[CVS] OpenPKG: openpkg-web/security OpenPKG-SA-2002.009-apache.txt

[Michael Schloh]

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Michael Schloh
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   04-Oct-2002 20:18:44
  Branch: HEAD                             Handle: 2002100419184400

  Added files:
    openpkg-web/security    OpenPKG-SA-2002.009-apache.txt

  Log:
    Add today's Apache package security advisory text.

  Summary:
    Revision    Changes     Path
    1.1         +90 -0      openpkg-web/security/OpenPKG-SA-2002.009-apache.txt
  ____________________________________________________________________________

  Index: openpkg-web/security/OpenPKG-SA-2002.009-apache.txt
  ============================================================
  $ cvs update -p -r1.1 OpenPKG-SA-2002.009-apache.txt
  ________________________________________________________________________
  
  OpenPKG Security Advisory                            The OpenPKG Project
  http://www.openpkg.org/security.html              http://www.openpkg.org
  [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  OpenPKG-SA-2002.009                                          04-Oct-2002
  ________________________________________________________________________
  
  Package:             apache
  Vulnerability:       denial of service
  OpenPKG Specific:    no
  
  Affected  Releases:  OpenPKG 1.0             OpenPKG 1.1
  Affected  Packages:  <= apache-1.3.22-1.0.0  <= apache-1.3.26-1.1.0
  Corrected Packages:  >= apache-1.3.22-1.0.X  >= apache-1.3.26-1.1.1
  Dependent Packages:  None.
  
  Description:
    According to the Apache HTTP Server Project [1] [2], there are several remotely
    exploitable vulnerabilities which could allow an attacker to enact a denial
    of service against a server running one of the affected OpenPKG packages
    (see above). The Common Vulnerabilities and Exposures (CVE) project assigned
    the IDs CAN-2002-0839 [3], CAN-2002-0840 [4], and CAN-2002-0843 [5] to the
    following security issues.
    
    CAN-2002-0839 (cve.mitre.org)[3]: A vulnerability exists in all versions
    of Apache prior to 1.3.27 on platforms using System V shared memory based
    scoreboards. This vulnerability allows an attacker who can execute under
    the Apache UID to exploit the Apache shared memory scoreboard format and
    send a signal to any process as root or cause a local denial of service
    attack. We thank iDefense for their responsible notification and
    disclosure of this issue.
  
    CAN-2002-0840 (cve.mitre.org)[4]: Apache is susceptible to a cross site
    scripting vulnerability in the default 404 page of any web server hosted
    on a domain that allows wildcard DNS lookups. We thank Matthew Murphy
    for notification of this issue.
  
    CAN-2002-0843 (cve.mitre.org)[5]: There were some possible overflows
    in ab.c which could be exploited by a malicious server. Note that this
    vulnerability is not in Apache itself, but rather one of the support
    programs bundled with Apache. We thank David Wagner for the responsible
    notification and disclosure of this issue.
  
    Please check whether you are affected by running "<prefix>/bin/rpm -q
    apache". If you have an affected version of the "apache" package (see
    above), upgrade it according to the solution below. Remember to also
    rebuild and reinstall any dependent OpenPKG packages. [6]
  
  Solution:
    Select the updated source RPM appropriate for your OpenPKG release [7],
    fetch it from the OpenPKG FTP service [8] or a mirror location, verify
    its integrity [9], build a corresponding binary RPM from it and update
    your OpenPKG installation by finally installing the binary RPM [6]. For
    the latest OpenPKG 1.1 release, perform the following operations to
    permanently fix the security problem (for other releases adjust accordingly).
  
    $ ftp ftp.openpkg.org
    ftp> bin
    ftp> cd release/1.1/UPD
    ftp> get apache-1.3.26-1.1.1.src.rpm
    ftp> bye
    $ <prefix>/bin/rpm --checksig apache-1.3.26-1.1.1.src.rpm
    $ <prefix>/bin/rpm --rebuild apache-1.3.26-1.1.1.src.rpm
    $ su -
    # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.26-1.1.1.*.rpm
    # <prefix>/etc/rc apache stop start
  ________________________________________________________________________
  
  References:
    [1] http://httpd.apache.org/
    [2] http://www.apache.org/dist/httpd/Announcement.html
    [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
    [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
    [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
    [6] http://www.openpkg.org/tutorial.html#regular-source
    [7] ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.1.src.rpm
    [8] ftp://ftp.openpkg.org/release/1.1/UPD/
    [9] http://www.openpkg.org/security.html#signature
  ________________________________________________________________________
  
  For security reasons, this advisory was digitally signed with
  the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F)
  of the OpenPKG project which you can find under the official URL
  http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
  check the integrity of this advisory, verify its digital signature by
  using GnuPG (http://www.gnupg.org/). For example, pipe this message to
  the command "gpg --verify --keyserver keyserver.pgp.com".
  ________________________________________________________________________
  
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]