Gentoo Archives: gentoo-announce

From: Kurt Lieber <klieber@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200405-22 ] Apache 1.3: Multiple vulnerabilities
Date: Wed, 26 May 2004 16:34:23
Message-Id: 20040526163240.GR3228@mail.lieber.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200405-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Apache 1.3: Multiple vulnerabilities
Date: May 26, 2004
Bugs: #51815
ID: 200405-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several security vulnerabilities have been fixed in the latest release
of Apache 1.3.

Background
==========

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems. The goal of this
project is to provide a secure, efficient and extensible server that
provides services in tune with the current HTTP standards.

Affected packages
=================

-------------------------------------------------------------------
  #  Package           /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
  1  net-www/apache       < 1.3.31       >= 1.3.31

Description
===========

On 64-bit big-endian platforms, mod_access does not properly parse
Allow/Deny rules that use IP addresses without a netmask, which could
result in failure to match certain IP addresses.

Terminal escape sequences are not filtered from error logs. This could
be used by an attacker to insert escape sequences into a terminal
emulator vulnerable to escape sequences.

mod_digest does not properly verify the nonce of a client response by
using an AuthNonce secret. This could permit an attacker to replay the
response of another website. This does not affect mod_auth_digest.

On certain platforms there is a starvation issue where listening
sockets fail to handle short-lived connections on a rarely-accessed
listening socket. This causes the child to hold the accept mutex and
block out new connections until another connection arrives on the same
rarely-accessed listening socket, thus leading to a denial of service.

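The escape-sequence issue above (CAN-2003-0020) only does harm when someone views the log on a terminal, so a filter on the viewing side is a useful control even after the upgrade. The following Python script is an added example, not Apache's or Gentoo's code: it renders control characters in error_log lines as visible \xHH tokens and flags lines that carry ESC or the 8-bit CSI byte. The sample log lines are constructed for this example; the error_log path in the usage comment is an assumption.

```python
import re
import sys

# Constructed sample error_log lines (not real Apache output). The second and
# third carry control characters a terminal would act on if the log were
# viewed with cat or tail: ESC[2J / ESC[H (clear screen, home cursor),
# BEL (0x07) and the single-byte C1 CSI (0x9b).
SAMPLE_LOG = [
    "[Wed May 26 16:34:23 2004] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/localhost/htdocs/favicon.ico",
    "[Wed May 26 16:35:01 2004] [error] [client 192.0.2.77] "
    "File does not exist: /var/www/localhost/htdocs/\x1b[2J\x1b[Hnothing to see here",
    "[Wed May 26 16:35:02 2004] [error] [client 192.0.2.77] "
    "File does not exist: /var/www/localhost/htdocs/bell\x07\x9bm",
]

# Every C0 control except TAB and LF, plus DEL and the C1 range 0x80-0x9f
# (which includes the 8-bit CSI that many terminals honour).
CONTROL_CHAR = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def sanitize_log_line(line: str) -> str:
    """Return the line with each control character shown as a literal \\xHH."""
    return CONTROL_CHAR.sub(lambda m: "\\x%02x" % ord(m.group(0)), line.rstrip("\n"))


def has_terminal_escape(line: str) -> bool:
    """Detection rule: ESC (0x1b) or 8-bit CSI (0x9b) never belongs in a log line."""
    return "\x1b" in line or "\x9b" in line


def audit_log(lines):
    """Return (sanitized_lines, indices of lines that contain escape sequences)."""
    clean = [sanitize_log_line(l) for l in lines]
    suspicious = [i for i, l in enumerate(lines) if has_terminal_escape(l)]
    return clean, suspicious


if __name__ == "__main__":
    # Usage (path is an assumption):
    #   tail -f /var/log/apache/error_log | python sanitize_log.py
    #   python sanitize_log.py /var/log/apache/error_log
    # latin-1 keeps every byte value, so raw 0x9b bytes survive decoding.
    if len(sys.argv) > 1:
        src = open(sys.argv[1], encoding="latin-1")
    else:
        sys.stdin.reconfigure(encoding="latin-1")
        src = sys.stdin
    for raw in src:
        mark = "!! " if has_terminal_escape(raw) else "   "
        print(mark + sanitize_log_line(raw))
```

Piping a log through this keeps the terminal's own parser from ever seeing the raw bytes; the "!!" marker turns the same check into a cheap detection signal for lines worth a closer look.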
Impact
======

These vulnerabilities could lead to attackers bypassing intended access
restrictions, denial of service, and possibly execution of arbitrary
code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All users should upgrade to the latest stable version of Apache 1.3.

# emerge sync

# emerge -pv ">=net-www/apache-1.3.31"
# emerge ">=net-www/apache-1.3.31"

References
==========

[ 1 ] CAN-2003-0993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
[ 2 ] CAN-2003-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
[ 3 ] CAN-2003-0987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
[ 4 ] CAN-2004-0174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200405-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0