(Gentoo Issues Fix) Re: Apache mod_rewrite Contains a Buffer Overflow
|
|
SecurityTracker Alert ID: 1008260
|
|
CVE Reference: CAN-2003-0542
(Links to External Site)
|
Date: Nov 20 2003
|
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.0.47 and prior versions
|
Description: A vulnerability was reported in the Apache mod_rewrite component. A remote user may be able to trigger a buffer overflow.
It is reported that both mod_alias and mod_rewrite contain a buffer overflow. If the administrator has configured a regular expression
with more than 9 captures, the overflow can be triggered.
[Editor's note: The Apache notice did not indicate the impact of the
buffer overflow.]
|
Impact: [Editor's note: The Apache notice did not indicate the impact of the buffer overflow.]
|
Solution: Gentoo has issued a fix and recommends that Gentoo Linux users that are running net-misc/apache 1.x upgrade:
emerge sync
emerge -pv apache
emerge '>=net-www/apache-1.3.29'
emerge clean
/etc/init.d/apache restart
|
Vendor URL: httpd.apache.org/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Gentoo)
|
Reported By: Rajiv Aaron Manglani <rajiv@gentoo.org>
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 20 Nov 2003 02:21:10 -0500
From: Rajiv Aaron Manglani <rajiv@gentoo.org>
Subject: [gentoo-announce] GLSA: apache (200310-03)
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-03
- ---------------------------------------------------------------------------
PACKAGE : net-www/apache
SUMMARY : buffer overflow
DATE : Tue Oct 28 16:43:46 UTC 2003
EXPLOIT : local
VERSIONS AFFECTED : <apache-1.3.29
FIXED VERSION : >=apache-1.3.29
CVE : CAN-2003-0542 (under review at time of GLSA)
- ---------------------------------------------------------------------------
Quote from <http://httpd.apache.org/dev/dist/Announcement>:
This version of Apache is principally a bug and security fix release.
A partial summary of the bug fixes is given at the end of this document.
A full listing of changes can be found in the CHANGES file. Of
particular note is that 1.3.29 addresses and fixes 1 potential
security issue:
o CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures.
We consider Apache 1.3.29 to be the best version of Apache 1.3 available
and we strongly recommend that users of older versions, especially of
the 1.1.x and 1.2.x family, upgrade as soon as possible. No further
releases will be made in the 1.2.x family.
SOLUTION
It is recommended that all Gentoo Linux users who are running
net-misc/apache 1.x upgrade:
emerge sync
emerge -pv apache
emerge '>=net-www/apache-1.3.29'
emerge clean
/etc/init.d/apache restart
// end
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQE/vGZWnt0v0zAqOHYRAnnUAKCf7j5ZciPl2A/lfT2G6re9L0ZjugCfQGYk
RyV+5R/BFsdAzsMYZp9dT8A=
=ym4e
-----END PGP SIGNATURE-----
|
|
