
CERT Coordination Center

Apache HTTPD contains denial of service vulnerability in basic authentication module

Vulnerability Note VU#479268

Original Release Date: 2003-06-24 | Last Revised: 2003-09-18

Overview

The Apache HTTP server contains a vulnerability that allows remote attackers to conduct denial-of-service attacks against the HTTP basic authentication module of an affected server.

Description

The Apache HTTP server contains a denial-of-service vulnerability in the apr_password_validate() function. The Apache Software Foundation has provided the following description of this vulnerability:

Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable to a denial-of-service attack on the basic authentication module, which was reported by John Hughes <john.hughes@entegrity.com>. A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r(), including AIX and Linux. All versions of Apache 2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. When using a threaded MPM (which is not the default on these platforms), this allows remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. We do not believe this bug could allow unauthorized users to gain access to protected resources.

For further information, please read the announcement located at

http://www.apache.org/dist/httpd/Announcement2.html
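The thread-safety defect described above comes down to which buffer the hashing function writes into: crypt() hands every caller a pointer to one process-wide static buffer, crypt_r() writes into a buffer the caller owns. The C program below is an added illustration, not Apache or APR code: toy_crypt() and toy_crypt_r() stand in for the two libc interfaces (with a toy digest in place of the real algorithm, and no -lcrypt dependency), and validate_interleaved() replays the worker interleaving under which a correct password is rejected with the non-reentrant variant but accepted with the reentrant one. The two-character salt prefix and the sample accounts are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the CAN-2003-0189 failure mode; not Apache or APR
 * code.  crypt() returns a pointer to one static buffer shared by the whole
 * process, while crypt_r() writes into a caller-owned struct crypt_data.  To
 * stay self-contained (no -lcrypt) the toy_* functions reproduce only that
 * buffer-ownership difference over a toy FNV-1a digest, which is NOT a
 * password hash and must not be used for real credentials. */

#define STORED_LEN 32                  /* "ss$" + 16 hex digits + NUL fits */

struct toy_crypt_data {                /* stands in for struct crypt_data */
    char output[STORED_LEN];
};

/* Writes "<2-char salt>$<16 hex digits>" into out. */
static void toy_digest(const char *key, const char *salt, char *out, size_t outlen)
{
    uint64_t h = 1469598103934665603ULL;           /* FNV-1a offset basis */
    const char *parts[2] = { salt, key };
    for (int i = 0; i < 2; i++)
        for (const unsigned char *p = (const unsigned char *)parts[i]; *p; p++) {
            h ^= *p;
            h *= 1099511628211ULL;                   /* FNV-1a prime */
        }
    snprintf(out, outlen, "%.2s$%016llx", salt, (unsigned long long)h);
}

/* Non-reentrant, like crypt(): every caller shares shared_buf. */
static char *toy_crypt(const char *key, const char *salt)
{
    static char shared_buf[STORED_LEN];
    toy_digest(key, salt, shared_buf, sizeof shared_buf);
    return shared_buf;
}

/* Reentrant, like crypt_r(): the result lives in the caller's struct. */
static char *toy_crypt_r(const char *key, const char *salt, struct toy_crypt_data *d)
{
    toy_digest(key, salt, d->output, sizeof d->output);
    return d->output;
}

/* The salt is the first two characters of the stored hash, as in traditional
 * DES crypt() hashes.  Returns 0 when the stored value is malformed. */
static int salt_of(const char *stored, char salt[3])
{
    if (strlen(stored) < 3 || stored[2] != '$')
        return 0;
    memcpy(salt, stored, 2);
    salt[2] = '\0';
    return 1;
}

/* Deterministic replay of the race a threaded MPM exposes.  Worker A hashes
 * its request's password and keeps the returned pointer; before A compares,
 * worker B (another request, another user) hashes too.  With the non-
 * reentrant function B overwrites the shared buffer, so A compares B's hash
 * with A's stored hash and rejects a correct password; with the reentrant
 * one each worker owns its buffer and A is unaffected.  Returns A's verdict. */
int validate_interleaved(int reentrant, const char *pw_a, const char *stored_a,
                         const char *pw_b, const char *stored_b)
{
    struct toy_crypt_data da, db;
    char salt_a[3], salt_b[3];
    if (!salt_of(stored_a, salt_a) || !salt_of(stored_b, salt_b))
        return 0;
    const char *hash_a = reentrant ? toy_crypt_r(pw_a, salt_a, &da)   /* worker A */
                                   : toy_crypt(pw_a, salt_a);
    (void)(reentrant ? toy_crypt_r(pw_b, salt_b, &db)                 /* worker B */
                     : toy_crypt(pw_b, salt_b));
    return strcmp(hash_a, stored_a) == 0;          /* worker A compares its pointer */
}

/* Scenario over two constructed accounts: alice (salt "ab") is worker A
 * trying `passwd`, bob (salt "cd") is worker B's concurrent request.
 * Returns alice's verdict: 1 for the correct password only when reentrant. */
int scenario(int reentrant, const char *passwd)
{
    struct toy_crypt_data alice, bob;
    toy_crypt_r("correct-horse", "ab", &alice);
    toy_crypt_r("battery-staple", "cd", &bob);
    return validate_interleaved(reentrant, passwd, alice.output,
                                "battery-staple", bob.output);
}

int main(void)
{
    printf("crypt_r-style, correct password: %d\n", scenario(1, "correct-horse"));
    printf("crypt-style,   correct password: %d\n", scenario(0, "correct-horse"));
    printf("crypt_r-style, wrong password:   %d\n", scenario(1, "wrong"));
    return 0;
}
```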

Impact

This vulnerability allows remote attackers to conduct denial-of-service attacks on the HTTP basic authentication module of an affected server.

Solution

The Apache Software Foundation recommends that users upgrade to version 2.0.46 to address this vulnerability. The latest version of Apache is available at:

http://httpd.apache.org/download.cgi

Vendor Information


Apache Software Foundation

Notified:  May 28, 2003 Updated:  June 24, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


Apache 2.0.46 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the ninth public release of the Apache 2.0
HTTP Server.  This Announcement notes the significant changes in
2.0.46 as compared to 2.0.45.



This version of Apache is principally a security and bug fix release.
A summary of the bug fixes is given at the end of this document.
Of particular note is that 2.0.46 addresses two security
vulnerabilities:


Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in
certain circumstances.  This can be triggered remotely through mod_dav
and possibly other mechanisms.  The crash was originally reported by
David Endler <DEndler@iDefense.com> and was researched and fixed by
Joe Orton <jorton@redhat.com>.  Specific details and an analysis of the
crash will be published Friday, May 30.  No more specific information
is disclosed at this time, but all Apache 2.0 users are encouraged to
upgrade now.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245]


Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were
vulnerable to a denial-of-service attack on the basic authentication
module, which was reported by John Hughes <john.hughes@entegrity.com>.
A bug in the configuration scripts caused the apr_password_validate()
function to be thread-unsafe on platforms with crypt_r(), including
AIX and Linux.  All versions of Apache 2.0 have this thread-safety
problem on platforms with no crypt_r() and no thread-safe crypt(),
such as Mac OS X and possibly others.  When using a threaded MPM (which
is not the default on these platforms), this allows remote attackers
to create a denial of service which causes valid usernames and
passwords for Basic Authentication to fail until Apache is restarted.
We do not believe this bug could allow unauthorized users to gain
access to protected resources.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189]


The Apache Software Foundation would like to thank David Endler
and John Hughes for the responsible reporting of these issues.



This release is compatible with modules compiled for 2.0.42 and later
versions.  We consider this release to be the best version of Apache
available and encourage users of all prior versions to upgrade.


Apache 2.0.46 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for
a full list of changes.


Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase.  For an overview of new features introduced
after 1.3 please see


http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep
in mind the following:


If you intend to use Apache with one of the threaded MPMs, you must
ensure that the modules (and the libraries they depend on) that you
will be using are thread-safe.  Please contact the vendors of these
modules to obtain this information.



Apache 2.0.46 Major changes

Security vulnerabilities closed since Apache 2.0.45

*) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
remotely through mod_dav and possibly other mechanisms, causing
an Apache child process to crash.  The crash was first reported
by David Endler <DEndler@iDefense.com> and was researched and
fixed by Joe Orton <jorton@redhat.com>.  Details will be released
on 30 May 2003.


*) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
affecting basic authentication on Unix platforms related to
thread-safety in apr_password_validate().  The problem was reported
by John Hughes <john.hughes@entegrity.com>.



Bugs fixed and features added since Apache 2.0.45

*) Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
when a MKACTIVITY request comes in.
[Ben Collins-Sussman <sussman@collab.net>]


*) Perform run-time query in apxs for apr and apr-util's includes.
[Justin Erenkrantz]


*) run libtool from the apr install directory (in case that is different
from the apache install directory) [Jeff Trawick]


*) configure.in: Play nice with libtool-1.5. [Wilfredo Sanchez]

*) If mod_mime_magic does not know the content-type, do not attempt to
guess.  PR 16908.  [Andrew Gapon <agapon@telcordia.com>]


*) ssl session caching(shmht) : Fix a SEGV problem with SHMHT session
caching. PR 17864.
[Andreas Leimbacher <andreasl67@yahoo.de>, Madhusudan Mathihalli]


*) Add a delete flag to htpasswd.
[Thom May]


*) Fix mod_rewrite's handling of absolute URIs. The escaping routines
now work scheme dependent and the query string will only be
appended if supported by the particular scheme.  [André Malo]


*) Add another check for already compressed content in mod_deflate.
PR 19913. [Tsuyoshi SASAMOTO <nazonazo@super.win.ne.jp>]


*) Fixes for VPATH builds; copying special.mk and any future .mk files
from the source tree as well as the build tree (now creates a usable
configuration for apxs), and eliminated redundant -I'nclude paths.
[William Rowe]


*) Code fixes, constness corrections and ssl_toolkit_compat.h updates
for SSLC and OpenSSL toolkit compatibility.  Still work remains to
be done to cripple features based on the limitations of RSA's binary
distribution of their SSL-C toolkit.
[William Rowe, Madhusudan Mathihalli, Jeff Trawick]


*) Linux 2.4+: If Apache is started as root and you code
CoreDumpDirectory, coredumps are enabled via the prctl() syscall.
[Greg Ames]


*) ap_get_mime_headers_core: allocate space for the trailing null
when folding is in effect.
PR 18170 [Peter Mayne <PeterMayne@SPAM_SUX.ap.spherion.com>]


*) Fix --enable-mods-shared=most and other variants.  [Aaron Bannert]

*) mod_log_config: Add the ability to log the id of the thread
processing the request via new %P formats.  [Jeff Trawick]


*) Use appropriate language codes for Czech (cs) and Traditional Chinese
(zh-tw) in default config files. PR 9427.  [André Malo]


*) mod_auth_ldap: Use generic whitespace character class when parsing
"require" directives, instead of literal spaces only. PR 17135.
[André Malo]


*) Hook mod_rewrite's type checker before mod_mime's one. That way the
RewriteRule [T=...] Flag should work as expected now. PR 19626.
[André Malo]


*) htpasswd: Check the processed file on validity. If a line is not empty
and not a comment, it must contain at least one colon. Otherwise exit
with error code 7. [Kris Verbeeck <Kris.Verbeeck@ubizen.com>, Thom May]


*) Fix a problem that caused httpd to be linked with incorrect flags
on some platforms when mod_so was enabled by default, breaking
DSOs on AIX.  PR 19012  [Jeff Trawick]


*) By default, use the same CC and CPP with which APR was built.
The user can override with CC and CPP environment variables.
[Jeff Trawick]


*) Fix ap_construct_url() so that it surrounds IPv6 literal address
strings with [].  This fixes certain types of redirection.
PR 19207.  [Jeff Trawick]


*) forward port of buffer overflow fixes for htdigest. [Thom May]

*) Added AllowEncodedSlashes directive to permit control of whether
the server will accept encoded slashes ('%2f') in the URI path.
Default condition is off (the historical behaviour).  This permits
environments in which the path-info needs to contain encoded
slashes.  PR 543, 2389, 3581, 3589, 5687, 7066, 7865, 14639.
[Ken Coar]


*) When using Redirect in directory context, append requested query
string if there's no one supplied by configuration. PR 10961.
[André Malo]


*) Unescape the supplied wildcard pattern in mod_autoindex. Otherwise
the pattern will not always match as desired. PR 12596.
[André Malo]


*) mod_autoindex now emits and accepts modern query string parameter
delimiters (;). Thus column headers no longer contain unescaped
ampersands. PR 10880  [André Malo]


*) Enable ap_sock_disable_nagle for Windows. This along with the
addition of APR_TCP_NODELAY_INHERITED to apr.hw will cause Nagle
to be disabled for Windows. [Allan Edwards]


*) Correct a mis-correlation between mpm_common.c and mpm_common.h;
This patch reverts us to pre-2.0.46 behavior, using the
ap_sock_disable_nagle noop macro, because ap_sock_disable_nagle
was never compiled on Win32. [Allan Edwards, William Rowe]


*) Fix a build problem with passing unsupported --enable-layout
args to apr and apr-util.  This broke binbuild.sh as well as
user-specified layout parameters.  PR 18649 [Justin Erenkrantz,
Jeff Trawick]


*) If a Date response header was already set in the headers array,
this value was ignored in favour of the current time. This meant
that Date headers on proxied requests were rewritten when they
should not have been. PR: 14376 [Graham Leggett]


*) Add code to buildconf that produces an httpd.spec file from
httpd.spec.in, using build/get-version.sh from APR.
[Graham Leggett]


*) Fixed a segfault when multiple ProxyBlock directives were used.
PR: 19023 [Sami Tikka <sami.tikka@f-secure.com>]


*) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability,
identified and reported by Robert Howard <rihoward@rawbw.com>, in
which device names faulted the running OS2 worker process.
The fix is actually in APR 0.9.4.  [Brian Havard]


*) Forward port: Escape special characters (especially control
characters) in mod_log_config to make a clear distinction between
client-supplied strings (with special characters) and server-side
strings. This was already introduced in version 1.3.25.
[André Malo]


*) mod_deflate: Check also err_headers_out for an already set
Content-Encoding: gzip header. This prevents gzip compressed content
from a CGI script from being compressed once more. PR 17797.
[André Malo]



If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Notified:  June 16, 2003 Updated:  June 23, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE   : apache
SUMMARY   : Apache 2 vulnerability
DATE      : 2003-06-16 18:27:00
ID        : CLA-2003:661
RELEVANT
RELEASES  : 9

-------------------------------------------------------------------------

DESCRIPTION
Apache[1] is the most popular webserver in use today.


This update addresses two security vulnerabilities which have been
fixed in the recently released[2] 2.0.46 version:


1) CAN-2003-0245[3]
iDefense published[5] an advisory about a vulnerability in the APR
library used by Apache 2. This library contains a vulnerability in
the apr_psprintf() function which could be used to make apache
reference invalid memory.


The most immediate impact of this vulnerability is a Denial of
Service condition. Arbitrary command execution remains a possibility,
but is deemed to be difficult to achieve outside a controlled
environment.


The packages provided with this update contain a fix for this
vulnerability.


2) CAN-2003-0189[4]
A problem with the build configuration scripts caused the Apache
basic authentication module to not be thread-safe. Systems running a
threaded server would then be vulnerable to a Denial of Service
condition when authenticating users using this module. Apache in
Conectiva Linux 9 is *not* vulnerable to this issue because it is not
built with threads support. However, the packages available through
this update have been patched to fix this problem to allow users to
recompile Apache with threads support in the event they choose to do
so.



SOLUTION
It is recommended that all Apache users upgrade their packages.


IMPORTANT: it is necessary to manually restart the httpd server after
upgrading the packages. In order to do this, execute the following as
root:


service apache stop

(wait a few seconds and check with "ps ax|grep httpd" if there are
any httpd processes running. On a busy webserver this could take a
little longer)


service apache start


REFERENCES
1. http://httpd.apache.org/
2. http://www.apache.org/dist/httpd/Announcement2.html
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
5. http://www.idefense.com/advisory/05.30.03.txt



UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_auth_ldap-2.0.45-28790U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_dav-2.0.45-28790U90_2cl.i386.rpm


ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:


- run:                 apt-get update
- after that, execute: apt-get upgrade


Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

-------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

-------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br


Hewlett-Packard Company

Notified:  July 16, 2003 Updated:  September 18, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


-----------------------------------------------------------------
**REVISED 01**
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0307-269
Originally issued: 16 July 2003
Last Revised: 03 Sept. 2003
SSRT3587 Security Vulnerabilities in Apache HTTP Server (rev.1)

-----------------------------------------------------------------

NOTICE: There are no restrictions for distribution of this
Bulletin provided that it remains complete and intact.
The information in the following Security Bulletin should
be acted upon as soon as possible.  Hewlett-Packard
Company will not be liable for any consequences to any
customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon
as possible.


-----------------------------------------------------------------
PROBLEM: 1. Apache 2.0.40 through 2.0.45 do not handle threads
            correctly, potentially allowing a remote denial of
            service.


More details are available at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189


2. A defect in Apache 2.0.37 through 2.0.45 potentially
allows a remote denial of service.


More details are available at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245


IMPACT: Potential remote Denial of Service

PLATFORM: HP-UX releases B.11.00, B.11.11 and B.11.22 with
versions of the following products are affected:


- HPApache/B9416AA and HPApache/B9416BA (all versions)

- hp-ux apache-based web server, (product hpuxwsAPACHE or
hpuxwsApache) v.1.0.05.01 or earlier
This product includes Apache 2.0.45.


- hp apache-based web server, 2.0.43.04 or earlier
(HPApache/B9416AA, HPApache/B9416BA)
This product includes Apache 2.0.43.


- hp-ux apache-based web server, v.1.0.05.01 or earlier
(hpuxwsAPACHE/hpuxwsApache)
This product includes Apache 2.0.45.


AFFECTED FILESETS:
The affected filesets are: (product.fileset)
HPApache.APACHE2       2.0.39.01.02   HP Apache 2.0.39
hpuxwsAPACHE.APACHE2   A.1.0.05.01    2.0.45 base (IPF Binaries)


SOLUTION: For HP-UX releases B.11.00, B.11.11 and B.11.22:
1. Remove HPApache/B9416AA and HPApache/B9416BA if they
   are installed.

2. Download and install:
hp-ux apache-based web server, v.1.0.06.01 or later
(product hpuxwsAPACHE or bundle hpuxwsApache)


NOTE: The product install location and structure has changed
between HPApache/B9416*A and hpuxwsAPACHE/hpuxwsApache.


This product includes Apache 2.0.46 and is available
from:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE


**REVISED 01**

--->> NOTE: The IPv6 solution is now available.  Please refer to
--->> documentation and depots available from software.hp.com
--->> Click on "internet ready and networking"
--->> and look for "hp-ux apache-based web server
--->> v.1.0.07.01 for ipv6 powered by apache, tomcat, webmin."


MANUAL ACTIONS: Yes - Update
Install the product containing the fix.
For customers with HPApache/B9416AA or
HPApache/B9416BA installed, the fix requires
migration to hpuxwsAPACHE/hpuxwsApache and
removing the affected products from the system.


AVAILABILITY: Complete product bundles are available now on
<http://www.software.hp.com/>


**REVISED 01**
CHANGE SUMMARY:  Rev. 01 Added IPv6 information

-----------------------------------------------------------------
A. Background

The Common Vulnerabilities and Exposures project
<http://cve.mitre.org/> has identified potential vulnerabilities
in the Apache HTTP Server (CAN-2003-0189, CAN-2003-0245). These
affect the following HP products on HP-UX releases B.11.00,
B.11.11 and B.11.22:


- HPApache/B9416AA and HPApache/B9416BA (all versions)

- hp-ux apache-based web server products hpuxwsAPACHE and
hpuxwsApache, v.1.0.05.01 or earlier.


Note: The following are not vulnerable:
HP OpenVMS
HP NonStop Servers
HP Tru64 UNIX
HP Tru64 OpenVMS


**REVISED 01**
B. Recommended solution

The Apache Software Foundation has released Apache 2.0.46 as
the best known version fixing the potential vulnerabilities
mentioned above.


HP has incorporated Apache 2.0.46 in the following product:

- hp-ux apache-based web server v.1.0.06.01 or later,
available from:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE

**REVISED 01**

--->> NOTE: The IPv6 solution is now available.  Please refer to
--->> documentation and depots available from software.hp.com
--->> Click on "internet ready and networking"
--->> and look for "hp-ux apache-based web server
--->> v.1.0.07.01 for ipv6 powered by apache, tomcat, webmin."


Check for Apache Installation
-----------------------------
To determine if the Apache web server from HP is installed on
your system, use Software Distributor's swlist command.  More
than one version may be present on a single system.


For example, the results of the command
swlist -l product | grep -i apache


HPApache      2.0.39.01.02  HP Apache-based Web Server
hpuxwsAPACHE  A.1.0.05.01   HP-UX Apache-based Web Server


Stop Apache
-----------------------------
Before updating, make sure to stop any previous Apache binary.
Otherwise, the previous binary will continue running,
preventing the new one from starting, although the
installation would be successful.


After determining which Apache is installed, stop Apache with
the following commands:


for HPApache:        /opt/hpapache2/bin/apachectl stop
for hpuxwsAPACHE:    /opt/hpws/apache/bin/apachectl stop


Download and Install Apache
-----------------------------
- Download Apache from Software Depot using the previously
  mentioned links.
- Verify successful download by comparing the cksum with the
  value specified on the installation web page.
- Use SD to swinstall the depot.
- For customers with HPApache/B9416AA or HPApache/B9416BA
  installed, migrate to hpuxwsAPACHE/hpuxwsApache and
  remove the affected products from the system.


Installation of this new version of HP Apache over an existing
HP Apache installation is supported, whereas installation over
a non-HP Apache is NOT supported.


Removing Apache Installation
----------------------------
If you prefer to remove Apache from your system rather than
install a newer version to resolve the security problem, use
both Software Distributor's "swremove" command and also
"rm -rf" the home location as specified in the rc.config.d
file "HOME" variables.


To find the files containing HOME variables in the
/etc/rc.config.d directory:


%ls /etc/rc.config.d | grep apache
hpapache2conf
hpws_apacheconf


C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:


Use your browser to get to the HP IT Resource Center page
at:


http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password.  Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC.  Remember to save the
User ID assigned to you, and your password.


In the left most frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".


To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.


or

To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.


NOTE: Using your itrc account security bulletins can be
found here:

http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin


To -gain access- to the Security Patch Matrix, select
the link for "The Security Bulletins Archive".  (near the
bottom of the page)  Once in the archive the third link is
to the current Security Patch Matrix. Updated daily, this
matrix categorizes security patches by platform/OS release,
and by bulletin topic.  Security Patch Check completely
automates the process of reviewing the patch matrix for
11.XX systems.  Please note that installing the patches
listed in the Security Patch Matrix will completely
implement a security bulletin _only_ if the MANUAL ACTIONS
field specifies "No."


The Security Patch Check tool can verify that a security
bulletin has been implemented on HP-UX 11.XX systems providing
that the fix is completely implemented in a patch with no
manual actions required.  The Security Patch Check tool cannot
verify fixes implemented via a product upgrade.


For information on the Security Patch Check tool, see:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA


The security patch matrix is also available via anonymous
ftp:


ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/

On the "Support Information Digest Main" page:
click on the "HP Security Bulletin Archive".


The PGP key used to sign this bulletin is available from
several PGP Public Key servers.  The key identification
information is:


2D2A7D59
HP Security Response Team (Security Bulletin signing only)
<security-alert@hp.com>
Fingerprint = 6002 6019 BFC1 BC62 F079 862E E01F 3AFC 2D2A 7D59

If you have problems locating the key please write to
security-alert@hp.com.  Please note that this key is
for signing bulletins only and is not the key returned
by sending 'get key' to security-alert@hp.com.



D. To report new security vulnerabilities, send email to
   security-alert@hp.com

Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server, or by sending a message with a -subject- (not body)
of 'get key' (no quotes) to security-alert@hp.com.


-----------------------------------------------------------------

(c)Copyright 2003 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of HP products referenced
herein are trademarks and/or service marks of Hewlett-Packard
Company.  Other product and company names mentioned herein may be
trademarks and/or service marks of their respective owners.

________________________________________________________________



MandrakeSoft

Notified:  June 02, 2003 Updated:  June 24, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


________________________________________________________________________

Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           apache2
Advisory ID:            MDKSA-2003:063-1
Date:                   June 2nd, 2003
Original Advisory Date: May 30th, 2003
Affected versions:      9.1
________________________________________________________________________

Problem Description:

Two vulnerabilities were discovered in the Apache web server that
affect all 2.x versions prior to 2.0.46.  The first, discovered by John
Hughes, is a build system problem that allows remote attackers to
prevent access to authenticated content when a threaded server is used.
This only affects versions of Apache compiled with threaded server
"httpd.worker", which is not the default for Mandrake Linux.


The second vulnerability, discovered by iDefense, allows remote
attackers to cause a DoS (Denial of Service) condition and may also
allow the execution of arbitrary code.


The provided packages include back-ported fixes to correct these
vulnerabilities and MandrakeSoft encourages all users to upgrade
immediately.


Update:

The previous update mistakenly listed apache-conf packages which were
never included, nor intended to be included, as part of the update.

________________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245

________________________________________________________________________

Updated Packages:


________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________

To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:

rpm --checksig <filename>

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:

https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security@linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team

<security@linux-mandrake.com>



If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  May 28, 2003 Updated:  June 24, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis:          Updated httpd packages fix Apache security vulnerabilities
Advisory ID:       RHSA-2003:186-01
Issue date:        2003-05-28
Updated on:        2003-05-28
Product:           Red Hat Linux
Keywords:          Apache httpd auth remote
Cross references:
Obsoletes:
CVE Names:         CAN-2003-0189 CAN-2003-0245
---------------------------------------------------------------------

1. Topic:

Updated httpd packages that fix two security issues are now available for
Red Hat Linux 8.0 and 9.

2. Relevant releases/architectures:

Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386

3. Problem description:

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

A bug in Apache 2.0 through 2.0.45 allows remote attackers to cause a
denial of service, and may allow execution of arbitrary code.  This bug
affects both Red Hat Linux 8.0 and 9.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0245 to
this issue.

A build system problem in Apache 2.0 through 2.0.45 allows remote attackers
to cause a denial of access to authenticated content when a threaded
server is used.   This bug affects only Red Hat Linux 9 when the threaded
server "httpd.worker" has been configured, which is not the default.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0189 to this issue.

All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues, and applied to Apache version 2.0.40.

After the errata packages are installed, restart the Web service by running
the following command:

/sbin/service httpd restart

Red Hat would like to thank iDefense who initially discovered CAN-2003-0245
and John Hughes for CAN-2003-0189.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

88575 - Byte Range implementation fix
89170 - fullstatus segfaults apachectl
89179 - mod_proxy (forward proxy) inserts empty line before header

6. RPMs required:

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/httpd-2.0.40-11.5.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/httpd-2.0.40-11.5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/httpd-devel-2.0.40-11.5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/httpd-manual-2.0.40-11.5.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/mod_ssl-2.0.40-11.5.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/httpd-2.0.40-21.3.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/httpd-2.0.40-21.3.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/httpd-devel-2.0.40-21.3.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/httpd-manual-2.0.40-21.3.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/mod_ssl-2.0.40-21.3.i386.rpm



7. Verification:



These packages are GPG signed by Red Hat for security.  Our key is
available at http://www.redhat.com/solutions/security/news/publickey/

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

md5sum <filename>


8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0245

9. Contact:

The Red Hat security contact is <security@redhat.com>.  More contact
details at http://www.redhat.com/solutions/security/news/contact/

Copyright 2003 Red Hat, Inc.
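The pre-install verification step that both the MandrakeSoft advisory (md5 checksums, rpm --checksig) and section 7 of the Red Hat advisory above describe, as an added example that is not part of either vendor's advisory: it parses an advisory-style "MD5 sum  Package Name" table, checks the downloaded RPMs against it and only then clears the directory for rpm -Fvh. The package names follow Red Hat's listing, but the file contents and digests in the demo are constructed.

```python
import hashlib
import os
import tempfile

# Added example, not Red Hat's or MandrakeSoft's own tooling: check downloaded
# RPMs against the "MD5 sum  Package Name" table both advisories publish before
# anything reaches "rpm -Fvh". A matching MD5 only shows the download is intact;
# authenticity still comes from "rpm --checksig" against the vendor's GPG key.

def parse_checksum_table(table_text):
    """Map '<mirror-relative path>' -> '<md5>' from '<32 hex>  <path>' lines;
    header and separator lines (first token not 32 hex chars) are skipped."""
    expected = {}
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32 and set(parts[0].lower()) <= set("0123456789abcdef"):
            expected[parts[1]] = parts[0].lower()
    return expected

def verify_packages(table_text, download_dir):
    """Return {path: 'ok' | 'mismatch' | 'missing'}. Table paths are relative
    to the mirror tree, so the local copy is looked up by basename."""
    results = {}
    for rel_path, digest in parse_checksum_table(table_text).items():
        local = os.path.join(download_dir, os.path.basename(rel_path))
        if not os.path.isfile(local):
            results[rel_path] = "missing"
            continue
        with open(local, "rb") as f:
            actual = hashlib.md5(f.read()).hexdigest()
        results[rel_path] = "ok" if actual == digest else "mismatch"
    return results

def safe_to_install(results):
    """Only hand the directory to 'rpm -Fvh' when every listed package verified."""
    return bool(results) and all(s == "ok" for s in results.values())

def run_demo():
    """Constructed sample: one intact download, one altered in transit, one absent."""
    d = tempfile.mkdtemp()
    good = b"constructed httpd payload"  # stands in for the real RPM bytes
    for name, data in [("httpd-2.0.40-21.3.i386.rpm", good),
                       ("mod_ssl-2.0.40-21.3.i386.rpm", b"altered bytes")]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    table = ("MD5 sum                          Package Name\n"
             f"{hashlib.md5(good).hexdigest()} 9/en/os/i386/httpd-2.0.40-21.3.i386.rpm\n"
             f"{'0' * 32} 9/en/os/i386/mod_ssl-2.0.40-21.3.i386.rpm\n"
             f"{'1' * 32} 9/en/os/i386/httpd-devel-2.0.40-21.3.i386.rpm\n")
    return verify_packages(table, d)
```

With a real download the table text is pasted from the advisory and download_dir is wherever the mirror's RPMs were fetched; a single "mismatch" or "missing" entry keeps safe_to_install() false.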



CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A

References

Credit

The CERT/CC thanks John Hughes for discovering this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2003-0189
Severity Metric: 0.68
Date Public: 2003-05-28
Date First Published: 2003-06-24
Date Last Updated: 2003-09-18 18:08 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.