Overview
A vulnerability in a supplementary module to the Apache HTTP server could allow an attacker to execute arbitrary code on an affected web server under certain circumstances.
Description
The Apache HTTP server distribution includes a number of supplemental modules that provide additional functionality to the web server. One of these modules, mod_rewrite, provides a rule-based rewriting engine to rewrite requested URLs "on the fly" based on regular expressions. A buffer overflow has been discovered in the way that mod_rewrite handles regular expressions containing more than 9 captures (stored strings matching a particular pattern). This flaw results in a remotely exploitable vulnerability on web servers that specify such a regular expression to the mod_rewrite module in their configuration files.
Impact
An attacker may be able to execute arbitrary code in the context of the web server user (e.g., "apache", "httpd", "nobody", etc.). The attacker would have to have the ability to supply a specially crafted configuration file (e.g., .htaccess or httpd.conf) to the Apache server in order to mount this attack.
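An added example, not part of the original advisory and not Apache's code: a Python audit script that scans httpd.conf or .htaccess text for mod_rewrite and mod_alias directives whose regular expression has more than 9 captures, the condition described above. The directive-to-argument mapping, the capture-counting heuristic and the sample configuration are assumptions constructed for this illustration.

```python
import re
import sys
from pathlib import Path

# Regex-taking directives of mod_rewrite and mod_alias, mapped to the position
# of the regex among the directive's arguments (assumed mapping for this audit).
REGEX_ARG = {"rewriterule": 0, "rewritecond": 1, "aliasmatch": 0,
             "scriptaliasmatch": 0, "redirectmatch": 0}
# RedirectMatch accepts an optional status before the regex.
REDIRECT_STATUS = re.compile(r"^(permanent|temp|seeother|gone|\d{3})$", re.I)
MAX_SAFE_CAPTURES = 9  # the advisory's threshold: "more than 9 captures"
_ARG = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'|(\S+)')


def split_args(text):
    """Split directive arguments on whitespace, honouring "..." and '...'.
    Backslashes stay (they belong to the regex) except before a quote."""
    return [bare or dq.replace('\\"', '"') or sq.replace("\\'", "'")
            for dq, sq, bare in _ARG.findall(text)]


def count_captures(pattern):
    """Count capturing groups: '(' that is not escaped, not inside a bracket
    expression, and not a '(?...' construct other than a named group."""
    count, i, n = 0, 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                       # escaped character, e.g. \(
            i += 2
            continue
        if c == "[":                        # skip the whole bracket expression
            i += 1
            if pattern.startswith("^", i):
                i += 1
            if pattern.startswith("]", i):  # a leading ']' is a literal
                i += 1
            while i < n and pattern[i] != "]":
                if pattern.startswith("[:", i):       # POSIX class [:alpha:]
                    end = pattern.find(":]", i + 2)
                    i = n if end == -1 else end + 2
                else:
                    i += 2 if pattern[i] == "\\" else 1
        elif c == "(" and (not pattern.startswith("?", i + 1)
                           or pattern.startswith("?P<", i + 1)):
            count += 1
        i += 1
    return count


def audit_config(text, source="<config>"):
    """Return (source, line, directive, captures, pattern) for each regex
    directive whose pattern has more than MAX_SAFE_CAPTURES captures."""
    findings, logical, start = [], "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        if not logical:
            start = number
        if raw.endswith("\\"):              # Apache line continuation
            logical += raw[:-1]
            continue
        parts, logical = (logical + raw).split(None, 1), ""
        index = REGEX_ARG.get(parts[0].lower()) if len(parts) == 2 else None
        if index is None:                   # comment, blank or other directive
            continue
        args = split_args(parts[1])
        if (parts[0].lower() == "redirectmatch" and args
                and REDIRECT_STATUS.match(args[0])):
            index = 1
        if index >= len(args):
            continue
        pattern = args[index][1:] if args[index].startswith("!") else args[index]
        captures = count_captures(pattern)
        if captures > MAX_SAFE_CAPTURES:
            findings.append((source, start, parts[0], captures, pattern))
    return findings


SAMPLE_CONFIG = r'''# Constructed sample input for this example
RewriteEngine On
RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ /x/$1 [L]
RewriteRule ^/shop/([0-9]+)/(\w+)$ /shop.php?id=$1&name=$2 [L]
RewriteCond %{HTTP_HOST} "^(?:www\.)?([a-z]+)\.example\.com$" [NC]
RedirectMatch permanent ^/(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)/ http://www.example.com/
AliasMatch ^/icons/[()]*\((.*)\)$ /usr/local/apache/icons/$1
'''


if __name__ == "__main__":
    inputs = [(p, Path(p).read_text(errors="replace")) for p in sys.argv[1:]]
    for src, text in inputs or [("sample", SAMPLE_CONFIG)]:
        for finding in audit_config(text, src):
            print("%s:%d: %s has %d captures: %s" % finding)
```

Run it with configuration file paths as arguments; with none it scans the embedded sample and reports the two directives that exceed the threshold.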
Solution
Apply a patch from the vendor
Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.
Workarounds
Vendor Information
Apache Software Foundation Affected
Updated: February 02, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The Apache Software Foundation has released versions 1.3.29 and 2.0.48 of the Apache httpd server in response to this issue. These patched versions of the software are available at:
Because this software is commonly repackaged by third-party vendors, users are encouraged to review the Systems Affected section of VU#434566 first to determine whether their vendor has produced an update for their systems.
Users who compile the Apache httpd software from source code are encouraged to upgrade to one of the patched versions listed above (or newer). Users are also encouraged to verify the PGP signatures on the software distribution before compiling and installing it on their systems.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Conectiva Affected
Updated: February 02, 2004
Status
Affected
Vendor Statement
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : apache
SUMMARY : Fix for some vulnerabilities
DATE : 2003-11-05 19:18:00
ID : CLA-2003:775
RELEVANT
RELEASES : 7.0, 8, 9
- -------------------------------------------------------------------------
DESCRIPTION
Apache[1] is the most popular webserver in use today.
New versions of the Apache web server have been made available[2][3]
with the following security fixes:
1. Buffer overflow in mod_alias and mod_rewrite (CAN-2003-0542) [4]
A buffer overflow could occur in mod_alias and mod_rewrite when a
regular expression with more than 9 captures is configured. Users who
can create or modify configuration files (httpd.conf or .htaccess,
for example) could trigger this. This vulnerability affects Apache
1.3.x and Apache 2.0.x.
2. mod_cgid mishandling of CGI redirect paths (CAN-2003-0789) [5]
mod_cgid mishandling of CGI redirect paths could result in CGI output
going to the wrong client when a threaded MPM is used. The packages
provided with Conectiva Linux 9 are not vulnerable to this issue
because they are not compiled with that MPM, but the fix has been
included because new packages for Conectiva Linux 9 were already
being built for the suexec problem (see below).
In addition to the above security fixes, "suexec" has been correctly
built in the Conectiva Linux 9 packages, fixing[6] the problem where
CGI scripts could not be run from the user's home directory.
SOLUTION
It is recommended that all Apache users upgrade their packages.
IMPORTANT: it is necessary to manually restart the httpd server after
upgrading the packages. In order to do this, execute the following as
root:
service httpd stop
(wait a few seconds and check with "pidof httpd" if there are any
httpd processes running. On a busy webserver this could take a little
longer)
service httpd start
REFERENCES
1. http://apache.httpd.org/
2. http://www.apache.org/dist/httpd/Announcement2.html
3. http://www.apache.org/dist/httpd/Announcement.html
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789
6. http://bugzilla.conectiva.com.br/show_bug.cgi?id=8754 (pt_BR only)
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/apache-1.3.28-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.28-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.28-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.28-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/apache-1.3.28-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-1.3.28-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-devel-1.3.28-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-doc-1.3.28-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_auth_ldap-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_dav-2.0.45-28790U90_5cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Gentoo Linux Affected
Updated: February 02, 2004
Status
Affected
Vendor Statement
- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-03
- ---------------------------------------------------------------------------
PACKAGE : net-www/apache
SUMMARY : buffer overflow
DATE : Tue Oct 28 16:43:46 UTC 2003
EXPLOIT : local
VERSIONS AFFECTED : <apache-1.3.29
FIXED VERSION : >=apache-1.3.29
CVE : CAN-2003-0542 (under review at time of GLSA)
- ---------------------------------------------------------------------------
Quote from <http://httpd.apache.org/dev/dist/Announcement>:
This version of Apache is principally a bug and security fix release.
A partial summary of the bug fixes is given at the end of this document.
A full listing of changes can be found in the CHANGES file. Of
particular note is that 1.3.29 addresses and fixes 1 potential
security issue:
o CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.
We consider Apache 1.3.29 to be the best version of Apache 1.3 available
and we strongly recommend that users of older versions, especially of
the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
releases will be made in the 1.2.x family.
SOLUTION
It is recommended that all Gentoo Linux users who are running
net-misc/apache 1.x upgrade:
emerge sync
emerge -pv apache
emerge '>=net-www/apache-1.3.29'
emerge clean
/etc/init.d/apache restart
// end
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Guardian Digital Inc. Affected
Updated: February 02, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Guardian Digital, Inc. has published Guardian Digital Security Advisory ESA-20031105-030 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Hewlett-Packard Company Affected
Updated: March 08, 2004
Status
Affected
Vendor Statement
-----------------------------------------------------------------
**REVISED 01**
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0311-301
Originally issued: 18 November 2003
Last revised: 19 November 2003
SSRT3663 Apache HTTP Server mod_cgid, mod_alias, mod_rewrite
-----------------------------------------------------------------
NOTICE: There are no restrictions for distribution of this
Bulletin provided that it remains complete and intact.
The information in the following Security Bulletin should be
acted upon as soon as possible. Hewlett-Packard Company will
not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this
Security Bulletin as soon as possible.
-----------------------------------------------------------------
PROBLEM: 1. mod_cgid mishandling of CGI redirect paths could
result in CGI output going to the wrong client when a
threaded MPM is used.
More details are available at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789
2. A buffer overflow could occur in mod_alias and
mod_rewrite when a regular expression with more than
9 captures is configured.
More details are available at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
IMPACT: Potential Denial of Service or execute arbitrary code.
PLATFORM: HP9000 Servers running HP-UX release B.11.00, B.11.11,
B.11.20, B.11.22, and B.11.23 with versions of the
following products are affected, and represented as:
product-name, version (product-tag/bundle-tag)
- hp apache-based web server, 2.0.43.04
or earlier (HPApache/B9416AA)
This product includes Apache 2.0.43.
- hp-ux apache-based web server, v.1.0.09.01
or earlier (hpuxwsAPACHE/hpuxwsApache)
This product includes Apache 2.0.47.
- hp apache-based web server (with IPv6 support),
2.0.43.04 or earlier (HPApache/B9416BA)
This product includes Apache 2.0.43.
- hp-ux apache-based web server(with IPv6 support),
v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache)
This product includes Apache 2.0.47.
SOLUTION: For HP-UX releases B.11.00, B.11.11, B.11.20, B.11.22
and B.11.23 download new HP Apache product from
http://www.software.hp.com/:
For HPApache/B9416AA, HPApache/B9416BA and
hpuxwsAPACHE/hpuxwsApache download the following:
- hp-ux apache-based web server (with IPv4)
v.1.0.10.01 or later (hpuxwsAPACHE/hpuxwsApache)
This product includes Apache 2.0.48.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/
cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE
- hp-ux apache-based web server(with IPv6 support),
v.1.0.10.01 or later (hpuxwsAPACHE/hpuxwsApache)
This product includes Apache 2.0.48.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/
cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE
MANUAL ACTIONS: Yes - Non-Update
Install the product containing the fix.
For customers with HPApache/B9416AA
HPApache/B9416BA installed, the fix requires
migration to hpuxwsAPACHE/hpuxwsApache and
removing the affected products from the system.
AVAILABILITY: Complete product bundles are available now on
<http://www.software.hp.com/>
CHANGE SUMMARY: Rev. 01 Corrected typo in version number
-----------------------------------------------------------------
**REVISED 01**
A. Background
The Common Vulnerabilities and Exposures project
<http://cve.mitre.org/> has identified potential
vulnerabilities in the Apache HTTP Server (CAN-2003-0789, and
CAN-2003-0542). It affects the following HP product
numbers/versions on HP-UX releases B.11.00, B.11.11, B.11.20,
B.11.22, and B.11.23:
- hp apache-based web server, 2.0.43.04 or earlier
(HPApache/B9416AA)
- hp-ux apache-based web server, v.1.0.09.01 or earlier
(hpuxwsAPACHE/hpuxwsApache)
- hp apache-based web server, 2.0.43.04 (with IPv6 support)
or earlier (HPApache/B9416BA)
- hp-ux apache-based web server (with IPv6 support),
v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache)
AFFECTED VERSIONS
The following is a list of affected filesets or patches
and fix information. To determine if a system has an
affected version, search the output of
"swlist -a revision -l fileset" for an affected fileset
or patch, then determine if a fixed revision or applicable
patch is installed.
HP-UX B.11.00
HP-UX B.11.11
HP-UX B.11.20
HP-UX B.11.22
HP-UX B.11.23
====================================
HPApache.APACHE2
hpuxwsAPACHE.APACHE2
--->> fix: install hp-ux apache-based web server, v.1.0.10.01
or later.
END AFFECTED VERSIONS
B. Recommended solution
The Apache Software Foundation has released Apache 2.0.48 as
the best known version that fixes the problems identified in
the above mentioned issues.
For customers using HPApache/B9416AA HPApache/B9416BA and
hpuxwsAPACHE/hpuxwsApache, HP has incorporated Apache 2.0.48
in the following product:
- hp-ux apache-based web server v.1.0.10.01 or later
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
displayProductInfo.pl?productNumber=HPUXWSSUITE
Check for Apache Installation
-----------------------------
To determine if the Apache web server from HP is installed on
your system, use Software Distributor's swlist command. All
three versions products may co-exist on a single system.
For example, the results of the command
swlist -l product | grep -i apache
HPApache 2.0.39.01.02 HP Apache-based Web Server
hpuxwsAPACHE A.1.0.09.01 HP-UX Apache-based Web Server
Stop Apache
-----------------------------
Before updating, make sure to stop any previous Apache binary.
Otherwise, the previous binary will continue running,
preventing the new one from starting, although the installation
would be successful.
After determining which Apache is installed, stop Apache with
the following commands:
for HPApache: /opt/hpapache2/bin/apachectl stop
for hpuxwsAPACHE: /opt/hpws/apache/bin/apachectl stop
Download and Install Apache
-----------------------------
- Download Apache from Software Depot using the previously
mentioned links.
- Verify successful download by comparing the cksum with the
value specified on the installation web page.
- Use SD to swinstall the depot.
- For customers with HPApache/B9416BA installed, migrate to
hpuxwsAPACHE/hpuxwsApache and remove the affected products
from the system.
Installation of this new version of HP Apache over an existing
HP Apache installation is supported, while installation over a
non-HP Apache is NOT supported.
Removing Apache Installation
----------------------------
If you rather remove Apache from your system than install a
newer version to resolve the security problem, use both
Software Distributor's "swremove" command and also "rm -rf" the
home location as specified in the rc.config.d file "HOME"
variables.
To find the files containing HOME variables in the
/etc/rc.config.d directory:
%ls /etc/rc.config.d | grep apache
hpapache2conf
hpws_apacheconf
C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:
Use your browser to get to the HP IT Resource Center page
at:
http://itrc.hp.com
Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC. Remember to save the
User ID assigned to you, and your password.
In the left most frame select "Maintenance and Support".
Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".
To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.
or
To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.
NOTE: Using your itrc account security bulletins can be
found here:
http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin
To -gain access- to the Security Patch Matrix, select
the link for "The Security Bulletins Archive". (near the
bottom of the page) Once in the archive the third link is
to the current Security Patch Matrix. Updated daily, this
matrix categorizes security patches by platform/OS release,
and by bulletin topic. Security Patch Check completely
automates the process of reviewing the patch matrix for
11.XX systems. Please note that installing the patches
listed in the Security Patch Matrix will completely
implement a security bulletin _only_ if the MANUAL ACTIONS
field specifies "No."
The Security Patch Check tool can verify that a security
bulletin has been implemented on HP-UX 11.XX systems providing
that the fix is completely implemented in a patch with no
manual actions required. The Security Patch Check tool cannot
verify fixes implemented via a product upgrade.
For information on the Security Patch Check tool, see:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
displayProductInfo.pl?productNumber=B6834AA
The security patch matrix is also available via anonymous
ftp:
ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/
On the "Support Information Digest Main" page:
click on the "HP Security Bulletin Archive".
The PGP key used to sign this bulletin is available from
several PGP Public Key servers. The key identification
information is:
2D2A7D59
HP Security Response Team (Security Bulletin signing only)
<security-alert@hp.com>
Fingerprint =
6002 6019 BFC1 BC62 F079 862E E01F 3AFC 2D2A 7D59
If you have problems locating the key please write to
security-alert@hp.com. Please note that this key is
for signing bulletins only and is not the key returned
by sending 'get key' to security-alert@hp.com.
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server, or by sending a message with a -subject- (not body)
of 'get key' (no quotes) to security-alert@hp.com.
-----------------------------------------------------------------
(c)Copyright 2003 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of HP products referenced
herein are trademarks and/or service marks of Hewlett-Packard
Company. Other product and company names mentioned herein may be
trademarks and/or service marks of their respective owners.
________________________________________________________________
- --
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
MandrakeSoft Affected
Updated: February 02, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
MandrakeSoft has published MandrakeSoft Security Advisory MDKSA-2003:103 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
OpenPKG Affected
Updated: February 02, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The OpenPKG development team has published OpenPKG Security Advisory OpenPKG-SA-2003.046 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Red Hat Inc. Affected
Updated: February 02, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Red Hat, Inc. has published the following Red Hat Security Advisories in response to this issue:
SCO Affected
Updated: March 08, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The SCO Group has published SCO Security Advisory CSSA-2003-SCO.28 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
SGI Affected
Updated: February 02, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
SGI has published SGI Advanced Linux Environment security update #7 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.
Slackware Affected
Updated: February 02, 2004
Status
Affected
Vendor Statement
[slackware-security] apache security update (SSA:2003-308-01)
Apache httpd is a hypertext transfer protocol server, and is used
by over two thirds of the Internet's web sites.
Upgraded Apache packages are available for Slackware 8.1, 9.0, 9.1,
and -current. These fix local vulnerabilities that could allow users
who can create or edit Apache config files to gain additional
privileges. Sites running Apache should upgrade to the new packages.
In addition, new mod_ssl packages have been prepared for all platforms,
and new PHP packages have been prepared for Slackware 8.1, 9.0, and
- -current (9.1 already uses PHP 4.3.3). In -current, these packages
also move the Apache module directory from /usr/libexec to
/usr/libexec/apache. Links for all of these related packages are
provided below.
More details about the Apache issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Mon Nov 3 20:06:29 PST 2003
patches/packages/apache-1.3.29-i486-1.tgz: Upgraded to apache-1.3.29.
This fixes the following local security issue:
o CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.
This vulnerability requires the attacker to create or modify certain
Apache configuration files, and is not a remote hole. However, it could
possibly be used to gain additional privileges if access to the Apache
administrator account can be gained through some other means. All sites
running Apache should upgrade.
(* Security fix *)
+--------------------------+
WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+
Updated packages for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.29-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.16_1.3.29-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.3-i386-1.tgz
Updated packages for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.29-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.16_1.3.29-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.3-i386-1.tgz
Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.29-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.16_1.3.29-i486-1.tgz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.29-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.16_1.3.29-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.3-i486-3.tgz
MD5 SIGNATURES:
+-------------+
INSTALLATION INSTRUCTIONS:
+------------------------+
First, stop apache:
# apachectl stop
Next, upgrade these packages as root:
# upgradepkg apache-1.3.29-i486-1.tgz
# upgradepkg mod_ssl-2.8.16_1.3.29-i486-1.tgz
# upgradepkg php-4.3.3-i486-3.tgz
Finally, restart apache:
# apachectl start
Or, if you're running a secure server with mod_ssl:
# apachectl startssl
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back. Follow the instructions to |
| complete the unsubscription. Do not reply to this message to |
| unsubscribe! |
+------------------------------------------------------------------------+
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sun Microsystems Inc. Affected
Updated: March 08, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Sun Microsystems, Inc. has published Sun Security Alert #57496 in response to this issue. Users are encouraged to review this alert and apply the patches it refers to.
Trustix Affected
Updated: February 02, 2004
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The Trustix development team has published Trustix Secure Linux Security Advisory #2003-0041 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Acknowledgements
The Apache Software Foundation credits André Malo with the discovery of this vulnerability.
This document was written by Chad R Dougherty.
Other Information
CVE IDs: CVE-2003-0542
Severity Metric: 0.61
Date Public: 2003-10-30
Date First Published: 2004-02-03
Date Last Updated: 2004-03-19 19:59 UTC
Document Revision: 29