Fwd: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Seems that the version of Apache that SuSE just released (ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/apache-1.3.23-120.i386.rpm) must still be vulnerable: "The Apache Software Foundation has released versions 1.3.26 and 2.0.39 that address and fix this issue". Is another version coming soon?
Subject: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
[[ Note: this issue affects both 32-bit and 64-bit platforms; the subject of this message emphasizes 32-bit platforms since that is the most important information not announced in our previous advisory. ]]
SUPERSEDES: http://httpd.apache.org/info/security_bulletin_20020617.txt
Date: June 20, 2002
Product: Apache Web Server
Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions up to 2.0.36; Apache 1.2 all versions.
CAN-2002-0392 (mitre.org) [CERT VU#944335]
----------------------------------------------------------
------------UPDATED ADVISORY------------
----------------------------------------------------------

Introduction:
While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential remote exploit vulnerability.
This follow-up to our earlier advisory is to warn of known-exploitable conditions related to this vulnerability on both 64-bit platforms and 32-bit platforms alike. Though we previously reported that 32-bit platforms were not remotely exploitable, it has since been proven by Gobbles that certain conditions allowing exploitation do exist.
Successful exploitation of this vulnerability can lead to the execution of arbitrary code on the server with the permissions of the web server child process. This can facilitate the further exploitation of vulnerabilities unrelated to Apache on the local system, potentially allowing the intruder root access.
Note that early patches for this issue released by ISS and others do not address its full scope.
Due to the existence of exploits circulating in the wild for some platforms, the risk is considered high.
The Apache Software Foundation has released versions 1.3.26 and 2.0.39 that address and fix this issue, and all users are urged to upgrade immediately; updates can be downloaded from http://httpd.apache.org/ .
As a reminder, we respectfully request that anyone who finds a potential vulnerability in our software reports it to security@apache.org.
----------------------------------------------------------
The full text of this advisory including additional details is available at http://httpd.apache.org/info/security_bulletin_20020620.txt .
----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software
http://www.cedarcreeksoftware.com
As I've said on the SLE and on this list...

"SuSE patches the version number that came with the distribution as to not break deps. It may be numbered the same as the "vulnerable" version on the software's site...but SuSE wouldn't make new pkgs with the same problems. This would be silly"

* JW (jw@centraltexasit.com) [020622 12:11]:
::Seems that the version of Apache that SuSE just released
::(ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/apache-1.3.23-120.i386.rpm)
::must still be vulnerable: "The Apache Software Foundation has released versions 1.3.26 and 2.0.39
::that address and fix this issue".
::
::Is another version coming soon?
::

-=Ben
--=====-----=====--
mailto:ben@whack.org
--=====--
Tell me what you believe..I tell you what you should see. -DP
--=====-----=====--
On Sat, Jun 22, 2002 at 01:11:51PM -0700, Ben Rosenberg wrote:
As I've said on the SLE and on this list...
"SuSE patches the version number that came with the distribution as to not break deps. It may be numbered the same as the "vulnerable" version on the software's site...but SuSE wouldn't make new pkgs with the same problems. This would be silly"
And is there a way to find out that the fix is in from the *binary* rpm? I've just looked but haven't found a Changelog for the SuSE-specific patches or something. If not, I think that this should be fixed.

Ciao
Jörg
--
Joerg Mayer <jmayer@loplof.de>
I found out that "pro" means "instead of" (as in proconsul). Now I know what proactive means.
* Joerg Mayer (jmayer@loplof.de) [020622 14:27]:
::On Sat, Jun 22, 2002 at 01:11:51PM -0700, Ben Rosenberg wrote:
::> As I've said on the SLE and on this list...
::>
::> "SuSE patches the version number that came with the distribution as to
::> not break deps. It may be numbered the same as the "vulnerable" version
::> on the software's site...but SuSE wouldn't make new pkgs with the same
::> problems. This would be silly"
::
::And is there a way to find out that the fix is in from the *binary* rpm?
::I've just looked but haven't found a Changelog for the SuSE-specific
::patches or something. If not, I think that this should be fixed.

Don't be a smartass. Of course you couldn't just get it from the binary. You might want to look in the src directory under updates for the patched src.

ncftp ...se/i386/update/8.0/zq1 > ls -la apache*
-rw-r--r--   1 suse     susewww   2619848 Jun 18 13:27 apache-1.3.23-120.src.rpm
lrwxrwxrwx   1 suse     susewww        25 Jun 19 16:06 apache.spm -> apache-1.3.23-120.src.rpm
ncftp ...se/i386/update/8.0/zq1 >

There is also a patches directory... I said they patched the current version...not that they were secretive and didn't give the src for you to look at. See "apache-1.3.23-120.i386_en.info" in the n2 directory, which contains the new pkg. If you can't figure out ftp..here's the text...

--
apache: The Apache Web server
----------------------------------------------------------------------
File:      apache-1.3.23-120.i386.rpm
Patchrpm:  apache-1.3.23-120.i386.patch.rpm
Version:   1.3.23
Size:      764 kB
Patchsize: 180 kB
Date:      Tue 18 Jun 2002 03:20:41 PM CEST
Source:    apache-1.3.23-120.src.rpm
Security:  Yes
----------------------------------------------------------------------
Description:
Security update:
This update fixes a buffer overflow in the Apache web server.
--

-=Ben
--=====-----=====--
mailto:ben@whack.org
--=====--
Tell me what you believe..I tell you what you should see. -DP
--=====-----=====--
On Sat, Jun 22, 2002 at 02:36:33PM -0700, Ben Rosenberg wrote:
* Joerg Mayer (jmayer@loplof.de) [020622 14:27]:
::And is there a way to find out that the fix is in from the *binary* rpm?
::I've just looked but haven't found a Changelog for the SuSE-specific
::patches or something. If not, I think that this should be fixed.
Don't be a smartass. Of course you couldn't just get it from the binary. You might want to look in the src directory under updates for the patched src.
Oops, sorry if you understood it that way - hmm, maybe I should have left out the "And" at the beginning. What I was aiming at is that if SuSE (and all other rpm providers as well) change the behaviour of a well known package (such as apache-1.2.23) they should make the documentation of these changes available to binary rpm users. I don't care when they change something that is relevant to the packaging process only, but otherwise, I'd like to know.

Ciao
Jörg
--
Joerg Mayer <jmayer@loplof.de>
I found out that "pro" means "instead of" (as in proconsul). Now I know what proactive means.
On Sat, Jun 22, 2002 at 11:57:19PM +0200, Joerg Mayer wrote:
On Sat, Jun 22, 2002 at 02:36:33PM -0700, Ben Rosenberg wrote:
* Joerg Mayer (jmayer@loplof.de) [020622 14:27]:
::And is there a way to find out that the fix is in from the *binary* rpm?
::I've just looked but haven't found a Changelog for the SuSE-specific
::patches or something. If not, I think that this should be fixed.
Don't be a smartass. Of course you couldn't just get it from the binary. You might want to look in the src directory under updates for the patched src.
Oops, sorry if you understood it that way - hmm, maybe I should have left out the "And" at the beginning. What I was aiming at is that if SuSE (and all other rpm providers as well) change the behaviour of a well known package (such as apache-1.2.23) they should make the documentation of these changes available to binary rpm users. I don't care when they change something that is relevant to the packaging process only, but otherwise, I'd like to know.
Ciao Jörg
lars@johann:~> rpm --help
[ ... ]
Information selection options:
  -i                        - display package information
  --changelog               - display the package's change log
[ ... ]
lars@johann:~> rpm -qp --changelog SuSE-updates/i386/update/7.3/n2/apache-1.3.20-65.i386.rpm | head
* Mon Mar 04 2002 - okir@suse.de
- security fix (buffer overflow in session cache)
* Sun Sep 23 2001 - fischer@suse.de
- change SuSEconfig.apache to use the modules in a deterministic order
* Thu Sep 20 2001 - poeml@suse.de

Cheers,
Lars
lars@johann:~> rpm -qp --changelog SuSE-updates/i386/update/7.3/n2/apache-1.3.20-65.i386.rpm | head
Oops, sorry for that, I meant

lars@johann:~> rpm -qp --changelog SuSE-updates/i386/update/7.3/n2/apache-1.3.20-66.i386.rpm | head
* Tue Jun 18 2002 - okir@suse.de
- Fixed security problem in the handling of chunked requests (CERT CA-2002-17)
* Mon Mar 04 2002 - okir@suse.de
- security fix (buffer overflow in session cache)
* Sun Sep 23 2001 - fischer@suse.de

/Lars
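An added example, not from the thread: a small POSIX shell helper that automates the check Lars shows, scanning "rpm -qp --changelog" output for the entry that mentions a given advisory identifier and reporting that entry's date and packager, so a backported fix can be confirmed even though the package keeps the old version number. The sample changelog is constructed from the listing above; the function and variable names are my own.

```shell
# Added example: verify a backported security fix from a binary RPM's changelog.
# SuSE keeps the upstream version number (1.3.23) and backports the fix, so the
# package label proves nothing; the changelog entry is the evidence.

# find_fix_entry ID: reads "rpm -qp --changelog" output on stdin and prints the
# header ("* <date> - <packager>") of the first entry whose text mentions ID
# (case-insensitive). Exit status 0 if found, 1 if not.
find_fix_entry() {
    awk -v id="$1" '
        /^\* /                          { hdr = $0; next }          # entry header line
        index(tolower($0), tolower(id)) { print hdr; found = 1; exit }
        END                             { exit (found ? 0 : 1) }
    '
}

# rpm_has_fix PKG.rpm ID: the real-world wrapper (needs rpm installed; not run here).
# Example: rpm_has_fix apache-1.3.23-120.i386.rpm CA-2002-17
rpm_has_fix() {
    rpm -qp --changelog "$1" | find_fix_entry "$2"
}

# Constructed sample: the first lines of the changelog Lars pasted for the
# 7.3 update package (apache-1.3.20-66), in SuSE's "* date - packager" format.
SAMPLE_CHANGELOG='* Tue Jun 18 2002 - okir@suse.de
- Fixed security problem in the handling of chunked requests (CERT CA-2002-17)
* Mon Mar 04 2002 - okir@suse.de
- security fix (buffer overflow in session cache)
* Sun Sep 23 2001 - fischer@suse.de
- change SuSEconfig.apache to use the modules in a deterministic order'

# sample_fix_entry ID: run the check against the constructed sample (offline).
sample_fix_entry() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | find_fix_entry "$1"
}

# When run directly: report whether the chunked-request fix is present.
if entry=$(sample_fix_entry "CA-2002-17"); then
    echo "chunked-encoding fix present, added in entry: $entry"
else
    echo "no changelog entry mentions CA-2002-17: treat the package as unfixed"
fi
```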
On Sun, Jun 23, 2002 at 12:22:30AM +0200, l.g.e@web.de wrote:
lars@johann:~> rpm -qp --changelog SuSE-updates/i386/update/7.3/n2/apache-1.3.20-65.i386.rpm | head
Great! That was what I was looking for.

Thanks
Jörg
--
Joerg Mayer <jmayer@loplof.de>
I found out that "pro" means "instead of" (as in proconsul). Now I know what proactive means.
On Saturday 22 June 2002 15:11, Ben Rosenberg wrote:
As I've said on the SLE and on this list...
"SuSE patches the version number that came with the distribution as to not break deps. It may be numbered the same as the "vulnerable" version on the software's site...but SuSE wouldn't make new pkgs with the same problems. This would be silly"
Ben,

Yes, but I was coming from this perspective: _after_ SuSE released the "new" version, it was announced that 32 bit architectures were [potentially] exploitable too. I thought, in effect, that this could be a "second" problem that wasn't dealt with in the former versions.

Not that my method of thinking is worth anything :-D

JW
On Sat, Jun 22, 2002 at 02:14:43PM -0500, JW wrote:
Seems that the version of Apache that SuSE just released (ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/apache-1.3.23-120.i386.rpm) must still be vulnerable: "The Apache Software Foundation has released versions 1.3.26 and 2.0.39 that address and fix this issue".
Is another version coming soon?
It's not the label of our package that matters -- but what's inside :)

Peter
--
VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
Peter Poeml <poeml@suse.de> writes:
It's not the label of our package that matters -- but what's inside :)
So do SuSE package the latest version but keep the RPM name the same, or just apply sufficient patches to overcome the security problem?
* Graham Murray (graham@barnowl.demon.co.uk) [020624 23:06]:
::
::or just apply sufficient patches to overcome the security problem?

This is what they do. Certain pieces of software have functionality added to them with each release. If the newer releases are not tested and they've changed how things work..then many other packages can break horribly. So it's best to just patch the hole in the currently tested pkg.

-=Ben
--=====-----=====--
mailto:ben@whack.org
--=====--
Tell me what you believe..I tell you what you should see. -DP
--=====-----=====--