-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : apache SUMMARY : Denial of service vulnerabilities DATE : 2003-07-24 14:16:00 ID : CLA-2003:704 RELEVANT RELEASES : 7.0, 8 - ------------------------------------------------------------------------- DESCRIPTION Apache[1] is the most popular webserver in use today. The Apache Software Foundation and The Apache Server Project released[2] a new version of the Apache webserver which addresses the following security vulnerabilities: 1. Rotatelogs program (CAN-2003-0460)[3] The Hitachi Incident Response team reported that, on Win32 and OS/2, the rotatelogs support program did not ignore special control characters received over the pipe. These characters could cause the program to quit logging and exit. This issue does not affect Conectiva Linux. 2. Denial of service (VU #379828)[4] Ryan O'Neill reported that it is possible to make the httpd server enter infinite loops and crash under certain circumstances. A new configuration directive has been created (LimitInternalRecursion) to avoid these infinite loops and abort the request which caused them if the configured limit has been reached. 3. File descriptor leak Leaks of several file descriptors to child processes, such as CGI scripts, were fixed. SOLUTION It is recommended that all Apache users upgrade their packages. IMPORTANT: it is necessary to manually restart the httpd server after upgrading the packages. In order to do this, execute the following as root: service httpd stop (wait a few seconds and check with "ps ax|grep httpd" if there are any httpd processes running. On a busy webserver this could take a little longer) service apache start REFERENCES 1. http://httpd.apache.org/ 2. http://www.apache.org/dist/httpd/Announcement.html 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0460 4. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19753 UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/apache-1.3.28-1U70_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.28-1U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.28-1U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.28-1U70_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/apache-1.3.28-1U80_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-1.3.28-1U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-devel-1.3.28-1U80_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-doc-1.3.28-1U80_1cl.i386.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribeat_private unsubscribe: conectiva-updates-unsubscribeat_private -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE/IBTL42jd0JmAcZARAqq8AJ9Zdrqval4Uy3jDMwqZi5ZKFerhuQCeK/Dk cAbzjciSFuMPqlhbi26zx68= =qP+J -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 12:12:07 PDT