Sikkerhedsoplysninger / 2002 / Sikkerhedsoplysninger -- DSA-131-1 apache

Debians sikkerhedsbulletin

DSA-131-1 apache -- fjern-overbelastning/udnyttelse

Rapporteret den:

19. jun 2002

Berørte pakker:

apache

Sårbar:

Ja

Referencer i sikkerhedsdatabaser:

I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 5033.
I Mitres CVE-ordbog: CVE-2002-0392.
CERTs noter om sårbarheder, bulletiner og hændelser: CA-2002-17, VU#944335.

Yderligere oplysninger:

Mark Litchfield har fundet et overbelastningsangreb ("denial of service") i webserveren Apache. Mens Apache Software Foundation undersøgte problemet, opdatede de at koden til håndtering af forkerte forespørgsler som anvender "chunked encoding" også kunne give mulighed for udførelse af vilkårlig kode på 64-bits arkitekturer.

Dette er rettet i version 1.3.9-14.1 i Debians apache-pakke, foruden i opstrømsversionerne 1.3.26 og 2.0.37. Vi anbefaler kraftigt at du omgående opgraderer din apache-pakke.

Pakkeopgraderingen genstarter ikke automatisk apache-serveren, dette skal gøres manuelt. Kontrollér at din opsætning er korrekt ("apachectl configtest" kontrollerer det for dig) og genstart den ved hjælp af "/etc/init.d/apache restart".

Rettet i:

Debian GNU/Linux 2.2 (potato)

Kildekode:

http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.1.diff.gz

http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.1.dsc

http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9.orig.tar.gz

Arkitekturuafhængig komponent:

http://security.debian.org/dists/stable/updates/main/binary-all/apache-doc_1.3.9-14.1_all.deb

Alpha:

http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-common_1.3.9-14.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-dev_1.3.9-14.1_alpha.deb

http://security.debian.org/dists/stable/updates/main/binary-alpha/apache_1.3.9-14.1_alpha.deb

ARM:

http://security.debian.org/dists/stable/updates/main/binary-arm/apache-common_1.3.9-14.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/apache-dev_1.3.9-14.1_arm.deb

http://security.debian.org/dists/stable/updates/main/binary-arm/apache_1.3.9-14.1_arm.deb

Intel IA-32:

http://security.debian.org/dists/stable/updates/main/binary-i386/apache-common_1.3.9-14.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/apache-dev_1.3.9-14.1_i386.deb

http://security.debian.org/dists/stable/updates/main/binary-i386/apache_1.3.9-14.1_i386.deb

Motorola 680x0:

http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-common_1.3.9-14.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-dev_1.3.9-14.1_m68k.deb

http://security.debian.org/dists/stable/updates/main/binary-m68k/apache_1.3.9-14.1_m68k.deb

PowerPC:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-common_1.3.9-14.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-dev_1.3.9-14.1_powerpc.deb

http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache_1.3.9-14.1_powerpc.deb

Sun Sparc:

http://security.debian.org/dists/stable/updates/main/binary-sparc/apache-common_1.3.9-14.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/apache-dev_1.3.9-14.1_sparc.deb

http://security.debian.org/dists/stable/updates/main/binary-sparc/apache_1.3.9-14.1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.