> >   Source: CERT/CC
> >
> >   A complete revision history can be found at the end of this file.
> >
> >Systems Affected
> >
> >     * Web servers based on Apache code versions 1.3 through 1.3.24
> >     * Web servers based on Apache code versions 2.0 through 2.0.36
> >
> >Overview
> >
> >   There is a remotely exploitable vulnerability in the handling of large
> >   chunks of data in web servers that are based on Apache source code.
> >   This vulnerability is present by default in configurations of Apache
> >   web servers versions 1.3 through 1.3.24 and versions 2.0 through
> >   2.0.36. The impact of this vulnerability is dependent upon the
> >   software version and the hardware platform the server is running on.
> >
> >I. Description
> >
> >   Apache is a popular web server that includes support for chunk-encoded
> >   data according to the HTTP 1.1 standard as described in RFC2616. There
> >   is a vulnerability in the handling of certain chunk-encoded HTTP
> >   requests that may allow remote attackers to execute arbitrary code.
> >
> >   The Apache Software Foundation has published an advisory describing
> >   the details of this vulnerability. This advisory is available on their
> >   web site at
> >
> >   http://httpd.apache.org/info/security_bulletin_20020617.txt
> >
> >II. Impact
> >
> >   For Apache versions 1.3 through 1.3.24 inclusive, this vulnerability
> >   may allow the execution of arbitrary code by remote attackers. Several
> >   sources have reported that this vulnerability can be used by intruders
> >   to execute arbitrary code on Windows platforms. Additionally, the
> >   Apache Software Foundation has reported that a similar attack may
> >   allow the execution of arbitrary code on 64-bit UNIX systems.
> >
> >   For Apache versions 2.0 through 2.0.36 inclusive, the condition
> >   causing the vulnerability is correctly detected and causes the child
> >   process to exit. Depending on a variety of factors, including the
> >   threading model supported by the vulnerable system, this may lead to a
> >   denial-of-service attack against the Apache web server.
> >
> >III. Solution
> >
> >Apply a patch from your vendor
> >
> >   Apply a patch from your vendor to correct this vulnerability. The
> >   CERT/CC has been informed by the Apache Software Foundation that the
> >   patch provided in the ISS advisory on this topic does not completely
> >   correct this vulnerability. More information about vendor-specific
> >   patches can be found in the vendor section of this document. Because
> >   the publication of this advisory was unexpectedly accelerated,
> >   statements from all of the affected vendors were not available at
> >   publication time.
> >   As additional information from vendors becomes
> >   available, this document will be updated.
> >
> >Upgrade to the latest version
> >
> >   The Apache Software Foundation has released two new versions of Apache
> >   that correct this vulnerability. System administrators can prevent the
> >   vulnerability from being exploited by upgrading to Apache version
> >   1.3.25 or 2.0.39. The new versions of Apache will be available from
> >   their web site at
> >
> >   http://httpd.apache.org/
> >
> >Appendix A. - Vendor Information
> >
> >   This appendix contains information provided by vendors for this
> >   advisory. As vendors report new information to the CERT/CC, we will
> >   update this section and note the changes in our revision history. If a
> >   particular vendor is not listed below, we have not received their
> >   comments.
> >
> >Apache Software Foundation
> >
> >   New versions of the Apache software are available from:
> >
> >   http://httpd.apache.org/
> >
> >Conectiva Linux
> >
> >   The Apache webserver shipped with Conectiva Linux is vulnerable to
> >   this problem. New packages fixing this problem will be announced to
> >   our mailing list after an official fix becomes available.
> >
> >Cray, Inc.
> >
> >   Cray, Inc. does not distribute Apache with any of its operating
> >   systems.
> >
> >IBM Corporation
> >
> >   IBM makes the Apache Server available for AIX customers as a software
> >   package under the AIX-Linux Affinity initiative. This package is
> >   included on the AIX Toolbox for Linux Applications CD, and can be
> >   downloaded via the IBM Linux Affinity website. The currently available
> >   version of Apache Server is susceptible to the vulnerability described
> >   here. We will update our Apache Server offering shortly to version
> >   1.3.23, including the patch for this vulnerability; this update will
> >   be made available for downloading by accessing this URL:
> >
> >   http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
> >
> >   and following the instructions presented there.
> >
> >   Please note that Apache Server, and all Linux Affinity software, is
> >   offered on an "as-is" basis. IBM does not own the source code for this
> >   software, nor has it developed and fully tested this code. IBM does
> >   not support these software packages.
> >
> >Lotus
> >
> >   We have verified that the Lotus Domino web server is not vulnerable to
> >   this type of problem. Also, we do not ship Apache code with any Lotus
> >   products.
> >
> >Microsoft Corporation
> >
> >   Microsoft does not ship the Apache web server.
> >
> >Network Appliance
> >
> >   NetApp systems are not vulnerable to this problem.
> >
> >RedHat Inc.
> >
> >   Red Hat distributes Apache 1.3 versions in all Red Hat Linux
> >   distributions, and as part of Stronghold. However we do not distribute
> >   Apache for Windows. We are currently investigating the issue and will
> >   work on producing errata packages when an official fix for the problem
> >   is made available. When these updates are complete they will be
> >   available from the URL below. At the same time users of the Red Hat
> >   Network will be able to update their systems using the 'up2date' tool.
> >
> >   http://rhn.redhat.com/errata/RHSA-2002-103.html
> >
> >Unisphere Networks
> >
> >   The Unisphere Networks SDX-300 Service Deployment System (aka. SSC)
> >   uses Apache 1.3.24. We are releasing Version 3.0 using Apache 1.3.25
> >   soon, and will be issuing a patch release for SSC Version 2.0.3 in the
> >   very near future.
> >   _________________________________________________________________
> >
> >   The CERT/CC thanks Mark Litchfield for reporting this vulnerability to
> >   the Apache Software Foundation, and Mark Cox for reporting this
> >   vulnerability to the CERT/CC.
> >   _________________________________________________________________
> >
> >   Author: Cory F. Cohen
> >   ______________________________________________________________________
> >
> >   This document is available from:
> >   http://www.cert.org/advisories/CA-2002-17.html
> >   ______________________________________________________________________
> >
> >CERT/CC Contact Information
> >
> >   Email: [EMAIL PROTECTED]
> >   Phone: +1 412-268-7090 (24-hour hotline)
> >   Fax: +1 412-268-6989
> >   Postal address:
> >          CERT Coordination Center
> >          Software Engineering Institute
> >          Carnegie Mellon University
> >          Pittsburgh PA 15213-3890
> >          U.S.A.
> >
> >   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> >   EDT(GMT-4) Monday through Friday; they are on call for emergencies
> >   during other hours, on U.S. holidays, and on weekends.
> >
> >Using encryption
> >
> >   We strongly urge you to encrypt sensitive information sent by email.
> >   Our public PGP key is available from
> >   http://www.cert.org/CERT_PGP.key
> >
> >   If you prefer to use DES, please call the CERT hotline for more
> >   information.
> >
> >Getting security information
> >
> >   CERT publications and other security information are available from
> >   our web site
> >   http://www.cert.org/
> >
> >   To subscribe to the CERT mailing list for advisories and bulletins,
> >   send email to [EMAIL PROTECTED] Please include in the body of your
> >   message
> >
> >   subscribe cert-advisory
> >
> >   * "CERT" and "CERT Coordination Center" are registered in the U.S.
> >   Patent and Trademark Office.
> >   ______________________________________________________________________
> >
> >   NO WARRANTY
> >   Any material furnished by Carnegie Mellon University and the Software
> >   Engineering Institute is furnished on an "as is" basis. Carnegie
> >   Mellon University makes no warranties of any kind, either expressed or
> >   implied as to any matter including, but not limited to, warranty of
> >   fitness for a particular purpose or merchantability, exclusivity or
> >   results obtained from use of the material.
> >   Carnegie Mellon University does not make any warranty of any kind
> >   with respect to freedom from patent, trademark, or copyright
> >   infringement.
> >   _________________________________________________________________
> >
> >   Conditions for use, disclaimers, and sponsorship information
> >
> >   Copyright 2002 Carnegie Mellon University.
> >
> >   Revision History
> >June 17, 2002: Initial release
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: PGP 6.5.8
> >-----END PGP SIGNATURE-----
>
> _______________________________________________
> cobalt-developers mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-developers
>
--
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone  707.766.9509
Fax    707.766.8989
http://www.obsidian-studios.com
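The advisory above concerns how a server handles the chunk sizes in HTTP/1.1 chunked requests. As an added illustration, not code from the post, from CERT, or from Apache, here is a chunk-size parser that bounds the hexadecimal length on every digit, so that a very large chunk size is rejected up front rather than turned into a copy length. MAX_CHUNK_SIZE is an assumed policy limit chosen for this example; the sample chunk headers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of parsing one chunk-size line such as "1a3f;ext=val\r\n". */
typedef enum { CHUNK_OK, CHUNK_BAD_SYNTAX, CHUNK_TOO_LARGE } chunk_status;

/* Largest single chunk this parser will accept. Assumption: a policy limit
   chosen for this example, not a value taken from the advisory or Apache. */
#define MAX_CHUNK_SIZE (1024u * 1024u)

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse the hexadecimal chunk-size field of a chunked-transfer-coding chunk
   header (RFC 2616 section 3.6.1). The value is accumulated in an unsigned
   size_t and bounded after every digit, so an oversized chunk size can
   neither wrap around nor exceed the buffer policy before the caller ever
   uses it as a copy length. A chunk extension after ';' is ignored. */
chunk_status parse_chunk_size(const char *line, size_t *out) {
    size_t n = 0;
    int digits = 0;
    for (const char *p = line; *p && *p != ';' && *p != '\r' && *p != '\n'; p++) {
        int v = hexval(*p);
        if (v < 0) return CHUNK_BAD_SYNTAX;
        if (n > (SIZE_MAX >> 4)) return CHUNK_TOO_LARGE; /* generic guard: n << 4 would wrap */
        n = (n << 4) | (size_t)v;
        if (n > MAX_CHUNK_SIZE) return CHUNK_TOO_LARGE;  /* policy bound */
        digits++;
    }
    if (digits == 0) return CHUNK_BAD_SYNTAX;  /* empty size field */
    *out = n;
    return CHUNK_OK;
}

int main(void) {
    /* Constructed sample chunk headers: normal, with extension, oversized, garbage. */
    const char *samples[] = { "1a3f\r\n", "FF;name=value\r\n", "80000000\r\n", "zz\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        chunk_status st = parse_chunk_size(samples[i], &n);
        printf("sample %zu: status %d size %zu\n", i, (int)st, n);
    }
    return 0;
}
```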