Last modified: 2004-09-24 21:14:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 560 - apache upgrade required
apache upgrade required
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
General/Unknown (Other open bugs)
unspecified
Other Linux
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-09-22 16:25 UTC by River Tarnell
Modified: 2004-09-24 21:14 UTC (History)
0 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description River Tarnell 2004-09-22 16:25:50 UTC
apache has to be upgraded to 2.0.51 to resolve security issues.
Comment 1 Jerome Jamnicky 2004-09-24 09:47:26 UTC
Here are the security vulnerabilities from the apache 2.0.51 release announcement: ( 
http://www.apache.org/dist/httpd/Announcement2.html )

1. An input validation issue in IPv6 literal address parsing which can result in a 
negative length parameter being passed to memcpy.
[CAN-2004-0786]

2. A buffer overflow in configuration file parsing could allow a local user to gain the 
privileges of a httpd child if the server can be forced to parse a carefully crafted .
htaccess file.
[CAN-2004-0747]

3. A segfault in mod_ssl which can be triggered by a malicious remote server, if 
proxying to SSL servers has been configured.
[CAN-2004-0751]

4. A potential infinite loop in mod_ssl which could be triggered given particular timing 
of a connection abort.
[CAN-2004-0748]

5. A segfault in mod_dav_fs which can be remotely triggered by an indirect lock refresh 
request.
[CAN-2004-0809]

3 and 4 don't apply because we're not using mod_ssl.
2 doesn't matter
5 doesn't apply since mod_dav_fs is not installed

1) from http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786
"The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier 
allow remote attackers to cause a denial of service (child process crash) via a certain 
URI, as demonstrated using the Codenomicon HTTP Test Tool."
I don't know if these IPv6 routines are compiled in to the apache2 on albert, but even 
if they are it will just result in a child process crash, and is not a big concern.

2) Doesn't matter, because any local user can make a much bigger mess in other ways.

3) & 4) we're not using mod_ssl

5) from http://rhn.redhat.com/errata/RHSA-2004-463.html
"An issue was discovered in the mod_dav module which could be triggered for
a location where WebDAV authoring access has been configured. A malicious
remote client which is authorized to use the LOCK method could force an
httpd child process to crash by sending a particular sequence of LOCK
requests. This issue does not allow execution of arbitrary code. This
issue also does not represent a significant Denial of Service attack as
requests will continue to be handled by other Apache child processes."

This is not risky besides being a possibly mild DOS.
Also, the relevant modules are not enabled:

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so

So, none of these 5 issues are much of a problem, and I suggest we go on using 2.0.50, 
and upgrade to 2.0.51 when it becomes available via yum.
Comment 2 Jerome Jamnicky 2004-09-24 09:49:50 UTC
Ignore this bit from the above; it was part of my draft which I forgot to remove.

> 3 and 4 don't apply because we're not using mod_ssl.
> 2 doesn't matter
> 5 doesn't apply since mod_dav_fs is not installed
Comment 3 Brion Vibber 2004-09-24 10:03:32 UTC
Red Hat has released 2.0.51 packages for Fedora Core 2, so just make sure 'yum update' has been run on any remaining machines running 
2.0. (Already did albert.)
Comment 4 Jerome Jamnicky 2004-09-24 21:14:21 UTC
Updated apache2 redhat packages on all machines.

The most recent RPM version available for zwinger, which has RH9, is 2.0.40 but we don't use it.  I'd 
remove it, but I seem to remember that it causes problems if you uninstall it, so I've renamed the 
binary in /usr/sbin from `httpd' to `httpd-do-not-use'.  Did the same for the binary in /usr/local/
apache2/bin.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links