Notified: May 28, 2003 Updated: June 24, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Apache 2.0.46 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the ninth public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.46 as compared to 2.0.45.

This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.46 addresses two security vulnerabilities:

Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in certain circumstances. This can be triggered remotely through mod_dav and possibly other mechanisms. The crash was originally reported by David Endler
Notified: June 16, 2003 Updated: June 23, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE           : apache
SUMMARY           : Apache 2 vulnerability
DATE              : 2003-06-16 18:27:00
ID                : CLA-2003:661
RELEVANT RELEASES : 9

DESCRIPTION
Apache[1] is the most popular webserver in use today.

This update addresses two security vulnerabilities which have been fixed in the recently released[2] 2.0.46 version:

1) CAN-2003-0245[3]
iDefense published[5] an advisory about a vulnerability in the APR library used by Apache 2. This library contains a vulnerability in the apr_psprintf() function which could be used to make apache reference invalid memory. The most immediate impact of this vulnerability is a Denial of Service condition. Arbitrary command execution remains a possibility, but is deemed to be difficult to achieve outside a controlled environment. The packages provided with this update contain a fix for this vulnerability.

2) CAN-2003-0189[4]
A problem with the build configuration scripts caused the Apache basic authentication module to not be thread-safe. Systems running a threaded server would then be vulnerable to a Denial of Service condition when authenticating users using this module. Apache in Conectiva Linux 9 is *not* vulnerable to this issue because it is not built with threads support. However, the packages available through this update have been patched to fix this problem to allow users to recompile Apache with threads support in the event they choose to do so.

SOLUTION
It is recommended that all Apache users upgrade their packages.

IMPORTANT: it is necessary to manually restart the httpd server after upgrading the packages. In order to do this, execute the following as root:

  service apache stop

(wait a few seconds and check with "ps ax|grep httpd" if there are any httpd processes running. On a busy webserver this could take a little longer)

  service apache start

REFERENCES
1. http://httpd.apache.org/
2. http://www.apache.org/dist/httpd/Announcement2.html
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
5. http://www.idefense.com/advisory/05.30.03.txt

UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_auth_ldap-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_dav-2.0.45-28790U90_2cl.i386.rpm

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en

Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en

Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
Notified: July 16, 2003 Updated: September 18, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
**REVISED 01**

Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0307-269
Originally issued: 16 July 2003
Last Revised: 03 Sept. 2003
SSRT3587 Security Vulnerabilities in Apache HTTP Server (rev.1)

NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact.

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

PROBLEM:
1. Apache 2.0.40 through 2.0.45 do not handle threads correctly, potentially allowing a remote denial of service. More details are available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
2. A defect in Apache 2.0.37 through 2.0.45 potentially allows a remote denial of service. More details are available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245

IMPACT: Potential remote Denial of Service

PLATFORM: HP-UX releases B.11.00, B.11.11 and B.11.22 with versions of the following products are affected:
- HPApache/B9416AA and HPApache/B9416BA (all versions)
- hp-ux apache-based web server, (product hpuxwsAPACHE or hpuxwsApache) v.1.0.05.01 or earlier
  This product includes Apache 2.0.45.
- hp apache-based web server, 2.0.43.04 or earlier (HPApache/B9416AA, HPApache/B9416BA)
  This product includes Apache 2.0.43.
- hp-ux apache-based web server, v.1.0.05.01 or earlier (hpuxwsAPACHE/hpuxwsApache)
  This product includes Apache 2.0.45.

AFFECTED FILESETS:
The affected filesets are: (product.fileset)
HPApache.APACHE2      2.0.39.01.02   HP Apache 2.0.39
hpuxwsAPACHE.APACHE2  A.1.0.05.01    2.0.45 base (IPF Binaries)

SOLUTION:
For HP-UX releases B.11.00, B.11.11 and B.11.22:
1. Remove HPApache/B9416AA and HPApache/B9416BA if they are installed.
2. Download and install: hp-ux apache-based web server, v.1.0.06.01 or later (product hpuxwsAPACHE or bundle hpuxwsApache)

NOTE: The product install location and structure have changed between HPApache/B9416*A and hpuxwsAPACHE/hpuxwsApache.

This product includes Apache 2.0.46 and is available from:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE

**REVISED 01**
--->> NOTE: The IPv6 solution is now available. Please refer to
--->> documentation and depots available from software.hp.com
--->> Click on "internet ready and networking"
--->> and look for "hp-ux apache-based web server
--->> v.1.0.07.01 for ipv6 powered by apache, tomcat, webmin."

MANUAL ACTIONS: Yes - Update
Install the product containing the fix. For customers with HPApache/B9416AA or HPApache/B9416BA installed, the fix requires migration to hpuxwsAPACHE/hpuxwsApache and removing the affected products from the system.

AVAILABILITY: Complete product bundles are available now on
Notified: June 02, 2003 Updated: June 24, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Mandrake Linux Security Update Advisory

Package name: apache2
Advisory ID: MDKSA-2003:063-1
Date: June 2nd, 2003
Original Advisory Date: May 30th, 2003
Affected versions: 9.1

Problem Description:
Two vulnerabilities were discovered in the Apache web server that affect all 2.x versions prior to 2.0.46. The first, discovered by John Hughes, is a build system problem that allows remote attackers to prevent access to authenticated content when a threaded server is used. This only affects versions of Apache compiled with the threaded server "httpd.worker", which is not the default for Mandrake Linux.

The second vulnerability, discovered by iDefense, allows remote attackers to cause a DoS (Denial of Service) condition and may also allow the execution of arbitrary code.

The provided packages include back-ported fixes to correct these vulnerabilities and MandrakeSoft encourages all users to upgrade immediately.

Update: The previous update mistakenly listed apache-conf packages which were never included, nor intended to be included, as part of the update.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245

Updated Packages:

Mandrake Linux 9.1:
Mandrake Linux 9.1/PPC:
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

  rpm --checksig
Notified: May 28, 2003 Updated: June 24, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Red Hat Security Advisory

Synopsis: Updated httpd packages fix Apache security vulnerabilities
Advisory ID: RHSA-2003:186-01
Issue date: 2003-05-28
Updated on: 2003-05-28
Product: Red Hat Linux
Keywords: Apache httpd auth remote
Cross references:
Obsoletes:
CVE Names: CAN-2003-0189 CAN-2003-0245

1. Topic:
Updated httpd packages that fix two security issues are now available for Red Hat Linux 8.0 and 9.

2. Relevant releases/architectures:
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:
The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.

A bug in Apache 2.0 through 2.0.45 allows remote attackers to cause a denial of service, and may allow execution of arbitrary code. This bug affects both Red Hat Linux 8.0 and 9. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0245 to this issue.

A build system problem in Apache 2.0 through 2.0.45 allows remote attackers to cause a denial of access to authenticated content when a threaded server is used. This bug affects only Red Hat Linux 9 when the threaded server "httpd.worker" has been configured, which is not the default. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0189 to this issue.

All users of the Apache HTTP Web Server are advised to upgrade to the applicable errata packages, which contain back-ported fixes correcting these issues, and applied to Apache version 2.0.40.

After the errata packages are installed, restart the Web service by running the following command:

  /sbin/service httpd restart

Red Hat would like to thank iDefense who initially discovered CAN-2003-0245 and John Hughes for CAN-2003-0189.

4. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

  rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

  up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
88575 - Byte Range implementation fix
89170 - fullstatus segfaults apachectl
89179 - mod_proxy (forward proxy) inserts empty line before header

6. RPMs required:

Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/httpd-2.0.40-11.5.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/httpd-2.0.40-11.5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/httpd-devel-2.0.40-11.5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/httpd-manual-2.0.40-11.5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mod_ssl-2.0.40-11.5.i386.rpm

Red Hat Linux 9:
SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/httpd-2.0.40-21.3.src.rpm
i386:
ftp://updates.redhat.com/9/en/os/i386/httpd-2.0.40-21.3.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/httpd-devel-2.0.40-21.3.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/httpd-manual-2.0.40-21.3.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/mod_ssl-2.0.40-21.3.i386.rpm

7. Verification:
MD5 sum                           Package Name
These packages are GPG signed by Red Hat for security. Our key is available at http://www.redhat.com/solutions/security/news/publickey/

You can verify each package with the following command:

  rpm --checksig -v
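The Mandrake and Red Hat advisories above both publish an MD5 sum beside each package and ask that the download be verified before upgrading. The script below is an added example, not code from either vendor: it checks a directory of downloaded packages against those "<md5> <path>" lines, assuming GNU md5sum and mktemp are available; the demonstration files, package names and sums inside it are constructed, and it is a complement to, not a replacement for, the GPG check that rpm --checksig performs.

```shell
#!/bin/sh
# Added example, not part of the Mandrake or Red Hat advisories: check each
# downloaded update package against the "<md5> <path>" lines an advisory
# publishes before running "rpm --checksig" and "rpm -Fvh". Runs offline.

# verify_manifest MANIFEST DIR
# MANIFEST holds lines "<md5hex> <relative/path/to/pkg.rpm>"; the package
# file is looked up as DIR/<basename of path>. Prints one status line per
# package and returns 0 only if every listed package is present and matches.
verify_manifest() {
    manifest=$1; dir=$2; bad=0
    while read -r expected path; do
        [ -n "$expected" ] || continue
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $actual)"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demonstration: two fake "packages" in a scratch directory. The
# second file's bytes differ from what the published sum was computed over,
# so verify_manifest must report MISMATCH for it and return 1.
demo_verify() {
    tmp=$(mktemp -d)
    printf 'good package contents\n' > "$tmp/apache2-2.0.45-4.3mdk.i586.rpm"
    printf 'tampered contents\n'     > "$tmp/libapr0-2.0.45-4.3mdk.i586.rpm"
    good=$(md5sum "$tmp/apache2-2.0.45-4.3mdk.i586.rpm" | cut -d' ' -f1)
    published=$(printf 'original contents\n' | md5sum | cut -d' ' -f1)
    {
        echo "$good 9.1/RPMS/apache2-2.0.45-4.3mdk.i586.rpm"
        echo "$published 9.1/RPMS/libapr0-2.0.45-4.3mdk.i586.rpm"
    } > "$tmp/manifest"
    if verify_manifest "$tmp/manifest" "$tmp"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}
```

In practice the manifest is the advisory's own package list pasted into a file, and a nonzero exit means the upgrade should not proceed.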