[gentoo-announce] [ GLSA 200406-16 ] Apache 1.3: Buffer overflow in mod_proxy - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200406-16 ] Apache 1.3: Buffer overflow in mod_proxy
Date:	Mon, 21 Jun 2004 21:05:12
Message-Id:	`40D74D3F.7060401@gentoo.org`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5

Gentoo Linux Security Advisory                           GLSA 200406-16

6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7

                                            http://security.gentoo.org/

8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9

10

  Severity: Normal

11

     Title: Apache 1.3: Buffer overflow in mod_proxy

12

      Date: June 21, 2004

13

      Bugs: #53544

14

        ID: 200406-16

15

16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

17

18

Synopsis

19

========

20

21

A bug in mod_proxy may allow a remote attacker to execute arbitrary

22

code when Apache is configured a certain way.

23

24

Background

25

==========

26

27

The Apache HTTP Server Project is an effort to develop and maintain an

28

open-source HTTP server for modern operating systems. The goal of this

29

project is to provide a secure, efficient and extensible server that

30

provides services in tune with the current HTTP standards.

31

32

Affected packages

33

=================

34

35

    -------------------------------------------------------------------

36

     Package         /    Vulnerable    /                   Unaffected

37

    -------------------------------------------------------------------

38

  1  net-www/apache      <= 1.3.31-r1                     >= 1.3.31-r2

39

40

Description

41

===========

42

43

A bug in the proxy_util.c file may lead to a remote buffer overflow. To

44

trigger the vulnerability an attacker would have to get mod_proxy to

45

connect to a malicous server which returns an invalid (negative)

46

Content-Length.

47

48

Impact

49

======

50

51

An attacker could cause a Denial of Service as the Apache child

52

handling the request, which will die and under some circumstances

53

execute arbitrary code as the user running Apache, usually "apache".

54

55

Workaround

56

==========

57

58

There is no known workaround at this time. All users are encouraged to

59

upgrade to the latest available version:

60

61

Resolution

62

==========

63

64

Apache 1.x users should upgrade to the latest version of Apache:

65

66

    # emerge sync

67

68

    # emerge -pv ">=net-www/apache-1.3.31-r2"

69

    # emerge ">=net-www/apache-1.3.31-r2"

70

71

References

72

==========

73

74

  [ 1 ] Georgi Guninski security advisory #69, 2004

75

        http://www.guninski.com/modproxy1.html

76

  [ 2 ] CAN-2004-0492

77

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492

78

79

Availability

80

============

81

82

This GLSA and any updates to it are available for viewing at

83

the Gentoo Security Website:

84

85

     http://security.gentoo.org/glsa/glsa-200406-16.xml

86

87

Concerns?

88

=========

89

90

Security is a primary focus of Gentoo Linux and ensuring the

91

confidentiality and security of our users machines is of utmost

92

importance to us. Any security concerns should be addressed to

93

security@g.o or alternatively, you may file a bug at

94

http://bugs.gentoo.org.

95

96

License

97

=======

98

99

Copyright 2004 Gentoo Technologies, Inc; referenced text

100

belongs to its owner(s).

101

102

The contents of this document are licensed under the

103

Creative Commons - Attribution / Share Alike license.

104

105

http://creativecommons.org/licenses/by-sa/1.0

106

107

-----BEGIN PGP SIGNATURE-----

108

Version: GnuPG v1.2.4 (GNU/Linux)

109

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

110

111

iD8DBQFA100/vcL1obalX08RAhswAKCQ3EJPyzBXKSvsP0GaCbrAfWvm/QCfe9/+

112

ony5ZwKQQ34i1LK1JHwQ5wA=

113

=W2E1

114

-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5	Gentoo Linux Security Advisory GLSA 200406-16
6	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7	http://security.gentoo.org/
8	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10	Severity: Normal
11	Title: Apache 1.3: Buffer overflow in mod_proxy
12	Date: June 21, 2004
13	Bugs: #53544
14	ID: 200406-16
15
16	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18	Synopsis
19	========
20
21	A bug in mod_proxy may allow a remote attacker to execute arbitrary
22	code when Apache is configured a certain way.
23
24	Background
25	==========
26
27	The Apache HTTP Server Project is an effort to develop and maintain an
28	open-source HTTP server for modern operating systems. The goal of this
29	project is to provide a secure, efficient and extensible server that
30	provides services in tune with the current HTTP standards.
31
32	Affected packages
33	=================
34
35	-------------------------------------------------------------------
36	Package / Vulnerable / Unaffected
37	-------------------------------------------------------------------
38	1 net-www/apache <= 1.3.31-r1 >= 1.3.31-r2
39
40	Description
41	===========
42
43	A bug in the proxy_util.c file may lead to a remote buffer overflow. To
44	trigger the vulnerability an attacker would have to get mod_proxy to
45	connect to a malicous server which returns an invalid (negative)
46	Content-Length.
47
48	Impact
49	======
50
51	An attacker could cause a Denial of Service as the Apache child
52	handling the request, which will die and under some circumstances
53	execute arbitrary code as the user running Apache, usually "apache".
54
55	Workaround
56	==========
57
58	There is no known workaround at this time. All users are encouraged to
59	upgrade to the latest available version:
60
61	Resolution
62	==========
63
64	Apache 1.x users should upgrade to the latest version of Apache:
65
66	# emerge sync
67
68	# emerge -pv ">=net-www/apache-1.3.31-r2"
69	# emerge ">=net-www/apache-1.3.31-r2"
70
71	References
72	==========
73
74	[ 1 ] Georgi Guninski security advisory #69, 2004
75	http://www.guninski.com/modproxy1.html
76	[ 2 ] CAN-2004-0492
77	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
78
79	Availability
80	============
81
82	This GLSA and any updates to it are available for viewing at
83	the Gentoo Security Website:
84
85	http://security.gentoo.org/glsa/glsa-200406-16.xml
86
87	Concerns?
88	=========
89
90	Security is a primary focus of Gentoo Linux and ensuring the
91	confidentiality and security of our users machines is of utmost
92	importance to us. Any security concerns should be addressed to
93	security@g.o or alternatively, you may file a bug at
94	http://bugs.gentoo.org.
95
96	License
97	=======
98
99	Copyright 2004 Gentoo Technologies, Inc; referenced text
100	belongs to its owner(s).
101
102	The contents of this document are licensed under the
103	Creative Commons - Attribution / Share Alike license.
104
105	http://creativecommons.org/licenses/by-sa/1.0
106
107	-----BEGIN PGP SIGNATURE-----
108	Version: GnuPG v1.2.4 (GNU/Linux)
109	Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
110
111	iD8DBQFA100/vcL1obalX08RAhswAKCQ3EJPyzBXKSvsP0GaCbrAfWvm/QCfe9/+
112	ony5ZwKQQ34i1LK1JHwQ5wA=
113	=W2E1
114	-----END PGP SIGNATURE-----

Gentoo Archives: gentoo-announce