Home page logo
/

bugtraq logo Bugtraq mailing list archives

Security Update: [CSSA-2002-029.0] Linux: Apache Web Server Chunk Handling Vulnerability
From: security () caldera com
Date: Fri, 21 Jun 2002 17:01:28 -0700

To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com

______________________________________________________________________________

                Caldera International, Inc.  Security Advisory

Subject:                Linux: Apache Web Server Chunk Handling Vulnerability
Advisory number:        CSSA-2002-029.0
Issue date:             2002 June 20
Cross reference:
______________________________________________________________________________


1. Problem Description

        There is a remotely exploitable vulnerability in the handling
        of large chunks of data in web servers that are based on Apache
        source code.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to apache-1.3.22-6.i386.rpm
                                        prior to apache-devel-1.3.22-6.i386.rpm
                                        prior to apache-doc-1.3.22-6.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to apache-1.3.22-6.i386.rpm
                                        prior to apache-devel-1.3.22-6.i386.rpm
                                        prior to apache-doc-1.3.22-6.i386.rpm

        OpenLinux 3.1 Server            prior to apache-1.3.22-6.i386.rpm
                                        prior to apache-devel-1.3.22-6.i386.rpm
                                        prior to apache-doc-1.3.22-6.i386.rpm

        OpenLinux 3.1 Workstation       prior to apache-1.3.22-6.i386.rpm
                                        prior to apache-devel-1.3.22-6.i386.rpm
                                        prior to apache-doc-1.3.22-6.i386.rpm


3. Solution

        The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

        4.2 Packages

        f2f7e9ce5ea54e69d7275393c22630fe        apache-1.3.22-6.i386.rpm
        c17b06f0057f1728a46eae1e98e68162        apache-devel-1.3.22-6.i386.rpm
        6d9e8504f28986f4a1d7a4e0e3213566        apache-doc-1.3.22-6.i386.rpm

        4.3 Installation

        rpm -Fvh apache-1.3.22-6.i386.rpm
        rpm -Fvh apache-devel-1.3.22-6.i386.rpm
        rpm -Fvh apache-doc-1.3.22-6.i386.rpm

        4.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

        4.5 Source Packages

        be49e9dd27ee59ca92047c14bd3dc170        apache-1.3.22-6.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

        5.2 Packages

        f97e188e91238ca9da0a5166a69304c4        apache-1.3.22-6.i386.rpm
        eb4d50309740a5c5a922e48357e76f93        apache-devel-1.3.22-6.i386.rpm
        a9855218c3b3e43c02315f19e76edc0b        apache-doc-1.3.22-6.i386.rpm

        5.3 Installation

        rpm -Fvh apache-1.3.22-6.i386.rpm
        rpm -Fvh apache-devel-1.3.22-6.i386.rpm
        rpm -Fvh apache-doc-1.3.22-6.i386.rpm

        5.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

        5.5 Source Packages

        de01c304396d9f99e39ac07739d51a98        apache-1.3.22-6.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

        6.2 Packages

        1f3fc745848367bca81d567ddfe3da30        apache-1.3.22-6.i386.rpm
        fecf254f55ef9424c14897bf809a34c8        apache-devel-1.3.22-6.i386.rpm
        de2a877889489b07fc2e873cd2fb74bb        apache-doc-1.3.22-6.i386.rpm

        6.3 Installation

        rpm -Fvh apache-1.3.22-6.i386.rpm
        rpm -Fvh apache-devel-1.3.22-6.i386.rpm
        rpm -Fvh apache-doc-1.3.22-6.i386.rpm

        6.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

        6.5 Source Packages

        a8a9d123784e4f6995b3ec696924b5d8        apache-1.3.22-6.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

        7.2 Packages

        f98ee1d900a26571613367e00a5916b8        apache-1.3.22-6.i386.rpm
        12e7d9ff5fe04e6d4884a02db248bc8b        apache-devel-1.3.22-6.i386.rpm
        9096714909c70c99273e78b10ace3ce4        apache-doc-1.3.22-6.i386.rpm

        7.3 Installation

        rpm -Fvh apache-1.3.22-6.i386.rpm
        rpm -Fvh apache-devel-1.3.22-6.i386.rpm
        rpm -Fvh apache-doc-1.3.22-6.i386.rpm

        7.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

        7.5 Source Packages

        977a132032c7f6df823bda2ae8397fca        apache-1.3.22-6.src.rpm


8. References

        Specific references for this advisory:
                http://www.cert.org/advisories/CA-2002-17.html
                http://httpd.apache.org/info/security_bulletin_20020617.txt

        Caldera security resources:
                http://www.caldera.com/support/security/index.html

        This security fix closes Caldera incidents sr865896, fz521277,
        erg712080.


9. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on this website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera products.


10. Acknowledgements

        Neel Mehta of the ISS X-Force discovered this vulnerability.
        Mark Litchfield reported this vulnerability to the Apache Software
        Foundation, and Mark Cox reported it to the CERT/CC.

______________________________________________________________________________

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
  • Security Update: [CSSA-2002-029.0] Linux: Apache Web Server Chunk Handling Vulnerability security (Jun 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault