-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] OpenPKG-SA-2004.021 12-May-2004 ________________________________________________________________________ Package: apache Vulnerability: privilege escalation, denial of service OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= apache-1.3.29-20040421 >= apache-1.3.31-20040511 OpenPKG 2.0 <= apache-1.3.29-2.0.0 >= apache-1.3.29-2.0.1 OpenPKG 1.3 <= apache-1.3.28-1.3.2 >= apache-1.3.28-1.3.3 Dependent Packages: none Description: With the release of the Apache HTTP Server [0] version 1.3.31, four security issues were fixed [1]: 1. Access Control List (ACL) Handling: mod_access in Apache 1.3 before 1.3.30, when running on big-endian 64-bit platforms, did not properly parse Allow/Deny rules using IP addresses without a netmask. This could allow remote attackers to bypass intended access restrictions. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0993 [2] to the problem. 2. Error Log Escape Sequence Filtering: Apache 1.3 before 1.3.30 did not filter terminal escape sequences from its error logs. This could make it easier for attackers to insert those sequences into the terminal emulators (of administrators viewing the error logs) containing vulnerabilities related to escape sequence handling. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0020 [3] to the problem. 3. Nonce Verification in Digest Authentication: mod_digest in Apache 1.3 before 1.3.31 did not properly verify the nonce of a client response by using a AuthNonce secret. Apache now verifies the nonce returned in the client response to check whether it was issued by itself by means of a "AuthDigestRealmSeed" secret exposed as an MD5 checksum. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0987 [4] to the problem. 4. Starvation Issue in Serialized accept(2) Handling: Apache 1.3 before 1.3.30, when using multiple listening sockets on certain platforms, allows remote attackers to cause a Denial of Service (blocked new connections) via a short-lived connection on a rarely-accessed listening socket. This starvation situation caused a child to hold the accept(2) mutual exclusion lock and block out new connections (on any socket) until another connection arrives on that rarely-accessed listening socket. The source of the problem seems to be that under some Unix platforms accept(2) unexpectedly blocks after select(2) flagged a socket as readable. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0174 [5] to the problem. Please check whether you are affected by running "<prefix>/bin/rpm -q apache". If you have the "apache" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution) [6][7]. Solution: Select the updated source RPM appropriate for your OpenPKG release [8][9], fetch it from the OpenPKG FTP service [10][11] or a mirror location, verify its integrity [12], build a corresponding binary RPM from it [6] and update your OpenPKG installation by applying the binary RPM [7]. For the most recent release OpenPKG 2.0, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). $ ftp ftp.openpkg.org ftp> bin ftp> cd release/2.0/UPD ftp> get apache-1.3.29-2.0.1.src.rpm ftp> bye $ <prefix>/bin/openpkg rpm -v --checksig apache-1.3.29-2.0.1.src.rpm $ <prefix>/bin/openpkg rpm --rebuild apache-1.3.29-2.0.1.src.rpm $ su - # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/apache-1.3.29-2.0.1.*.rpm ________________________________________________________________________ References: [0] http://httpd.apache.org/ [1] http://www.apache.org/dist/httpd/CHANGES_1.3 [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987 [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174 [6] http://www.openpkg.org/tutorial.html#regular-source [7] http://www.openpkg.org/tutorial.html#regular-binary [8] ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.3.src.rpm [9] ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3.29-2.0.1.src.rpm [10] ftp://ftp.openpkg.org/release/1.3/UPD/ [11] ftp://ftp.openpkg.org/release/2.0/UPD/ [12] http://www.openpkg.org/security.html#signature ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG <[EMAIL PROTECTED]> iD8DBQFAoh68gHWT4GPEy58RAj8AAKDAS62t6ZsSCS7TpVD8P96QboDy9gCfTea5 X7ToXybIkgWSavmLEQUwoBg= =wAmy -----END PGP SIGNATURE----- ______________________________________________________________________ The OpenPKG Project www.openpkg.org Project Announcement List [EMAIL PROTECTED]
