CERT VU:434566

Feb 03, 2004

Apache mod_rewrite vulnerable to buffer overflow via crafted regular expression

www.kb.cert.org

CVSS2: 10 High

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.003 Low (percentile 69.2%)

Overview

A vulnerability in a supplementary module to the Apache HTTP server could allow an attacker to execute arbitrary code on an affected web server under certain circumstances.

Description

The Apache HTTP server distribution includes a number of supplemental modules that provide additional functionality to the web server. One of these modules, mod_rewrite, provides a rule-based rewriting engine to rewrite requested URLs "on the fly" based on regular expressions. A buffer overflow has been discovered in the way that mod_rewrite handles regular expressions containing more than 9 captures (stored strings matching a particular pattern). This flaw results in a remotely exploitable vulnerability on web servers that specify such a regular expression to the mod_rewrite module in their configuration files.


Impact

An attacker may be able to execute arbitrary code in the context of the web server user (e.g., "apache", "httpd", "nobody", etc.). The attacker would have to have the ability to supply a specially crafted configuration file (e.g., .htaccess or httpd.conf) to the Apache server in order to mount this attack.
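
A configuration audit for the condition described above, as an added example (not code from CERT/CC or the Apache project): it scans httpd.conf or .htaccess text for mod_rewrite and mod_alias regex directives and reports patterns with more than 9 captures. The directive list, the simplified argument tokenizer and the capture-counting heuristic are assumptions of this example, and the sample configuration is constructed.

```python
import re

MAX_SAFE_CAPTURES = 9  # the advisory: overflow when a pattern has more than 9 captures

# Assumed directive list: lower-case name -> index of the regex argument.
REGEX_ARG = {"rewriterule": 0, "rewritecond": 1, "aliasmatch": 0,
             "scriptaliasmatch": 0, "redirectmatch": 0}
# RedirectMatch may carry an optional status argument before the regex.
REDIRECT_STATUS = re.compile(r"^(permanent|temp|seeother|gone|\d{3})$", re.I)
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
NAMED_GROUP = re.compile(r"\?(P<|<[^=!]|')")  # PCRE named (capturing) groups


def count_captures(pattern):
    """Count capturing groups, skipping escapes, bracket expressions and (?...)."""
    count, i, in_class, n = 0, 0, False, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":            # escaped character, e.g. \( is a literal paren
            i += 2
            continue
        if in_class:
            if c == "]":
                in_class = False
        elif c == "[":
            in_class = True
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":   # leading ']' is a literal member
                i = j
        elif c == "(":
            rest = pattern[i + 1:i + 4]
            if not rest.startswith("?") or NAMED_GROUP.match(rest):
                count += 1
        i += 1
    return count


def tokenize(line):
    """Split a directive line into arguments, honouring double quotes."""
    out = []
    for m in TOKEN.finditer(line):
        if m.group(2) is not None:
            out.append(m.group(2))
        else:
            out.append(m.group(1).replace('\\"', '"'))
    return out


def audit(config_text):
    """Return (line number, directive, capture count) for each risky pattern."""
    findings, pending, start = [], "", 0
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if not pending:
            start = lineno
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        tokens = tokenize(line)
        name, args = tokens[0].lower(), tokens[1:]
        if name not in REGEX_ARG:
            continue
        idx = REGEX_ARG[name]
        if name == "redirectmatch" and args and REDIRECT_STATUS.match(args[0]):
            idx = 1
        if idx >= len(args):
            continue
        captures = count_captures(args[idx])
        if captures > MAX_SAFE_CAPTURES:
            findings.append((start, tokens[0], captures))
    return findings


# Constructed sample configuration, not taken from the advisory.
SAMPLE = r"""# constructed sample
RewriteEngine On
RewriteRule ^/a/(\d+)/(\d+)$ /x?id=$1-$2 [L]
RewriteCond %{REQUEST_URI} ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$
AliasMatch "^/m/(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)" /srv/$1
RedirectMatch 301 ^/(?:a)(?:b)(c)\((d)[(](e)$ http://example.invalid/$1
"""

if __name__ == "__main__":
    for lineno, directive, captures in audit(SAMPLE):
        print(f"line {lineno}: {directive} pattern has {captures} captures")
```

Run it over every httpd.conf include and every .htaccess file a non-administrator can write, since those are the files the Impact section names as the attack input.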


Solution

Apply a patch from the vendor

Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.


Workarounds

Disable mod_rewrite if it is not required in your web server configuration. Instructions for doing this can be found in the Apache HTTP server documentation. Sites, particularly those that are not able to apply the patches, are encouraged to consider implementing this workaround.


Vendor Information


Apache Software Foundation: Affected

Updated: February 02, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Apache Software Foundation has released versions 1.3.29 and 2.0.48 of the Apache httpd server in response to this issue. These patched versions of the software are available at:

<http://www.apache.org/dist/httpd/>

Because this software is commonly repackaged by third-party vendors, users are encouraged to review the Systems Affected section of VU#434566 first to determine whether their vendor has produced an update for their systems.

Users who compile the Apache httpd software from source code are encouraged to upgrade to one of the patched versions listed above (or newer). Users are also encouraged to verify the PGP signatures on the software distribution before compiling and installing it on their systems.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23434566 Feedback>).

Conectiva: Affected

Updated: February 02, 2004

Status

Affected

Vendor Statement

--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE : apache
SUMMARY : Fix for some vulnerabilities
DATE : 2003-11-05 19:18:00
ID : CLA-2003:775
RELEVANT RELEASES : 7.0, 8, 9

-------------------------------------------------------------------------

DESCRIPTION
Apache[1] is the most popular webserver in use today.

New versions of the Apache web server have been made available[2][3]
with the following security fixes:

  1. Buffer overflow in mod_alias and mod_rewrite (CAN-2003-0542) [4]
    A buffer overflow could occur in mod_alias and mod_rewrite when a
    regular expression with more than 9 captures is configured. Users who
    can create or modify configuration files (httpd.conf or .htaccess,
    for example) could trigger this. This vulnerability affects Apache
    1.3.x and Apache 2.0.x.

  2. mod_cgid mishandling of CGI redirect paths (CAN-2003-0789) [5]
    mod_cgid mishandling of CGI redirect paths could result in CGI output
    going to the wrong client when a threaded MPM is used. The packages
    provided with Conectiva Linux 9 are not vulnerable to this issue
    because they are not compiled with that MPM, but the fix has been
    included because new packages for Conectiva Linux 9 were already
    being built for the suexec problem (see below).

In addition to the above security fixes, "suexec" has been correctly
built in the Conectiva Linux 9 packages, fixing[6] the problem where
CGI scripts could not be run from the user's home directory.

SOLUTION
It is recommended that all Apache users upgrade their packages.

IMPORTANT: it is necessary to manually restart the httpd server after
upgrading the packages. In order to do this, execute the following as
root:

service httpd stop

(wait a few seconds and check with "pidof httpd" if there are any
httpd processes running. On a busy webserver this could take a little
longer)

service httpd start

REFERENCES

  1. <http://apache.httpd.org/>
  2. <http://www.apache.org/dist/httpd/Announcement2.html>
  3. <http://www.apache.org/dist/httpd/Announcement.html>
  4. <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542>
  5. <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789>
  6. <http://bugzilla.conectiva.com.br/show_bug.cgi?id=8754> (pt_BR only)

UPDATED PACKAGES
<ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/apache-1.3.28-1U70_2cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.28-1U70_2cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.28-1U70_2cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.28-1U70_2cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/8/SRPMS/apache-1.3.28-1U80_2cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-1.3.28-1U80_2cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-devel-1.3.28-1U80_2cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-doc-1.3.28-1U80_2cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_5cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_5cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_5cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_5cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_5cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_5cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_5cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_5cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_auth_ldap-2.0.45-28790U90_5cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_dav-2.0.45-28790U90_5cl.i386.rpm>

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:

 - run: apt-get update
 - after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at <http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en>

-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at <http://distro.conectiva.com.br/seguranca/chave/?idioma=en>
Instructions on how to check the signatures of the RPM packages can be found at <http://distro.conectiva.com.br/seguranca/politica/?idioma=en>

-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at <http://distro.conectiva.com.br/atualizacoes/?idioma=en>

-------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc. <http://www.conectiva.com>


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Gentoo Linux: Affected

Updated: February 02, 2004

Status

Affected

Vendor Statement

---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-03
---------------------------------------------------------------------------

PACKAGE : net-www/apache
SUMMARY : buffer overflow
DATE : Tue Oct 28 16:43:46 UTC 2003
EXPLOIT : local
VERSIONS AFFECTED : <apache-1.3.29
FIXED VERSION : >=apache-1.3.29
CVE : CAN-2003-0542 (under review at time of GLSA)

---------------------------------------------------------------------------

Quote from <http://httpd.apache.org/dev/dist/Announcement>:

This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.29 addresses and fixes 1 potential security issue:

o CAN-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures.

We consider Apache 1.3.29 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family.

SOLUTION

It is recommended that all Gentoo Linux users who are running net-misc/apache 1.x upgrade:

    emerge sync
    emerge -pv apache
    emerge '>=net-www/apache-1.3.29'
    emerge clean
    /etc/init.d/apache restart

// end


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Guardian Digital Inc.: Affected

Updated: February 02, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Guardian Digital, Inc. has published Guardian Digital Security Advisory ESA-20031105-030 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.


Hewlett-Packard Company: Affected

Updated: March 08, 2004

Status

Affected

Vendor Statement

-----------------------------------------------------------------
REVISED 01
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0311-301
Originally issued: 18 November 2003
Last revised: 19 November 2003
SSRT3663 Apache HTTP Server mod_cgid, mod_alias, mod_rewrite

NOTICE: There are no restrictions for distribution of this
Bulletin provided that it remains complete and intact.

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

-----------------------------------------------------------------
PROBLEM: 1. mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used.

More details are available at: <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789>

2. A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 captures is configured.

More details are available at: <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542>

IMPACT: Potential Denial of Service or execute arbitrary code.

PLATFORM: HP9000 Servers running HP-UX release B.11.00, B.11.11, B.11.20, B.11.22, and B.11.23 with versions of the following products are affected, and represented as: product-name, version (product-tag/bundle-tag)

product-name, version (product-tag/bundle-tag)

- hp apache-based web server, 2.0.43.04 or earlier (HPApache/B9416AA) This product includes Apache 2.0.43.

- hp-ux apache-based web server, v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache) This product includes Apache 2.0.47.

- hp apache-based web server (with IPv6 support), 2.0.43.04 or earlier (HPApache/B9416BA) This product includes Apache 2.0.43.

- hp-ux apache-based web server(with IPv6 support), v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache) This product includes Apache 2.0.47.

SOLUTION: For HP-UX releases B.11.00, B.11.11, B.11.20, B.11.22 and B.11.23 download new HP Apache product from <http://www.software.hp.com/>:

For HPApache/B9416AA, HPApache/B9416BA and hpuxwsAPACHE/hpuxwsApache download the following:

- hp-ux apache-based web server (with IPv4) v.1.0.10.01 or later (hpuxwsAPACHE/hpuxwsApache) This product includes Apache 2.0.48. <http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE>

- hp-ux apache-based web server(with IPv6 support), v.1.0.10.01 or later (hpuxwsAPACHE/hpuxwsApache) This product includes Apache 2.0.48. <http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE>

MANUAL ACTIONS: Yes - Non-Update
Install the product containing the fix. For customers with HPApache/B9416AA HPApache/B9416BA installed, the fix requires migration to hpuxwsAPACHE/hpuxwsApache and removing the affected products from the system.

AVAILABILITY: Complete product bundles are available now on <http://www.software.hp.com/>

CHANGE SUMMARY: Rev. 01 Corrected typo in version number

REVISED 01
A. Background
The Common Vulnerabilities and Exposures project
<http://cve.mitre.org/> has identified potential
vulnerabilities in the Apache HTTP Server (CAN-2003-0789, and
CAN-2003-0542). It affects the following HP product
numbers/versions on HP-UX releases B.11.00, B.11.11, B.11.20,
B.11.22, and B.11.23:

- hp apache-based web server, 2.0.43.04 or earlier (HPApache/B9416AA)

- hp-ux apache-based web server, v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache)

- hp apache-based web server, 2.0.43.04 (with IPv6 support) or earlier (HPApache/B9416BA)

- hp-ux apache-based web server (with IPv6 support), v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache)

AFFECTED VERSIONS

The following is a list of affected filesets or patches and fix information. To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an affected fileset or patch, then determine if a fixed revision or applicable patch is installed.

HP-UX B.11.00
HP-UX B.11.11
HP-UX B.11.20
HP-UX B.11.22
HP-UX B.11.23

HPApache.APACHE2
hpuxwsAPACHE.APACHE2
-->> fix: install hp-ux apache-based web server, v.1.0.10.01
or later.

END AFFECTED VERSIONS

B. Recommended solution
The Apache Software Foundation has released Apache 2.0.48 as the best known version that fixes the problems identified in the above mentioned issues.

For customers using HPApache/B9416AA HPApache/B9416BA and
hpuxwsAPACHE/hpuxwsApache, HP has incorporated Apache 2.0.48
in the following product:

Check for Apache Installation

To determine if the Apache web server from HP is installed on
your system, use Software Distributor's swlist command. All
three versions products may co-exist on a single system.

For example, the results of the command swlist -l product | grep -i apache

HPApache 2.0.39.01.02 HP Apache-based Web Server
hpuxwsAPACHE A.1.0.09.01 HP-UX Apache-based Web Server

Stop Apache

Before updating, make sure to stop any previous Apache binary.
Otherwise, the previous binary will continue running,
preventing the new one from starting, although the installation
would be successful.

After determining which Apache is installed, stop Apache with the following commands:

for HPApache: /opt/hpapache2/bin/apachectl stop
for hpuxwsAPACHE: /opt/hpws/apache/bin/apachectl stop

Download and Install Apache

  - Download Apache from Software Depot using the previously
    mentioned links.
  - Verify successful download by comparing the cksum with the
    value specified on the installation web page.
  - Use SD to swinstall the depot.
  - For customers with HPApache/B9416BA installed, migrate to
    hpuxwsAPACHE/hpuxwsApache and remove the affected products
    from the system.

Installation of this new version of HP Apache over an existing HP Apache installation is supported, while installation over a non-HP Apache is NOT supported.

Removing Apache Installation

If you rather remove Apache from your system than install a
newer version to resolve the security problem, use both
Software Distributor's "swremove" command and also "rm -rf" the
home location as specified in the rc.config.d file "HOME"
variables.

To find the files containing HOME variables in the /etc/rc.config.d directory:

%ls /etc/rc.config.d | grep apache
hpapache2conf
hpws_apacheconf

C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following:

Use your browser to get to the HP IT Resource Center page at:

<http://itrc.hp.com>

Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login, in order to gain access to many areas of the ITRC. Remember to save the User ID assigned to you, and your password.

In the left most frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link (in the middle column) for the appropriate digest.

NOTE: Using your itrc account security bulletins can be found here: <http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin>

To -gain access- to the Security Patch Matrix, select the link for "The Security Bulletins Archive". (near the bottom of the page) Once in the archive the third link is to the current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. Security Patch Check completely automates the process of reviewing the patch matrix for 11.XX systems. Please note that installing the patches listed in the Security Patch Matrix will completely implement a security bulletin _only_ if the MANUAL ACTIONS field specifies "No."

The Security Patch Check tool can verify that a security bulletin has been implemented on HP-UX 11.XX systems providing that the fix is completely implemented in a patch with no manual actions required. The Security Patch Check tool cannot verify fixes implemented via a product upgrade.

For information on the Security Patch Check tool, see: <http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA>

The security patch matrix is also available via anonymous ftp:

<ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/>

On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive".

The PGP key used to sign this bulletin is available from several PGP Public Key servers. The key identification information is:

2D2A7D59 HP Security Response Team (Security Bulletin signing only) <[email protected]>
Fingerprint = 6002 6019 BFC1 BC62 F079 862E E01F 3AFC 2D2A 7D59

If you have problems locating the key please write to [email protected]. Please note that this key is for signing bulletins only and is not the key returned by sending 'get key' to [email protected].

D. To report new security vulnerabilities, send email to

[email protected]

Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to [email protected].

-----------------------------------------------------------------

(c)Copyright 2003 Hewlett-Packard Company Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of HP products referenced herein are trademarks and/or service marks of Hewlett-Packard Company. Other product and company names mentioned herein may be trademarks and/or service marks of their respective owners.


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft: Affected

Updated: February 02, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has published MandrakeSoft Security Advisory MDKSA-2003:103 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.


OpenPKG: Affected

Updated: February 02, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The OpenPKG development team has published OpenPKG Security Advisory OpenPKG-SA-2003.046 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.


Red Hat Inc.: Affected

Updated: February 02, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat, Inc. has published the following Red Hat Security Advisories in response to this issue:

* [RHSA-2003:320](<http://rhn.redhat.com/errata/RHSA-2003-320.html>)
* [RHSA-2003:360](<http://rhn.redhat.com/errata/RHSA-2003-360.html>)
* [RHSA-2003:405](<http://rhn.redhat.com/errata/RHSA-2003-405.html>)
* [RHSA-2004:015](<http://rhn.redhat.com/errata/RHSA-2004-015.html>)

Users are encouraged to review the information provided in these advisories and apply the patches they refer to.


SCO: Affected

Updated: March 08, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The SCO Group has published SCO Security Advisory CSSA-2003-SCO.28 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.


SGI: Affected

Updated: February 02, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has published SGI Advanced Linux Environment security update #7 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.


Slackware: Affected

Updated: February 02, 2004

Status

Affected

Vendor Statement


[slackware-security] apache security update (SSA:2003-308-01)

Apache httpd is a hypertext transfer protocol server, and is used by over two thirds of the Internet's web sites.

Upgraded Apache packages are available for Slackware 8.1, 9.0, 9.1, and -current. These fix local vulnerabilities that could allow users who can create or edit Apache config files to gain additional privileges. Sites running Apache should upgrade to the new packages.

In addition, new mod_ssl packages have been prepared for all platforms, and new PHP packages have been prepared for Slackware 8.1, 9.0, and -current (9.1 already uses PHP 4.3.3). In -current, these packages also move the Apache module directory from /usr/libexec to /usr/libexec/apache. Links for all of these related packages are provided below.

More details about the Apache issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542>

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Mon Nov 3 20:06:29 PST 2003
patches/packages/apache-1.3.29-i486-1.tgz: Upgraded to apache-1.3.29.
  This fixes the following local security issue:
  o CAN-2003-0542 (cve.mitre.org)
    Fix buffer overflows in mod_alias and mod_rewrite which occurred if
    one configured a regular expression with more than 9 captures.
  This vulnerability requires the attacker to create or modify certain
  Apache configuration files, and is not a remote hole. However, it could
  possibly be used to gain additional privileges if access to the Apache
  administrator account can be gained through some other means. All sites
  running Apache should upgrade.
  (* Security fix *)
+--------------------------+

WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+

Updated packages for Slackware 8.1:
<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.29-i386-1.tgz>
<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.16_1.3.29-i386-1.tgz>
<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.3-i386-1.tgz>

Updated packages for Slackware 9.0:
<ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.29-i386-1.tgz>
<ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.16_1.3.29-i386-1.tgz>
<ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.3-i386-1.tgz>

Updated packages for Slackware 9.1:
<ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.29-i486-1.tgz>
<ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.16_1.3.29-i486-1.tgz>

Updated packages for Slackware -current:
<ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.29-i486-1.tgz>
<ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.16_1.3.29-i486-1.tgz>
<ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.3-i486-3.tgz>


INSTALLATION INSTRUCTIONS:
+------------------------+

First, stop apache:

# apachectl stop

Next, upgrade these packages as root:

# upgradepkg apache-1.3.29-i486-1.tgz
# upgradepkg mod_ssl-2.8.16_1.3.29-i486-1.tgz
# upgradepkg php-4.3.3-i486-3.tgz

Finally, restart apache:

# apachectl start

Or, if you're running a secure server with mod_ssl:

# apachectl startssl

+-----+

Slackware Linux Security Team
<http://slackware.com/gpg-key>
[email protected]


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sun Microsystems Inc.: Affected

Updated: March 08, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Microsystems, Inc. has published Sun Security Alert #57496 in response to this issue. Users are encouraged to review this alert and apply the patches it refers to.


Trustix: Affected

Updated: February 02, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Trustix development team has published Trustix Secure Linux Security Advisory #2003-0041 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.



Acknowledgements

The Apache Software Foundation credits André Malo with the discovery of this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2003-0542
Severity Metric: 0.61
Date Public:
