- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                         GLSA 200403-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Multiple security vulnerabilities in Apache 2
      Date: March 22, 2004
      Bugs: #45206
        ID: 200403-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A memory leak in mod_ssl allows a remote denial of service attack
against an SSL-enabled server via plain HTTP requests. A second flaw
allows arbitrary client-supplied strings to be written to the error
log, which can be used to exploit certain terminal emulators. A third
flaw exists in the mod_disk_cache module.

Background
==========

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems. The goal of this
project is to provide a secure, efficient and extensible server that
provides services in tune with the current HTTP standards.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /    Vulnerable    /                   Unaffected
    -------------------------------------------------------------------
     net-www/apache       <= 2.0.48                            == 1.3*
     net-www/apache       <= 2.0.48                          >= 2.0.49

Description
===========

Three vulnerabilities were found:

1. A memory leak in ssl_engine_io.c for mod_ssl in Apache 2.0.48 and
   below allows remote attackers to cause a denial of service via
   plain HTTP requests to the SSL port of an SSL-enabled server.

2. Apache fails to filter terminal escape sequences from error logs.
   These sequences begin with the ASCII escape character (0x1B) and
   are followed by a series of arguments. If a remote attacker could
   inject escape sequences into an Apache error log, the attacker
   could take advantage of weaknesses in various terminal emulators,
   launching attacks against remote users including further denial of
   service attacks, file modification, and the execution of arbitrary
   commands.

3. The Apache mod_disk_cache module has been found to be vulnerable
   to a weakness that allows attackers to gain access to
   authentication credentials, because it caches HTTP hop-by-hop
   headers which would contain plaintext user passwords. There is no
   available resolution for this issue yet.
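
One way to check an existing error log for the escape-sequence issue in
item 2 and to view the affected lines safely. This is an added example,
not part of the advisory or of Apache; the function names and the sample
log lines are constructed for illustration.

```python
ESC = 0x1B  # the byte the advisory names as the start of an escape sequence


def escape_line(raw: bytes) -> str:
    """Render a log line so a terminal displays control bytes instead of acting on them."""
    out = []
    for b in raw.rstrip(b"\r\n"):
        if b == 0x5C:                         # backslash: double it so the output is unambiguous
            out.append("\\\\")
        elif 0x20 <= b <= 0x7E or b == 0x09:  # printable ASCII and tab pass through
            out.append(chr(b))
        else:                                 # everything else is shown as \xNN
            out.append(f"\\x{b:02x}")
    return "".join(out)


def find_escape_lines(lines):
    """Return (line_number, esc_count, safe_text) for each line containing a raw ESC byte."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        count = raw.count(bytes([ESC]))
        if count:
            hits.append((n, count, escape_line(raw)))
    return hits


# Constructed sample lines in error-log style (not taken from a real server).
# Line 2 carries raw ESC bytes (a harmless colour change); line 3 carries the
# literal text "\x1b", which is already inert and must not be flagged.
SAMPLE_LOG = [
    b"[Mon Mar 22 10:15:02 2004] [error] [client 192.0.2.10] File does not exist: /srv/www/htdocs/favicon.ico\n",
    b"[Mon Mar 22 10:15:09 2004] [error] [client 192.0.2.77] File does not exist: /srv/www/htdocs/\x1b[31mred\x1b[0m\n",
    b"[Mon Mar 22 10:15:11 2004] [error] [client 192.0.2.77] Invalid URI in request GET \\x1b[31m HTTP/1.0\n",
]

if __name__ == "__main__":
    for n, count, text in find_escape_lines(SAMPLE_LOG):
        print(f"line {n}: {count} ESC byte(s): {text}")
```

To scan a real log, open it in binary mode and pass the file object to
find_escape_lines() so that no byte is decoded before it is checked.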

Impact
======

No special privileges are required to exploit these vulnerabilities.
As a result, all users are advised to upgrade their Apache
installations.

Workaround
==========

There is no immediate workaround; a software upgrade is required. There
is no workaround for the mod_disk_cache issue; users are advised to
disable the feature on their servers until a patched version is
released.

Resolution
==========

Users are urged to upgrade to Apache 2.0.49:

    # emerge sync
    # emerge -pv ">=net-www/apache-2.0.49"
    # emerge ">=net-www/apache-2.0.49"

    # ** IMPORTANT **

    # If you are migrating from Apache 2.0.48-r1 or earlier versions,
    # it is important that the following directories are removed.

    # The following commands should cause no data loss since these
    # are symbolic links.

    # rm /etc/apache2/lib /etc/apache2/logs /etc/apache2/modules
    # rm /etc/apache2/modules

    # ** ** ** ** **

    # ** ALSO NOTE **

    # Users who use mod_disk_cache should edit their Apache
    # configuration and disable mod_disk_cache.

References
==========

[ 1 ] http://www.securityfocus.com/bid/9933/info/
[ 2 ] http://www.apache.org/dist/httpd/Announcement2.html

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.