httpd-cvs mailing list archives

From m..@apache.org
Subject cvs commit: httpd-site/xdocs/info security_bulletin_20020809a.txt
Date Fri, 09 Aug 2002 17:15:52 GMT
mjc         2002/08/09 10:15:52

  Added:       docs/info security_bulletin_20020809a.txt
               xdocs/info security_bulletin_20020809a.txt
  Log:
  Put this in its place.  I put an (a) in case we do a (b) for the other
  security issues today
  
  Revision  Changes    Path
  1.1                  httpd-site/docs/info/security_bulletin_20020809a.txt
  
  Index: security_bulletin_20020809a.txt
  ===================================================================
  -----BEGIN PGP SIGNED MESSAGE-----
  
  For Immediate Disclosure
  
  =============== SUMMARY ================
  
          Title: Apache 2.0 vulnerability affects non-Unix platforms
           Date: 9th August 2002
        Version: 1
   Product Name: Apache web server 2.0
    OS/Platform: Windows, OS2, Netware
  Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt
    Vendor Name: Apache Software Foundation
     Vendor URL: http://www.apache.org/
        Affects: All released versions of 2.0 through 2.0.39
       Fixed in: 2.0.40
    Identifiers: CAN-2002-0661
  
  =============== BACKGROUND ================
  
  Apache is a powerful, full-featured, efficient, and freely-available Web
  server.  On the 7th August 2002, the Apache Software Foundation was
  notified of the discovery of a significant vulnerability, identified by
  Auriemma Luigi <bugtest@sitoverde.com>.
  
  This vulnerability has the potential to allow an attacker to inflict
  serious damage to a server, and reveal sensitive data.  This vulnerability
  affects default installations of the Apache web server.
  
  Unix and other variant platforms appear unaffected.  Cygwin users are
  likely to be affected.
  
  A simple one line workaround in the httpd.conf file will close the
  vulnerability.  Prior to the first 'Alias' or 'Redirect' directive, add
  the following directive to the global server configuration:
  
     RedirectMatch 400 "\\\.\."
  
  Fixes for this vulnerability are also included in Apache version 2.0.40.
  Apache 2.0.40 also contains some less serious security fixes.
  
  More information will be made available by the Apache Software
  Foundation and Auriemma Luigi <bugtest@sitoverde.com> in the
  coming weeks.
  
  =============== REFERENCES ================
  
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2002-0661 to this issue.  
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661
  
  
  
  
  
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.0.6 (GNU/Linux)
  Comment: For info see http://www.gnupg.org
  
  iQCVAwUBPVQBxu6tTP1JpWPZAQHCwAP9HVzSAMMrXadmRdPfEe9eFUKOxpQA4v8d
  mKrLciDXnVpPlaKc7/1OHUcCwPu0IucHGUN5sF93Dw3X2BKoAjJFHnmS123r/CP6
  WnHAaM+Hl17pPVxI3dXJXbiDvmpBB6b9SNCrsmf0RLykLHVZqoekOh2902Y7+Fts
  NpKuwE7xzdA=
  =mEuL
  -----END PGP SIGNATURE-----
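  The bulletin's workaround is a single RedirectMatch directive whose
  placement matters: it must come before the first Alias or Redirect
  directive, and it only rejects request paths containing a backslash
  followed by two dots. The script below is an added example, not part of
  the bulletin and not Apache project code. It checks both points from the
  operator's side: first whether an httpd.conf text carries the workaround
  ahead of every other Alias/Redirect-family directive, then which request
  paths in access-log lines the pattern would have answered with 400. It
  assumes the directive's intent is a literal backslash and two dots matched
  against the URL-decoded path without the query string; the configuration
  text, log lines and client addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Intent of the bulletin's pattern: a literal backslash followed by two dots.
# Assumption: httpd reads the quoted config string as the regex  \\\.\.  and
# applies it to the decoded URL path (mod_alias matches r->uri, not the raw
# request line). Python's raw string below is that same six-character regex.
WORKAROUND_RE = re.compile(r'\\\.\.')

# Alias/Redirect-family directives that the bulletin says the workaround must
# precede. The list is an assumption covering the usual mod_alias directives.
ALIASING_RE = re.compile(
    r'^(Alias|AliasMatch|ScriptAlias|ScriptAliasMatch|'
    r'Redirect|RedirectMatch|RedirectPermanent|RedirectTemp)\b', re.I)

# Request line inside a common-log-format entry: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_workaround(line):
    """True if this config line is exactly the bulletin's directive."""
    parts = line.split()
    return (len(parts) >= 3
            and parts[0].lower() == 'redirectmatch'
            and parts[1] == '400'
            and parts[2].strip('"') == r'\\\.\.')


def workaround_position_ok(conf_text):
    """Return (found, placed_first).

    found        - the workaround directive appears in the config text
    placed_first - no other Alias/Redirect-family directive precedes it
    """
    seen_alias = False
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        if is_workaround(line):
            return True, not seen_alias
        if ALIASING_RE.match(line):
            seen_alias = True
    return False, False


def requests_caught(log_lines):
    """Return decoded request paths that the workaround would reject with 400."""
    caught = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group('target').split('?', 1)[0]   # query string is not matched
        path = unquote(path)                         # %5C -> backslash, %2E -> dot
        if WORKAROUND_RE.search(path):
            caught.append(path)
    return caught


# Constructed httpd.conf fragments: workaround before the first Alias (good)
# and after it (bad). Paths are placeholders.
SAMPLE_CONF_GOOD = r"""
ServerRoot "C:/Apache2"
# workaround from the 2002-08-09 bulletin
RedirectMatch 400 "\\\.\."
Alias /icons/ "C:/Apache2/icons/"
"""

SAMPLE_CONF_BAD = r"""
ServerRoot "C:/Apache2"
Alias /icons/ "C:/Apache2/icons/"
RedirectMatch 400 "\\\.\."
"""

# Constructed access-log lines (RFC 5737 test addresses). The last entry uses
# forward-slash traversal, which the workaround deliberately does not touch.
SAMPLE_LOG = r"""
192.0.2.10 - - [09/Aug/2002:10:15:52 +0000] "GET /index.html HTTP/1.1" 200 1234
192.0.2.11 - - [09/Aug/2002:10:16:01 +0000] "GET /icons/..\..\notes.txt HTTP/1.0" 404 0
192.0.2.12 - - [09/Aug/2002:10:16:07 +0000] "GET /icons/..%5C..%5Cnotes.txt HTTP/1.0" 404 0
192.0.2.13 - - [09/Aug/2002:10:16:20 +0000] "GET /docs/../index.html HTTP/1.1" 200 1234
""".strip().splitlines()


if __name__ == '__main__':
    print('good config:', workaround_position_ok(SAMPLE_CONF_GOOD))
    print('bad config: ', workaround_position_ok(SAMPLE_CONF_BAD))
    for path in requests_caught(SAMPLE_LOG):
        print('would be rejected with 400:', path)
```

  The percent-encoded request is decoded before matching because the
  directive sees the decoded path, so an encoded backslash is still caught;
  the forward-slash `../` request is not, which is why the bulletin presents
  the directive as a stop-gap for the backslash case and points to 2.0.40 as
  the fix.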
  
  
  
  
  1.1                  httpd-site/xdocs/info/security_bulletin_20020809a.txt
