Apache Rewrite Module Arbitrary File Disclosure Vulnerability
BID:1728
Info
| Bugtraq ID: | 1728 |
| Class: | Design Error |
| CVE: | CVE-2000-0913 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Sep 29 2000 12:00AM |
| Updated: | Sep 29 2000 12:00AM |
| Credit: | This vulnerability was reported in the 09-22 Apache development list, and was reported to bugtraq by Kevin van der Raad <[email protected]> on Fri, 29 Sep 2000. |
| Vulnerable: | Apache Apache 1.3.12, Apache Apache 1.3.11, Apache Apache 1.1.1, Apache Apache 1.1, Apache Apache 1.0.5, Apache Apache 1.0.3, Apache Apache 1.0.2, Apache Apache 1.0, Apache Apache 0.8.14, Apache Apache 0.8.11 |
| Not Vulnerable: | Apache Apache 1.3.14 |
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
The Apache Group has released Apache 1.3.14, which fixes this issue. It is available for download at:
http://httpd.apache.org/dist/
The fix shipped in 1.3.14 limited some of mod_rewrite's functionality. A patch against the Apache source, available at http://bugs.apache.org/index.cgi/full/6671, fixes the bug while restoring the functionality that the original fix removed.
When the issue was discussed on the Apache development list (09-22), the patch was still being tested and was expected to be part of the next release, then planned as Apache 1.3.13; the fix in fact shipped in 1.3.14. Until a fixed version is installed, users should check their configuration files and not use RewriteRule directives that map a request onto a filename [such as the first example listed in the discussion].
(Excerpted from the Apache development list, 09-22.)
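The interim advice above is to find RewriteRule directives that map a request onto a filename. The following script is an added example, not part of this advisory, of the Apache project, or of any vendor advisory quoted on this page. It scans an httpd.conf or .htaccess body for such rules, using mod_rewrite's documented heuristic that a per-server substitution beginning with a slash is treated as a filesystem path when its first path segment exists on the server's filesystem. The set of top-level directories is an assumed default for a typical Unix host (pass the real set for the host being audited), and the sample configuration is constructed for the demonstration.

```python
# Added example (not from the advisory or the Apache project): list RewriteRule
# directives whose substitution maps the request onto a filesystem path, the
# rule shape the advisory tells administrators to avoid until they run 1.3.14.
import re
from dataclasses import dataclass
from typing import List, Set

# Directive grammar: RewriteRule Pattern Substitution [flags]
REWRITE_RULE_RE = re.compile(
    r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.IGNORECASE
)
URL_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# $N is a capture from the rule's own pattern, %N a capture from a RewriteCond;
# both carry request-derived data into the substitution.
BACKREF_RE = re.compile(r"\$[1-9]|%[1-9]")

# Top-level directories present on a typical Unix host (assumed default).
# mod_rewrite decides whether a leading-slash substitution is a filename or a
# URL-path by checking whether its first path segment exists on disk, so these
# prefixes are what turn a rule into a file mapping.
DEFAULT_FS_ROOTS: Set[str] = {
    "bin", "etc", "home", "lib", "opt", "root", "sbin", "srv", "tmp", "usr", "var",
}


@dataclass
class Finding:
    lineno: int
    pattern: str
    substitution: str
    user_controlled: bool  # request data is expanded into the filesystem path

    def describe(self) -> str:
        severity = "HIGH" if self.user_controlled else "REVIEW"
        return (f"{severity} line {self.lineno}: RewriteRule {self.pattern} "
                f"{self.substitution} maps onto the filesystem")


def maps_to_filesystem(substitution: str, fs_roots: Set[str]) -> bool:
    """True when mod_rewrite would treat the substitution as a local file path."""
    if substitution == "-" or URL_SCHEME_RE.match(substitution):
        return False  # pass-through, or an external redirect
    if not substitution.startswith("/"):
        return False  # relative substitution, resolved as a URL-path
    first_segment = substitution.lstrip("/").split("/", 1)[0]
    return first_segment in fs_roots


def audit_rewrite_rules(config_text: str,
                        fs_roots: Set[str] = DEFAULT_FS_ROOTS) -> List[Finding]:
    """Scan an httpd.conf/.htaccess body and return the file-mapping RewriteRules."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = REWRITE_RULE_RE.match(line)
        if not match:
            continue
        pattern, substitution, _flags = match.groups()
        if not maps_to_filesystem(substitution, fs_roots):
            continue
        user_controlled = bool(BACKREF_RE.search(substitution))
        findings.append(Finding(lineno, pattern, substitution, user_controlled))
    return findings


# Constructed sample configuration for the demonstration (not from the advisory).
SAMPLE_CONFIG = "\n".join([
    "RewriteEngine on",
    "# URL prefix mapped straight onto a directory, request data expanded into the path",
    r"RewriteRule ^/data/(.*)$ /usr/local/data/docs/$1",
    "# URL-path to URL-path: the result goes through normal filename translation",
    r"RewriteRule ^/old/(.*)$ /new/$1 [L]",
    "# external redirect",
    r"RewriteRule ^/go/(.*)$ http://www.example.com/$1 [R,L]",
    "# pass-through",
    r"RewriteRule ^/keep$ - [L]",
    "# fixed file: a file mapping, but no request data reaches the path",
    r"RewriteRule ^/robots\.txt$ /var/www/static/robots.txt [L]",
])

if __name__ == "__main__":
    for finding in audit_rewrite_rules(SAMPLE_CONFIG):
        print(finding.describe())
```

Rules reported HIGH expand a capture taken from the request into a filesystem path and are the ones to remove or rewrite first; REVIEW rules map to a fixed file and only need confirmation that the target is intended. Where a URL prefix genuinely has to be served from a directory outside DocumentRoot, an Alias directive with a matching <Directory> block expresses the mapping without regex expansion (a practitioner's suggestion, not part of the advisory).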
Users of Trustix Secure Linux v1.1 are advised to obtain a new version of Apache, available at:
http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
or:
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
The package names are:
* apache-1.3.12-6tr.i586.rpm
* apache-devel-1.3.12-6tr.i586.rpm
* apache-ssl-1.3.12_1.39-8tr.i586.rpm
- Fix a remote exploit possible under certain circumstances in mod_rewrite.
Conectiva:
Solution:
Users running mod_rewrite or virtual hosting are advised to update their servers.
Users of Conectiva Linux 4.1 and 4.2 will also find apache-1.3.12 on the FTP site. That package should be used by those who upgraded to 1.3.12 because of the IMP/HORDE advisory a while ago.
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/apache-1.3.6-16cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/apache-1.3.6-16cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/apache-devel-1.3.6-16cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/apache-1.3.6-16cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/apache-1.3.6-16cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/apache-devel-1.3.6-16cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/apache-1.3.9-17cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/apache-1.3.9-17cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/apache-devel-1.3.9-17cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/apache-1.3.9-17cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/apache-1.3.9-17cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/apache-devel-1.3.9-17cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/apache-1.3.12-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/apache-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/apache-doc-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/apache-devel-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/apache-1.3.12-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/apache-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/apache-doc-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/apache-devel-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/apache-1.3.12-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/apache-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/apache-doc-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/apache-devel-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/apache-1.3.12-14cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/apache-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/apache-doc-1.3.12-14cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/apache-devel-1.3.12-14cl.i386.rpm
Mandrake Linux:
The updates listed below are available from the following sites:
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates
Linux-Mandrake 6.0:
77fa37ac213493d94f5817f93710cbb8 6.0/RPMS/apache-1.3.6-29mdk.i586.rpm
8c51afd87ab8be5b08bc2d02fdc37298 6.0/RPMS/apache-devel-1.3.6-29mdk.i586.rpm
ec94ecd38c6a33dc5c77f7cf323d4791 6.0/SRPMS/apache-1.3.6-29mdk.src.rpm
Linux-Mandrake 6.1:
890f342e3d33a73978b9ec60d53f3c54 6.1/RPMS/apache-1.3.9-8mdk.i586.rpm
4308ebc3b5c496b74173d0af0cb43de9 6.1/RPMS/apache-devel-1.3.9-8mdk.i586.rpm
6fea96bb3c5e6696a2322134d6245937 6.1/SRPMS/apache-1.3.9-8mdk.src.rpm
Linux-Mandrake 7.0:
094ae1b8764bd6c71519fe051b735e21 7.0/RPMS/apache-1.3.9-18mdk.i586.rpm
dc298d04f25fe4f5a895e898606b8551 7.0/RPMS/apache-devel-1.3.9-18mdk.i586.rpm
7fe54f76cf8f5b46d35ba44944783811 7.0/RPMS/apache-suexec-1.3.9-18mdk.i586.rpm
c0eeda6da43ac82e2625950738287183 7.0/SRPMS/apache-1.3.9-18mdk.src.rpm
Linux-Mandrake 7.1:
6733773bb495b2095eae6670dc40c1a8 7.1/RPMS/apache-1.3.12-15mdk.i586.rpm
6de0327248be26c363bb5bb32a8d7530 7.1/RPMS/apache-devel-1.3.12-15mdk.i586.rpm
1bdbee39947ed25e99af77486eadeee0 7.1/RPMS/apache-suexec-1.3.12-15mdk.i586.rpm
971578db71afb0474a7c41ccdc2b5d2c 7.1/SRPMS/apache-1.3.12-15mdk.src.rpm
WireX has released patches for Immunix OS 6.2:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/apache-1.3.14-1.6.x_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/apache-devel-1.3.14-1.6.x_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/apache-manual-1.3.14-1.6.x_StackGuard.i386.rpm
and for those who craft their own versions, the source:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/apache-1.3.14-1.6.x_StackGuard.src.rpm
md5sums of the packages:
a400e3b306fab2f4f91120dc20e53cd5 apache-1.3.14-1.6.x_StackGuard.i386.rpm
910e5e3b9e297a8078234e16dd9408a2 apache-devel-1.3.14-1.6.x_StackGuard.i386.rpm
4ebd23dcb6933ddd9e569760373e3360 apache-manual-1.3.14-1.6.x_StackGuard.i386.rpm
c4c6935edc702c7317927eb825dca5cf apache-1.3.14-1.6.x_StackGuard.src.rpm
Red Hat Linux 5.2:
alpha:
ftp://updates.redhat.com/5.2/alpha/apache-1.3.14-2.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/apache-devel-1.3.14-2.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/mod_perl-1.19-2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-3.0.17-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-manual-3.0.17-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-pgsql-3.0.17-1.5.x.alpha.rpm
sparc:
ftp://updates.redhat.com/5.2/sparc/apache-1.3.14-2.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/apache-devel-1.3.14-2.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/mod_perl-1.19-2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-3.0.17-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-manual-3.0.17-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-pgsql-3.0.17-1.5.x.sparc.rpm
i386:
ftp://updates.redhat.com/5.2/i386/apache-1.3.14-2.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/apache-devel-1.3.14-2.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/mod_perl-1.19-2.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-3.0.17-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-manual-3.0.17-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-pgsql-3.0.17-1.5.x.i386.rpm
sources:
ftp://updates.redhat.com/5.2/SRPMS/apache-1.3.14-2.5.x.src.rpm
ftp://updates.redhat.com/5.2/SRPMS/mod_perl-1.19-2.src.rpm
ftp://updates.redhat.com/5.2/SRPMS/php-3.0.17-1.5.x.src.rpm
Red Hat Linux 6.0:
alpha:
ftp://updates.redhat.com/6.2/alpha/apache-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/apache-devel-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/apache-manual-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/mod_perl-1.23-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-3.0.17-1.6.0.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-imap-3.0.17-1.6.0.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-manual-3.0.17-1.6.0.alpha.rpm
sparc:
ftp://updates.redhat.com/6.2/sparc/apache-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/apache-devel-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/apache-manual-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/mod_perl-1.23-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-3.0.17-1.6.0.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-imap-3.0.17-1.6.0.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-manual-3.0.17-1.6.0.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-pgsql-3.0.17-1.6.0.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/apache-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/apache-devel-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/apache-manual-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/mod_perl-1.23-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-3.0.17-1.6.0.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-imap-3.0.17-1.6.0.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-manual-3.0.17-1.6.0.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-pgsql-3.0.17-1.6.0.i386.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/apache-1.3.14-2.6.2.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/mod_perl-1.23-3.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/php-3.0.17-1.6.0.src.rpm
Red Hat Linux 6.1:
alpha:
ftp://updates.redhat.com/6.2/alpha/apache-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/apache-devel-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/apache-manual-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/auth_ldap-1.4.0-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/mod_perl-1.23-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-3.0.17-1.6.1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-imap-3.0.17-1.6.1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-ldap-3.0.17-1.6.1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-manual-3.0.17-1.6.1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-pgsql-3.0.17-1.6.1.alpha.rpm
sparc:
ftp://updates.redhat.com/6.2/sparc/apache-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/apache-devel-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/apache-manual-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/auth_ldap-1.4.0-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/mod_perl-1.23-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-3.0.17-1.6.1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-imap-3.0.17-1.6.1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-ldap-3.0.17-1.6.1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-manual-3.0.17-1.6.1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-pgsql-3.0.17-1.6.1.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/apache-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/apache-devel-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/apache-manual-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/auth_ldap-1.4.0-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/mod_perl-1.23-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-3.0.17-1.6.1.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-imap-3.0.17-1.6.1.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-ldap-3.0.17-1.6.1.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-manual-3.0.17-1.6.1.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-pgsql-3.0.17-1.6.1.i386.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/apache-1.3.14-2.6.2.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/auth_ldap-1.4.0-3.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/mod_perl-1.23-3.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/php-3.0.17-1.6.1.src.rpm
Red Hat Linux 6.2:
alpha:
ftp://updates.redhat.com/6.2/alpha/apache-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/apache-devel-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/apache-manual-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/auth_ldap-1.4.0-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/mod_perl-1.23-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-3.0.17-1.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-imap-3.0.17-1.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-ldap-3.0.17-1.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-manual-3.0.17-1.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/php-pgsql-3.0.17-1.6.2.alpha.rpm
sparc:
ftp://updates.redhat.com/6.2/sparc/apache-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/apache-devel-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/apache-manual-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/auth_ldap-1.4.0-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/mod_perl-1.23-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-3.0.17-1.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-imap-3.0.17-1.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-ldap-3.0.17-1.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-manual-3.0.17-1.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/php-pgsql-3.0.17-1.6.2.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/apache-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/apache-devel-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/apache-manual-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/auth_ldap-1.4.0-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/mod_perl-1.23-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-3.0.17-1.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-imap-3.0.17-1.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-ldap-3.0.17-1.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-manual-3.0.17-1.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/php-pgsql-3.0.17-1.6.2.i386.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/apache-1.3.14-2.6.2.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/auth_ldap-1.4.0-3.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/mod_perl-1.23-3.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/php-3.0.17-1.6.2.src.rpm
Red Hat Linux 7.0:
i386:
ftp://updates.redhat.com/7.0/i386/apache-1.3.14-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/apache-devel-1.3.14-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/apache-manual-1.3.14-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/mod_ssl-2.7.1-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/mod_php-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-imap-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-ldap-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-manual-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-mysql-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-pgsql-4.0.3pl1-1.i386.rpm
sources:
ftp://updates.redhat.com/7.0/SRPMS/apache-1.3.14-3.src.rpm
ftp://updates.redhat.com/7.0/SRPMS/php-4.0.3pl1-1.src.rpm
Apache Apache 1.3.12
Apache mod_rewrite.patch:
http://www.securityfocus.com/data/vulnerabilities/patches/mod_rewrite.patch