__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                         INFORMATION BULLETIN

       Apache HTTP Server 2.0.49 Release Fixes Security Vulnerabilities
                         [Apache 2.0.49 Released]

April 27, 2004 20:00 GMT                                        Number O-128
[REVISED 30 Apr 2004]
[REVISED 7 July 2004]
[REVISED 4 Aug 2004]
[REVISED 10 Aug 2004]
[REVISED 25 Aug 2004]
[REVISED 23 Sep 2004]
[REVISED 24 Sep 2004]
[REVISED 06 Dec 2004]
______________________________________________________________________________

PROBLEM:        This version of Apache is principally a bug fix release.
                Of particular note is that 2.0.49 addresses three security
                vulnerabilities.

PLATFORM:       - Apache HTTP Server 2.0.49 (This release is compatible
                  with modules compiled for 2.0.42 and later versions.)
                - Apache HTTP Server 2.0.50
                - Red Hat Linux 9
                - Red Hat Desktop (v.3)
                - Red Hat Enterprise Linux AS (v.3)
                - Red Hat Enterprise Linux ES (v.3)
                - Red Hat Enterprise Linux WS (v.3)
                - SGI ProPack 3 for the SGI Altix family of systems
                - HP Tru64 UNIX 5.1B PK4 (BL25), PK3 (BL24), PK2 (BL22)
                - HP-UX B.11.04 with Virtualvault 4.7, 4.6, or 4.5
                - Mac OS X v10.2.x and v10.3.x
                - Mac OS X Server v10.2.x and v10.3.x

DAMAGE:         Vulnerabilities are listed as follows:
                - When using multiple listening sockets, a denial of
                  service attack is possible on some platforms due to a
                  race condition in the handling of short-lived
                  connections. This issue is known to affect some
                  versions of AIX, Solaris, and Tru64; it is known to not
                  affect FreeBSD or Linux. [CAN-2004-0174]
                - Arbitrary client-supplied strings can be written to the
                  error log, which can allow exploits of certain terminal
                  emulators when the log is viewed in a terminal.
                  [CAN-2003-0020]
                - A remotely triggered memory leak in mod_ssl can allow a
                  denial of service attack due to excessive memory
                  consumption. [CAN-2004-0113]

SOLUTION:       Install available upgrade.
______________________________________________________________________________

VULNERABILITY   The risk is LOW. Remote denial of service is possible if
ASSESSMENT:     exploited.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-128.shtml
 ORIGINAL BULLETIN:  http://www.apache.org/dist/httpd/Announcement2.html
 ADDITIONAL LINKS:
   - Visit Hewlett Packard's Subscription Service for:
       HP Security Bulletin HPSBUX01022 (SSRT4717)
       HP Security Bulletin HPSBUX01069 (SSRT4789 rev.0)
       HP Security Bulletin HPSBTU01049 (SSRT4717 rev.1)
   - Red Hat Security Advisory RHSA-2004:182-03
       https://rhn.redhat.com/errata/RHSA-2004-182.html
   - Red Hat RHSA-2004:342-10
       https://rhn.redhat.com/errata/RHSA-2004-342.html
   - Apache HTTP Server 2.0.50
       http://www.apache.org/dist/httpd/Announcement2.html
   - SGI Advanced Linux Environment 3, Number 20040701-01-U
       ftp://patches.sgi.com/support/free/security/advisories/20040701-01-U.asc
   - Apple Security Update 2004-12-02 (Also on CIAC P-049)
       http://docs.info.apple.com/article.html?artnum=61798
 CVE/CAN:  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
           CAN-2004-0174, CAN-2003-0020, CAN-2004-0113
______________________________________________________________________________

REVISION HISTORY:
 4/30/04 - Added link to Red Hat Security Advisory RHSA-2004:182-03,
           providing Red Hat Linux 9 updated packages for these
           vulnerabilities.
 7/07/04 - Added a link to Red Hat Security Advisory RHSA-2004:342-10,
           providing Red Hat Desktop and Enterprise Linux AS, ES, WS (v.3)
           updated packages for these vulnerabilities. Also added a link
           to Apache HTTP Server 2.0.50.
 8/04/04 - Added a link to SGI Advanced Linux Environment 3 Security
           Update #6, Number 20040701-01-U, that provides Patch 10088 for
           SGI ProPack 3.
 8/10/04 - Added reference to HP Subscription Service for patches
           available through HPSBUX01069, SSRT4789 rev.0 and HPSBTU01049
           rev.1, SSRT4717 rev.1.
 8/25/04 - Added a link to Sun Alert ID: 57628 that provides patches for
           this vulnerability.
 9/23/04 - Sent announcement that Sun Microsystems has released T-patches
           for Solaris 8. See their Sun Alert ID: 57628.
 9/24/04 - Removed all references to Sun Alert ID 57628. This alert was
           for Apache v1.3.31.
12/06/04 - Added Apple products to Platforms. Added link to Apple's
           Security Update 2004-12-02. This information is also in our
           CIAC Bulletin P-049.

[***** Start Apache 2.0.49 Released *****]

Apache HTTP Server 2.0.49 Released

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.0.49 of the Apache HTTP Server
("Apache"). This Announcement notes the significant changes in 2.0.49 as
compared to 2.0.48.

This version of Apache is principally a bug fix release. A summary of the
bug fixes is given at the end of this document. Of particular note is that
2.0.49 addresses three security vulnerabilities:

  - When using multiple listening sockets, a denial of service attack is
    possible on some platforms due to a race condition in the handling of
    short-lived connections. This issue is known to affect some versions
    of AIX, Solaris, and Tru64; it is known to not affect FreeBSD or
    Linux. [CAN-2004-0174]

  - Arbitrary client-supplied strings can be written to the error log
    which can allow exploits of certain terminal emulators.
    [CAN-2003-0020]

  - A remotely triggered memory leak in mod_ssl can allow a denial of
    service attack due to excessive memory consumption. [CAN-2004-0113]

This release is compatible with modules compiled for 2.0.42 and later
versions.

We consider this release to be the best version of Apache available and
encourage users of all prior versions to upgrade.

Apache 2.0.49 is available for download from

    http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for a full
list of changes.
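The CAN-2003-0020 fix closes the error-log issue by escaping client-supplied bytes before they are written, so that a control sequence embedded in a request path cannot reach an administrator's terminal when the log is tailed or cat'ed. The C program below is an added example written for this bulletin; it is not code from Apache or CIAC. It re-implements the same escaping approach (named C escapes for common control characters, \xHH for every other non-printable byte, backslash and double quote escaped) and runs a constructed request path carrying an xterm-style OSC title-setting sequence through it. The function names escape_logitem and contains_control, the buffer sizes and the sample log line format are this example's own assumptions, not Apache API.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if s contains any byte a terminal could interpret as a
 * control character (C0 controls, DEL, or bytes >= 0x80, which some
 * terminals treat as C1 controls); 0 otherwise. */
int contains_control(const char *s)
{
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p < 0x20 || *p >= 0x7f)
            return 1;
    }
    return 0;
}

/* Escape one log item in the style of the 2.0.49 error-log fix: common
 * control characters become C-style escapes, every other non-printable
 * byte becomes \xHH, and backslash / double quote are escaped so the
 * written line stays unambiguous. Output is NUL-terminated and never
 * exceeds outlen bytes; returns the number of bytes written (excluding
 * the NUL). Illustrative re-implementation, not Apache's own routine. */
size_t escape_logitem(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outlen == 0)
        return 0;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        unsigned char c = *p;
        char esc = 0;

        switch (c) {
        case '\b': esc = 'b';  break;
        case '\n': esc = 'n';  break;
        case '\r': esc = 'r';  break;
        case '\t': esc = 't';  break;
        case '\v': esc = 'v';  break;
        case '\\': esc = '\\'; break;
        case '"':  esc = '"';  break;
        default:   break;
        }

        if (esc) {                              /* two-byte escape: \n, \\ */
            if (o + 2 >= outlen) break;
            out[o++] = '\\';
            out[o++] = esc;
        } else if (c < 0x20 || c >= 0x7f) {     /* four-byte escape: \x1b */
            if (o + 4 >= outlen) break;
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {                                /* printable ASCII as-is */
            if (o + 1 >= outlen) break;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: a request path carrying an xterm-style OSC
     * sequence (ESC ] 0 ; ... BEL) that sets the terminal window title
     * if the raw bytes are echoed to a compatible terminal. */
    const char *path = "/index.html\x1b]0;pwned\x07";
    char escaped[128];
    char line[256];

    escape_logitem(path, escaped, sizeof escaped);

    /* Pre-fix behaviour: the raw path goes straight into the log line. */
    snprintf(line, sizeof line,
             "[error] [client 192.0.2.1] File does not exist: %s", path);
    printf("raw line contains control bytes: %s\n",
           contains_control(line) ? "yes" : "no");

    /* Post-fix behaviour: only the escaped form is written. */
    snprintf(line, sizeof line,
             "[error] [client 192.0.2.1] File does not exist: %s", escaped);
    printf("escaped line contains control bytes: %s\n",
           contains_control(line) ? "yes" : "no");
    printf("%s\n", line);
    return 0;
}
```

Running it shows the raw line carrying the ESC and BEL bytes while the escaped line is plain printable ASCII. The same check is a useful sanity test against any server you upgrade: request a path containing an ESC byte and confirm the resulting error_log entry shows \x1b rather than the raw byte.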
Apache 2.0 offers numerous enhancements, improvements, and performance
boosts over the 1.3 codebase. For an overview of new features introduced
after 1.3 please see

    http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep in mind
the following: If you intend to use Apache with one of the threaded MPMs,
you must ensure that the modules (and the libraries they depend on) that
you will be using are thread-safe. Please contact the vendors of these
modules to obtain this information.

Apache 2.0.49 Major changes

Security vulnerabilities closed since Apache 2.0.48

  * SECURITY: CAN-2004-0174 (cve.mitre.org)
    Fix starvation issue on listening sockets where a short-lived
    connection on a rarely-accessed listening socket will cause a child
    to hold the accept mutex and block out new connections until another
    connection arrives on that rarely-accessed listening socket. With
    Apache 2.x there is no performance concern about enabling the logic
    for platforms which don't need it, so it is enabled everywhere except
    for Win32. [Jeff Trawick]

  * SECURITY: CAN-2004-0113 (cve.mitre.org)
    mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
    PR 27106. [Joe Orton]

  * SECURITY: CAN-2003-0020 (cve.mitre.org)
    Escape arbitrary data before writing into the errorlog. Unescaped
    errorlogs are still possible using the compile time switch
    "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]

Bugs fixed and features added since Apache 2.0.48

  * mod_cgid: Fix storage corruption caused by use of incorrect pool.
    [Jeff Trawick]

  * Win32: find_read_listeners was not correctly handling multiple
    listeners on the Win32DisableAcceptEx path. [Bill Stoddard]

  * Fix bug in mod_usertrack when no CookieName is set. PR 24483.
    [Manni Wood]

  * Fix some piped log problems: bogus "piped log program '(null)'
    failed" messages during restart and problem with the logger
    respawning again after Apache is stopped. PR 21648, PR 24805.
    [Jeff Trawick]

  * Fixed file extensions for real media files and removed rpm extension
    from mime.types. PR 26079. [Allan Sandfeld]

  * Remove compile-time length limit on request strings. Length is now
    enforced solely with the LimitRequestLine config directive.
    [Paul J. Reder]

  * mod_ssl: Send the Close Alert message to the peer before closing the
    SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]

  * mod_ssl: Fix bug in passphrase handling which could cause spurious
    failures in SSL functions later. PR 21160. [Joe Orton]

  * mod_log_config: Fix corruption of buffered logs with threaded MPMs.
    PR 25520. [Jeff Trawick]

  * Fix mod_include's expression parser to recognize strings correctly
    even if they start with an escaped token. [André Malo]

  * Add fatal exception hook for use by diagnostic modules. The hook is
    only available if the --enable-exception-hook configure parm is used
    and the EnableExceptionHook directive has been set to "on".
    [Jeff Trawick]

  * Allow mod_auth_digest to work with sub-requests with different
    methods than the original request. PR 25040. [Josh Dady]

  * fix "Expected > but saw " errors in nested, argumentless containers.
    [Philippe M. Chiasson]

  * mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756.
    [Matthieu Estrade, Brad Nicholes]

  * mod_cgid: Restart the cgid daemon if it crashes. PR 19849.
    [Glenn Nielsen]

  * The whole codebase was relicensed and is now available under the
    Apache License, Version 2.0 (http://www.apache.org/licenses).
    [Apache Software Foundation]

  * Fixed cache-removal order in mod_mem_cache.
    [Jean-Jacques Clar, Cliff Woolley]

  * mod_setenvif: Fix the regex optimizer, which under circumstances
    treated the supplied regex as literal string. PR 24219. [André Malo]

  * ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm instead of
    mmn. [André Malo]

  * mod_rewrite: Catch an edge case, where strange subsequent RewriteRules
    could lead to a 400 (Bad Request) response.
    [André Malo]

  * Keep focus of ITERATE and ITERATE2 on the current module when the
    module chooses to return DECLINE_CMD for the directive. PR 22299.
    [Geoffrey Young]

  * Add support for IMT minor-type wildcards (e.g., text/*) to
    ExpiresByType. PR 7991. [Ken Coar]

  * Fix segfault in mod_mem_cache cache_insert() due to cache size
    becoming negative. PR 21285, 21287.
    [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]

  * core.c: If large file support is enabled, allow any file that is
    greater than AP_MAX_SENDFILE to be split into multiple buckets. This
    allows Apache to send files that are greater than 2 GB. Otherwise we
    run into 32/64 bit type mismatches in the file size. [Brad Nicholes]

  * proxy_http fix: mod_proxy hangs when both KeepAlive and
    ProxyErrorOverride are enabled, and a non-200 response without a body
    is generated by the backend server (e.g., a client makes a request
    containing the "If-Modified-Since" and "If-None-Match" headers, to
    which the backend server responds with status 304).
    [Graham Wiseman, Richard Reiner]

  * mod_dav: Reject requests which include an unescaped fragment in the
    Request-URI. PR 21779. [Amit Athavale]

  * Build array of allowed methods with proper dimensions, fixing
    possible memory corruption. [Jeff Trawick]

  * mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID.
    PR 15057. [Otmar Lendl]

  * mod_ssl: Fix streaming output from an nph- CGI script. PR 21944.
    [Joe Orton]

  * mod_usertrack no longer inspects the Cookie2 header for the cookie
    name. PR 11475. [Chris Darrochi]

  * mod_usertrack no longer overwrites other cookies. PR 26002.
    [Scott Moore]

  * worker MPM: fix stack overlay bug that could cause the parent process
    to crash. [Jeff Trawick]

  * Win32: Add Win32DisableAcceptEx directive. This Windows NT/2000/XP
    directive is useful to work around bugs in some third party layered
    service providers like virus scanners, VPN and firewall products,
    that do not properly handle WinSock 2 APIs.
    Use this directive if your server is issuing AcceptEx failed
    messages. [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]

  * Make REMOTE_PORT variable available in mod_rewrite. PR 25772.
    [André Malo]

  * Fix a long delay with CGI requests and keepalive connections on AIX.
    [Jeff Trawick]

  * mod_autoindex: Add 'XHTML' option in order to allow switching between
    HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]

  * Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
    [André Malo]

  * mod_ssl: Advertise SSL library version as determined at run-time
    rather than at compile-time. PR 23956. [Eric Seidel]

  * mod_ssl: Fix segfault on a non-SSL request if the 'c' log format code
    is used. PR 22741. [Gary E. Miller]

  * Fix build with parallel make. PR 24643. [Joe Orton]

  * mod_rewrite: In external rewrite maps lookup keys containing a
    newline now cause a lookup failure. PR 14453.
    [Cedric Gavage, André Malo]

  * Backport major overhaul of mod_include's filter parser from 2.1. The
    new parser code is expected to be more robust and should catch all of
    the edge cases that were not handled by the previous one. The 2.1
    external API changes were hidden by a wrapper which is expected to
    keep the API backwards compatible. [André Malo]

  * Add a hook (insert_error_filter) to allow filters to re-insert
    themselves during processing of error responses. Enable mod_expires
    to use the new hook to include Expires headers in valid error
    responses. This addresses an RFC violation. It fixes PRs 19794,
    24884, and 25123. [Paul J. Reder]

  * Add Polish translation of error messages. PR 25101.
    [Tomasz Kepczynski]

  * Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet
    supported for BeOS or OS/2 MPMs.)
    [Jeff Trawick, Brad Nicholes, Bill Stoddard]

  * Add mod_status hook to allow modules to add to the mod_status report.
    [Joe Orton]

  * Fix htdbm to generate comment fields in DBM files correctly.
    [Justin Erenkrantz]

  * mod_dav: Use bucket brigades when reading PUT data.
    This avoids problems if the data stream is modified by an input
    filter. PR 22104. [Tim Robbins, André Malo]

  * Fix RewriteBase directive to not add double slashes. [André Malo]

  * Improve 'configure --help' output for some modules. [Astrid Keßler]

  * Correct UseCanonicalName Off to properly check incoming port number.
    [Jim Jagielski]

  * Fix slow graceful restarts with prefork MPM. [Joe Orton]

  * Fix a problem with namespace mappings being dropped in mod_dav_fs; if
    any property values were set which defined namespaces these came out
    mangled in the PROPFIND response. PR 11637. [Amit Athavale]

  * mod_dav: Return a WWW-auth header for MOVE/COPY requests where the
    destination resource gives a 401. PR 15571. [Joe Orton]

  * mod_autoindex / core: Don't fail to show filenames containing special
    characters like '%'. PR 13598. [André Malo]

  * mod_status: Report total CPU time accurately when using a threaded
    MPM. PR 23795. [Jeff Trawick]

  * Fix memory leak in handling of request bodies during reverse proxy
    operations. PR 24991. [Larry Toppi]

  * Win32 MPM: Implement MaxMemFree to enable setting an upper limit on
    the amount of storage used by the bucket brigades in each server
    thread. [Bill Stoddard]

  * Modified the cache code to be header-location agnostic. Also fixed a
    number of other cache code bugs related to PR 15852. Includes a patch
    submitted by Sushma Rai. This fixes mod_mem_cache but not
    mod_disk_cache yet, so I'm not closing the PR since that is what they
    are using. [Paul J. Reder]

  * Complain via error_log when mod_include's INCLUDES filter is enabled
    but the relevant Options flag allowing the filter to run for the
    specific resource wasn't set, so that the filter won't silently get
    skipped. The filter then removes itself, so the warning is logged
    only once. [Stas Bekman, Jeff Trawick, Bill Rowe]

  * mod_info: HTML escape configuration information so it displays
    correctly. PR 24232. [Thom May]

  * Restore the ability to add a description for directories that don't
    contain an index file.
    (Broken in 2.0.48) [André Malo]

  * Fix a problem with the display of empty variables ("SetEnv foo") in
    mod_include. PR 24734. [Markus Julen]

  * mod_log_config: Log the minutes component of the timezone correctly.
    PR 23642. [Hong-Gunn Chew]

  * mod_proxy: Fix cases where an invalid status-line could be sent to
    the client. PR 23998. [Joe Orton]

  * mod_ssl: Fix segfaults at startup if other modules which use OpenSSL
    are also loaded. [Joe Orton]

  * mod_ssl: Use human-readable OpenSSL error strings in logs; use
    thread-safe interface for retrieving error strings. [Joe Orton]

  * mod_expires: Initialize ExpiresDefault to NULL instead of "" to avoid
    reporting an Internal Server Error if it is used without having been
    set in the httpd.conf file. PR 23748, 24459.
    [Andre Malo, Liam Quinn]

  * mod_autoindex: Don't omit the start tag if the SuppressIcon option
    is set. PR 21668. [Jesse Tie-Ten-Quee]

  * mod_include no longer allows an ETag header on 304 responses.
    PR 19355. [Geoffrey Young, André Malo]

  * EBCDIC: Convert header fields to ASCII before sending (broken since
    2.0.44). [Martin Kraemer]

  * Fix the inability to log errors like exec failure in mod_ext_filter/
    mod_cgi script children. This was broken after such children stopped
    inheriting the error log handle. [Jeff Trawick]

  * Fix mod_info to use the real config file name, not the default config
    file name. [Aryeh Katz]

  * Set the scoreboard state to indicate logging prior to running logging
    hooks so that server-status will show 'L' for hung loggers instead of
    'W'. [Jeff Trawick]

[***** End Apache 2.0.49 Released *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of The Apache Project for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S.
Department of Energy (DOE) and the emergency backup response team for the
National Institutes of Health (NIH). CIAC is located at the Lawrence
Livermore National Laboratory in Livermore, California. CIAC is also a
founding member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-118: HP OpenView Operations Remote Unauthorized Access
O-119: HP Tru64 UNIX WU-FTPD Security Vulnerabilities
O-120: HP Web Jetadmin Security Vulnerabilities
O-121: Debian linux-kernel-2.4.17 and 2.4.18 Vulnerabilities
O-122: Red Hat Updated OpenOffice Packages Fix Security Vulnerability in Neon
O-123: Debian 483-1 MySQL
O-124: Cisco TCP Vulnerabilities in Multiple Cisco Products
O-125: Cisco Vulnerabilities in SNMP Message Processing
O-126: Red Hat Updated Kernel Packages Fix Several Vulnerabilities
O-127: Debian linux-kernel-2.4.16 Vulnerabilities