search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apache mod_alias vulnerable to buffer overflow via crafted regular expression

Vulnerability Note VU#549142

Original Release Date: 2004-02-03 | Last Revised: 2004-03-19

Overview

A vulnerability in a supplementary module to the Apache HTTP server could allow an attacker to execute arbitrary code on an affected web server under certain circumstances.

Description

The Apache HTTP server distribution includes a number of supplemental modules that provide additional functionality to the web server. One of these modules, mod_alias, provides for mapping different parts of the host filesystem into the document tree and for URL redirection. Several of the mod_alias directives can use regular expressions rather than simple prefix matches. A buffer overflow has been discovered in the way that mod_alias handles regular expressions containing more than 9 captures (stored strings matching a particular pattern). This flaw results in a remotely exploitable vulnerability on web servers that specify such a regular expression to the mod_alias module in their configuration files.

Impact

An attacker may be able to execute arbitrary code in the context of the web server user (e.g., "apache", "httpd", "nobody", etc.). The attacker would have to have the ability to supply a specially crafted configuration file (e.g., .htaccess or httpd.conf) to the Apache server in order to mount this attack.

Solution

Apply a patch from the vendor

Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.

Workarounds


Disable mod_alias if it is not required in your web server configuration. Instructions for doing this can be found in the Apache HTTP Server documentation. Sites, particularly those that are not able to apply the patches, are encouraged to consider implementing this workaround.

Vendor Information

549142
 
Affected   Unknown   Unaffected

Apache Software Foundation

Updated:  February 02, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Apache Software Foundation has released versions 1.3.29 and 2.0.48 of the Apache httpd server in response to this issue. These patched versions of the software are available at:


Because this software is commonly repackaged by third-party vendors, users are encouraged to review the Systems Affected section of VU#434566 first to determine whether their vendor has produced an update for their systems.

Users who compile the Apache httpd software from source code are encouraged to upgrade to one of the patched versions listed above (or newer). Users are also encouraged to verify the PGP signatures on the software distribution before compiling and installing it on their systems.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Updated:  February 02, 2004

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------


PACKAGE   : apache
SUMMARY   : Fix for some vulnerabilities
DATE      : 2003-11-05 19:18:00
ID        : CLA-2003:775
RELEVANT
RELEASES  : 7.0, 8, 9


- -------------------------------------------------------------------------

DESCRIPTION
Apache[1] is the most popular webserver in use today.

New versions of the Apache web server have been made available[2][3]
with the following security fixes:

1. Buffer overflow in mod_alias and mod_rewrite (CAN-2003-0542) [4]
A buffer overflow could occur in mod_alias and mod_rewrite when a
regular expression with more than 9 captures is configured. Users who
can create or modify configuration files (httpd.conf or .htaccess,
for example) could trigger this. This vulnerability affects Apache
1.3.x and Apache 2.0.x.

2. mod_cgid mishandling of CGI redirect paths (CAN-2003-0789) [5]
mod_cgid mishandling of CGI redirect paths could result in CGI output
going to the wrong client when a threaded MPM is used. The packages
provided with Conectiva Linux 9 are not vulnerable to this issue
because  they are not compiled with that MPM, but the fix has been
included because new packages for Conectiva Linux 9 were already
being built for the suexec problem (see below).

In addition to the above security fixes, "suexec" has been correctly

 built in the Conectiva Linux 9 packages, fixing[6] the problem where
CGI scripts could not be run from the user's home directory.



SOLUTION
It is recommended that all Apache users upgrade their packages.

IMPORTANT: it is necessary to manually restart the httpd server after
upgrading the packages. In order to do this, execute the following as
root:

service httpd stop

(wait a few seconds and check with "pidof httpd" if there are any
httpd processes running. On a busy webserver this could take a little
longer)

service httpd start


REFERENCES
1. http://apache.httpd.org/
2. http://www.apache.org/dist/httpd/Announcement2.html
3. http://www.apache.org/dist/httpd/Announcement.html
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789
6. http://bugzilla.conectiva.com.br/show_bug.cgi?id=8754 (pt_BR only)



UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/apache-1.3.28-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.28-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.28-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.28-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/apache-1.3.28-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-1.3.28-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-devel-1.3.28-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-doc-1.3.28-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_5cl.i386.rpm

ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_auth_ldap-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_dav-2.0.45-28790U90_5cl.i386.rpm



ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:


 - run:                 apt-get update
- after that, execute: apt-get upgrade


 Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en


- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en


- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com


- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


iD8DBQE/qWk/42jd0JmAcZARAkF2AJsGfA3n7v7l8f4A8ik+Ao6uqB9NYACfZnQ4
qf3SjmMxGkqRYyXuBBragEE=
=zsxK
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux

Updated:  February 02, 2004

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-03
- ---------------------------------------------------------------------------


          PACKAGE : net-www/apache
         SUMMARY : buffer overflow
            DATE : Tue Oct 28 16:43:46 UTC 2003
         EXPLOIT : local
VERSIONS AFFECTED : <apache-1.3.29
   FIXED VERSION : >=apache-1.3.29
             CVE : CAN-2003-0542 (under review at time of GLSA)


- ---------------------------------------------------------------------------

Quote from <http://httpd.apache.org/dev/dist/Announcement>:

   This version of Apache is principally a bug and security fix release.
  A partial summary of the bug fixes is given at the end of this document.
  A full listing of changes can be found in the CHANGES file.  Of
  particular note is that 1.3.29 addresses and fixes 1 potential
  security issue:


     o CAN-2003-0542 (cve.mitre.org)
      Fix buffer overflows in mod_alias and mod_rewrite which occurred if
      one configured a regular expression with more than 9 captures.


   We consider Apache 1.3.29 to be the best version of Apache 1.3 available
  and we strongly recommend that users of older versions, especially of
  the 1.1.x and 1.2.x family, upgrade as soon as possible.  No further
  releases will be made in the 1.2.x family.



SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/apache 1.x upgrade:


emerge sync
emerge -pv apache
emerge '>=net-www/apache-1.3.29'
emerge clean
/etc/init.d/apache restart



// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)


iD8DBQE/vGZWnt0v0zAqOHYRAnnUAKCf7j5ZciPl2A/lfT2G6re9L0ZjugCfQGYk
RyV+5R/BFsdAzsMYZp9dT8A=
=ym4e
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc.

Updated:  February 02, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Guardian Digital, Inc. has released Guardian Digital Security Advisory ESA-20031105-030 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Updated:  March 08, 2004

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 -----------------------------------------------------------------
**REVISED 01**
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0311-301
Originally issued: 18 November 2003
Last revised: 19 November 2003
SSRT3663 Apache HTTP Server mod_cgid, mod_alias, mod_rewrite
-----------------------------------------------------------------
NOTICE: There are no restrictions for distribution of this
       Bulletin provided that it remains complete and intact.


The information in the following Security Bulletin should be
acted upon as soon as possible.  Hewlett-Packard Company will
not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this
Security Bulletin as soon as possible.


 -----------------------------------------------------------------
PROBLEM: 1. mod_cgid mishandling of CGI redirect paths could
           result in CGI output going to the wrong client when a
           threaded MPM is used.


            More details are available at:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789


         2. A buffer overflow could occur in mod_alias and
           mod_rewrite when a regular expression with more than
           9 captures is configured.


            More details are available at:
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542



IMPACT: Potential Denial of Service or execute arbitrary code.

PLATFORM: HP9000 Servers running HP-UX release B.11.00, B.11.11,
         B.11.20, B.11.22, and B.11.23 with versions of the
         following products are affected, and represented as:
              product-name, version (product-tag/bundle-tag)


          product-name, version (product-tag/bundle-tag)

          - hp apache-based web server, 2.0.43.04
           or earlier (HPApache/B9416AA)
           This product includes Apache 2.0.43.


          - hp-ux apache-based web server, v.1.0.09.01
           or earlier (hpuxwsAPACHE/hpuxwsApache)
           This product includes Apache 2.0.47.


          - hp apache-based web server (with IPv6 support),
           2.0.43.04 or earlier (HPApache/B9416BA)
           This product includes Apache 2.0.43.


          - hp-ux apache-based web server(with IPv6 support),
           v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache)
           This product includes Apache 2.0.47.


SOLUTION: For HP-UX releases B.11.00, B.11.11, B.11.20, B.11.22
         and B.11.23 download new HP Apache product from
         http://www.software.hp.com/:


          For HPApache/B9416AA, HPApache/B9416BA and
             hpuxwsAPACHE/hpuxwsApache download the following:


          - hp-ux apache-based web server (with IPv4)
           v.1.0.10.01 or later (hpuxwsAPACHE/hpuxwsApache)
           This product includes Apache 2.0.48.
     http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/
          cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE


          - hp-ux apache-based web server(with IPv6 support),
           v.1.0.10.01 or later (hpuxwsAPACHE/hpuxwsApache)
           This product includes Apache 2.0.48.
     http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/
          cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE



MANUAL ACTIONS: Yes - Non-Update
               Install the product containing the fix.
               For customers with HPApache/B9416AA
               HPApache/B9416BA installed, the fix requires
               migration to hpuxwsAPACHE/hpuxwsApache and
               removing the affected products from the system.


AVAILABILITY: Complete product bundles are available now on
              <http://www.software.hp.com/>


CHANGE SUMMARY:  Rev. 01 Corrected typo in version number
-----------------------------------------------------------------
**REVISED  01**
A. Background
  The Common Vulnerabilities and Exposures project
  <http://cve.mitre.org/> has identified potential
  vulnerabilities in the Apache HTTP Server (CAN-2003-0789, and
  CAN-2003-0542).  It affects the following HP product
  numbers/versions on HP-UX releases B.11.00, B.11.11, B.11.20,
  B.11.22, and B.11.23:


   - hp apache-based web server, 2.0.43.04 or earlier
    (HPApache/B9416AA)


   - hp-ux apache-based web server, v.1.0.09.01 or earlier
    (hpuxwsAPACHE/hpuxwsApache)


   - hp apache-based web server, 2.0.43.04 (with IPv6 support)
    or earlier (HPApache/B9416BA)


   - hp-ux apache-based web server (with IPv6 support),
    v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache)


   AFFECTED VERSIONS

   The following is a list of affected filesets or patches
  and fix information. To determine if a system has an
  affected version, search the output of
  "swlist -a revision -l fileset" for an affected fileset
  or patch, then determine if a fixed revision or applicable
  patch is installed.


         HP-UX B.11.00
        HP-UX B.11.11
        HP-UX B.11.20
        HP-UX B.11.22
        HP-UX B.11.23
        ====================================
        HPApache.APACHE2
        hpuxwsAPACHE.APACHE2
--->>   fix: install hp-ux apache-based web server, v.1.0.10.01
             or later.


   END AFFECTED VERSIONS

B. Recommended solution
  The Apache Software Foundation has released Apache 2.0.48 as
  the best known version that fixes the problems identified in
  the above mentioned issues.


   For customers using HPApache/B9416AA HPApache/B9416BA and
  hpuxwsAPACHE/hpuxwsApache, HP has incorporated Apache 2.0.48
  in the following product:
  - hp-ux apache-based web server v.1.0.10.01 or later
     http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
            displayProductInfo.pl?productNumber=HPUXWSSUITE



   Check for Apache Installation
  -----------------------------
  To determine if the Apache web server from HP is installed on
  your system, use Software Distributor's swlist command.  All
  three versions products may co-exist on a single system.


   For example, the results of the command
    swlist -l product | grep -i apache


     HPApache      2.0.39.01.02  HP Apache-based Web Server
    hpuxwsAPACHE  A.1.0.09.01   HP-UX Apache-based Web Server


   Stop Apache
  -----------------------------
  Before updating, make sure to stop any previous Apache binary.
  Otherwise, the previous binary will continue running,
  preventing the new one from starting, although the installation
  would be successful.


   After determining which Apache is installed, stop Apache with
  the following commands:


     for HPApache:        /opt/hpapache2/bin/apachectl stop
    for hpuxwsAPACHE:    /opt/hpws/apache/bin/apachectl stop


   Download and Install Apache
  -----------------------------
  - Download Apache from Software Depot using the previously
    mentioned links.
  - Verify successful download by comparing the cksum with the
    value specified on the installation web page.
  - Use SD to swinstall the depot.
  - For customers with HPApache/B9416BA installed, migrate to
    hpuxwsAPACHE/hpuxwsApache and remove the affected products
    from the system.


   Installation of this new version of HP Apache over an existing
  HP Apache installation is supported, while installation over a
  non-HP Apache is NOT supported.


   Removing Apache Installation
  ----------------------------
  If you rather remove Apache from your system than install a
  newer version to resolve the security problem, use both
  Software Distributor's "swremove" command and also "rm -rf" the
  home location as specified in the rc.config.d file "HOME"
  variables.


   To find the files containing HOME variables in the
  /etc/rc.config.d directory:


     %ls /etc/rc.config.d | grep apache
       hpapache2conf
       hpws_apacheconf


C. To subscribe to automatically receive future NEW HP Security
  Bulletins from the HP IT Resource Center via electronic
  mail, do the following:


   Use your browser to get to the HP IT Resource Center page
  at:


      http://itrc.hp.com

   Use the 'Login' tab at the left side of the screen to login
  using your ID and password.  Use your existing login or the
  "Register" button at the left to create a login, in order to
  gain access to many areas of the ITRC.  Remember to save the
  User ID assigned to you, and your password.


   In the left most frame select "Maintenance and Support".

   Under the "Notifications" section (near the bottom of
  the page), select "Support Information Digests".


   To -subscribe- to future HP Security Bulletins or other
  Technical Digests, click the check box (in the left column)
  for the appropriate digest and then click the "Update
  Subscriptions" button at the bottom of the page.


   or

   To -review- bulletins already released, select the link
  (in the middle column) for the appropriate digest.


   NOTE: Using your itrc account security bulletins can be
        found here:
  http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin



   To -gain access- to the Security Patch Matrix, select
  the link for "The Security Bulletins Archive".  (near the
  bottom of the page)  Once in the archive the third link is
  to the current Security Patch Matrix. Updated daily, this
  matrix categorizes security patches by platform/OS release,
  and by bulletin topic.  Security Patch Check completely
  automates the process of reviewing the patch matrix for
  11.XX systems.  Please note that installing the patches
  listed in the Security Patch Matrix will completely
  implement a security bulletin _only_ if the MANUAL ACTIONS
  field specifies "No."


   The Security Patch Check tool can verify that a security
  bulletin has been implemented on HP-UX 11.XX systems providing
  that the fix is completely implemented in a patch with no
  manual actions required.  The Security Patch Check tool cannot
  verify fixes implemented via a product upgrade.


   For information on the Security Patch Check tool, see:
  http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
  displayProductInfo.pl?productNumber=B6834AA


   The security patch matrix is also available via anonymous
  ftp:


   ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/

   On the "Support Information Digest Main" page:
  click on the "HP Security Bulletin Archive".


   The PGP key used to sign this bulletin is available from
  several PGP Public Key servers.  The key identification
  information is:


      2D2A7D59
     HP Security Response Team (Security Bulletin signing only)
     <security-alert@hp.com>
     Fingerprint =
       6002 6019 BFC1 BC62 F079 862E E01F 3AFC 2D2A 7D59


   If you have problems locating the key please write to
  security-alert@hp.com.  Please note that this key is
  for signing bulletins only and is not the key returned
  by sending 'get key' to security-alert@hp.com.



D. To report new security vulnerabilities, send email to

   security-alert@hp.com

   Please encrypt any exploit information using the
  security-alert PGP key, available from your local key
  server, or by sending a message with a -subject- (not body)
  of 'get key' (no quotes) to security-alert@hp.com.


 -----------------------------------------------------------------

(c)Copyright 2003 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of HP products referenced
herein are trademarks and/or service marks of Hewlett-Packard
Company.  Other product and company names mentioned herein may be
trademarks and/or service marks of their respective owners.


 ________________________________________________________________
- --


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0


iQA/AwUBP7wcI+AfOvwtKn1ZEQLrYACg57hw7CsQg63mHb936Iv7mb4ZB1cAoNi5
S6ApYHc0R0qvXKQTDOvx0K2X
=Iijo
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Updated:  February 02, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has published MandrakeSoft Security Advisory MDKSA-2003:103 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG

Updated:  February 02, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The OpenPKG development team has release OpenPKG Security Advisory OpenPKG-SA-2003.046 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Updated:  February 02, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat, Inc. has published the following Red Hat Security Advisories in response to this issue:


Users are encouraged to review the information provided in these advisories and apply the patches they refer to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO

Updated:  March 08, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The SCO Group has published SCO Security Advisory CSSA-2003-SCO.28 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Updated:  February 02, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has published SGI Advanced Linux Environment security update #7 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware

Updated:  February 02, 2004

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


[slackware-security]  apache security update (SSA:2003-308-01)

Apache httpd is a hypertext transfer protocol server, and is used
by over two thirds of the Internet's web sites.


Upgraded Apache packages are available for Slackware 8.1, 9.0, 9.1,
and -current.  These fix local vulnerabilities that could allow users
who can create or edit Apache config files to gain additional
privileges.  Sites running Apache should upgrade to the new packages.


In addition, new mod_ssl packages have been prepared for all platforms,
and new PHP packages have been prepared for Slackware 8.1, 9.0, and
- -current (9.1 already uses PHP 4.3.3).  In -current, these packages
also move the Apache module directory from /usr/libexec to
/usr/libexec/apache.  Links for all of these related packages are
provided below.


More details about the Apache issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:


  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542


Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Mon Nov  3 20:06:29 PST 2003
patches/packages/apache-1.3.29-i486-1.tgz:  Upgraded to apache-1.3.29.
 This fixes the following local security issue:
   o CAN-2003-0542 (cve.mitre.org)
     Fix buffer overflows in mod_alias and mod_rewrite which occurred if
     one configured a regular expression with more than 9 captures.
 This vulnerability requires the attacker to create or modify certain
 Apache configuration files, and is not a remote hole.  However, it could
 possibly be used to gain additional privileges if access to the Apache
 administrator account can be gained through some other means.  All sites
 running Apache should upgrade.
 (* Security fix *)
+--------------------------+



WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+


Updated packages for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.29-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.16_1.3.29-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.3-i386-1.tgz


Updated packages for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.29-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.16_1.3.29-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.3-i386-1.tgz


Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.29-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.16_1.3.29-i486-1.tgz


Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.29-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.16_1.3.29-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.3-i486-3.tgz



MD5 SIGNATURES:
+-------------+


Slackware 8.1 packages:
1a8190a214c052f0707bd5a6b005a7cd  apache-1.3.29-i386-1.tgz
eb74afbc99295c01d418b576e92e83bb  mod_ssl-2.8.16_1.3.29-i386-1.tgz
b41a44c3ce2a3a09873b5d0930faf4c1  php-4.3.3-i386-1.tgz


Slackware 9.0 packages:
bb34ae622245f57bdca747ac5d8f73cf  apache-1.3.29-i386-1.tgz
c84af5778a5667a06a60a274f2fe1edb  mod_ssl-2.8.16_1.3.29-i386-1.tgz
7660e36f2cfb30cc339734369cca7719  php-4.3.3-i386-1.tgz


Slackware 9.1 packages:
9b494bb3f03cb4a4cb8c28f4fcc76666  apache-1.3.29-i486-1.tgz
938412e01daf55fee37293a5790d907f  mod_ssl-2.8.16_1.3.29-i486-1.tgz


Slackware -current packages:
091c22d398c51fee820dd0d0b7d514e3  apache-1.3.29-i486-1.tgz
cd260439c9f1373329ba2224ace0451d  mod_ssl-2.8.16_1.3.29-i486-1.tgz
cc90540cc07e840e5a0513ffbb308102  php-4.3.3-i486-3.tgz



INSTALLATION INSTRUCTIONS:
+------------------------+


First, stop apache:

# apachectl stop

Next, upgrade these packages as root:

# upgradepkg apache-1.3.29-i486-1.tgz
# upgradepkg mod_ssl-2.8.16_1.3.29-i486-1.tgz
# upgradepkg php-4.3.3-i486-3.tgz


Finally, restart apache:

# apachectl start

Or, if you're running a secure server with mod_ssl:

# apachectl startssl


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com


+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)


iD8DBQE/qEKrakRjwEAQIjMRArvcAKCMB2tJJVmHitflS/Rc0yG9kksiPACeP0Dd
7HXUeO3O/cg1yufkh2Zvrqg=
=YQdI
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Updated:  March 08, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Microsystems, Inc. has published Sun Security Alert #57496 in response to this issue. Users are encouraged to review this alert and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix

Updated:  February 02, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Trustix development team has published Trustix Secure Linux Security Advisory #2003-0041 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 13 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

The Apache Software Foundation credits André Malo with the discovery of this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2003-0542
Severity Metric: 0.61
Date Public: 2003-10-30
Date First Published: 2004-02-03
Date Last Updated: 2004-03-19 19:58 UTC
Document Revision: 25

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.