Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


SOT Linux Advisory: apache

Jun 20, 2002, 16:26 (0 Talkback[s])

[ Thanks to SOT Security Team for this link. ]

---------------------------------------------------------------------
                   SOT Linux Security Advisory

Subject:           Updated apache package for SOT Linux 2002
Advisory ID:       SLSA-2002:8
Date:              Wednesday, June 19, 2002
Product:           SOT Linux 2002
---------------------------------------------------------------------

1. Problem description

Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
and including 2.0.36 contain a bug in the routines which deal with invalid
requests which are encoded using chunked encoding.  This bug can be
triggered remotely by sending a carefully crafted invalid request. This
functionality is enabled by default.

In most cases the outcome of the invalid request is that the child process
dealing with the request will terminate.  At the least, this could help a
remote attacker launch a denial of service attack as the parent process
will eventually have to replace the terminated child process, and starting
new children uses non-trivial amounts of resources.


2. Updated packages

SOT Linux 2002 Server:
 
i386:
ftp://ftp.sot.com/updates/2002/Server/i386/apache-1.3.19-15.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/apache-devel-1.3.19-15.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/apache-manual-1.3.19-15.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/apache-ssl-1.3.19_1.44-11.i386.rpm
SRPMS:
ftp://ftp.sot.com/updates/2002/Server/SRPMS/apache-1.3.19-15.src.rpm
ftp://ftp.sot.com/updates/2002/Server/SRPMS/apache-ssl-1.3.19_1.44-11.src.rpm

3. Upgrading package

Use up2date to automatically upgrade the fixed packages.
 
If you want to upgrade manually, download the updated package from
the SOT Linux FTP site (use the links above) or from one of our mirrors.
The list of mirrors can be obtained at www.sot.com/en/linux
 
Update the package with the following command:
rpm -Uvh 


4. Verification

All packages are PGP signed by SOT for security.
 
You can verify each package with the following command:
rpm --checksig  
 
If you wish to verify the integrity of the downloaded package, run
"md5sum " and compare the output with data given below.
 
 
Package Name                                    MD5 sum
--------------------------------------------------------------------------------
/Server/i386/apache-1.3.19-15.i386.rpm          724493b10693eb7af8b5997d3e2f6072
/Server/i386/apache-devel-1.3.19-15.i386.rpm    328c18b65c7671dc6b4566b4aa55ff0e
/Server/i386/apache-manual-1.3.19-15.i386.rpm   da21112cb66ec4883268ada7c4d0655d
/Server/i386/apache-ssl-1.3.19_1.44-11.i386.rpm 253cedbb6b5395eba90ae1df1ad05092
/Server/SRPMS/apache-1.3.19-15.src.rpm          1edca1886806d701895403764aa5d5f3
/Server/SRPMS/apache-ssl-1.3.19_1.44-11.src.rpm 90c9905655ee7d2c436e7cdf4089c3db

5. References

http://httpd.apache.org/info/security_bulletin_20020617.txt

Copyright(c) 2001, 2002 SOT