dcsimg
Linux Today: Linux News On Internet Time.





More on LinuxToday


Conectiva Linux Advisory: apache

Jul 22, 2003, 03:57 (0 Talkback[s])
CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : apache
SUMMARY : Denial of service vulnerabilities
DATE : 2003-07-21 18:34:00
ID : CLA-2003:698
RELEVANT RELEASES : 9

DESCRIPTION
Apache[1] is the most popular webserver in use today.

This update addresses the following issues:

  1. SSL renegotiations (CAN-2003-0192 [2]) Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one.
  2. Denial of service (CAN-2003-0253 [3]) Saheed Akhtar reported that a denial of service condition exists in the prefork MPM when accept() on rarely accessed port returns certain errors. The prefork MPM is the default mode for Apache as shipped with Conectiva Linux 9.
  3. Ftp proxy denial of service (CAN-2003-0254 [4]) Yoshioka Tsuneo reported a denial of service condition in the ftp proxy which happens when the target host is IPv6 but the proxy server itself cannot create an IPv6 socket.
  4. Denial of service (VU#379828 [5]) Ryan O'Neill reported that it is possible to make the httpd server enter infinite loops and crash under certain circumstances. A new configuration directive has been created (LimitInternalRecursion) to avoid these infinite loops and abort the request which caused them if the configured limit has been reached.

SOLUTION
It is recommended that all Apache users upgrade their packages.

IMPORTANT: it is necessary to manually restart the httpd server after upgrading the packages. In order to do this, execute the following as root:

service apache stop

(wait a few seconds and check with "ps ax|grep httpd" if there are any httpd processes running. On a busy webserver this could take a little longer)

service apache start

REFERENCES

  1. http://httpd.apache.org/
  2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192
  3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253
  4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254
  5. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19753

UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_auth_ldap-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_dav-2.0.45-28790U90_3cl.i386.rpm

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:

  • run: apt-get update
  • after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com