__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Apache HTTP Server 2.0.48 Release Fixes Security Vulnerabilities [Apache 2.0.48 Released] October 29, 2003 19:00 GMT Number O-015 [REVISED 21 Nov 2003] [REVISED 10 Dec 2003] [REVISED 17 Dec 2003] [REVISED 18 Dec 2003] [REVISED 14 Jan 2004] [REVISED 11 Feb 2004] [REVISED 21 Sep 2004] [REVISED 12 Oct 2004] [REVISED 15 Aug 2005] ______________________________________________________________________________ PROBLEM: There exist two security vulnerabilities: 1) mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded Multi- processing Module (MPM) is used. 2) A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 captures is configured. SOFTWARE: Apache 2.0.47 PLATFORM: HP-UX B.11.00, B.11.11, B.11.20, B.11.23 Red Hat Enterprise Linux - AS, ES, and WS v2.1 and v.3 Red Hat Linux 7.1, 7.2, 7.3, 8.0 and 9 SGI Sun Solaris 8 and 9 DAMAGE: 1) Information for one user could be directed to another. 2) A buffer overflow could cause a system crash or be used to take control of a system. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is LOW. The first problem is unlikely to expose a ASSESSMENT: system to additional compromise. For the second problem, a mod_rewrite regular expression is unlikely to be configured to have more than 9 captures. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-015.shtml ORIGINAL BULLETIN: http://www.apache.org/dist/httpd/Announcement2.html ADDITIONAL INFORMATION: * Visit HEWLETT PACKARD's Subscription Service for: HPSBUX0311-301 (SSRT3663) * RED HAT Security Advisory RHSA-2003:360-08 https://rhn.redhat.com/errata/RHSA-2003-360.html * RED HAT Security Advisory RHSA-2003:320-09 https://rhn.redhat.com/errata/RHSA-2003-320.html * RED HAT Security Advisory RHSA-2003:405-04 https://rhn.redhat.com/errata/RHSA-2003-405.html * RED HAT Security Advisory RHSA-2004:015-04 https://rhn.redhat.com/errata/RHSA-2004-015.html * SGI security update #7 ftp://patches.sgi.com/support/free/security/advisories/ 20031203-01-U.asc Sun Alert ID: 57496 (superceded by 101444) http://www.sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-101444-1 CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2003-0789 CVE-2003-0542 ______________________________________________________________________________ REVISION HISTORY: 11/21/03 - Added Hewlett Packard's bulletin link information for HPSBUX0311-301 (SSRT3663), added HP-UX in the Platform section. 12/10/03 - Added Red Hat's advisory link information for RHSA-2003:360-08 for their Enterprise Linux products, and added product versions in the the Platform section. 12/17/03 - Added Red Hat's advisory link information for RHSA-2003:320-09 for Linux 8.0 and 9 platforms, and added to the Platform section. 12/18/03 - (1) added a link to Red Hat's Security Advisory RHSA-2003:405-04 announcing the release of their updated Apache httpd packages for their Linux platforms 7.1, 7.2 and 7.3. (2) added a link to SGI's Security Update #7 announcing the release of their Patch 10039 for this vulnerability. 1/14/04 - add a link to Red Hat's Security Advisory RHSA-2004:015-04 announcing the release of their updated Apache httpd packages for their Enterprise Linux platforms AS, ES, WS (v. 3) and to add a link to Debian Security Advisory DSA-422-1. 2/11/04 - add a link to Sun Alert ID: 57496. 9/21/04 - Sun Alert ID #57496 was updated by the release of T-patches for Solaris 8. 10/12/04 - Sun Alert ID #57496 was updated. The Contributing Factors and Resolution sections were modified. 08/15/05 - Sun Microsystems has superceded their Alert ID #57496 with Alert ID: 101444 and modified Contributing Factors and Resolutions sections where links to patches are provided. [***** Start Apache 2.0.48 Released *****] Apache HTTP Server 2.0.48 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the eleventh public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.48 as compared to 2.0.47. This version of Apache is principally a bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.48 addresses two security vulnerabilities: mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. [CAN-2003-0789] A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 captures is configured. [CAN-2003-0542] This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade. Apache 2.0.48 is available for download from http://httpd.apache.org/download.cgi Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes. Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see http://httpd.apache.org/docs-2.0/new_features_2_0.html When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information. Apache 2.0.48 Major changes Security vulnerabilities closed since Apache 2.0.47 * SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. [Jeff Trawick] * SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. [André Malo] Bugs fixed and features added since Apache 2.0.47 * mod_include: fix segfault which occured if the filename was not set, for example, when processing some error conditions. PR 23836. [Brian Akins , André Malo] * fix the config parser to support .. containers (no arguments in the opening tag) supported by httpd 1.3. Without this change mod_perl 2.0's sections are broken. ["Philippe M. Chiasson" ] * mod_cgid: fix a hash table corruption problem which could result in the wrong script being cleaned up at the end of a request. [Jeff Trawick] * Update httpd-*.conf to be clearer in describing the connection between AddType and AddEncoding for defining the meaning of compressed file extensions. [Roy Fielding] * mod_rewrite: Don't die silently when failing to open RewriteLogs. PR 23416. [André Malo] * mod_rewrite: Fix mod_rewrite's support of the [P] option to send rewritten request using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI. PR: 13946. [Eider Oliveira ] * cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as directed in RFC 2616. [Thomas Castelle ] * Ensure that ssl-std.conf is generated at configure time, and switch to using the expanded config variables to work the same as httpd-std.conf PR: 19611 [Thom May] * mod_ssl: Fix segfaults after renegotiation failure. PR 21370 [Hartmut Keil ] * mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive, the folder icon is no longer replaced by the icon of that file. PR 9587. [David Shane Holden ] * Fixed mod_usertrack to not get false positive matches on the user-tracking cookie's name. PR 16661. [Manni Wood ] * mod_cache: Fix the cache code so that responses can be cached if they have an Expires header but no Etag or Last-Modified headers. PR 23130. [bjorn@exoweb.net] * mod_log_config: Fix %b log format to write really "-" when 0 bytes were sent (e.g. with 304 or 204 response codes). [Astrid Keßler] * Modify ap_get_client_block() to note if it has seen EOS. [Justin Erenkrantz] * Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the Accept-Encoding header contained only other tokens than "gzip" (such as "deflate"). PR 21523. [Joe Orton, André Malo] * Avoid an infinite recursion, which occured if the name of an included config file or directory contained a wildcard character. PR 22194. [André Malo] * mod_ssl: Fix a problem setting variables that represent the client certificate chain. PR 21371 [Jeff Trawick] * Unix: Handle permissions settings for flock-based mutexes in unixd_set_global|proc_ mutex_perms(). Allow the functions to be called for any type of mutex. PR 20312 [Jeff Trawick] * ab: Work over non-loopback on Unix again. PR 21495. [Jeff Trawick] * Fix a misleading message from the some of the threaded MPMs when MaxClients has to be lowered due to the setting of ServerLimit. [Jeff Trawick] * Lower the severity of the "listener thread didn't exit" message to debug, as it is of interest only to developers. PR 9011 [Jeff Trawick] * MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. [Cliff Woolley, Jean-Jacques Clar] * Install config.nice into the build/ directory to make minor version upgrades easier. [Joshua Slive] * Fix mod_deflate so that it does not call deflate() without checking first whether it has something to deflate. (Currently this causes deflate to generate a fatal error according to the zlib spec.) PR 22259. [Stas Bekman] * mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an identity spoof is encountered. [Sander Striker] * mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested without a trailing slash. PR 20195. [André Malo] * ab: Overlong credentials given via command line no longer clobber the buffer. [André Malo] * mod_deflate: Don't attempt to hold all of the response until we're done. [Justin Erenkrantz] * Assure that we block properly when reading input bodies with SSL. PR 19242. [David Deaves , William Rowe] * Update mime.types to include latest IANA and W3C types. [Roy Fielding] * mod_ext_filter: Set additional environment variables for use by the external filter. PR 20944. [Andrew Ho, Jeff Trawick] * Fix buildconf errors when libtool version changes. [Jeff Trawick] * Remember an authenticated user during internal redirects if the redirection target is not access protected and pass it to scripts using the REDIRECT_REMOTE_USER environment variable. PR 10678, 11602. [André Malo] * mod_include: Fix a trio of bugs that would cause various unusual sequences of parsed bytes to omit portions of the output stream. PR 21095. [Ron Park , André Malo, Cliff Woolley] * Update the header token parsing code to allow LWS between the token word and the ':' seperator. [PR 16520] [Kris Verbeeck , Nicel KM ] * Eliminate creation of a temporary table in ap_get_mime_headers_core() [Joe Schaefer ] * Added FreeBSD directory layout. PR 21100. [Sander Holthaus , André Malo] * Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. [Glenn Nielsen , André Malo] * mod_rewrite: Perform child initialization on the rewrite log lock. This fixes a log corruption issue when flock-based serialization is used (e.g., FreeBSD). [Jeff Trawick] * Don't respect the Server header field as set by modules and CGIs. As with 1.3, for proxy requests any such field is from the origin server; otherwise it will have our server info as controlled by the ServerTokens directive. [Jeff Trawick] [***** End Apache 2.0.48 Released *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Apache for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-005: Microsoft Exchange Server Vulnerabilities O-006: Microsoft Authenticode Verification Vulnerability O-007: Microsoft Windows Help and Support Center Buffer Overrun Vulnerability O-008: Microsoft Troubleshooter ActiveX Control Buffer Overflow Vulnerability O-009: Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities O-010: Microsoft Exchange Server 5.5 Outlook Web Access Vulnerability O-011: Sun Vulnerability in Solaris "AnswerBOok2 Documentation" Admin Script O-012: Sun Vulnerability in Solaris "AnswerBOok2 Documentation" Server Daemon O-013: Buffer Overflow in Oracle Binary O-014: SGI Wildcard Exportfs Issue in Network File SYstem (NFS)