MDKSA-2003:096-1 - Updated apache2 packages fix CGI scripting deadlock

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 10/25/03

  • Next message: Frog Man: "Advanced Poll : PHP Code Injection, File Include, Phpinfo"
    Date: 25 Oct 2003 00:33:40 -0000
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                    Mandrake Linux Security Update Advisory
     _______________________________________________________________________

     Package name: apache2
     Advisory ID: MDKSA-2003:096-1
     Date: October 24th, 2003
     Original Advisory Date: September 26th, 2003
     Affected versions: 9.1, 9.2
     ______________________________________________________________________

     Problem Description:

     A problem was discovered in Apache2 where CGI scripts that output more
     than 4k of output to STDERR will hang the script's execution which can
     cause a Denial of Service on the httpd process because it is waiting
     for more input from the CGI that is not forthcoming due to the locked
     write() call in mod_cgi.
     
     On systems that use scripts that output more than 4k to STDERR, this
     could cause httpd processes to hang and once the maximum connection
     limit is reached, Apache will no longer respond to requests.
     
     The updated packages provided use the latest mod_cgi.c from the Apache
     2.1 CVS version.
     
     Users may have to restart apache by hand after the upgrade by issuing
     a "service httpd restart".
      
    Update:

     The previous update introduced an experimental mod_cgi.c that while
     fixing the deadlock did not do so in a correct manner and it likewise
     introduced new problems with other scripts.
     
     These packages roll back to the original mod_cgi.c until such a time as
     the apache team have a proper fix in place. Both Mandrake Linux 9.1
     and 9.2 are affected with this problem.
     
     Likewise, a problem was discovered in the default mod_proxy
     configuration which created an open proxy. Users who have installed
     mod_perl also have mod_proxy installed due to dependencies and may
     unknowingly have allowed spammers to use their MTA via the wide-open
     mod_proxy settings.
     
     MandrakeSoft encourages all users to upgrade to these new packages
     immediately.
     _______________________________________________________________________

     References:

      http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030
     ______________________________________________________________________

     Updated Packages:
      
     Mandrake Linux 9.1:
     0266407e6879970d75f699db87781e53 9.1/RPMS/apache2-2.0.47-1.4.91mdk.i586.rpm
     498191ace6f5898042aa4aeaf19987bb 9.1/RPMS/apache2-common-2.0.47-1.4.91mdk.i586.rpm
     2aab0ab5f06db331cab1b3cd61222703 9.1/RPMS/apache2-devel-2.0.47-1.4.91mdk.i586.rpm
     565506f84deabf6ef5f9d7c220598565 9.1/RPMS/apache2-manual-2.0.47-1.4.91mdk.i586.rpm
     4de0542aed8c6ec5f7390cf43e9de57b 9.1/RPMS/apache2-mod_dav-2.0.47-1.4.91mdk.i586.rpm
     6d2fe30aa77c6b2522377a781ebe74db 9.1/RPMS/apache2-mod_ldap-2.0.47-1.4.91mdk.i586.rpm
     1bf2c46c844ed09896154ceb51610429 9.1/RPMS/apache2-mod_ssl-2.0.47-1.4.91mdk.i586.rpm
     5dd37e86e03ccf353845ef1f469186c2 9.1/RPMS/apache2-modules-2.0.47-1.4.91mdk.i586.rpm
     a371874746bc9693dda494dd449ac9dc 9.1/RPMS/apache2-source-2.0.47-1.4.91mdk.i586.rpm
     6df5048842e866d6d029efd15c8d9239 9.1/RPMS/libapr0-2.0.47-1.4.91mdk.i586.rpm
     059fd94b8f53ad5dfb74f8123a0453c1 9.1/SRPMS/apache2-2.0.47-1.4.91mdk.src.rpm

     Mandrake Linux 9.1/PPC:
     f5d94eb1f0a64746434f828a6cf4acd7 ppc/9.1/RPMS/apache2-2.0.47-1.4.91mdk.ppc.rpm
     2f5e0a20ebd13a1915e655dcc46ac33f ppc/9.1/RPMS/apache2-common-2.0.47-1.4.91mdk.ppc.rpm
     51d8563c8b2d92fd93aeea6397665919 ppc/9.1/RPMS/apache2-devel-2.0.47-1.4.91mdk.ppc.rpm
     6a519e9a6861c719b8a25b63140ee2df ppc/9.1/RPMS/apache2-manual-2.0.47-1.4.91mdk.ppc.rpm
     d6986f2037233214aa557a5ff3c83194 ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.4.91mdk.ppc.rpm
     1cf512ced3909a27eba9e0c361c792ee ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.4.91mdk.ppc.rpm
     6288888bf0b3af6b4d4e946a0723479e ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.4.91mdk.ppc.rpm
     42f1924400fa8988cb71ec58d0f5b455 ppc/9.1/RPMS/apache2-modules-2.0.47-1.4.91mdk.ppc.rpm
     9026ab441d5a9a40438a0272dba9851f ppc/9.1/RPMS/apache2-source-2.0.47-1.4.91mdk.ppc.rpm
     70c48bdd53a0551c32469b8333b8c52d ppc/9.1/RPMS/libapr0-2.0.47-1.4.91mdk.ppc.rpm
     059fd94b8f53ad5dfb74f8123a0453c1 ppc/9.1/SRPMS/apache2-2.0.47-1.4.91mdk.src.rpm

     Mandrake Linux 9.2:
     d8358bda85bfb2671af97ae8cfd754a2 9.2/RPMS/apache2-2.0.47-6.1.92mdk.i586.rpm
     37d4d450259608ff4f156745b3d6a0b6 9.2/RPMS/apache2-common-2.0.47-6.1.92mdk.i586.rpm
     004bb302d4a29aea85d279bb26f6cbcb 9.2/RPMS/apache2-devel-2.0.47-6.1.92mdk.i586.rpm
     15b6e364990657d17f0b1f4df3b751a6 9.2/RPMS/apache2-manual-2.0.47-6.1.92mdk.i586.rpm
     27938e3f6e2ec4314e2d2c205e8fe26d 9.2/RPMS/apache2-mod_cache-2.0.47-6.1.92mdk.i586.rpm
     fc3042b41ec1708a11d752ee78f7fb2b 9.2/RPMS/apache2-mod_dav-2.0.47-6.1.92mdk.i586.rpm
     e1f4236f8d51afc50c6772380cb50b34 9.2/RPMS/apache2-mod_deflate-2.0.47-6.1.92mdk.i586.rpm
     e78c277bafebc5b43090e1cfadc3d8c8 9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.1.92mdk.i586.rpm
     0309bc5d51d36fd92f2edc110e097a14 9.2/RPMS/apache2-mod_file_cache-2.0.47-6.1.92mdk.i586.rpm
     47da9f7f1dafcb1d02d4cac6bd28d78a 9.2/RPMS/apache2-mod_ldap-2.0.47-6.1.92mdk.i586.rpm
     1a49a1936cee042389495ec8f4f6d4f1 9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.1.92mdk.i586.rpm
     e1828dddeb75c4e3df12292db93bb27d 9.2/RPMS/apache2-mod_proxy-2.0.47-6.1.92mdk.i586.rpm
     1ad3c77daf86db3d1b2042b911d668ae 9.2/RPMS/apache2-mod_ssl-2.0.47-6.1.92mdk.i586.rpm
     514956199b61185ee0c79015ccdeb58e 9.2/RPMS/apache2-modules-2.0.47-6.1.92mdk.i586.rpm
     4b429cc7e33e9fb81510130c026320d8 9.2/RPMS/apache2-source-2.0.47-6.1.92mdk.i586.rpm
     50c969427cb0448736f85e818362a0e3 9.2/RPMS/libapr0-2.0.47-6.1.92mdk.i586.rpm
     15cee7a5fafdc0610ea4675b6ab2d46c 9.2/SRPMS/apache2-2.0.47-6.1.92mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     A list of FTP mirrors can be obtained from:

      http://www.mandrakesecure.net/en/ftp.php

     All packages are signed by MandrakeSoft for security. You can obtain
     the GPG public key of the Mandrake Linux Security Team by executing:

      gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

     Please be aware that sometimes it takes the mirrors a few hours to
     update.

     You can view other update advisories for Mandrake Linux at:

      http://www.mandrakesecure.net/en/advisories/

     MandrakeSoft has several security-related mailing list services that
     anyone can subscribe to. Information on these lists can be obtained by
     visiting:

      http://www.mandrakesecure.net/en/mlist.php

     If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE/mcTkmqjQ0CJFipgRArTmAJ0c4Dr5VkLbAbbPfqvzbasRrREUGACgvVrs
    7wzdyVqf8OZQ1s83JFE5JWg=
    =XnK4
    -----END PGP SIGNATURE-----


  • Next message: Frog Man: "Advanced Poll : PHP Code Injection, File Include, Phpinfo"