
[linux-security] apache remote exploit

remote exploit in apache webserver

Problem Description
Versions of the Apache web server up to and including 1.3.24 and 2.0
up to and including 2.0.36 contain a bug in the routines which deal
with invalid requests which are encoded using chunked encoding.  This
bug can be triggered remotely by sending a carefully crafted invalid

On 32-bit Unix systems this bug allows a denial of service (DoS) attack:
the web server stops running. Investigations by the Apache Software Foundation
show that in some cases 64-bit platforms may have a greater exposure and
could be remotely exploited to allow arbitrary code to be run on the server.
This includes defacing of web pages served by the apache web server.

Upgrading to newer or patched versions of the Apache webserver is strongly

Affected Systems
Web servers based on Apache code versions 1.3 through 1.3.24
Web servers based on Apache code versions 2.0 through 2.0.36
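As an added example (not part of this post, nor Apache's or any vendor's code), the following Python script turns the affected ranges above and the fixed vendor packages listed below into a check an administrator can run against a fleet. It reads the upstream version from `httpd -v` output or a `Server:` header for self-built servers, and for distribution packages it compares the `rpm -q apache` / `dpkg -l` style name-version-release string against the package the advisory names as fixed. That second path matters because the Red Hat and Debian fixes carry upstream versions older than 1.3.26 (backported patches), so judging a vendor package by its Apache/x.y.z banner alone gives a false positive. The version comparison is a simplified numeric dotted-segment compare, not a full `rpmvercmp`; that, the `assess()` wrapper and the sample strings are assumptions of this example.

```python
import re

# Upstream Apache ranges named in the advisory: (first affected, last affected, first fixed).
AFFECTED_BRANCHES = {
    (1, 3): ((1, 3, 0), (1, 3, 24), (1, 3, 26)),
    (2, 0): ((2, 0, 0), (2, 0, 36), (2, 0, 39)),
}

# Vendor packages the advisory lists as fixed. Their upstream version is older
# than 1.3.26 because the fix was backported, so a distribution package must be
# judged by package version-release, never by the Apache/x.y.z banner.
FIXED_PACKAGES = {
    "RedHat 6.x": "apache-1.3.22-5.6",
    "RedHat 7.0": "apache-1.3.22-5.7.1",
    "RedHat 7.1": "apache-1.3.22-5.7.1",
    "RedHat 7.2": "apache-1.3.22-6",
    "RedHat 7.3": "apache-1.3.23-14",
    "Debian 2.2": "apache_1.3.9-14.1",
}

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# name, dotted version, dotted release; trailing ".i386.rpm" etc. is ignored.
_PACKAGE_RE = re.compile(r"^(apache(?:-common|-devel)?)[-_](\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)")


def _numeric_tuple(s):
    """'5.7.1' -> (5, 7, 1). Simplified compare: numeric, dot-separated segments only."""
    return tuple(int(x) for x in s.split("."))


def parse_upstream_version(text):
    """Find an Apache/x.y.z token in 'httpd -v' output or a Server: header."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def upstream_is_affected(version):
    """True when a self-built upstream version lies inside an affected range."""
    if version is None:
        return False
    rng = AFFECTED_BRANCHES.get(version[:2])
    if rng is None:
        return False
    first, last, _fixed = rng
    return first <= version <= last


def parse_package(nvr):
    """'apache-1.3.22-5.6' -> ('apache', (1, 3, 22), (5, 6)); None if unrecognised."""
    m = _PACKAGE_RE.match(nvr.strip())
    if not m:
        return None
    name, ver, rel = m.groups()
    return name, _numeric_tuple(ver), _numeric_tuple(rel)


def package_is_patched(distro, installed_nvr):
    """True when the installed vendor package is at or above the advisory's fixed one."""
    fixed = parse_package(FIXED_PACKAGES[distro])
    inst = parse_package(installed_nvr)
    if inst is None:
        raise ValueError(f"unrecognised package string: {installed_nvr!r}")
    return (inst[1], inst[2]) >= (fixed[1], fixed[2])


def assess(distro, package_query_output, httpd_v_output):
    """distro=None means a self-built server judged by upstream version only;
    otherwise the vendor package string decides."""
    if distro is not None:
        return "patched" if package_is_patched(distro, package_query_output) else "vulnerable"
    if upstream_is_affected(parse_upstream_version(httpd_v_output)):
        return "vulnerable"
    return "not affected"


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from real hosts.
    print(assess(None, "", "Server version: Apache/1.3.24 (Unix)"))      # vulnerable
    print(assess("RedHat 7.2", "apache-1.3.22-6.i386", ""))              # patched
    print(assess("Debian 2.2", "apache_1.3.9-14", ""))                   # vulnerable
```

Run it with the output of `httpd -v` (self-built) or `rpm -q apache` / the package column of `dpkg -l apache` (vendor package). A self-built 1.3.25 reports as not affected only because it is outside the range the advisory states; the advisory's recommended targets are 1.3.26 and 2.0.39.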

upgrade to versions 1.3.26 or 2.0.39 or a patched version for your

RedHat 6.x
rpm -Fvh apache-1.3.22-5.6.i386.rpm \
         apache-devel-1.3.22-5.6.i386.rpm \

RedHat 7.0, 7.1
rpm -Fvh apache-1.3.22-5.7.1.i386.rpm \
         apache-devel-1.3.22-5.7.1.i386.rpm \

RedHat 7.2
rpm -Fvh apache-1.3.22-6.i386.rpm \
         apache-devel-1.3.22-6.i386.rpm \

RedHat 7.3
rpm -Fvh apache-1.3.23-14.i386.rpm \
         apache-devel-1.3.23-14.i386.rpm \

Debian 2.2 (potato)
upgrade to apache_1.3.9-14.1_i386.deb, apache-common_1.3.9-14.1_i386.deb,
Then check your configuration: "apachectl configtest".
Finally restart the webserver: "/etc/init.d/apache restart".