Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apache :: mk1-0772.txt

Mandrake Linux Security Advisory MDKSA-2001:077-2 Apache long pathname vulnerability




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           apache
Date:                   November 28th, 2001
Advisory ID:            MDKSA-2001:077-2

Affected versions:      Single Network Firewall 7.2
________________________________________________________________________

Problem Description:

 A problem exists with all Apache servers prior to version 1.3.19.  The
 vulnerablity could allow directory indexing and path discovery on the
 vulnerable servers with a custom crafted request consisting of a long
 path name created artificially by using numerous slashes.  This can
 cause modules to misbehave and return a listing of the directory
 contents by avoiding the error page.

 Another vulnerability found by Procheckup (www.procheckup.com) was
 that all directories, by default, were configured as browseable so
 an attacker could list all files in the targeted directories.  As
 well, Procheckup found that the perl-proxy/management software on
 port 8200 would supply dangerous information to attackers due to
 a perl status script that was enabled.  We have disabled directory
 browsing by default and have disabled the perl status scripts.

 There are a few steps required to update Apache properly for Single
 Network Firewall 7.2.  Please also note that you should not use the
 automatic update facilities of the web interface to update Apache,
 but should do this either locally or via ssh.

  1) Stop apache (service httpd stop) if running
  2) Stop httpd-naat (service httpd-naat stop)
  3) Completely backup /etc/httpd/conf/*
  4) Backup /var/log/httpd and /var/log/httpd-naat (the uninstall
     scripts of the previous apache versions may remove the log files)
  5) Remove the currently installed apache, mod_perl, mod_ssl, and php
     packages from the system.  You can do this using:

       urpme apache-common

  6) Upgrade mm/mm-devel
  7) Install the download upgrade packages of apache components using 
     "rpm -ivh *.rpm"
  8) Restore your /var/log/httpd and /var/log/httpd-naat backups
  9) Start httpd-naat (service httpd-naat start)
 10) Start apache if you were previously using it (service httpd start)

________________________________________________________________________

References:

  http://www.securityfocus.com/bid/2503
  http://bugs.apache.org/index.cgi/full/7848
  http://www.apacheweek.com/issues/01-09-28#security
  http://www.securityfocus.com/bid/3009
  http://www.procheckup.com/vulnerabilities/pr0107.html
________________________________________________________________________

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:
  rpm --checksig package.rpm
You can get the GPG public key of the Mandrake Linux Security Team at
  http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.

Single Network Firewall 7.2:
da7a34158c05680642da97b0a9647705  snf7.2/RPMS/HTML-Embperl-1.3b6-4.1mdk.i586.rpm
d06ffe4b205e278f81fdf0f2bcf65257  snf7.2/RPMS/apache-1.3.20-4.1mdk.i586.rpm
61959a5e986c91b8b5fc9b1151a01156  snf7.2/RPMS/apache-common-1.3.20-4.1mdk.i586.rpm
e070220acb27f21433801a54bc8a6c52  snf7.2/RPMS/apache-devel-1.3.20-4.1mdk.i586.rpm
9ea8e4dd08d8ea01a7040ef31eab3ed2  snf7.2/RPMS/apache-manual-1.3.20-4.1mdk.i586.rpm
86be2ad11f1b169d8fb99013498a4994  snf7.2/RPMS/apache-mod_perl-1.3.20_1.24-4.1mdk.i586.rpm
1eb7502d1fb78cb56d82c5f23ce4c06b  snf7.2/RPMS/apache-mod_perl-devel-1.3.20_1.24-4.1mdk.i586.rpm
1fa327b4bc3615c04cf142410563942c  snf7.2/RPMS/apache-suexec-1.3.20-4.1mdk.i586.rpm
9c1e4aa1d6dd17df146c081664d5355a  snf7.2/RPMS/httpd-naat-0.5-4.1mdk.noarch.rpm
55e269403950e662d1e7d8678caa2167  snf7.2/RPMS/mm-1.1.3-8.2mdk.i586.rpm
3cc975f6329fd90d4a5ba4b73d02ced5  snf7.2/RPMS/mm-devel-1.1.3-8.2mdk.i586.rpm
35f9a3bea810cc205a099c0ae7052c63  snf7.2/RPMS/mod_auth_external-2.1.2-6.1mdk.i586.rpm
d09fca52a502ead8f72661973efd8291  snf7.2/RPMS/mod_php-4.0.4pl1-4.1mdk.i586.rpm
4060647bda4da6ff883d1366d6327361  snf7.2/RPMS/mod_ssl-2.8.4-4.1mdk.i586.rpm
1dd86e83ed52132fa916b8d953f97e77  snf7.2/RPMS/mod_sxnet-1.2.4-4.1mdk.i586.rpm
b9904128ec8c5a06075746661ee8f65a  snf7.2/RPMS/naat-frontend-www-de-0.5-3.1mdk.noarch.rpm
90f7be4dcbb0b4e16f9588bcdb76fa33  snf7.2/RPMS/naat-frontend-www-doc-0.5-3.1mdk.noarch.rpm
3293505d1c1031cec43d0afa52fed99e  snf7.2/RPMS/naat-frontend-www-en-0.5-3.1mdk.noarch.rpm
ab6dec4f468a93a38fb0c81bf9eb208d  snf7.2/RPMS/naat-frontend-www-fr-0.5-3.1mdk.noarch.rpm
f1d1d954ae5545b4550501b2b22ee873  snf7.2/RPMS/php-4.0.4pl1-4.1mdk.i586.rpm
85b1e593713fb86f2096a37bcd3f85fc  snf7.2/RPMS/php-gd-4.0.4pl1-4.1mdk.i586.rpm
0451e537cfcd896a95b06e0e3d6cf21c  snf7.2/SRPMS/apache-1.3.20-4.1mdk.src.rpm
4c670aee57138e5443d3e76c0edac334  snf7.2/SRPMS/httpd-naat-0.5-4.1mdk.src.rpm
546c1784c586b928cea91e4a09812209  snf7.2/SRPMS/mm-1.1.3-8.2mdk.src.rpm
e745c54745b99a202c96b53353df0905  snf7.2/SRPMS/mod_auth_external-2.1.2-6.1mdk.src.rpm
b6060dc3f17b54ee85f5da89291a95ad  snf7.2/SRPMS/mod_ssl-2.8.4-4.1mdk.src.rpm
17ec81b1e003bb9192af6196db144adb  snf7.2/SRPMS/mod_sxnet-1.2.4-4.1mdk.src.rpm
135e9367bd2bc6f759ee929ccbdc0480  snf7.2/SRPMS/naat-frontend-www-0.5-3.1mdk.src.rpm
4de1678409f813c99ab6e5711c585956  snf7.2/SRPMS/php-4.0.4pl1-4.1mdk.src.rpm

________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

________________________________________________________________________

To upgrade automatically, use MandrakeUpdate.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".

You can download the updates directly from one of the mirror sites
listed at:

  http://www.linux-mandrake.com/en/ftp.php3.

Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for
Mandrake Linux 8.0, look for it in "updates/8.0/RPMS/".  Updated source
RPMs are available as well, but you generally do not need to download
them.

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other security advisories for Mandrake Linux at:

  http://www.linux-mandrake.com/en/security/

If you want to report vulnerabilities, please contact

  security@linux-mandrake.com
________________________________________________________________________

Mandrake Linux has two security-related mailing list services that
anyone can subscribe to:

security-announce@linux-mandrake.com

  Mandrake Linux's security announcements mailing list.  Only
  announcements are sent to this list and it is read-only.

security-discuss@linux-mandrake.com

  Mandrake Linux's security discussion mailing list.  This list is open
  to anyone to discuss Mandrake Linux security specifically and Linux
  security in general.

To subscribe to either list, send a message to
  sympa@linux-mandrake.com
with "subscribe [listname]" in the body of the message.

To remove yourself from either list, send a message to
  sympa@linux-mandrake.com
with "unsubscribe [listname]" in the body of the message.

To get more information on either list, send a message to
  sympa@linux-mandrake.com
with "info [listname]" in the body of the message.

Optionally, you can use the web interface to subscribe to or unsubscribe
from either list:

  http://www.linux-mandrake.com/en/flists.php3#security
________________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security@linux-mandrake.com>


- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPa5AQ0EOWnn
7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77
9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV
Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s
+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX
Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl
3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi
RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX
lA==
=0ahQ
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8BWLbmqjQ0CJFipgRAoiDAJ40AUu2PiYu91ltsNYvy/C7V0c7NgCgqnxg
i1+ox0DWqdF3IyopD+2KExU=
=yqBi
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH