__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Apache HTTP Server 2.0.48 Release Fixes Security Vulnerabilities
[Apache 2.0.48 Released]
October 29, 2003 19:00 GMT Number O-015
______________________________________________________________________________
PROBLEM: There exist two security vulnerabilities:
1) mod_cgid mishandling of CGI redirect paths could result in
CGI output going to the wrong client when a threaded Multi-
processing Module (MPM) is used.
2) A buffer overflow could occur in mod_alias and mod_rewrite
when a regular expression with more than 9 captures is configured.
PLATFORM: Apache 2.0.47
DAMAGE: 1) Information for one user could be directed to another.
2) A buffer overflow could cause a system crash or be used to take
control of a system.
SOLUTION: Upgrade to Apache 2.0.48.
______________________________________________________________________________
VULNERABILITY The risk is LOW. The first problem is unlikely to expose a
ASSESSMENT: system to additional compromise. For the second problem, a
mod_rewrite regular expression is unlikely to be configured to
have more than 9 captures.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-015.shtml
ORIGINAL BULLETIN: http://www.apache.org/dist/httpd/Announcement2.html
CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
CVE-2003-0789 CVE-2003-0542
______________________________________________________________________________
[***** Start Apache 2.0.48 Released *****]
Apache HTTP Server 2.0.48 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to
announce the eleventh public release of the Apache 2.0 HTTP Server. This Announcement
notes the significant changes in 2.0.48 as compared to 2.0.47.
This version of Apache is principally a bug fix release. A summary of the bug fixes
is given at the end of this document. Of particular note is that 2.0.48 addresses two
security vulnerabilities:
mod_cgid mishandling of CGI redirect paths could result in CGI output going to the
wrong client when a threaded MPM is used.
[CAN-2003-0789]
A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression
with more than 9 captures is configured.
[CAN-2003-0542]
This release is compatible with modules compiled for 2.0.42 and later versions. We
consider this release to be the best version of Apache available and encourage users
of all prior versions to upgrade.
Apache 2.0.48 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the
1.3 codebase. For an overview of new features introduced after 1.3 please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep in mind the following:
If you intend to use Apache with one of the threaded MPMs, you must ensure that the
modules (and the libraries they depend on) that you will be using are thread-safe.
Please contact the vendors of these modules to obtain this information.
Apache 2.0.48 Major changes
Security vulnerabilities closed since Apache 2.0.47
* SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of the AF_UNIX socket
used to communicate with the cgid daemon and the CGI script. [Jeff Trawick]
* SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and mod_rewrite which
occurred if one configured a regular expression with more than 9 captures. [André
Malo]
Bugs fixed and features added since Apache 2.0.47
* mod_include: fix segfault which occured if the filename was not set, for example,
when processing some error conditions. PR 23836. [Brian Akins <bakins@web.turner.com>,
André Malo]
* fix the config parser to support <Foo>..</Foo> containers (no arguments in the opening
tag) supported by httpd 1.3. Without this change mod_perl 2.0's <Perl> sections are
broken. ["Philippe M. Chiasson" <gozer@cpan.org>]
* mod_cgid: fix a hash table corruption problem which could result in the wrong script
being cleaned up at the end of a request. [Jeff Trawick]
* Update httpd-*.conf to be clearer in describing the connection between AddType and
AddEncoding for defining the meaning of compressed file extensions. [Roy Fielding]
* mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André
Malo]
* mod_rewrite: Fix mod_rewrite's support of the [P] option to send rewritten request
using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI.
PR: 13946. [Eider Oliveira <eider@bol.com.br>]
* cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as
directed in RFC 2616. [Thomas Castelle <tcastelle@generali.fr>]
* Ensure that ssl-std.conf is generated at configure time, and switch to using the
expanded config variables to work the same as httpd-std.conf PR: 19611 [Thom May]
* mod_ssl: Fix segfaults after renegotiation failure. PR 21370 [Hartmut Keil <Hartmut.
Keil@adnovum.ch>]
* mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive,
the folder icon is no longer replaced by the icon of that file. PR 9587. [David Shane
Holden <dpejesh@yahoo.com>]
* Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's
name. PR 16661. [Manni Wood <manniwood@planet-save.com>]
* mod_cache: Fix the cache code so that responses can be cached if they have an Expires
header but no Etag or Last-Modified headers. PR 23130. [bjorn@exoweb.net]
* mod_log_config: Fix %b log format to write really "-" when 0 bytes were sent (e.g.
with 304 or 204 response codes). [Astrid Keßler]
* Modify ap_get_client_block() to note if it has seen EOS. [Justin Erenkrantz]
* Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the
Accept-Encoding header contained only other tokens than "gzip" (such as "deflate").
PR 21523. [Joe Orton, André Malo]
* Avoid an infinite recursion, which occured if the name of an included config file or
directory contained a wildcard character. PR 22194. [André Malo]
* mod_ssl: Fix a problem setting variables that represent the client certificate chain.
PR 21371 [Jeff Trawick]
* Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_
mutex_perms(). Allow the functions to be called for any type of mutex. PR 20312 [Jeff
Trawick]
* ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick]
* Fix a misleading message from the some of the threaded MPMs when MaxClients has to be
lowered due to the setting of ServerLimit. [Jeff Trawick]
* Lower the severity of the "listener thread didn't exit" message to debug, as it is of
interest only to developers. PR 9011 [Jeff Trawick]
* MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. [Cliff Woolley,
Jean-Jacques Clar]
* Install config.nice into the build/ directory to make minor version upgrades easier.
[Joshua Slive]
* Fix mod_deflate so that it does not call deflate() without checking first whether it
has something to deflate. (Currently this causes deflate to generate a fatal error
according to the zlib spec.) PR 22259. [Stas Bekman]
* mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an identity spoof is
encountered. [Sander Striker]
* mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the
.htaccess file is requested without a trailing slash. PR 20195. [André Malo]
* ab: Overlong credentials given via command line no longer clobber the buffer. [André
Malo]
* mod_deflate: Don't attempt to hold all of the response until we're done. [Justin
Erenkrantz]
* Assure that we block properly when reading input bodies with SSL. PR 19242. [David
Deaves <David.Deaves@dd.id.au>, William Rowe]
* Update mime.types to include latest IANA and W3C types. [Roy Fielding]
* mod_ext_filter: Set additional environment variables for use by the external filter.
PR 20944. [Andrew Ho, Jeff Trawick]
* Fix buildconf errors when libtool version changes. [Jeff Trawick]
* Remember an authenticated user during internal redirects if the redirection target is
not access protected and pass it to scripts using the REDIRECT_REMOTE_USER environment
variable. PR 10678, 11602. [André Malo]
* mod_include: Fix a trio of bugs that would cause various unusual sequences of parsed
bytes to omit portions of the output stream. PR 21095. [Ron Park <ronald.park@cnet.com>,
André Malo, Cliff Woolley]
* Update the header token parsing code to allow LWS between the token word and the ':'
seperator. [PR 16520] [Kris Verbeeck <kris.verbeeck@advalvas.be>, Nicel KM <mnicel@yahoo.
com>]
* Eliminate creation of a temporary table in ap_get_mime_headers_core() [Joe Schaefer
<joe+gmane@sunstarsys.com>]
* Added FreeBSD directory layout. PR 21100. [Sander Holthaus <info@orangexl.com>, André
Malo]
* Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085.
[Glenn Nielsen <glenn@apache.org>, André Malo]
* mod_rewrite: Perform child initialization on the rewrite log lock. This fixes a log
corruption issue when flock-based serialization is used (e.g., FreeBSD). [Jeff Trawick]
* Don't respect the Server header field as set by modules and CGIs. As with 1.3, for proxy
requests any such field is from the origin server; otherwise it will have our server info
as controlled by the ServerTokens directive. [Jeff Trawick]
[***** End Apache 2.0.48 Released *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Apache for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
O-005: Microsoft Exchange Server Vulnerabilities
O-006: Microsoft Authenticode Verification Vulnerability
O-007: Microsoft Windows Help and Support Center Buffer Overrun Vulnerability
O-008: Microsoft Troubleshooter ActiveX Control Buffer Overflow Vulnerability
O-009: Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities
O-010: Microsoft Exchange Server 5.5 Outlook Web Access Vulnerability
O-011: Sun Vulnerability in Solaris "AnswerBOok2 Documentation" Admin Script
O-012: Sun Vulnerability in Solaris "AnswerBOok2 Documentation" Server Daemon
O-013: Buffer Overflow in Oracle Binary
O-014: SGI Wildcard Exportfs Issue in Network File SYstem (NFS)
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
