[NTLUG:Discuss] apache updates

Jay Urish j at yourlinuxguru.com
Mon Jun 24 13:45:08 CDT 2002


At 01:22 PM 6/24/2002 -0500, you wrote:
>Jay, I'm going to apologize in advance for the long reply (apologize to
>everyone), but here is the email Mandrake sent out for their last security
>advisory:

no prob-- funny thing is that the scanner says 1.3.23 (what i'm running) is 
vulnerable..

I don't have time for a major root compromise right now...



>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>________________________________________________________________________
>
>                 Mandrake Linux Security Update Advisory
>________________________________________________________________________
>
>Package name:           apache
>Advisory ID:            MDKSA-2002:039-2
>Date:                   June 22nd, 2002
>Original Advisory Date: June 20th, 2002
>Affected versions:      7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1,
>                         Single Network Firewall 7.2
>________________________________________________________________________
>
>Problem Description:
>
>  [ Please note that this advisory supersedes the previous MDKSA-2002:039
>    and MDKSA-2002:039-1 advisories. ]
>
>  MandrakeSoft is urging all users of Mandrake Linux to update their
>  Apache installations immediately.  What was previously thought to have
>  been a DoS-only condition has now been proven to be more than that;
>  exploitable conditions have been discovered on both 32bit and 64bit
>  platforms.  Successful exploitation of this vulnerability may lead to
>  the execution of arbitrary code on the server running a vulnerable
>  Apache with the permissions of the web server child process (on
>  Mandrake Linux this is the user "apache").  This can be used to exploit
>  other vulnerabilities that are unrelated to Apache on the local system,
>  and potentially allow the intruder root access.
>
>  Thanks to Gobbles for proving that this exploitable condition exists.
>  Because there are known exploits in the wild for some platforms, this
>  update should be considered essential and should be performed
>  immediately.
>
>  All versions of Apache prior to 1.3.26 and 2.0.37 are vulnerable to
>  this problem.  MandrakeSoft has provided patched versions of Apache to
>  correct this vulnerability.
>
>  Also please note that these packages are no different than those
>  provided in MDKSA-2002:039-1 so if you have already updated, there are
>  no new packages to upgrade.
>________________________________________________________________________
>
>References:
>
>  http://httpd.apache.org/info/security_bulletin_20020620.txt
>  http://online.securityfocus.com/news/493
>  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
>________________________________________________________________________

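Jay's scanner result (1.3.23 flagged) and the advisory's fixed-version line (1.3.26 on the 1.3 branch, 2.0.37 on the 2.0 branch) can be reconciled with a small banner check. The script below is an added example, not code from this thread or from Mandrake; the `Server` header strings are constructed samples, and the only page-derived data is the fixed-version table. It also shows why the scanner and the advisory can disagree: a distribution package that backports the fix keeps the old version number, so a banner verdict of "vulnerable" is a prompt to verify with the package manager, not a confirmed finding.

```python
import re

# Fixed versions named in the advisory (CAN-2002-0392): every release
# earlier than these on the same branch is affected.
FIXED = {(1, 3): (1, 3, 26), (2, 0): (2, 0, 37)}

# Matches the product/version token Apache puts in its Server: header.
SERVER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header):
    """Return (major, minor, patch) from a Server: header value, or None
    when the banner carries no full version (e.g. ServerTokens set to hide it)."""
    m = SERVER_RE.search(server_header)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def banner_says_vulnerable(server_header):
    """Classify a Server banner against the advisory's fixed versions.

    Returns one of "vulnerable", "fixed", "unknown-branch", "no-version".
    This is a heuristic: vendor packages that backport the fix (the Mandrake
    update above is one) keep the pre-fix version string, so "vulnerable"
    here means "check the installed package", not "confirmed exploitable".
    """
    v = parse_apache_version(server_header)
    if v is None:
        return "no-version"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown-branch"      # a branch the advisory does not cover
    return "vulnerable" if v < fixed else "fixed"


# Constructed sample banners (assumption: these are not real hosts).
SAMPLES = [
    "Apache/1.3.23 (Unix)  (Mandrake/Linux)",   # what Jay reports running
    "Apache/1.3.26 (Unix)",
    "Apache/2.0.36",
    "Apache/2.0.39 (Win32)",
    "Apache/1.3 (Unix)",                        # version hidden by config
    "Apache",
]


def classify_all(banners=SAMPLES):
    """Map each banner to its verdict; used by the demo below."""
    return {b: banner_says_vulnerable(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in classify_all().items():
        print(f"{banner!r:45} -> {verdict}")
```

The useful output is not the verdict itself but the two cases where the banner is inconclusive: "no-version" when `ServerTokens` hides the patch level, and "vulnerable" on a host that a vendor has already patched in place. Both need an on-host check (installed package version or changelog) before being treated as findings.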