Jeremy wrote:
The DoS is caused by a buffer overflow that kills the child process, forcing the parent httpd process to spawn a new child. This spawning requires resources, which is your DoS. According to what I've read, that buffer overflow is the same one that some are now using to gain root access. So if the overflow is fixed, the DoS and remote root are fixed.
That is my understanding as well. I'm just trying to resolve that "if". The two excerpts below are taken from posts by Cliff Woolley on Yahoo Groups new-httpd. He appears to be directly involved in creating the Apache fixes... Both posts imply that it is risky to try to migrate the patch from 1.3.26 to the earlier versions. The second post indicates that ISS only addressed the erroneous code in one place, leaving multiple instances of the problem unaddressed. Given that SuSE had an incomplete picture of the problem when they were (apparently) backporting the Apache fixes for the SuSE 7.x patches, I wonder whether they have also left some instances unpatched. A simple statement on this subject from SuSE might go a long way toward easing my concerns....

========================================================================
Excerpt from first post
========================================================================
As far as I understand, the changes included backporting chunked encoding handling (http_protocol.c: 1.316 -> 1.317), and using ap_strtol() instead of strtol(). Is that all? I need this because I would just like to apply this fix to my local apache source tree, which is version 1.3.20.
No, there's much more to it than that. Several patches went in to several files, including http_protocol.c and several files in the proxy, possibly others. Anyway, it's much safer just to upgrade to 1.3.26. --Cliff

========================================================================
Excerpt from second post
========================================================================
1) My first question is: why does the patch written by ISS not correct this bug?
Because they only cast the value in one place, but type conversions happen on that value in other places as well.
2) My second: how could I correct my Apache proxy? Is there a patch to correct this bug, or do I have to re-install Apache with the 1.3.26 distribution?
The safest thing by far is to upgrade to 1.3.26, which includes a patch for the proxy as well as for the core for this issue. --Cliff
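To make Cliff's point concrete (a chunk size parsed with strtol() into a signed value, then converted in more than one place), here is an added illustration written for this page. It is not Apache's code and not the ISS patch: the function names, the CHUNK_BUF size and the "core" vs. "proxy" consumer split are assumptions chosen to mirror the discussion. Nothing is actually copied; each check only reports whether a chunk size would have been accepted and what length would have reached the copy routine.

```c
/* Added illustration, not Apache code. Names and sizes are assumed. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CHUNK_BUF 4096   /* assumed size of the per-chunk receive buffer */

/* Outcome of a chunk-size check: was it accepted, and what length would
 * be handed to the copy routine. We never perform the copy itself. */
struct chunk_decision {
    int accepted;
    size_t copy_len;
};

/* "Before": strtol() yields a signed long, the bounds check runs on an int,
 * and the copy length is a size_t. strtol() happily accepts a leading '-',
 * so a chunk-size line of "-1" narrows to -1, passes the "> CHUNK_BUF"
 * test, and widens to SIZE_MAX at the copy. This is the pattern that is
 * converted in several places, not just one. */
struct chunk_decision chunk_check_signed(const char *hdr)
{
    struct chunk_decision d = {0, 0};
    long raw = strtol(hdr, NULL, 16);
    int len = (int)raw;            /* conversion #1: long -> int */
    if (len > CHUNK_BUF)           /* negative values sail through */
        return d;
    d.accepted = 1;
    d.copy_len = (size_t)len;      /* conversion #2: negative -> huge */
    return d;
}

/* "Cast in one place": the check itself is done unsigned and is now right
 * for this consumer. Any other consumer of the same chunk size that still
 * calls chunk_check_signed() (the proxy path, in this illustration) keeps
 * the original behaviour, which is why a single cast is not a fix. */
struct chunk_decision chunk_check_cast_in_check(const char *hdr)
{
    struct chunk_decision d = {0, 0};
    long raw = strtol(hdr, NULL, 16);
    if ((unsigned long)raw > CHUNK_BUF)   /* the one-place cast */
        return d;
    d.accepted = 1;
    d.copy_len = (size_t)raw;
    return d;
}

/* Hardened: one strict parser shared by every consumer. Only hex digits
 * are accepted (optionally followed by ';' chunk extensions or CR); signs,
 * whitespace, empty input and overflow are rejected; the result is already
 * unsigned, so there is nothing left to convert at the use sites. */
int parse_chunk_size_strict(const char *hdr, size_t *out)
{
    size_t v = 0;
    const char *p = hdr;
    if (!isxdigit((unsigned char)*p))
        return -1;                              /* empty, sign, space... */
    for (; isxdigit((unsigned char)*p); p++) {
        unsigned c = (unsigned char)*p;
        size_t digit = isdigit(c) ? c - '0' : (size_t)(tolower(c) - 'a' + 10);
        if (v > (SIZE_MAX - digit) / 16)
            return -1;                          /* v*16 + digit overflows */
        v = v * 16 + digit;
    }
    if (*p != '\0' && *p != ';' && *p != '\r')
        return -1;                              /* trailing junk */
    *out = v;
    return 0;
}

struct chunk_decision chunk_check_strict(const char *hdr)
{
    struct chunk_decision d = {0, 0};
    size_t len;
    if (parse_chunk_size_strict(hdr, &len) != 0 || len > CHUNK_BUF)
        return d;
    d.accepted = 1;
    d.copy_len = len;
    return d;
}

int main(void)
{
    /* Constructed sample chunk-size lines, not captured traffic. */
    const char *samples[] = {"10", "1000", "2000", "-1", "ff;ext=1", " 10"};
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct chunk_decision a = chunk_check_signed(samples[i]);
        struct chunk_decision b = chunk_check_cast_in_check(samples[i]);
        struct chunk_decision c = chunk_check_strict(samples[i]);
        printf("%-10s signed:%d/%zu  one-cast:%d/%zu  strict:%d/%zu\n",
               samples[i], a.accepted, a.copy_len, b.accepted, b.copy_len,
               c.accepted, c.copy_len);
    }
    return 0;
}
```

The signed version accepts "-1" and would copy SIZE_MAX bytes; the one-place cast rejects it, but only in the consumer that received the cast, while an unmodified consumer such as the proxy path still accepts it; the strict parser rejects it at the point of parsing, so no later conversion can reintroduce the problem. That is the argument for fixing the parser once rather than casting at each use.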