Last modified: 2004-09-24 21:14:21 UTC
apache has to be upgraded to 2.0.51 to resolve security issues.
Here are the security vulnerabilities from the apache 2.0.51 release announcement ( http://www.apache.org/dist/httpd/Announcement2.html ):

1. An input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy. [CAN-2004-0786]
2. A buffer overflow in configuration file parsing could allow a local user to gain the privileges of a httpd child if the server can be forced to parse a carefully crafted .htaccess file. [CAN-2004-0747]
3. A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured. [CAN-2004-0751]
4. A potential infinite loop in mod_ssl which could be triggered given particular timing of a connection abort. [CAN-2004-0748]
5. A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh request. [CAN-2004-0809]

3 and 4 don't apply because we're not using mod_ssl.
2 doesn't matter
5 doesn't apply since mod_dav_fs is not installed

1) From http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786 : "The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool." I don't know if these IPv6 routines are compiled in to the apache2 on albert, but even if they are it will just result in a child process crash, and is not a big concern.

2) Doesn't matter, because any local user can make a much bigger mess in other ways.

3) & 4) We're not using mod_ssl.

5) From http://rhn.redhat.com/errata/RHSA-2004-463.html : "An issue was discovered in the mod_dav module which could be triggered for a location where WebDAV authoring access has been configured. A malicious remote client which is authorized to use the LOCK method could force an httpd child process to crash by sending a particular sequence of LOCK requests. This issue does not allow execution of arbitrary code. This issue also does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes." This is not risky besides being a possibly mild DOS. Also, the relevant modules are not enabled:

    #LoadModule dav_module modules/mod_dav.so
    #LoadModule dav_fs_module modules/mod_dav_fs.so

So, none of these 5 issues are much of a problem, and I suggest we go on using 2.0.50, and upgrade to 2.0.51 when it becomes available via yum.
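Added example, not part of this thread and not code from any of the machines it discusses: a POSIX shell script that makes the two checks in the assessment above repeatable, namely whether the installed server is older than 2.0.51 and, if so, which of the five announcement items still apply given which modules the config actually loads (3 and 4 need mod_ssl, 5 needs mod_dav_fs, 1 and 2 are in core/apr-util code and apply regardless). The httpd.conf excerpt and the "Server version" line embedded in it are constructed for the example; on a real host you would feed it the first line of `httpd -v` and the contents of the real config file instead.

```shell
#!/bin/sh
# Added example, not from the bug thread: reproduce the two checks the
# assessment above makes by hand (server version vs. 2.0.51, and whether
# mod_ssl / mod_dav_fs are loaded) against a config file.
# The sample config and version line below are constructed for the example.

# Constructed httpd.conf excerpt in Apache 2.0 / Red Hat layout.
SAMPLE_CONF=$(cat <<'EOF'
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
#LoadModule ssl_module modules/mod_ssl.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dir_module modules/mod_dir.so
EOF
)

# Constructed first line of "httpd -v" for a not-yet-updated host.
SAMPLE_VERSION_LINE='Server version: Apache/2.0.50'

# module_enabled CONF_TEXT MODULE -> true if an uncommented LoadModule line loads MODULE
module_enabled() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$2([[:space:]]|\$)"
}

# version_from_banner 'Server version: Apache/X.Y.Z' -> X.Y.Z
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# needs_upgrade X.Y.Z -> true if the version is older than 2.0.51 (the fixed release)
needs_upgrade() {
    [ "$1" != 2.0.51 ] || return 1
    first=$(printf '%s\n2.0.51\n' "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# applicable_items CONF_TEXT -> announcement item numbers (1-5) that still apply
# to a pre-2.0.51 server with that config. Items 1 and 2 are in core/apr-util
# code and do not depend on a loaded module; 3 and 4 need mod_ssl; 5 needs mod_dav_fs.
applicable_items() {
    items="1 2"
    if module_enabled "$1" ssl_module; then items="$items 3 4"; fi
    if module_enabled "$1" dav_fs_module; then items="$items 5"; fi
    printf '%s\n' "$items"
}

# Report for the constructed sample. On a real host, replace the two sample
# values with "$(httpd -v | head -n 1)" and "$(cat /etc/httpd/conf/httpd.conf)".
report() {
    v=$(version_from_banner "$SAMPLE_VERSION_LINE")
    if needs_upgrade "$v"; then
        echo "Apache $v is older than 2.0.51; announcement items that apply here: $(applicable_items "$SAMPLE_CONF")"
    else
        echo "Apache $v already has the 2.0.51 fixes"
    fi
}

report
```

The module check only looks at LoadModule lines, so a module that was compiled statically into httpd would be missed; on 2.0 the compiled-in list comes from `httpd -l`, and anything listed there should be treated as enabled.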
Ignore this bit from the above; it was part of my draft which I forgot to remove.

> 3 and 4 don't apply because we're not using mod_ssl.
> 2 doesn't matter
> 5 doesn't apply since mod_dav_fs is not installed
Red Hat has released 2.0.51 packages for Fedora Core 2, so just make sure 'yum update' has been run on any remaining machines running 2.0. (Already did albert.)
Updated apache2 redhat packages on all machines. The most recent RPM version available for zwinger, which has RH9, is 2.0.40 but we don't use it. I'd remove it, but I seem to remember that it causes problems if you uninstall it, so I've renamed the binary in /usr/sbin from `httpd' to `httpd-do-not-use'. Did the same for the binary in /usr/local/apache2/bin.