[CVS] OpenPKG: openpkg-web/security OpenPKG-SA-2002.009-apache.txt

[Ralf S. Engelschall]

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   04-Oct-2002 21:42:11
  Branch: HEAD                             Handle: 2002100420421000

  Modified files:
    openpkg-web/security    OpenPKG-SA-2002.009-apache.txt

  Log:
    more polishing

  Summary:
    Revision    Changes     Path
    1.2         +40 -43     openpkg-web/security/OpenPKG-SA-2002.009-apache.txt
  ____________________________________________________________________________

  Index: openpkg-web/security/OpenPKG-SA-2002.009-apache.txt
  ============================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2002.009-apache.txt
  --- openpkg-web/security/OpenPKG-SA-2002.009-apache.txt       4 Oct 2002 18:18:44 
-0000       1.1
  +++ openpkg-web/security/OpenPKG-SA-2002.009-apache.txt       4 Oct 2002 19:42:10 
-0000       1.2
  @@ -7,40 +7,34 @@
   ________________________________________________________________________
   
   Package:             apache
  -Vulnerability:       denial of service
  +Vulnerability:       local root exploit, denial of service
   OpenPKG Specific:    no
   
   Affected  Releases:  OpenPKG 1.0             OpenPKG 1.1
  -Affected  Packages:  <= apache-1.3.22-1.0.0  <= apache-1.3.26-1.1.0
  -Corrected Packages:  >= apache-1.3.22-1.0.X  >= apache-1.3.26-1.1.1
  -Dependent Packages:  None.
  +Affected  Packages:  <= apache-1.3.22-1.0.4  <= apache-1.3.26-1.1.0
  +Corrected Packages:  >= apache-1.3.22-1.0.5  >= apache-1.3.26-1.1.1
  +Dependent Packages:  none                    none
   
   Description:
  -  According to the Apache HTTP Server Project [1] [2], there are several remotely
  -  exploitable vulnerabilities which could allow an attacker to enact a denial
  -  of service against a server running one of the affected OpenPKG packages
  -  (see above). The Common Vulnerabilities and Exposures (CVE) project assigned
  -  the IDs CAN-2002-0839 [3], CAN-2002-0840 [4], and CAN-2002-0843 [5] to the
  -  following security issues.
  +  According to the Apache HTTP Server Project [1][2], there are
  +  several remotely exploitable vulnerabilities which could allow an
  +  attacker to enact a denial of service against a server. The Common
  +  Vulnerabilities and Exposures (CVE) project identified the following
  +  three vulnerabilities:
     
  -  CAN-2002-0839 (cve.mitre.org)[3]: A vulnerability exists in all versions
  -  of Apache prior to 1.3.27 on platforms using System V shared memory based
  -  scoreboards. This vulnerability allows an attacker who can execute under
  -  the Apache UID to exploit the Apache shared memory scoreboard format and
  -  send a signal to any process as root or cause a local denial of service
  -  attack. We thank iDefense for their responsible notification and
  -  disclosure of this issue.
  -
  -  CAN-2002-0840 (cve.mitre.org)[4]: Apache is susceptible to a cross site
  -  scripting vulnerability in the default 404 page of any web server hosted
  -  on a domain that allows wildcard DNS lookups. We thank Matthew Murphy
  -  for notification of this issue.
  -
  -  CAN-2002-0843 (cve.mitre.org)[5]: There were some possible overflows
  -  in ab.c which could be exploited by a malicious server. Note that this
  -  vulnerability is not in Apache itself, but rather one of the support
  -  programs bundled with Apache. We thank David Wagner for the responsible
  -  notification and disclosure of this issue.
  +  1. CAN-2002-0839 [3]: A vulnerability exists on platforms using System
  +  V shared memory based scoreboards. This vulnerability allows an
  +  attacker who can execute under the Apache UID to exploit the Apache
  +  shared memory scoreboard format and send a signal to any process as
  +  root or cause a local denial of service attack.
  +
  +  2. CAN-2002-0840 [4]: Apache is susceptible to a cross site scripting
  +  vulnerability in the default 404 page of any web server hosted on a
  +  domain that allows wildcard DNS lookups.
  +
  +  3. CAN-2002-0843 [5]: There were some possible overflows in the
  +  utility ApacheBench (ab) which could be exploited by a malicious
  +  server.
   
     Please check whether you are affected by running "<prefix>/bin/rpm -q
     apache". If you have an affected version of the "apache" package (see
  @@ -48,12 +42,13 @@
     rebuild and reinstall any dependent OpenPKG packages. [6]
   
   Solution:
  -  Select the updated source RPM appropriate for your OpenPKG release [7],
  -  fetch it from the OpenPKG FTP service [8] or a mirror location, verify
  -  its integrity [9], build a corresponding binary RPM from it and update
  -  your OpenPKG installation by finally installing the binary RPM [6]. For
  -  the latest OpenPKG 1.1 release, perform the following operations to
  -  permanently fix the security problem (for other releases adjust accordingly).
  +  Select the updated source RPM appropriate for your OpenPKG release
  +  [7][9], fetch it from the OpenPKG FTP service [8][10] or a mirror
  +  location, verify its integrity [11], build a corresponding binary RPM
  +  from it and update your OpenPKG installation by finally installing
  +  the binary RPM [6]. For the latest OpenPKG 1.1 release, perform the
  +  following operations to permanently fix the security problem (for
  +  other releases adjust accordingly).
   
     $ ftp ftp.openpkg.org
     ftp> bin
  @@ -68,15 +63,17 @@
   ________________________________________________________________________
   
   References:
  -  [1] http://httpd.apache.org/
  -  [2] http://www.apache.org/dist/httpd/Announcement.html
  -  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
  -  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
  -  [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
  -  [6] http://www.openpkg.org/tutorial.html#regular-source
  -  [7] ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.1.src.rpm
  -  [8] ftp://ftp.openpkg.org/release/1.1/UPD/
  -  [9] http://www.openpkg.org/security.html#signature
  +  [1]  http://httpd.apache.org/
  +  [2]  http://www.apache.org/dist/httpd/Announcement.html
  +  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
  +  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
  +  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
  +  [6]  http://www.openpkg.org/tutorial.html#regular-source
  +  [7]  ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.1.src.rpm
  +  [8]  ftp://ftp.openpkg.org/release/1.1/UPD/
  +  [9]  ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.5.src.rpm
  +  [10] ftp://ftp.openpkg.org/release/1.0/UPD/
  +  [11] http://www.openpkg.org/security.html#signature
   ________________________________________________________________________
   
   For security reasons, this advisory was digitally signed with
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]