Mailinglist Archive: opensuse-security (499 mails)

< Previous Next >
Fwd: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
  • From: JW <jw@xxxxxxxxxxxxxxxxxx>
  • Date: Sat, 22 Jun 2002 14:14:43 -0500
  • Message-id: <5.1.0.14.0.20020622141207.017d85e0@xxxxxxxxxxxxxxxxxxxxxxx>
Seems that the version of Apache that SuSE just released (ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/apache-1.3.23-120.i386.rpm) must still be vulnerable: "The Apache Software Foundation has released versions 1.3.26 and 2.0.39
that address and fix this issue".

Is another version coming soon?

>Subject: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
>X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
>
>
> [[ Note: this issue affects both 32-bit and 64-bit platforms; the
> subject of this message emphasizes 32-bit platforms since that
> is the most important information not announced in our previous
> advisory. ]]
>
>
>SUPERSEDES: http://httpd.apache.org/info/security_bulletin_20020617.txt
>
>Date: June 20, 2002
>Product: Apache Web Server
>Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions
>up to 2.0.36; Apache 1.2 all versions.
>
>CAN-2002-0392 (mitre.org) [CERT VU#944335]
>
>----------------------------------------------------------
> ------------UPDATED ADVISORY------------
>----------------------------------------------------------
>Introduction:
>
>While testing for Oracle vulnerabilities, Mark Litchfield discovered a
>denial of service attack for Apache on Windows. Investigation by the
>Apache Software Foundation showed that this issue has a wider scope, which
>on some platforms results in a denial of service vulnerability, while on
>some other platforms presents a potential remote exploit vulnerability.
>
>This follow-up to our earlier advisory is to warn of known-exploitable
>conditions related to this vulnerability on both 64-bit platforms and
>32-bit platforms alike. Though we previously reported that 32-bit
>platforms were not remotely exploitable, it has since been proven by
>Gobbles that certain conditions allowing exploitation do exist.
>
>Successful exploitation of this vulnerability can lead to the execution of
>arbitrary code on the server with the permissions of the web server child
>process. This can facilitate the further exploitation of vulnerabilities
>unrelated to Apache on the local system, potentially allowing the intruder
>root access.
>
>Note that early patches for this issue released by ISS and others do not
>address its full scope.
>
>Due to the existence of exploits circulating in the wild for some platforms,
>the risk is considered high.
>
>The Apache Software Foundation has released versions 1.3.26 and 2.0.39
>that address and fix this issue, and all users are urged to upgrade
>immediately; updates can be downloaded from http://httpd.apache.org/ .
>
>As a reminder, we respectfully request that anyone who finds a potential
>vulnerability in our software reports it to security@xxxxxxxxxxx
>
>----------------------------------------------------------
>
>The full text of this advisory including additional details is available
>at http://httpd.apache.org/info/security_bulletin_20020620.txt .

----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com


< Previous Next >