SecurityFocus Updates 2 Apache Vulnerabilities

michael path writes "SecurityFocus released two updated Apache vulnerabilities, one affecting 2.0.x (a DOS vulnerability), the other affecting both the 1.3.x and 2.0.x revisions (a buffer overflow). IBM HTTP Server is also affected by these vulnerabilities in similar version numbers."
  • phew (Score:5, Informative)

    by roll_w.it ( 317514 ) on Monday April 12, 2004 @04:33PM (#8841056)

    from my logs [Mon Apr 12 16:29:53 2004] [error] [client 64.229.154.62] request failed: URI too long

    from the article [securityfocus.com]
    Not vulnerable:
    Apache Software Foundation Apache 1.3.29
    Apache Software Foundation Apache 2.0.48
      + Trustix Secure Linux 2.0
      + Trustix Secure Linux 2.1

    From my machine $ httpd -v
    Server version: Apache/1.3.29 (Unix)
    Server built: Nov 3 2003 19:54:39

    • by Inoshiro ( 71693 ) on Monday April 12, 2004 @09:36PM (#8843598) Homepage
      If you actually check your access_log for the partner entry, you'll see it's a request for the SEARCH command which seems to be a new IIS exploit heading around. My vulnerable 1.3.28 also spits out:
      [Sun Apr 11 00:45:43 2004] [error] [client 24.78.143.66] request failed: URI too long

      You haven't identified the problem at all. I just wish there was an easy way to filter out those requests before they hit by Apache and crapfill my logs.
      • I know :) - But there have been a lot of attempts at buffer exploits via the URL lately... it just happened to be handy. I believe this is the WebDAV exploit.

        I'm getting sick of seeing \xb1\x02 in my access log too - there's a thread over here [apachefreaks.com] with some ideas on how to do it - but haven't had the chance yet (exam week)
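The two error_log lines quoted above, plus the \xb1\x02 SEARCH noise in access_log, are exactly what a quick triage script would key on. The following is an added example and is not code from the page or from the Apache project: it parses both log formats, tallies per-client probe indicators, and checks a `httpd -v` banner against the "not vulnerable" releases quoted from SecurityFocus (1.3.29 and 2.0.48). The sample log lines are constructed after the ones posted in the thread; the `FIXED_MIN` table assumes that later releases in the same branch are also fixed (the thread itself notes the advisory says nothing about 2.0.49), and the 1024-byte URI threshold is an arbitrary choice for the example.

```python
import re
from collections import Counter, defaultdict

# Minimum not-vulnerable release per branch, copied from the SecurityFocus
# "not vulnerable" entries quoted in the thread (Apache 1.3.29 and 2.0.48).
# ASSUMPTION of this example: later releases in the same branch are also fixed.
FIXED_MIN = {"1.3": (1, 3, 29), "2.0": (2, 0, 48)}

# Request methods a non-WebDAV Apache should never see; the thread ties the
# \xb1\x02 noise in access_log to SEARCH requests aimed at IIS.
SUSPECT_METHODS = {"SEARCH"}

ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
# Common/combined log format; the URI field holds no spaces, so \S+ is safe.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample logs, modelled on the lines quoted in the thread.
ERROR_LOG = r"""[Mon Apr 12 16:29:53 2004] [error] [client 64.229.154.62] request failed: URI too long
[Sun Apr 11 00:45:43 2004] [error] [client 24.78.143.66] request failed: URI too long
[Mon Apr 12 16:30:10 2004] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
[Mon Apr 12 16:30:11 2004] [notice] Apache/1.3.29 (Unix) configured -- resuming normal operations
"""

ACCESS_LOG = r"""64.229.154.62 - - [12/Apr/2004:16:29:53 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02 HTTP/1.1" 414 -
24.78.143.66 - - [11/Apr/2004:00:45:43 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02 HTTP/1.1" 414 -
10.0.0.5 - - [12/Apr/2004:16:30:10 -0400] "GET /favicon.ico HTTP/1.1" 404 209
10.0.0.5 - - [12/Apr/2004:16:31:02 -0400] "GET /index.html HTTP/1.1" 200 1234
"""


def parse_version(banner):
    """Extract (major, minor, patch) from e.g. 'Server version: Apache/1.3.29 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no Apache version in %r" % banner)
    return tuple(int(x) for x in m.groups())


def version_is_fixed(banner):
    """True/False against FIXED_MIN; None when the branch is not in the quoted list."""
    v = parse_version(banner)
    branch = "%d.%d" % v[:2]
    if branch not in FIXED_MIN:
        return None
    return v >= FIXED_MIN[branch]


def scan_error_log(text):
    """Client IPs behind 'request failed: URI too long' errors, in log order."""
    ips = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m and "URI too long" in m.group("msg"):
            ips.append(m.group("ip"))
    return ips


def scan_access_log(text, max_uri_len=1024):
    """(ip, method, reasons) for every request that looks like a URI probe.

    max_uri_len is an arbitrary threshold for this example; Apache's own cap
    on the request line is the LimitRequestLine directive (default 8190).
    """
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m is None:
            continue
        uri = m.group("uri")
        reasons = []
        if m.group("method") in SUSPECT_METHODS:
            reasons.append("method " + m.group("method"))
        if "\\x" in uri:                 # Apache escapes non-printable bytes as \xNN
            reasons.append("escaped binary in URI")
        if len(uri) > max_uri_len:
            reasons.append("URI longer than %d" % max_uri_len)
        if m.group("status") == "414":   # Request-URI Too Large
            reasons.append("status 414")
        if reasons:
            hits.append((m.group("ip"), m.group("method"), reasons))
    return hits


def probe_report(error_text, access_text):
    """Per-client tally of indicators across both logs; clean clients are absent."""
    per_ip = defaultdict(Counter)
    for ip in scan_error_log(error_text):
        per_ip[ip]["URI too long"] += 1
    for ip, _method, reasons in scan_access_log(access_text):
        per_ip[ip].update(reasons)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, counts in probe_report(ERROR_LOG, ACCESS_LOG).items():
        print(ip, dict(counts))
    print(version_is_fixed("Server version: Apache/1.3.29 (Unix)"))
```

Correlating the two logs matters because the error_log line alone, as the reply above points out, does not say what the request was; the access_log entry carries the method and the escaped request body that identify it as a SEARCH probe rather than an Apache-specific attack. To refuse such methods at the server itself rather than just log them, Apache's `<LimitExcept GET POST HEAD>` ... `Deny from all` block (mod_access, available in both 1.3 and 2.0) rejects any method not listed.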

  • OS X (Score:5, Informative)

    by b1t r0t ( 216468 ) on Monday April 12, 2004 @04:53PM (#8841281)
    For those of you running OS X who don't want to scroll through the three thousand lines of version information in the securityfocus.com link, if you're running 10.3.3 you should be fine, because 10.3.3 uses Apache 1.3.29.
  • it doesn't say whether httpd-2.0.49 is or is not vulnerable.
  • Old news (Score:5, Informative)

    by slive ( 21582 ) on Monday April 12, 2004 @07:36PM (#8842801) Homepage
    These are both rather old.

    If you want more complete information about Apache security issues, a better source is
    http://www.apacheweek.com/features/security-20
    and
    http://www.apacheweek.com/features/security-13
  • by Inoshiro ( 71693 ) on Monday April 12, 2004 @09:44PM (#8843655) Homepage
    Slackware-current has Apache 1.3.29, which happens to be the version listed as not vulnerable.

    If you're running Slack, just download the source, run apache.SlackBuild, and upgradepkg to become non-vulnerable.
  • It's a little late for the buffer overflow to be hitting Slashdot's Apache news. The fix was known and published back in December 2003.

    Red Hat backported the fix into their custom 1.3.27 version in this errata, released 12/18:
    https://rhn.redhat.com/errata/RHSA-2003-405.html [redhat.com]
  • Why is this article not so hot? Well, because the upgrade process is so easy, for us!
    - A Weblog from Nigeria [afriguru.com]
