اطلاعیه

Collapse
No announcement yet.

Apache 2.x multiple vulnerabilities

Collapse
X
 
  • Filter
  • زمان
  • Show
Clear All
new posts

  • Apache 2.x multiple vulnerabilities

    Apache 2.x multiple vulnerabilities
    Several vulnerabilities have been discovered in Apache 2.0 through 2.045 which, if
    exploited, could allow an attacker to issue denial-of-service attacks or run arbitrary
    code.

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - - - ---------------------------------------------------------------------
    GENTOO LINUX SECURITY ANNOUNCEMENT 200305-13
    - - - ---------------------------------------------------------------------

    PACKAGE : apache-2.x
    SUMMARY : denial of service
    DATE : 2003-06-01 12:01 UTC
    EXPLOIT : remote
    VERSIONS AFFECTED : <apache-2.0.46
    FIXED VERSION : >=apache-2.0.46
    CVE : CAN-2003-0245 CAN-2003-0189

    - - - ---------------------------------------------------------------------

    - From announcement:

    "Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
    certain circumstances. This can be triggered remotely through mod_dav
    and possibly other mechanisms. The crash was originally reported by
    David Endler <[email protected]> and was researched and fixed by
    Joe Orton <[email protected]>. Specific details and an analysis of the
    crash will be published Friday, May 30. No more specific information
    is disclosed at this time, but all Apache 2.0 users are encouraged to
    upgrade now."

    "Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
    vulnerable to a denial-of-service attack on the basic authentication
    module, which was reported by John Hughes <[email protected]>.
    A bug in the configuration ******s caused the apr_password_validate()
    function to be thread-unsafe on platforms with crypt_r(), including
    AIX and Linux. All versions of Apache 2.0 have this thread-safety
    problem on platforms with no crypt_r() and no thread-safe crypt(),
    such as Mac OS X and possibly others. When using a threaded MPM (which
    is not the default on these platforms), this allows remote attackers
    to create a denial of service which causes valid usernames and
    passwords for Basic Authentication to fail until Apache is restarted.
    We do not believe this bug could allow unauthorized users to gain
    access to protected resources."

    Read the full advisories at:
    http://www.apache.org/dist/httpd/Announcement2.html
    http://www.idefense.com/advisory/05.30.03.txt

    SOLUTION

    It is recommended that all Gentoo Linux users who are running
    net-www/apache-2.x upgrade to apache-2.0.46 as follows

    emerge sync
    emerge apache
    emerge clean

    - - - ---------------------------------------------------------------------
    [email protected] - GnuPG key is available at http://cvs.gentoo.org/~aliz
    [email protected]
    - - - ---------------------------------------------------------------------
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (GNU/Linux)

    iD8DBQE+2esxfT7nyhUpoZMRAujeAJ9vVDtNJaOylL/ZoDkmtUC1MOcC9ACfTRoq
    IEClHmpHv3V8Rt4BwINKyTA=
    =o3qS
    -----END PGP SIGNATURE-----
    http://blxk.shabgard.org
Working...
X