Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities
Anyone know how to see if UseCannocialName is on or off by default? I am
using Apache 1.3.26.
Thanks,
Roger
On Mon, 2002-11-04 at 10:26, Martin Schulze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 187-1 security@debian.org
> http://www.debian.org/security/ Martin Schulze
> November 4th, 2002 http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : apache
> Vulnerability : several
> Problem-Type : remote, local
> Debian-specific: no
> CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 CAN-2002-1233
> BugTraq ID : 5847 5884 5887
>
> According to David Wagner, iDEFENSE and the Apache HTTP Server
> Project, several remotely exploitable vulnerabilities have been found
> in the Apache package, a commonly used webserver. These
> vulnerabilities could allow an attacker to enact a denial of service
> against a server or execute a cross scripting attack. The Common
> Vulnerabilities and Exposures (CVE) project identified the following
> vulnerabilities:
>
> 1. CAN-2002-0839: A vulnerability exists on platforms using System V
> shared memory based scoreboards. This vulnerability allows an
> attacker who can execute under the Apache UID to exploit the Apache
> shared memory scoreboard format and send a signal to any process as
> root or cause a local denial of service attack.
>
> 2. CAN-2002-0840: Apache is susceptible to a cross site scripting
> vulnerability in the default 404 page of any web server hosted on a
> domain that allows wildcard DNS lookups.
>
> 3. CAN-2002-0843: There were some possible overflows in the utility
> ApacheBench (ab) which could be exploited by a malicious server.
>
> 4. CAN-2002-1233: A race condition in the htpasswd and htdigest
> program enables a malicious local user to read or even modify the
> contents of a password file or easily create and overwrite files as
> the user running the htpasswd (or htdigest respectively) program.
>
> 5. CAN-2001-0131: htpasswd and htdigest in Apache 2.0a9, 1.3.14, and
> others allows local users to overwrite arbitrary files via a
> symlink attack.
>
> This is the same vulnerability as CAN-2002-1233, which was fixed in
> potato already but got lost later and was never applied upstream.
>
> 5. NO-CAN: Several buffer overflows have been found in the ApacheBench
> (ab) utility that could be exploited by a remote server returning
> very long strings.
>
> These problems have been fixed in version 1.3.26-0woody3 for the
> current stable distribution (woody) and in 1.3.9-14.3 for the old
> stable distribution (potato). Corrected packages for the unstable
> distribution (sid) are expected soon.
>
> We recommend that you upgrade your Apache package immediately.
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 2.2 alias potato
> - ---------------------------------
>
> Source archives:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3.diff.gz
> Size/MD5 checksum: 345741 5f88eecddfe95c8366888bb71e0917ce
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3.dsc
> Size/MD5 checksum: 666 d69af430768983c68a2d881c4c9ee236
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9.orig.tar.gz
> Size/MD5 checksum: 1691969 6758fe8b931be0b634b6737d9debf703
>
> Architecture independent components:
>
> http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.9-14.3_all.deb
> Size/MD5 checksum: 544588 95611594e54cb8bf69b5ffa47598a17d
>
> Alpha architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_alpha.deb
> Size/MD5 checksum: 409920 178a31efa994c54161515d7e5dceb32a
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.9-14.3_alpha.deb
> Size/MD5 checksum: 809564 102b7a7ed3be7752ff80f209c755ca8e
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.9-14.3_alpha.deb
> Size/MD5 checksum: 754386 39db60aedbba0afaa45015149e6cabd6
>
> ARM architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_arm.deb
> Size/MD5 checksum: 366248 3cba61971237b64017d19ed554d89d99
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.9-14.3_arm.deb
> Size/MD5 checksum: 738516 650be6a02b3f3dd8ede817e29ab81afa
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.9-14.3_arm.deb
> Size/MD5 checksum: 555462 cf94ce0aff0b69003a015e6fba73cc3c
>
> Intel IA-32 architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_i386.deb
> Size/MD5 checksum: 359946 aae786f44f00d4c62b09ccd33fbef609
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.9-14.3_i386.deb
> Size/MD5 checksum: 718786 33046433f742f4bf5628d82afad4c18e
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.9-14.3_i386.deb
> Size/MD5 checksum: 548902 86fd170a541de8c70d5abff2fca8d544
>
> Motorola 680x0 architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_m68k.deb
> Size/MD5 checksum: 349398 e508d96353523cd52d1530ab3dc90494
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.9-14.3_m68k.deb
> Size/MD5 checksum: 724182 8fa69e2b49a7448d94ed50a89f680eb6
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.9-14.3_m68k.deb
> Size/MD5 checksum: 549044 ba2ca56e2048b72b0af0abcbfa667603
>
> PowerPC architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_powerpc.deb
> Size/MD5 checksum: 372956 1a4130e6e35649062bdfe9eb31ba416f
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.9-14.3_powerpc.deb
> Size/MD5 checksum: 744222 abe11e9934a4aef4e518901f6f7aa514
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.9-14.3_powerpc.deb
> Size/MD5 checksum: 574710 6c3fe2b6c5e1ea07552da8a2e6470c7e
>
> Sun Sparc architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_sparc.deb
> Size/MD5 checksum: 369762 136624ff5072da52ead45ad5e99000bc
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.9-14.3_sparc.deb
> Size/MD5 checksum: 766658 b4625a1f3489dc02cb624fb9d5deffdd
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.9-14.3_sparc.deb
> Size/MD5 checksum: 559904 a2bf67269a3c48a036b9ac64b791ee5d
>
>
> Debian GNU/Linux 3.0 alias woody
> - --------------------------------
>
> Source archives:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3.diff.gz
> Size/MD5 checksum: 324523 41008783f82dc718ac683db882797722
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3.dsc
> Size/MD5 checksum: 668 f379e80785f1308c90da3c26f081e647
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26.orig.tar.gz
> Size/MD5 checksum: 2586182 5cd778bbe6906b5ef39dbb7ef801de61
>
> Architecture independent components:
>
> http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.26-0woody3_all.deb
> Size/MD5 checksum: 1022554 a13fce3a93f137ef243bc743e7b5a57d
>
> Alpha architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_alpha.deb
> Size/MD5 checksum: 395402 fef4da568cae603f57adbae95a76a592
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_alpha.deb
> Size/MD5 checksum: 925748 38631e1fb7f2a1e8df604eaeda11591f
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_alpha.deb
> Size/MD5 checksum: 713834 5b6bca42fbcaf810079c2654cfef2d1d
>
> ARM architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_arm.deb
> Size/MD5 checksum: 361042 f3a265c6a6e36f58a6b751095f46b0ad
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_arm.deb
> Size/MD5 checksum: 838450 b448f9c0d51e144332d3f6f19ecdb59e
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_arm.deb
> Size/MD5 checksum: 544250 e9637f6e8771c5e24cebb811cf4a3311
>
> Intel IA-32 architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_i386.deb
> Size/MD5 checksum: 353130 95d81b2239554383c56c7d193c476ddb
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_i386.deb
> Size/MD5 checksum: 813172 98146bac67cff4cf252e4ff2bbbb6560
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_i386.deb
> Size/MD5 checksum: 535652 c1159fd49c0cf0aec2bca984f93d6f25
>
> Intel IA-64 architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_ia64.deb
> Size/MD5 checksum: 436772 e0052fc13623fdf6658897af57ccfe57
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_ia64.deb
> Size/MD5 checksum: 1011984 430974e4b9b3a79ed4058289bbab6acf
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_ia64.deb
> Size/MD5 checksum: 949028 ea2448657dbe3d4ce4f8298e4d49384e
>
> HP Precision architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_hppa.deb
> Size/MD5 checksum: 386082 d1a30db030dc4bff1c81218a4a051643
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_hppa.deb
> Size/MD5 checksum: 890940 4d4a7cc736df264e3162dc809629dc65
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_hppa.deb
> Size/MD5 checksum: 586982 4ddcb6a10031dee8d29059db2ae906fe
>
> Motorola 680x0 architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_m68k.deb
> Size/MD5 checksum: 347810 9a13cf03c077aba227aa8ce40aabd7e7
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_m68k.deb
> Size/MD5 checksum: 820744 3e50ff2e1980cde0009e8d681ba7a1ad
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_m68k.deb
> Size/MD5 checksum: 537150 ea8b8c14ac0b198a50fc73197cdbdaab
>
> Big endian MIPS architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_mips.deb
> Size/MD5 checksum: 376358 1d82148e1e8bf0eacd544681ac668e25
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_mips.deb
> Size/MD5 checksum: 843814 e689b5b5fdcec8d6e9bf44ec672eee8b
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_mips.deb
> Size/MD5 checksum: 576300 b8a0b03fd2d119a7519a16acec316e0b
>
> Little endian MIPS architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_mipsel.deb
> Size/MD5 checksum: 376424 0e669f97720075d01ee294054da1cd1e
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_mipsel.deb
> Size/MD5 checksum: 842510 d563cfe249296461fa2aa998e7f479f6
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_mipsel.deb
> Size/MD5 checksum: 565518 54a136314491e2f9ce42d3ba9a2b148f
>
> PowerPC architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_powerpc.deb
> Size/MD5 checksum: 366902 210e698fe3f282f5a0ec0455351f0f71
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_powerpc.deb
> Size/MD5 checksum: 845816 eeb281d15a03845769ad8db36ced9f69
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_powerpc.deb
> Size/MD5 checksum: 558800 9782db00bede5da95c77fda15756e603
>
> IBM S/390 architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_s390.deb
> Size/MD5 checksum: 360932 dac73742388690f1ffe240f18e3b4d3a
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_s390.deb
> Size/MD5 checksum: 828556 e7ba2937fa91341e1dd2e1f0ab4a5fb3
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_s390.deb
> Size/MD5 checksum: 554128 630504452f6cf1067c17124e805a0f33
>
> Sun Sparc architecture:
>
> http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody3_sparc.deb
> Size/MD5 checksum: 360822 6a4bd36487e3f0e98be588eb367c3c6a
> http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody3_sparc.deb
> Size/MD5 checksum: 847188 4d3dd23c4f4e7e2245aeeb2c96b67743
> http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody3_sparc.deb
> Size/MD5 checksum: 544730 10b2d3630f525b1ec15f813540450d10
>
>
> These files will probably be moved into the stable distribution on
> its next revision.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
>
> iD8DBQE9xpHAW5ql+IAeqTIRAt8hAJ42/48N32kah2xia3lS/jQqxj7LyACgiiOg
> fM0GFwvDUde7P+lv/L0Rg/E=
> =w6Iz
> -----END PGP SIGNATURE-----
Reply to: