topic Re: Apache Web Server Chunk Handling Vulnerability ????? in Operating System - HP-UX

Apache Web Server Chunk Handling Vulnerability ?????

HPP — Fri, 21 Jun 2002 12:35:05 GMT

This question for HP:
When will HP release patch for "Apache Web Server Chunk Handling Vulnerability" or when will you release Apache Apache 1.3.26 and Apache 2.0.39?

Thanks

Re: Apache Web Server Chunk Handling Vulnerability ?????

someone_4 — Fri, 21 Jun 2002 14:35:03 GMT

Just so everyone knows what you are talking about here.

ALERT - APACHE WEB VULNERABILITY

Free Vulnerability Scanning Utility Now Available

Two days ago a vulnerability that affects Apache web server software was announced. The vulnerability is a remote buffer overflow in the section of code that handles chunked-encoding requests. It is possible for attackers to manipulate this vulnerability to execute code against any vulnerable versions of Apache. This includes the Unix and Windows versions.

It should also be noted that since the Apache vulnerability was released, exploit programs that take advantage of the vulnerability have been distributed to the Internet. This makes the chances of attack, and even the possibility a large scale attack such as a worm, much greater.

Due to the fact that Apache is the most deployed web server software on the Internet, detecting and patching this vulnerability is critical for many administrators. eEye has created a free tool that IT administrators can use to scan their networks for vulnerable Apache servers. The tool also provides a link to information on how to correctly patch vulnerable servers.

To learn more about the free scanning tool visit:
http://www.eeye.com/html/Research/Tools/apachechunked.html

Note: A recent update to eEye's Retina Network Security Scanner included an audit for this particular Apache vulnerability. Retina users should be sure to run an "Auto-Update" to obtain this and other new vulnerability checks.

SUBSCRIPTION INFORMATION

You are receiving this email as a valued user of eEye products. If you wish to be removed from the mailing list, please go to http://www.eeye.com/html/forms/unsubscribe.asp?list=Blast.

Re: Apache Web Server Chunk Handling Vulnerability ?????

John Ott — Fri, 21 Jun 2002 17:45:56 GMT

I'm trying to build apache-1.3.26
on a HP-UX 11 host

I'm getting the following error.
(only used --prefix at the
configure stage)

/usr/local/src/apache_1.3.26-> ./configure --prefix=/opt/apache
Configuring for Apache, Version 1.3.26
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for HP-UX 11 platform
+ setting C compiler to gcc
+ setting C pre-processor to gcc -E
+ checking for system header files
+ adding selected modules
+ using builtin Expat
+ checking sizeof various data types
+ doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/regex
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/lib/expat-lite
Creating Makefile in src/modules/standard
-------------
that works now the make fails
--------------
make
===> src
make[1]: Entering directory `/opt/app/ULOC-SRC/apache_1.3.26'
make[2]: Entering directory `/opt/app/ULOC-SRC/apache_1.3.26/src'
===> src/regex
make[3]: Nothing to be done for `all'.
<=== src/regex
===> src/os/unix
gcc -c -I../../os/unix -I../../include -DHPUX11 -DUSE_HSREGEX -DUSE_EXPAT -I../../lib/expat-lite -DNO_DL_NEEDED `../../apaci` os.c
In file included from ../../include/ap_config.h:1121,
from os.c:6:
/usr/include/sys/socket.h:439: parse error before "sendfile"
/usr/include/sys/socket.h:439: parse error before "bsize_t"
/usr/include/sys/socket.h:441: parse error before "sendpath"
/usr/include/sys/socket.h:441: parse error before "bsize_t"
make[3]: *** [os.o] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/opt/app/ULOC-SRC/apache_1.3.26/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/opt/app/ULOC-SRC/apache_1.3.26'
make: *** [build] Error 2

Any Ideas??

thanks
John

Re: Apache Web Server Chunk Handling Vulnerability ?????

VINCENT SPURGEON — Tue, 09 Jul 2002 12:48:19 GMT

http://www.cert.org/advisories/CA-2002-17.html

This article states, that with regards to HP, "...Patches are in process and will be announced in an HP Security Bulletin when available."

Has anyone heard anything relating to HPUX 11.xx??

Re: Apache Web Server Chunk Handling Vulnerability ?????

harry d brown jr — Tue, 09 Jul 2002 13:37:53 GMT

You need to address this issue:

This member has assigned points to 23 of 132 responses to his/her questions.

a big 17.4 %

click on this and bring your results up:

http://forums.itrc.hp.com/cm/TopSolutions/1,,CA79166!1!questions,00.html

live free or die
harry

Re: Apache Web Server Chunk Handling Vulnerability ?????

Kathleen — Tue, 09 Jul 2002 15:35:41 GMT

This was released by HP within the last week.

SOLUTION: For HP-UX releases 11.00 and 11.11, download new product
bundles from the ftp site below.

MANUAL ACTIONS: Install repaired binary

AVAILABILITY: Complete product bundles are available now for 11.00
and 11.11 are available for PA-RISC architecture
platforms via ftp at hprc.external.hp.com (see below
for account details).

------------------------------------------------------------------
A. Background
The CERT Advisory CA-2002-17 regarding Apache affects the
following HP product numbers:

B9416AA Apache 2.x PA-RISC HP-UX releases 11.00 and 11.11
B9415AA Apache 1.3.x PA-RISC HP-UX releases 11.00 and 11.11

HP Apache 1.3.26 (PA-RISC)
installs into /opt/apache and /opt/tomcat
disk space: 55-65 MB
documents: /opt/apache/htdocs/doc

HP Apache 2.0.39 (PA-RISC)
installs into /opt/hpapache2
disk space: 80-90 MB
documents: /opt/hpapache2/hp_apache_docs

HP Apache automatically starts upon installation if port 80
is available.

Installation of this new version of HP Apache over an existing
HP Apache installation is supported, while installation over a
non-HP Apache is NOT supported.

B. Fixing the problem
The fixes for HP-UX 11.00 and 11.11 are in the form of new
product bundles, instead of patches. An ftp server account has
been created to enable timely downloading of these binaries.

System: hprc.external.hp.com

FTP Access: ftp://apache:apache@hprc.external.hp.com/
or: ftp://apache:apache@192.170.19.51/

Retrieve the binaries and verify the correct size, cksum output
and MD5 fingerprint.

Re: Apache Web Server Chunk Handling Vulnerability ?????

Daimian Woznick — Tue, 09 Jul 2002 19:48:37 GMT

As a note there were two revisions made to the security bulletin:

CHANGE SUMMARY: Rev.01 - Do not install the bundle on NNM.
Rev.02 - Added Virtualvault patches.

Re: Apache Web Server Chunk Handling Vulnerability ?????

Niraj Kumar Verma — Wed, 10 Jul 2002 02:53:38 GMT

Hi,

You are using the gcc compiler.

I had the similar problem and got it resolved using ansic C compiler.

if you have anci C compiler then try the following before
running configure

# export CC=/opt/ansic/bin/cc

# ./configure --prefix=/opt/apache

I am sure it will work.

-Niraj