httpd-cvs mailing list archives

From jwool...@apache.org
Subject cvs commit: httpd-site/xdocs/info security_bulletin_20020617.txt
Date Mon, 17 Jun 2002 18:25:10 GMT
jwoolley    2002/06/17 11:25:10

  Modified:    docs     index.html
               docs/docs-project index.html
               xdocs    index.xml
  Added:       docs/info security_bulletin_20020617.txt
               xdocs/info security_bulletin_20020617.txt
  Log:
  Add security bulletin to site and update the xdocs transforms
  
  Revision  Changes    Path
  1.26      +30 -0     httpd-site/docs/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/index.html,v
  retrieving revision 1.25
  retrieving revision 1.26
  diff -u -d -u -r1.25 -r1.26
  --- index.html	23 May 2002 20:18:35 -0000	1.25
  +++ index.html	17 Jun 2002 18:25:10 -0000	1.26
  @@ -75,6 +75,36 @@
              <table border="0" cellspacing="0" cellpadding="2" width="100%">
    <tr><td bgcolor="#525D76">
     <font color="#ffffff" face="arial,helvetica,sanserif">
  +   <a name="Security"><strong>SECURITY ADVISORY: June 17, 2002</strong></a>
  +  </font>
  + </td></tr>
  + <tr><td>
  +  <blockquote>
  +<p>Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
  +and including 2.0.36 contain a bug in the routines which deal with invalid
  +requests which are encoded using chunked encoding.  This bug can be
  +triggered remotely by sending a carefully crafted invalid request. This
  +functionality is enabled by default.</p>
  +<p>In most cases the outcome of the invalid request is that the child process
  +dealing with the request will terminate.  At the least, this could help a
  +remote attacker launch a denial of service attack as the parent process
  +will eventually have to replace the terminated child process and starting
  +new children uses non-trivial amounts of resources.</p>
  +<p>We were also notified today by ISS that they had published the same issue
  +which has forced the early release of this advisory.  Please note that the
  +patch provided by ISS does not correct this vulnerability.</p>
  +<p>The Apache Software Foundation are currently working on new releases that
  +fix this issue, please stay tuned here at http://httpd.apache.org/ for
  +updated versions as they become available.</p>
  +<p align="center">
  +<a href="info/security_bulletin_20020617.txt">Full Advisory</a>
  +</p>
  +  </blockquote>
  + </td></tr>
  +</table>
  +           <table border="0" cellspacing="0" cellpadding="2" width="100%">
  + <tr><td bgcolor="#525D76">
  +  <font color="#ffffff" face="arial,helvetica,sanserif">
      <a name="2.0.36"><strong>Apache 2.0.36 Released</strong></a>
     </font>
    </td></tr>
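
Review bot: the second paragraph of the new Security block gives the impact only as a terminated child process and denial of service, but the full advisory added in this same commit says Apache 1.3 suffers a stack overflow that is likely exploitable on 64-bit platforms and is known to be exploitable on Windows. A reader who stops at the front page will under-rate the issue, so add one sentence on possible code execution in 1.3 before the "Full Advisory" link. The same text appears in the xdocs/index.xml hunk and the log mentions the xdocs transforms, so make the change there and regenerate this file.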
  
  
  
  1.17      +1 -1      httpd-site/docs/docs-project/index.html
  
  Index: index.html
  ===================================================================
  RCS file: /home/cvs/httpd-site/docs/docs-project/index.html,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -d -u -r1.16 -r1.17
  --- index.html	29 May 2002 13:51:11 -0000	1.16
  +++ index.html	17 Jun 2002 18:25:10 -0000	1.17
  @@ -132,7 +132,7 @@
   <p>Some of the participants are:</p>
   <ul>
   <li><a href="http://www.ntrnet.net/~rbb/">Ryan Bloom</a></li>
  -<li><a href="http://www.coopermcgregor.com/">Rich Bowen</a></li>
  +<li><a href="http://www.rcbowen.com/">Rich Bowen</a></li>
   <li><a href="http://Golux.Com/coar/">Ken Coar</a></li>
   <li><a href="http://www.logilune.com/eric/">Eric Cholet</a></li>
   <li><a href="http://dotat.at/">Tony Finch</a></li>
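
Review bot: the Rich Bowen link change from www.coopermcgregor.com to www.rcbowen.com is unrelated to the security bulletin, and no matching xdocs source change appears in this commit. If this is regenerated output catching up with an earlier source edit, say so explicitly in the log, since "update the xdocs transforms" does not make that obvious. Otherwise commit it separately so the advisory commit stays easy to audit.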
  
  
  
  1.1                  httpd-site/docs/info/security_bulletin_20020617.txt
  
  Index: security_bulletin_20020617.txt
  ===================================================================
  Date: June 17, 2002
  Product: Apache Web Server
  Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions
  up to 2.0.36
  
  Introduction:
  
  While testing for Oracle vulnerabilities, Mark Litchfield discovered a
  denial of service attack for Apache on Windows.  Investigation by the
  Apache Software Foundation showed that this issue has a wider scope, which
  on some platforms results in a denial of service vulnerability, while on
  some other platforms presents a potential a remote exploit vulnerability.  
  
  We were also notified today by ISS that they had published the same issue
  which has forced the early release of this advisory.
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2002-0392 to this issue.
  
  Description:
  
  Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
  and including 2.0.36 and 2.0.36-dev versions contain a bug in the routines
  which deal with invalid requests which are encoded using chunked encoding.
  This bug can be triggered remotely by sending a carefully crafted invalid
  request. This functionality is enabled by default.
  
  In most cases the outcome of the invalid request is that the child process
  dealing with the request will terminate.  At the least, this could help a
  remote attacker launch a denial of service attack as the parent process
  will eventually have to replace the terminated child process and starting
  new children uses non-trivial amounts of resources.
  
  On the Windows and Netware platforms, Apache runs one multithreaded child
  process to service requests.  The teardown and subsequent setup time to
  replace the lost child process presents a significant interruption of
  service.  As the Windows and Netware ports create a new process and reread
  the configuration, rather than fork a child process, this delay is much
  more pronounced than on other platforms.
  
  In Apache 2.0 the error condition is correctly detected, so it will not
  allow an attacker to execure arbitrary code on the server. However
  platforms could be using a multithreaded model of multiple concurrent
  requests per child process (although the default preference remains
  multiple processes with a single thread and request per process, and most
  multithreaded models continue to create multiple child processes).  Using
  any multithreaded model, all concurrent requests currently served by the
  affected child process will be lost.
  
  In Apache 1.3 the issue causes a stack overflow.  Due to the nature of the
  overflow on 32-bit Unix platforms this will cause a segmentation violation
  and the child will terminate.  However on 64-bit platforms the overflow
  can be controlled and so for platforms that store return addresses on the
  stack it is likely that it is further exploitable. This could allow
  arbitrary code to be run on the server as the user the Apache children are
  set to run as.
  
  We have been made aware that Apache 1.3 on Windows is exploitable in this
  way.
  
  Please note that the patch provided by ISS does not correct this
  vulnerability.
  
  The Apache Software Foundation are currently working on new releases that
  fix this issue, please see http://httpd.apache.org/ for updated
  versions.
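
Review bot: two typos in the new advisory text should be fixed before it is linked from the front page. In the Introduction, "presents a potential a remote exploit vulnerability" has a stray "a", and in the Apache 2.0 paragraph "execure arbitrary code" should read "execute arbitrary code". The closing paragraph ("fix this issue, please see http://httpd.apache.org/") is also a comma splice and would read better as two sentences.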
  
  
  
  1.15      +28 -0     httpd-site/xdocs/index.xml
  
  Index: index.xml
  ===================================================================
  RCS file: /home/cvs/httpd-site/xdocs/index.xml,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -d -u -r1.14 -r1.15
  --- index.xml	6 May 2002 21:35:39 -0000	1.14
  +++ index.xml	17 Jun 2002 18:25:10 -0000	1.15
  @@ -25,6 +25,34 @@
   
   </section>
   
  +<section id="Security">
  +<title>SECURITY ADVISORY: June 17, 2002</title>
  +
  +<p>Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
  +and including 2.0.36 contain a bug in the routines which deal with invalid
  +requests which are encoded using chunked encoding.  This bug can be
  +triggered remotely by sending a carefully crafted invalid request. This
  +functionality is enabled by default.</p>
  +
  +<p>In most cases the outcome of the invalid request is that the child process
  +dealing with the request will terminate.  At the least, this could help a
  +remote attacker launch a denial of service attack as the parent process
  +will eventually have to replace the terminated child process and starting
  +new children uses non-trivial amounts of resources.</p>
  +
  +<p>We were also notified today by ISS that they had published the same issue
  +which has forced the early release of this advisory.  Please note that the
  +patch provided by ISS does not correct this vulnerability.</p>
  +
  +<p>The Apache Software Foundation are currently working on new releases that
  +fix this issue, please stay tuned here at http://httpd.apache.org/ for
  +updated versions as they become available.</p>
  +
  +<p align="center">
  +<a href="info/security_bulletin_20020617.txt">Full Advisory</a>
  +</p>
  +</section>
  +
   <section id="2.0.36">
   <title>Apache 2.0.36 Released</title>
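
Review bot: the new Security section never gives the name CAN-2002-0392 that the full advisory carries, so readers of the summary have nothing to search or cross-reference on; add it to the first paragraph. In the last paragraph the http://httpd.apache.org/ URL is left as plain text, unlike the "Full Advisory" link just below it, and "fix this issue, please stay tuned" is a comma splice.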
   
  
  
  
  1.1                  httpd-site/xdocs/info/security_bulletin_20020617.txt
  
  Index: security_bulletin_20020617.txt
  ===================================================================
  Date: June 17, 2002
  Product: Apache Web Server
  Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions
  up to 2.0.36
  
  Introduction:
  
  While testing for Oracle vulnerabilities, Mark Litchfield discovered a
  denial of service attack for Apache on Windows.  Investigation by the
  Apache Software Foundation showed that this issue has a wider scope, which
  on some platforms results in a denial of service vulnerability, while on
  some other platforms presents a potential a remote exploit vulnerability.  
  
  We were also notified today by ISS that they had published the same issue
  which has forced the early release of this advisory.
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2002-0392 to this issue.
  
  Description:
  
  Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
  and including 2.0.36 and 2.0.36-dev versions contain a bug in the routines
  which deal with invalid requests which are encoded using chunked encoding.
  This bug can be triggered remotely by sending a carefully crafted invalid
  request. This functionality is enabled by default.
  
  In most cases the outcome of the invalid request is that the child process
  dealing with the request will terminate.  At the least, this could help a
  remote attacker launch a denial of service attack as the parent process
  will eventually have to replace the terminated child process and starting
  new children uses non-trivial amounts of resources.
  
  On the Windows and Netware platforms, Apache runs one multithreaded child
  process to service requests.  The teardown and subsequent setup time to
  replace the lost child process presents a significant interruption of
  service.  As the Windows and Netware ports create a new process and reread
  the configuration, rather than fork a child process, this delay is much
  more pronounced than on other platforms.
  
  In Apache 2.0 the error condition is correctly detected, so it will not
  allow an attacker to execure arbitrary code on the server. However
  platforms could be using a multithreaded model of multiple concurrent
  requests per child process (although the default preference remains
  multiple processes with a single thread and request per process, and most
  multithreaded models continue to create multiple child processes).  Using
  any multithreaded model, all concurrent requests currently served by the
  affected child process will be lost.
  
  In Apache 1.3 the issue causes a stack overflow.  Due to the nature of the
  overflow on 32-bit Unix platforms this will cause a segmentation violation
  and the child will terminate.  However on 64-bit platforms the overflow
  can be controlled and so for platforms that store return addresses on the
  stack it is likely that it is further exploitable. This could allow
  arbitrary code to be run on the server as the user the Apache children are
  set to run as.
  
  We have been made aware that Apache 1.3 on Windows is exploitable in this
  way.
  
  Please note that the patch provided by ISS does not correct this
  vulnerability.
  
  The Apache Software Foundation are currently working on new releases that
  fix this issue, please see http://httpd.apache.org/ for updated
  versions.
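
Review bot: the Versions header and the Description disagree on the affected 2.0 range. The header says "Apache 2 all versions up to 2.0.36" while the Description says "up to and including 2.0.36 and 2.0.36-dev versions", so make the header say "up to and including 2.0.36" to leave no doubt that 2.0.36 itself is affected. This file is also a second copy of docs/info/security_bulletin_20020617.txt with the same text, so every correction has to be applied to both copies or they will drift.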
  
  
  
