             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       Apache HTTP Server 2.0.52 Released

September 29, 2004 16:00 GMT                                      Number O-221
[REVISED 28 Oct 2004]
[REVISED 29 Oct 2004]
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the merging of the Satisfy directive
               of Apache 2.0.51.

PLATFORM:      Apache 2.0.51
               HP-UX B.11.00, HP-UX B.11.11, HP-UX B.11.22 (IPv4)
               HP-UX B.11.11, HP-UX B.11.23 (IPv6)
               Secure Web Server based on Apache 2.0.49 or earlier
               (IX 6.3 or earlier; SWS 6.3 or earlier)

DAMAGE:        Use of the Satisfy directive may allow remote attackers to
               bypass configured access controls.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A remote user could gain unauthorized
ASSESSMENT:    access to files and directories.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-221.shtml
 ORIGINAL BULLETIN:  http://www.apache.org/dist/httpd/Announcement2.html
 ADDITIONAL LINK:    Visit Hewlett Packard's Subscription Service for:
                     HPSBUX01090 Rev.0 / SSRT4853 rev. 0 and
                     HPSBGN01091 Rev.0 / SSRT4812, SSRT4832, Rev.0
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2004-0811
______________________________________________________________________________
REVISION HISTORY:
 10/28/2004 - added reference to HP Bulletin that provides patches for this
              vulnerability (HPSBUX01090 Rev.0 / SSRT4853 rev. 0)
 10/29/2004 - added reference to HP Bulletin that provides patches for this
              vulnerability (HPSBGN01091 Rev.0 / SSRT4812, SSRT4832, Rev.0)

[****** Start Apache Bulletin ******]

                   Apache HTTP Server 2.0.52 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.0.52 of the Apache HTTP
   Server ("Apache"). This Announcement notes the significant changes in
   2.0.52 as compared to 2.0.51.

   The Announcement is also available in German and Japanese from:

     http://www.apache.org/dist/httpd/Announcement2.html.de
     http://www.apache.org/dist/httpd/Announcement2.html.ja

   This version of Apache is principally a bug fix release. Of particular
   note is that 2.0.52 addresses one new security related flaw introduced
   in 2.0.51:

     Fix merging of the Satisfy directive, which was applied to the
     surrounding context and could allow access despite configured
     authentication. PR 31315. [CAN-2004-0811]

   The Apache HTTP Server Project would like to thank Rici Lake for
   identification and a proposed fix of this flaw.

   This release is compatible with modules compiled for 2.0.42 and later
   versions.

   We consider this release to be the best version of Apache available and
   encourage users of all prior versions to upgrade.

   Apache 2.0.52 is available for download from

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.0 file, linked from the above page, for a full
   list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase. For an overview of new features introduced
   after 1.3 please see

     http://httpd.apache.org/docs-2.0/new_features_2_0.html

   When upgrading or installing this version of Apache, please keep in mind
   the following:

   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you will
   be using are thread-safe. Please contact the vendors of these modules to
   obtain this information.
[****** End Apache Bulletin ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Apache for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-211: Potential Buffer Overflows in WinZip
O-212: Apple Security Update
O-213: Windows Buffer Overrun in JPEG Processing Could Allow Code Execution
O-214: Windows Vulnerability in WordPerfect Converter Could Allow Code
       Execution
O-215: "imlib" package vulnerability
O-216: "gtk2" Package vulnerability
O-217: "gdk-pixbuf" Package vulnerability
O-218: HP Web Jetadmin Remote Access Vulnerability
O-219: Sudo - "Sudoedit" Vulnerabilities
O-220: "Any to PostScript" (a2ps) Filter Vulnerability
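Added illustration of the Satisfy merging flaw described in the Apache
announcement above (CAN-2004-0811, PR 31315). This configuration is an
editor's example and is not part of the CIAC bulletin or of the Apache text;
every path, realm name and file name in it is assumed for illustration. It
shows the ordinary pattern the flaw affects: a directory protected by
authentication, with one nested section that relaxes the policy for a single
file.

```apache
# Added example, not taken from the bulletin. Assumed names:
# /var/www/private, /etc/httpd/private.passwd, public.html.
#
# Intended policy: everything under /var/www/private requires a valid
# user, except public.html, which is meant to be readable by anyone.

<Directory /var/www/private>
    AuthType Basic
    AuthName "Private area"
    AuthUserFile /etc/httpd/private.passwd
    Require valid-user

    # No Order/Allow/Deny here, so the host-based (mod_access) check
    # passes for every client; only the authentication check protects
    # this tree. Satisfy is left at its default, All, which means BOTH
    # the host check and the authentication check must succeed.

    # The one exemption: for this file alone, passing EITHER check is
    # enough, so it is served without credentials.
    <Files public.html>
        Satisfy Any
    </Files>
</Directory>
```

In 2.0.52 and later the nested Satisfy Any applies only to public.html. In
2.0.51, as the announcement states, the value was merged into the
surrounding context, here the enclosing <Directory>, so every file under
/var/www/private could satisfy the host check alone and the Require
valid-user no longer protected anything. The only remedy the bulletin gives
is upgrading (Apache 2.0.52, or the HP bulletins listed under ADDITIONAL
LINK for HP-UX). To confirm the fix after upgrading, check that httpd -v
reports 2.0.52 or later and that an unauthenticated request for a protected
file in such a directory is answered with 401 while the exempted file is
answered with 200.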