-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org firstname.lastname@example.org email@example.com OpenPKG-SA-2004.021 12-May-2004 ________________________________________________________________________ Package: apache Vulnerability: privilege escalation, denial of service OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= apache-1.3.29-20040421 >= apache-1.3.31-20040511 OpenPKG 2.0 <= apache-1.3.29-2.0.0 >= apache-1.3.29-2.0.1 OpenPKG 1.3 <= apache-1.3.28-1.3.2 >= apache-1.3.28-1.3.3 Dependent Packages: none Description: With the release of the Apache HTTP Server  version 1.3.31, four security issues were fixed : 1. Access Control List (ACL) Handling: mod_access in Apache 1.3 before 1.3.30, when running on big-endian 64-bit platforms, did not properly parse Allow/Deny rules using IP addresses without a netmask. This could allow remote attackers to bypass intended access restrictions. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0993  to the problem. 2. Error Log Escape Sequence Filtering: Apache 1.3 before 1.3.30 did not filter terminal escape sequences from its error logs. This could make it easier for attackers to insert those sequences into the terminal emulators (of administrators viewing the error logs) containing vulnerabilities related to escape sequence handling. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0020  to the problem. 3. Nonce Verification in Digest Authentication: mod_digest in Apache 1.3 before 1.3.31 did not properly verify the nonce of a client response by using a AuthNonce secret. Apache now verifies the nonce returned in the client response to check whether it was issued by itself by means of a "AuthDigestRealmSeed" secret exposed as an MD5 checksum. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0987  to the problem. 4. Starvation Issue in Serialized accept(2) Handling: Apache 1.3 before 1.3.30, when using multiple listening sockets on certain platforms, allows remote attackers to cause a Denial of Service (blocked new connections) via a short-lived connection on a rarely-accessed listening socket. This starvation situation caused a child to hold the accept(2) mutual exclusion lock and block out new connections (on any socket) until another connection arrives on that rarely-accessed listening socket. The source of the problem seems to be that under some Unix platforms accept(2) unexpectedly blocks after select(2) flagged a socket as readable. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0174  to the problem. Please check whether you are affected by running "
/bin/rpm -q apache". If you have the "apache" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution) . Solution: Select the updated source RPM appropriate for your OpenPKG release , fetch it from the OpenPKG FTP service  or a mirror location, verify its integrity , build a corresponding binary RPM from it  and update your OpenPKG installation by applying the binary RPM . For the most recent release OpenPKG 2.0, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). $ ftp ftp.openpkg.org ftp> bin ftp> cd release/2.0/UPD ftp> get apache-1.3.29-2.0.1.src.rpm ftp> bye $ /bin/openpkg rpm -v --checksig apache-1.3.29-2.0.1.src.rpm $ /bin/openpkg rpm --rebuild apache-1.3.29-2.0.1.src.rpm $ su - # /bin/openpkg rpm -Fvh /RPM/PKG/apache-1.3.29-2.0.1.*.rpm ________________________________________________________________________ References:  http://httpd.apache.org/  http://www.apache.org/dist/httpd/CHANGES_1.3  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174  http://www.openpkg.org/tutorial.html#regular-source  http://www.openpkg.org/tutorial.html#regular-binary  ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.3.src.rpm  ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3.29-2.0.1.src.rpm  ftp://ftp.openpkg.org/release/1.3/UPD/  ftp://ftp.openpkg.org/release/2.0/UPD/  http://www.openpkg.org/security.html#signature ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG "(ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG iD8DBQFAoh68gHWT4GPEy58RAj8AAKDAS62t6ZsSCS7TpVD8P96QboDy9gCfTea5 X7ToXybIkgWSavmLEQUwoBg= =wAmy -----END PGP SIGNATURE-----