drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in Apache
Name: |
Mehrere Probleme in Apache
|
|
ID: |
CSSA-2002-056.0 |
|
Distribution: |
Caldera |
|
Plattformen: |
Caldera Server 3.1, Caldera Workstation 3.1, Caldera Server 3.1.1, Caldera Workstation 3.1.1 |
|
Datum: |
Sa, 7. Dezember 2002, 12:00 |
|
Referenzen: |
Keine Angabe |
|
Applikationen: |
Apache |
|
Originalnachricht |
--UFHRwCdBEJvubb2X Content-Disposition: inline
To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com full-disclosure@lists.netsys.com
______________________________________________________________________________
SCO Security Advisory
Subject: Linux: apache vulnerabilities in shared memory, DNS, and ApacheBench Advisory number: CSSA-2002-056.0 Issue date: 2002 December 05 Cross reference: ______________________________________________________________________________
1. Problem Description
The shared memory scoreboard in the HTTP daemon for Apache allows any user running as the Apache UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be allowed, by modifying the parent[].pid and parent[].last_rtime segments in the scoreboard.
Cross-site scripting (XSS) vulnerability in the default error page of Apache when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header.
Buffer overflows in the ApacheBench support program (ab.c) in Apache allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.
2. Vulnerable Supported Versions
System Package ----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to apache-1.3.27-1.0.i386.rpm prior to apache-devel-1.3.27-1.0.i386.rpm prior to apache-doc-1.3.27-1.0.i386.rpm
OpenLinux 3.1.1 Workstation prior to apache-1.3.27-1.0.i386.rpm prior to apache-devel-1.3.27-1.0.i386.rpm prior to apache-doc-1.3.27-1.0.i386.rpm
OpenLinux 3.1 Server prior to apache-1.3.27-1.0.i386.rpm prior to apache-devel-1.3.27-1.0.i386.rpm prior to apache-doc-1.3.27-1.0.i386.rpm
OpenLinux 3.1 Workstation prior to apache-1.3.27-1.0.i386.rpm prior to apache-devel-1.3.27-1.0.i386.rpm prior to apache-doc-1.3.27-1.0.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-056.0/RPMS
4.2 Packages
c7b17000acd9101eee8c37d3b4601ec8 apache-1.3.27-1.0.i386.rpm d857c04c257932ae2a4eaeb1aed19e8c apache-devel-1.3.27-1.0.i386.rpm 68c4e2eb95a1ca1493f4eb0c8b54fff2 apache-doc-1.3.27-1.0.i386.rpm
4.3 Installation
rpm -Fvh apache-1.3.27-1.0.i386.rpm rpm -Fvh apache-devel-1.3.27-1.0.i386.rpm rpm -Fvh apache-doc-1.3.27-1.0.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-056.0/SRPMS
4.5 Source Packages
593f46d5622a2191ee9affda05b96b7c apache-1.3.27-1.0.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-056.0/RPMS
5.2 Packages
afe15920bac4b43bda8c9c3e78d30067 apache-1.3.27-1.0.i386.rpm 962f0f2c795b1012fe1c3d36981a732d apache-devel-1.3.27-1.0.i386.rpm 2f7bd182f5e458a228edd03b487466d0 apache-doc-1.3.27-1.0.i386.rpm
5.3 Installation
rpm -Fvh apache-1.3.27-1.0.i386.rpm rpm -Fvh apache-devel-1.3.27-1.0.i386.rpm rpm -Fvh apache-doc-1.3.27-1.0.i386.rpm
5.4 Source Package Location
SRPMS
5.5 Source Packages
89d64819da7385209cca310c4ce097a1 apache-1.3.27-1.0.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-056.0/RPMS
6.2 Packages
5bb492139575fb1908c29777242c89db apache-1.3.27-1.0.i386.rpm 1a28bc1f4d8e27761da8623385cfd430 apache-devel-1.3.27-1.0.i386.rpm 18774c4e1c471d3c0532203e3053035a apache-doc-1.3.27-1.0.i386.rpm
6.3 Installation
rpm -Fvh apache-1.3.27-1.0.i386.rpm rpm -Fvh apache-devel-1.3.27-1.0.i386.rpm rpm -Fvh apache-doc-1.3.27-1.0.i386.rpm
6.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-056.0/SRPMS
6.5 Source Packages
6a329cad378b982f7864722cd8bc7b71 apache-1.3.27-1.0.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-056.0/RPMS
7.2 Packages
96b47bab30d5a625917fa37536904765 apache-1.3.27-1.0.i386.rpm 0b6e58d39dfbc52daf6662b51116e3db apache-devel-1.3.27-1.0.i386.rpm d29dabf7e838b143006c32122547f7dc apache-doc-1.3.27-1.0.i386.rpm
7.3 Installation
rpm -Fvh apache-1.3.27-1.0.i386.rpm rpm -Fvh apache-devel-1.3.27-1.0.i386.rpm rpm -Fvh apache-doc-1.3.27-1.0.i386.rpm
7.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-056.0/SRPMS
7.5 Source Packages
146818586bde204a4d0eaf44e32d23e3 apache-1.3.27-1.0.src.rpm
8. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr870244, fz526296, erg712139.
9. Disclaimer
SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products.
______________________________________________________________________________
--UFHRwCdBEJvubb2X Content-Disposition: inline
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (SCO_SV) Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj3v7sUACgkQbluZssSXDTHCHgCgmlx1yb/OESslQy/+VX++oHPw 5KMAnidkofjD5ao29dohhgbfH5EMPhoo =OCH7 -----END PGP SIGNATURE-----
--UFHRwCdBEJvubb2X--
|
|
|
|