Mailinglist Archive: opensuse-security (499 mails)

Fwd: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
  • From: JW <jw@xxxxxxxxxxxxxxxxxx>
  • Date: Sat, 22 Jun 2002 14:14:43 -0500
  • Message-id: <>
Seems that the version of Apache that SuSE just released ( must still be vulnerable: "The Apache Software Foundation has released versions 1.3.26 and 2.0.39
that address and fix this issue".

Is another version coming soon?

>Subject: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
>X-Spam-Rating: 1.6.2 0/1000/N
> [[ Note: this issue affects both 32-bit and 64-bit platforms; the
> subject of this message emphasizes 32-bit platforms since that
> is the most important information not announced in our previous
> advisory. ]]
>Date: June 20, 2002
>Product: Apache Web Server
>Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions
>up to 2.0.36; Apache 1.2 all versions.
>CAN-2002-0392 ( [CERT VU#944335]
> ------------UPDATED ADVISORY------------
>
>While testing for Oracle vulnerabilities, Mark Litchfield discovered a
>denial of service attack for Apache on Windows. Investigation by the
>Apache Software Foundation showed that this issue has a wider scope, which
>on some platforms results in a denial of service vulnerability, while on
>some other platforms presents a potential remote exploit vulnerability.
>
>This follow-up to our earlier advisory is to warn of known-exploitable
>conditions related to this vulnerability on both 64-bit platforms and
>32-bit platforms alike. Though we previously reported that 32-bit
>platforms were not remotely exploitable, it has since been proven by
>Gobbles that certain conditions allowing exploitation do exist.
>
>Successful exploitation of this vulnerability can lead to the execution of
>arbitrary code on the server with the permissions of the web server child
>process. This can facilitate the further exploitation of vulnerabilities
>unrelated to Apache on the local system, potentially allowing the intruder
>root access.
>
>Note that early patches for this issue released by ISS and others do not
>address its full scope.
>
>Due to the existence of exploits circulating in the wild for some platforms,
>the risk is considered high.
>
>The Apache Software Foundation has released versions 1.3.26 and 2.0.39
>that address and fix this issue, and all users are urged to upgrade
>immediately; updates can be downloaded from .
>
>As a reminder, we respectfully request that anyone who finds a potential
>vulnerability in our software reports it to security@xxxxxxxxxxx
>
>The full text of this advisory including additional details is available
>at .

Jonathan Wilson
System Administrator
Cedar Creek Software
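As an added example (not part of the original message or of the ASF advisory it quotes), here is a small Python check that classifies an Apache version banner against the affected and fixed versions the advisory names: 1.2.x (all), 1.3.x before 1.3.26, and 2.0.x before 2.0.39 are affected; 1.3.26 and 2.0.39 are the fixed releases. The `Server:` lines are constructed sample input, and `parse_apache_version` / `classify` are names chosen here, not tooling from Apache or SuSE. It also encodes the caveat the message itself runs into: a version string alone cannot tell you whether a vendor package carries a backported fix, and a masked banner tells you nothing at all, so an "affected" verdict from the banner is a reason to consult the vendor's own advisory, not proof of exposure.

```python
import re

# Fixed releases named in the quoted ASF advisory for CAN-2002-0392.
FIXED = {
    (1, 3): (1, 3, 26),  # Apache 1.3 branch fixed in 1.3.26
    (2, 0): (2, 0, 39),  # Apache 2.0 branch fixed in 2.0.39
}

# Matches "Apache/1.3.24" in a Server header or in `httpd -v` output.
_VER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(banner):
    """Return (major, minor, patch) from a banner, or None if no
    Apache/x.y.z token is present (e.g. ServerTokens Prod hides it)."""
    m = _VER_RE.search(banner)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def classify(banner):
    """Classify a banner as 'affected', 'fixed' or 'unknown' using only
    the version ranges stated in the advisory.  'unknown' covers masked
    banners and branches the advisory does not mention.  An 'affected'
    result is a version-string verdict only: a vendor may ship a patched
    build under the old version number, so confirm against the vendor's
    security announcement before concluding a host is exposed."""
    v = parse_apache_version(banner)
    if v is None:
        return "unknown"
    major, minor, _patch = v
    if (major, minor) == (1, 2):
        return "affected"           # advisory: Apache 1.2, all versions
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown"            # branch not covered by the advisory
    return "fixed" if v >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample banners (not captured from any real host).
    samples = [
        "Server: Apache/1.3.24 (Unix) (SuSE/Linux)",
        "Server: Apache/1.3.26 (Unix)",
        "Server: Apache/2.0.36 (Win32)",
        "Server: Apache/2.0.39 (Win32)",
        "Server version: Apache/1.2.6 (Unix)",
        "Server: Apache",
    ]
    for s in samples:
        print(f"{classify(s):9s} <- {s}")
```

Feed it the `Server:` header from a HEAD request or the first line of `httpd -v`; anything reported as "affected" still needs a look at the distribution's changelog, which is exactly the question this message asks about the SuSE package.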
