Re: apache security issue (with upstream new release)

2003-11-02 Thread Adam ENDRODI
On Sat, Nov 01, 2003 at 07:49:30PM -0500, Phillip Hofmeister wrote:
 
 If you are really looking for assurance that 'rm -rf /' would not affect
 your day because weekly full backups and nightly incrementals should be
 made.  If you don't have valid off-system, perhaps off-site, backups,
 then what kind of assurance do you really have?

Fixing bogus user apps and taking backups on a regular basis are
two orthogonal approaches.  I'm sure you remember the recent debate
about the meaning of `security'.  The former is a preventive,
while the latter is a corrective measure.

Moreover, not only data manipulation can be performed by means
of an exploited user app.  For instance, sending funny faked emails
to your manager can be quite embarrassing just as well :)

bit,
adam

-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989  
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net | And out of mind
Sleep forever


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: apache security issue (with upstream new release)

2003-11-01 Thread roman
 On Fri, Oct 31, 2003 at 06:06:15PM +0100, Roman Medina wrote:

 My opinion is that if a security bug is discovered it should be fixed
 ASAP. It's really simple. The argument: We believe that there is no
 security update required because intentionally exploiting this
 vulnerability requires access to apache's configuration (either
 http.conf or .htaccess). is equivalent to:
 yes, we know that our .deb is vulnerable but we are not going to fix
 it because it is difficult to exploit or the exploitability is
 limited.

 With any security issue, the risk of exploitation is weighed against
 the risk of an update (instability, introducing new bugs, human errors,
 etc.). If the risk of an update is greater than the risk of the bug
 itself, an update is not desirable.

I agree with that in general terms. Applied to this particular case:
- I trust the Apache team. I mean, they're usually cool maintaining and
fixing Apache bugs. I suppose it's a responsibility when your software is
very highly used on the Internet.
- in other words, the quality of this kind of fix would be high
- the bug is quite serious (local root, at minimum) - bug risk is
medium/high.
- summary: risk of bug > risk of update.

Yes, this is my point of view,
but I've also heard similar comments from many more people. I also wanted
you to know it. I'm not trying to create a flamewar or similar. This is my
last post regarding this issue if nobody throws light on it for us :-)
 For example, people sometimes file bugs about buffer overflows in
 simple programs (which run with no privileges and do not act on any
 untrusted input) just because they are buffer overflows, a type of bug
 which is associated with many security exposures.  While these are
 bugs, no privileges can be gained from them, so they do not represent a
 security exposure.

I also agree with that. But this is not clearly the case. Some typical
scenarios are buffer overflows in games (clients, not servers) and other
client apps (although, depending on the particular case, they could also be
abused/exploited). I stated this is not the case because:
- Apache Httpd is very widespread software on the Internet.
- It is a server so it could be remotely attacked and it's the perfect
door for any hacker.
- The bug discovered could be used to obtain root remotely (well, the
terms remote and local could be confusing; I'm pretty sure you follow
Bugtraq and have seen recent posts regarding this; it's not a new issue
though :-)).
 I am not as well-versed on the internals of Apache as our Apache
 maintainers, so I am trusting their word that this does not put our
 users at risk.

Do you know any page which I could trust for the latest Apache releases for
woody/3.0 (= reliable backports)?






Re: apache security issue (with upstream new release)

2003-11-01 Thread roman

Oops, my apologies. You're completely right. I meant remote access with
apache user rights.
-R

 On Saturday, 2003-11-01 at 11:03:16 +0100, [EMAIL PROTECTED] wrote:

 - the bug is quite serious (local root, at minimun)

 I wonder how a user would obtain root privileges by overrunning an
 Apache worker process. Unless, of course, the admin was clever enough
 to run Apache with User root.

 Lupe Christoph
 --
 | [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
 | Violence is the resort of the violent Lu Tze |
 | Thief of Time, Terry Pratchett   |







Re: apache security issue (with upstream new release)

2003-11-01 Thread Adam ENDRODI
On Sat, Nov 01, 2003 at 11:03:16AM +0100, [EMAIL PROTECTED] wrote:
  For example, people sometimes file bugs about buffer overflows in
  simple programs (which run with no privileges and do not act on any
  untrusted input) just because they are buffer overflows, a type of bug
  which is associated with many security exposures.  While these are
  bugs, no privileges can be gained from them, so they do not represent a
  security exposure.
 
 I also agree with that. But this is not clearly the case. Some typical
 scenarios are buffer overflows in games (clients, not servers) and other
 client apps (although, depending on the particular case, they could also be
 abused/exploited).

I tend to disagree, I'm afraid.  The presence of remotely
exploitable bugs in user applications (be it a client of some
networked game, or a PDF viewer) imposes a great risk on the user,
i.e. not on the system (which protects its integrity), but the
user who is actually running the program.  For the sake of
assurance, just imagine how an accidentally executed `rm -rf /'
on behalf of your desktop uid would affect the rest of the day for you.

 I stated this is not the case because:
 - Apache Httpd is very widespread software on the Internet.
 - It is a server so it could be remotely attacked and it's the perfect
 door for any hacker.
 - The bug discovered could be used to obtain root remotely (well, the

Perhaps, in the co-existence of a bug in a suid root binary
(let's say traceroute.  Anyone?)

bit,
adam

-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989  
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net | And out of mind
Sleep forever





Re: apache security issue (with upstream new release)

2003-11-01 Thread Phillip Hofmeister
On Sat, 01 Nov 2003 at 05:15:34PM -0500, Adam ENDRODI wrote:
 I tend to disagree, I'm afraid.  The presence of remotely
 exploitable bugs in user applications (be it a client of some
 networked game, or a PDF viewer) imposes a great risk on the user,
 i.e. not on the system (which protects its integrity), but the
 user who is actually running the program.  For the sake of
 assurance, just imagine how an accidentally executed `rm -rf /'
 on behalf of your desktop uid would affect the rest of the day for you.

I really hate to be the voice of technicality...but...

If you are really looking for assurance that 'rm -rf /' would not affect
your day because weekly full backups and nightly incrementals should be
made.  If you don't have valid off-system, perhaps off-site, backups,
then what kind of assurance do you really have?

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #247: Your process is not ISO 9000 compliant 






Re: apache security issue (with upstream new release)

2003-10-31 Thread Lupe Christoph
Quoting Phillip Hofmeister [EMAIL PROTECTED]:

 I believe your justification can be found:

 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=218188

 I'm not saying I agree fully with it...but I do understand it...

Given that some of the affected directives can be used in .htaccess
files, the potential for an ordinary user to exploit this is there.
This allows access to the user the Apache worker processes run as. Not
much, but depending on local setup, this can be harmful.

So I believe it should be fixed.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |








Re: apache security issue (with upstream new release)

2003-10-31 Thread Matthew Wilcox
On Fri, Oct 31, 2003 at 09:07:57PM +0900, Hideki Yamane wrote:
  I checked woody's apache source and I cannot find any patches 
  for mod_alias.c in apache-1.3.26/debian/patches directory.
  So I guess debian's apache is affected by this vulnerability.
  
  Do I misunderstand this? Does the apache package in debian not
  require a security update?
 
  please tell me. thanks.

We believe that there is no security update required because intentionally
exploiting this vulnerability requires access to apache's configuration
(either http.conf or .htaccess).  If a malicious user has access to those
configuration files, they can do many other Bad Things to apache anyway.
So this is not worth fixing.

In the other case, an admin who unintentionally sets up a rule that
would cause this buffer overflow also seems terribly unlikely.

Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.

Therefore, we believe no security update is warranted.

[And I'm getting bored of answering this question.]

-- 
It's not Hollywood.  War is real, war is primarily not about defeat or
victory, it is about death.  I've seen thousands and thousands of dead bodies.
Do you think I want to have an academic debate on this subject? -- Robert Fisk


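The changelog line quoted above ("more than 9 captures") and Lupe's earlier point that the affected directives are usable from .htaccess both come down to one coding pattern: a fixed 10-entry regmatch_t array (slot 0 is the whole match, so only $1..$9 fit) combined with an nmatch derived from the pattern's own group count. The C program below is an added example, not Apache's or Debian's code: an audit helper an admin of an unpatched woody host could run over httpd.conf/.htaccess to flag AliasMatch/ScriptAliasMatch/RedirectMatch/RewriteRule patterns with more than 9 groups, next to a matcher that clamps nmatch to the array length. The 10-slot constant, the directive list and the sample config are assumptions constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Assumption for the example: the regmatch_t array has 10 entries.
 * Slot 0 holds the whole match, so only captures $1..$9 fit. */
#define MAX_REG_MATCH 10

/* Compile a POSIX extended regex and return its number of capture groups
 * (re_nsub), or -1 if the pattern does not compile. */
int count_captures(const char *pattern)
{
    regex_t re;
    int n;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    n = (int) re.re_nsub;
    regfree(&re);
    return n;
}

/* Modelled defect: a caller passing re_nsub + 1 as nmatch into the fixed
 * array. Risky when re_nsub + 1 > MAX_REG_MATCH; non-compiling: 0. */
int pattern_is_risky(const char *pattern)
{
    int n = count_captures(pattern);
    return n >= 0 && n + 1 > MAX_REG_MATCH;
}

/* Hardened matcher: nmatch is clamped to the array length, so extra groups
 * are simply not reported instead of overrunning `out`. Returns the number
 * of valid slots in `out` (<= MAX_REG_MATCH), or 0 on no match or error. */
int safe_match(const char *pattern, const char *subject,
               regmatch_t out[MAX_REG_MATCH])
{
    regex_t re;
    size_t nmatch;
    int rc;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return 0;
    nmatch = re.re_nsub + 1;
    if (nmatch > MAX_REG_MATCH)
        nmatch = MAX_REG_MATCH;
    rc = regexec(&re, subject, nmatch, out, 0);
    regfree(&re);
    return rc == 0 ? (int) nmatch : 0;
}

/* Walk an httpd.conf/.htaccess fragment and count regex directives whose
 * pattern has more than 9 captures. Assumes the pattern is the second
 * whitespace-separated token on the line and is not quoted. */
int audit_config(const char *config)
{
    static const char *directives[] = {
        "AliasMatch", "ScriptAliasMatch", "RedirectMatch", "RewriteRule"
    };
    char buf[4096];
    char *save, *line;
    int risky = 0;
    strncpy(buf, config, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (line = strtok_r(buf, "\n", &save); line != NULL;
         line = strtok_r(NULL, "\n", &save)) {
        char *lsave;
        char *name = strtok_r(line, " \t", &lsave);   /* directive name */
        if (name == NULL)
            continue;
        for (size_t i = 0; i < sizeof directives / sizeof directives[0]; i++) {
            if (strcmp(name, directives[i]) == 0) {
                char *pat = strtok_r(NULL, " \t", &lsave);  /* the regex */
                if (pat != NULL && pattern_is_risky(pat))
                    risky++;
                break;
            }
        }
    }
    return risky;
}

/* Constructed sample config (not taken from the thread): one harmless
 * AliasMatch and one RewriteRule with ten groups. */
const char SAMPLE_CONF[] =
    "AliasMatch ^/icons/(.*)$ /usr/share/apache/icons/$1\n"
    "RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ /x/$1 [L]\n";

/* Runs the hardened matcher on the ten-group pattern; returns slots filled. */
int demo_ten_groups(void)
{
    regmatch_t m[MAX_REG_MATCH];
    return safe_match("^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$", "/abcdefghij", m);
}

int main(void)
{
    printf("safe_match filled %d of %d slots\n", demo_ten_groups(), MAX_REG_MATCH);
    printf("%d risky directive(s) in sample config\n", audit_config(SAMPLE_CONF));
    return 0;
}
```

Feeding the real config files through audit_config tells an admin whether the "> 9 captures" condition exists on the host at all, which is the question the thread leaves each site to answer for itself.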



Re: apache security issue (with upstream new release)

2003-10-31 Thread Matthew Wilcox

Hey, morons, don't drop people from the CC.  Otherwise they'll never
know what you're saying.

On Fri, Oct 31, 2003 at 03:07:26PM +0100, Lupe Christoph wrote:
 Quoting Phillip Hofmeister [EMAIL PROTECTED]:
 
  I believe your justification can be found:
 
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=218188
 
  I'm not saying I agree fully with it...but I do understand it...
 
 Given that some of the affected directives can be used in .htaccess
 files, the potential for an ordinary user to exploit this is there.
 This allows access to the user the Apache work processes run as. Not
 much, but depending on local setup, this can be harmful.

But if a malicious user has access to .htaccess, you're already fucked
five ways from sunday.

-- 
It's not Hollywood.  War is real, war is primarily not about defeat or
victory, it is about death.  I've seen thousands and thousands of dead bodies.
Do you think I want to have an academic debate on this subject? -- Robert Fisk





Re: apache security issue (with upstream new release)

2003-10-31 Thread Roman Medina

Sorry, I misunderstood your answer. I thought you were redirecting me
to the other ml. I've also read the answer sent by Matthew Wilcox
[EMAIL PROTECTED] to this same thread (amongst other related messages
and the like).

My opinion is that if a security bug is discovered it should be fixed
ASAP. It's really simple. The argument: We believe that there is no
security update required because intentionally exploiting this
vulnerability requires access to apache's configuration (either
http.conf or .htaccess). is equivalent to:
yes, we know that our .deb is vulnerable but we are not going to fix
it because it is difficult to exploit or the exploitability is
limited.

Wrong, wrong, wrong. We're talking about a known security issue. Why
not fix it?  All security issues should be taken into account and
should be fixed!!! What would happen if someone discovered a
different attack vector for the *same* bug? Should we wait for this
event to occur? Not really a good idea...

 Regards,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

On Thu, 30 Oct 2003 14:04:35 -0500, you wrote:

On Thu, Oct 30, 2003 at 07:58:50PM +0100, Roman Medina wrote:

 On Thu, 30 Oct 2003 12:21:09 -0500, you wrote:
   Ask [EMAIL PROTECTED]
 
 See above.
 
  I'm not subscribed to debian-apache nor am I going to subscribe only
  to ask this. If this is a security issue in Debian, why not discuss it
  in a Debian security ml? I repeat: I have segfaults in my apache
  error-logs and this happened only recently (this week) so I probably have
  reasons to be scared... or not?

I didn't say that you should subscribe.  I told you where the decision came
from so that you could ask someone who could give you a more specific
answer, and in exchange for this, you keep complaining to me about your
server error logs.  If you cared enough about this issue, you would make the
effort to investigate it yourself.

-- 
 - mdz





Re: apache security issue (with upstream new release)

2003-10-31 Thread Matt Zimmerman
Please respect my Mail-Followup-To header and the Debian mailing list
guidelines, and do not CC me on replies.

On Fri, Oct 31, 2003 at 06:06:15PM +0100, Roman Medina wrote:

 My opinion is that if a security bug is discovered it should be fixed
 ASAP. It's really simple. The argument: We believe that there is no
 security update required because intentionally exploiting this
 vulnerability requires access to apache's configuration (either
 http.conf or .htaccess). is equivalent to:
 yes, we know that our .deb is vulnerable but we are not going to fix
 it because it is difficult to exploit or the exploitability is
 limited.
 
 Wrong, wrong, wrong. We're talking about a known security issue. Why
 not fix it?  All security issues should be taken into account and
 should be fixed!!! What would happen if someone discovered a
 different attack vector for the *same* bug? Should we wait for this
 event to occur? Not really a good idea...

With any security issue, the risk of exploitation is weighed against the
risk of an update (instability, introducing new bugs, human errors, etc.).
If the risk of an update is greater than the risk of the bug itself, an
update is not desirable.

For example, people sometimes file bugs about buffer overflows in simple
programs (which run with no privileges and do not act on any untrusted
input) just because they are buffer overflows, a type of bug which is
associated with many security exposures.  While these are bugs, no
privileges can be gained from them, so they do not represent a security
exposure.

I am not as well-versed on the internals of Apache as our Apache
maintainers, so I am trusting their word that this does not put our users at
risk.

-- 
 - mdz





Re: apache security issue (with upstream new release)

2003-10-31 Thread Hideki Yamane

 Hi,

   Do you know about apache security issue?
 
 Yes.  According to the Apache maintainers, woody does not require an update.
 
  Really? mod_alias is so old(*), I think all of apache 
  would be affected by this vulnerability.

Ask [EMAIL PROTECTED]

 I checked woody's apache source and I cannot find any patches 
 for mod_alias.c in apache-1.3.26/debian/patches directory.
 So I guess debian's apache is affected by this vulnerability.
 
 Do I misunderstand this? Does the apache package in debian not
 require a security update?

 please tell me. thanks.

-- 
Regards,

 Hideki Yamane  mailto:henrich @ iijmio-mail.jp



Re: apache security issue (with upstream new release)

2003-10-30 Thread Hideki Yamane

 thanks to your reply.

  Do you know about apache security issue?

Yes.  According to the Apache maintainers, woody does not require an update.

 Really? mod_alias is so old(*), I think all of apache 
 would be affected by this vulnerability.
 
 * Revision: 1.17, Tue Jul 8 03:45:28 1997 UTC (6 years, 3 months ago) by akosut
   
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_alias.c?rev=1.17&content-type=text/vnd.viewcvs-markup

 Has woody's apache been patched in mod_alias at all?
 If so, why did upstream leave it?

-- 
Regards,

 Hideki Yamane    mailto:henrich @ iijmio-mail.jp





Re: apache security issue (with upstream new release)

2003-10-30 Thread Matt Zimmerman
On Thu, Oct 30, 2003 at 12:12:27AM +0900, Hideki Yamane wrote:

  Do you know about the apache security issue?

Yes.  According to the Apache maintainers, woody does not require an update.

-- 
 - mdz



Re: apache security issue (with upstream new release)

2003-10-30 Thread Matt Zimmerman
On Thu, Oct 30, 2003 at 05:03:36PM +0900, Hideki Yamane wrote:

   Do you know about the apache security issue?
 
 Yes.  According to the Apache maintainers, woody does not require an update.
 
  Really? mod_alias is so old(*), I think all of apache
  would be affected by this vulnerability.

Ask [EMAIL PROTECTED]

-- 
 - mdz



Re: apache security issue (with upstream new release)

2003-10-30 Thread Roman Medina
On Thu, 30 Oct 2003 12:21:09 -0500, you wrote:

On Thu, Oct 30, 2003 at 05:49:34PM +0100, [EMAIL PROTECTED] wrote:

 It's a Woody 3.0 up-to-date machine. Are you sure the Apache shipped with Debian
 is actually secure? These segfaults scare me... it smells like a
 0day exploit...
 [...]
  Ask [EMAIL PROTECTED]

See above.

 I'm not subscribed to debian-apache, nor am I going to subscribe
only to ask this. If this is a security issue in Debian, why not
discuss it on a Debian security ml? I repeat it: I have segfaults in
my apache error-logs and this happened only recently (this week), so I
probably have reasons to be scared... or not?

 Saludos,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]



Re: apache security issue (with upstream new release)

2003-10-30 Thread Matt Zimmerman
On Thu, Oct 30, 2003 at 07:58:50PM +0100, Roman Medina wrote:

 On Thu, 30 Oct 2003 12:21:09 -0500, you wrote:
   Ask [EMAIL PROTECTED]
 
 See above.
 
  I'm not subscribed to debian-apache, nor am I going to subscribe only
  to ask this. If this is a security issue in Debian, why not discuss it
  on a Debian security ml? I repeat it: I have segfaults in my apache
  error-logs and this happened only recently (this week), so I probably have
  reasons to be scared... or not?

I didn't say that you should subscribe.  I told you where the decision came
from so that you could ask someone who could give you a more specific
answer, and in exchange for this, you keep complaining to me about your
server error logs.  If you cared enough about this issue, you would make the
effort to investigate it yourself.

-- 
 - mdz



Re: apache security issue (with upstream new release)

2003-10-30 Thread Phillip Hofmeister
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, 30 Oct 2003 at 01:59:01PM -0500, Roman Medina wrote:
  I'm not subscribed to debian-apache, nor am I going to subscribe
 only to ask this. If this is a security issue in Debian, why not
 discuss it on a Debian security ml? I repeat it: I have segfaults in
 my apache error-logs and this happened only recently (this week), so I
 probably have reasons to be scared... or not?

I believe your justification can be found:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=218188

I'm not saying I agree fully with it...but I do understand it...

- -- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
- --
Excuse #227: You must've hit the wrong anykey. 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/ofGVS3Jybf3L5MQRAsmrAJ4w10DScjzozMIoP3FwEos0GiDEqACfbZQB
ldPevKRBm+kss/AuWzG/Eyw=
=4tp+
-END PGP SIGNATURE-



apache security issue (with upstream new release)

2003-10-29 Thread Hideki Yamane
Hi list,

 Do you know about the apache security issue?

 apache 1.3.29 release announcement is here.
 http://www.apache.org/dist/httpd/Announcement.txt

 this apache 1.3 release includes a security fix.

 Apache 1.3.29 Major changes

  Security vulnerabilities

 * CAN-2003-0542 (cve.mitre.org)
   Fix buffer overflows in mod_alias and mod_rewrite which occurred if
   one configured a regular expression with more than 9 captures.


 apache 2.0.48 release announcement is here.
 http://www.apache.org/dist/httpd/Announcement2.txt
 
 and apache 2.0.48 also includes a security fix.

   Apache 2.0.48 Major changes

   Security vulnerabilities closed since Apache 2.0.47

*) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
   the AF_UNIX socket used to communicate with the cgid daemon and
   the CGI script.  [Jeff Trawick]

*) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
   mod_rewrite which occurred if one configured a regular expression
   with more than 9 captures.  [Andre' Malo]


 and I want to know how it goes in Debian. I cannot find any posts
 in the BTS or on the debian-apache list.

 # and when I posted the apache 2.0.47 release announcement with its
   vulnerability issue to the BTS, the maintainer said "Kindly don't submit
   new version bugs within about 10 minutes of the release. It's childish
   and unhelpful."
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=200593&archive=yes

   so I don't want to post it to the BTS...
-- 
Regards,

 Hideki Yamane    mailto:henrich @ iijmio-mail.jp

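The announcement quoted in the post above says the overflow in mod_alias and mod_rewrite only occurs when a configured regular expression has more than nine captures, so the first thing an administrator on woody can do is find out whether any directive on their own server meets that precondition. The script below is an added example written for this page, not code from the thread, from Debian or from the Apache project. It assumes the set of directives that take a regex argument (AliasMatch, ScriptAliasMatch, RedirectMatch, RewriteRule and RewriteCond, as named in the Apache module documentation), counts capturing groups with a heuristic that honours backslash escapes, bracket expressions and PCRE `(?` groups, and runs over a constructed httpd.conf fragment when given no files.

```python
"""Audit Apache config for the CAN-2003-0542 precondition: a mod_alias or
mod_rewrite regular expression with more than nine capturing groups.
Added example, not code from the thread or from the Apache project."""
import re
import sys
from typing import Iterator, List, Optional, Tuple

# Assumption: the mod_alias / mod_rewrite directives that take a regex
# argument, named as in the Apache 1.3 / 2.0 module documentation.
REGEX_DIRECTIVES = {"aliasmatch", "scriptaliasmatch", "redirectmatch",
                    "rewriterule", "rewritecond"}
MAX_SAFE_CAPTURES = 9  # $1..$9 / %1..%9 are the only back-references
# RedirectMatch may carry an optional status before the regex.
_REDIRECT_STATUS = re.compile(r"^(permanent|temp|seeother|gone|\d{3})$", re.I)
# Apache argument tokenizer: double-quoted strings or bare words.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

def count_captures(pattern: str) -> int:
    """Heuristic capture count: '(' opens a group unless escaped, inside a
    bracket expression, or followed by '?' (PCRE non-capturing/lookaround)."""
    count, i, n, in_bracket = 0, 0, len(pattern), False
    while i < n:
        c = pattern[i]
        if c == "\\":
            i += 2                       # skip the escaped character
            continue
        if in_bracket:
            in_bracket = c != "]"
        elif c == "[":
            in_bracket = True
            if i + 1 < n and pattern[i + 1] == "^":
                i += 1                   # negated class
            if i + 1 < n and pattern[i + 1] == "]":
                i += 1                   # a leading ']' is literal
        elif c == "(" and not (i + 1 < n and pattern[i + 1] == "?"):
            count += 1
        i += 1
    return count

def split_args(line: str) -> List[str]:
    """Split a config line into directive and arguments, honouring quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]

def regex_argument(directive: str, args: List[str]) -> Optional[str]:
    """Pick the argument that holds the regex for the given directive."""
    d = directive.lower()
    if d == "rewritecond":               # RewriteCond TestString CondPattern
        return args[1] if len(args) > 1 else None
    if d == "redirectmatch" and args and _REDIRECT_STATUS.match(args[0]):
        return args[1] if len(args) > 1 else None
    return args[0] if args else None

def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first line number, text) with backslash continuations joined."""
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)

def find_overlong_regexes(text: str, name: str = "<config>") -> List[Tuple[str, int, str, int]]:
    """Return (file, line, directive, captures) for each regex over the limit."""
    findings = []
    for lineno, line in logical_lines(text):
        tokens = split_args(line)        # comment lines never start with a directive
        if not tokens or tokens[0].lower() not in REGEX_DIRECTIVES:
            continue
        pattern = regex_argument(tokens[0], tokens[1:])
        captures = count_captures(pattern) if pattern is not None else 0
        if captures > MAX_SAFE_CAPTURES:
            findings.append((name, lineno, tokens[0], captures))
    return findings

SAMPLE_CONF = r"""# constructed httpd.conf fragment, not taken from any real server
Alias /icons/ /usr/share/apache/icons/
AliasMatch ^/img/([^/]+)/(\d+)\.(gif|jpe?g|png)$ /srv/images/$1/$2.$3
RedirectMatch permanent ^/old/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ http://example.invalid/new/$1
RewriteEngine on
RewriteRule ^/u/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)/(\w+)$ \
            /cgi-bin/show?a=$1 [L]
RewriteRule ^/lit/\(\)[(]+$ /paren
"""

if __name__ == "__main__":
    # Usage: python3 audit_captures.py /etc/apache/httpd.conf [.htaccess ...]
    sources = [(p, open(p, encoding="utf-8", errors="replace").read())
               for p in sys.argv[1:]] or [("<sample>", SAMPLE_CONF)]
    for name, text in sources:
        for f in find_overlong_regexes(text, name):
            print("%s:%d: %s regex has %d captures (limit %d)" % (f + (MAX_SAFE_CAPTURES,)))
```

Point it at /etc/apache/httpd.conf and at any .htaccess files on the server (RedirectMatch and RewriteRule are permitted there under AllowOverride FileInfo; AliasMatch is server-config only). A finding means the configuration actually reaches the code path the 1.3.29 and 2.0.48 fixes touch, which is the fact the disagreement in this thread about "requires access to apache's configuration" turns on. The count is an upper bound: Apache 1.3's bundled POSIX regex engine has no `(?` syntax, so a group written that way would be a configuration error there rather than a non-capturing group.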




Apache: Appears to be vulnerable to CAN-2003-0542 (WAS: apache security issue (with upstream new release))

2003-10-29 Thread Phillip Hofmeister
Cc: [EMAIL PROTECTED]
Package: apache
Version: 1.3.26-0woody3
Tags: security
Severity: grave


I have checked the full bug list also.  It does not appear a bug has
been filed yet.  Therefore I have filed a bug with this email.  If you
have anything additional to add please wait until it shows up on BTS and
send the info to [EMAIL PROTECTED]

Thanks

On Wed, 29 Oct 2003 at 10:13:57AM -0500, Hideki Yamane wrote:
 Hi list,
 
  Do you know about the apache security issue?
 
  apache 1.3.29 release announcement is here.
  http://www.apache.org/dist/httpd/Announcement.txt
 
  this apache 1.3 release includes a security fix.
 
  Apache 1.3.29 Major changes
 
   Security vulnerabilities
 
  * CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.

My *guess* is Woody is vulnerable to this.

  apache 2.0.48 release announcement is here.
  http://www.apache.org/dist/httpd/Announcement2.txt
  
  and apache 2.0.48 also includes a security fix.
 
Apache 2.0.48 Major changes
 
Security vulnerabilities closed since Apache 2.0.47
 
 *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
the AF_UNIX socket used to communicate with the cgid daemon and
the CGI script.  [Jeff Trawick]
 
 *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
mod_rewrite which occurred if one configured a regular expression
with more than 9 captures.  [Andre' Malo]

I would be less likely to believe woody is vulnerable to these since
these seem to be explicitly aimed at 2.0.

  and I want to know how it goes in Debian. I cannot find any posts
  in the BTS or on the debian-apache list.
 
  # and when I posted the apache 2.0.47 release announcement with its
    vulnerability issue to the BTS, the maintainer said "Kindly don't submit
    new version bugs within about 10 minutes of the release. It's childish
    and unhelpful."
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=200593&archive=yes
 
    so I don't want to post it to the BTS...

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #113: Daemons loose in system. 




