
Apache Web Server Chunk Handling Vulnerability ?????

 
HPP
Regular Advisor

Apache Web Server Chunk Handling Vulnerability ?????

This question for HP:
When will HP release a patch for "Apache Web Server Chunk Handling Vulnerability", or when will you release Apache 1.3.26 and Apache 2.0.39?

Thanks
Be Teachable
someone_4
Honored Contributor

Re: Apache Web Server Chunk Handling Vulnerability ?????

Just so everyone knows what you are talking about here.

ALERT - APACHE WEB VULNERABILITY

Free Vulnerability Scanning Utility Now Available

Two days ago a vulnerability that affects Apache web server software was announced. The vulnerability is a remote buffer overflow in the section of code that handles chunked-encoding requests. It is possible for attackers to manipulate this vulnerability to execute code against any vulnerable versions of Apache. This includes the Unix and Windows versions.

It should also be noted that since the Apache vulnerability was released, exploit programs that take advantage of the vulnerability have been distributed to the Internet. This makes the chances of attack, and even the possibility of a large-scale attack such as a worm, much greater.

Due to the fact that Apache is the most deployed web server software on the Internet, detecting and patching this vulnerability is critical for many administrators. eEye has created a free tool that IT administrators can use to scan their networks for vulnerable Apache servers. The tool also provides a link to information on how to correctly patch vulnerable servers.

To learn more about the free scanning tool visit:
http://www.eeye.com/html/Research/Tools/apachechunked.html

Note: A recent update to eEye's Retina Network Security Scanner included an audit for this particular Apache vulnerability. Retina users should be sure to run an "Auto-Update" to obtain this and other new vulnerability checks.





John Ott
New Member

Re: Apache Web Server Chunk Handling Vulnerability ?????

I'm trying to build apache-1.3.26 on an HP-UX 11 host.

I'm getting the following error (only used --prefix at the configure stage).

/usr/local/src/apache_1.3.26-> ./configure --prefix=/opt/apache
Configuring for Apache, Version 1.3.26
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for HP-UX 11 platform
+ setting C compiler to gcc
+ setting C pre-processor to gcc -E
+ checking for system header files
+ adding selected modules
+ using builtin Expat
+ checking sizeof various data types
+ doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/regex
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/lib/expat-lite
Creating Makefile in src/modules/standard
-------------
That works; now the make fails:
--------------
make
===> src
make[1]: Entering directory `/opt/app/ULOC-SRC/apache_1.3.26'
make[2]: Entering directory `/opt/app/ULOC-SRC/apache_1.3.26/src'
===> src/regex
make[3]: Nothing to be done for `all'.
<=== src/regex
===> src/os/unix
gcc -c -I../../os/unix -I../../include -DHPUX11 -DUSE_HSREGEX -DUSE_EXPAT -I../../lib/expat-lite -DNO_DL_NEEDED `../../apaci` os.c
In file included from ../../include/ap_config.h:1121,
from os.c:6:
/usr/include/sys/socket.h:439: parse error before "sendfile"
/usr/include/sys/socket.h:439: parse error before "bsize_t"
/usr/include/sys/socket.h:441: parse error before "sendpath"
/usr/include/sys/socket.h:441: parse error before "bsize_t"
make[3]: *** [os.o] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/opt/app/ULOC-SRC/apache_1.3.26/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/opt/app/ULOC-SRC/apache_1.3.26'
make: *** [build] Error 2


Any Ideas??

thanks
John
VINCENT SPURGEON
Frequent Advisor

Re: Apache Web Server Chunk Handling Vulnerability ?????

http://www.cert.org/advisories/CA-2002-17.html

This article states that, with regard to HP, "...Patches are in process and will be announced in an HP Security Bulletin when available."

Has anyone heard anything relating to HPUX 11.xx??
It's only a flesh wound...
harry d brown jr
Honored Contributor

Re: Apache Web Server Chunk Handling Vulnerability ?????


You need to address this issue:

This member has assigned points to 23 of 132 responses to his/her questions.

a big 17.4 %

click on this and bring your results up:

http://forums.itrc.hp.com/cm/TopSolutions/1,,CA79166!1!questions,00.html

live free or die
harry
Live Free or Die
Kathleen
Regular Advisor

Re: Apache Web Server Chunk Handling Vulnerability ?????

This was released by HP within the last week.



SOLUTION: For HP-UX releases 11.00 and 11.11, download new product
bundles from the ftp site below.

MANUAL ACTIONS: Install repaired binary

AVAILABILITY: Complete product bundles for 11.00 and 11.11 are
available now for PA-RISC architecture platforms
via ftp at hprc.external.hp.com (see below for
account details).

------------------------------------------------------------------
A. Background
The CERT Advisory CA-2002-17 regarding Apache affects the
following HP product numbers:

B9416AA Apache 2.x PA-RISC HP-UX releases 11.00 and 11.11
B9415AA Apache 1.3.x PA-RISC HP-UX releases 11.00 and 11.11

HP Apache 1.3.26 (PA-RISC)
installs into /opt/apache and /opt/tomcat
disk space: 55-65 MB
documents: /opt/apache/htdocs/doc

HP Apache 2.0.39 (PA-RISC)
installs into /opt/hpapache2
disk space: 80-90 MB
documents: /opt/hpapache2/hp_apache_docs

HP Apache automatically starts upon installation if port 80
is available.

Installation of this new version of HP Apache over an existing
HP Apache installation is supported, while installation over a
non-HP Apache is NOT supported.

B. Fixing the problem
The fixes for HP-UX 11.00 and 11.11 are in the form of new
product bundles, instead of patches. An ftp server account has
been created to enable timely downloading of these binaries.

System: hprc.external.hp.com

FTP Access: ftp://apache:apache@hprc.external.hp.com/
or: ftp://apache:apache@192.170.19.51/

Retrieve the binaries and verify the correct size, cksum output
and MD5 fingerprint.

Daimian Woznick
Trusted Contributor

Re: Apache Web Server Chunk Handling Vulnerability ?????

As a note there were two revisions made to the security bulletin:

CHANGE SUMMARY: Rev.01 - Do not install the bundle on NNM.
Rev.02 - Added Virtualvault patches.
Niraj Kumar Verma
Trusted Contributor

Re: Apache Web Server Chunk Handling Vulnerability ?????

Hi,

You are using the gcc compiler.

I had a similar problem and got it resolved using the ANSI C compiler.

If you have the ANSI C compiler, then try the following before running configure:

# export CC=/opt/ansic/bin/cc

# ./configure --prefix=/opt/apache

I am sure it will work.

-Niraj
Niraj.Verma@philips.com