Security Advisory Updated Apache packages fix chunked encoding issue

Advisory: RHSA-2002:103-18
Type: Security Advisory
Severity: N/A
Issued on: 2002-05-29
Last updated on: 2002-06-28
Affected Products: Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
OVAL: N/A
CVEs (cve.mitre.org): CVE-2002-0392

Details

The Apache Web server contains a security vulnerability which can be used
to launch a denial of service attack or, in some cases, allow remote code
execution.

Versions of the Apache Web server up to and including 1.3.24 contain a bug
in the routines which deal with requests using "chunked" encoding.
A carefully crafted invalid request can cause an Apache child process to
call the memcpy() function in a way that will write past the end of its
buffer, corrupting the stack. On some platforms this can be remotely
exploited -- allowing arbitrary code to be run on the server.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0392 to this issue.

We have backported the security fix from the official Apache 1.3.26
release. This should help minimize the impact of upgrading to our errata
packages.

All users of Apache should update to these errata packages to correct this
security issue.

[Update Jun 26 2002]
Updated packages have been added for Red Hat Linux for S/390. Slight
changes to problem description to take into account possibility of exploits
also on 32-bit platforms.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 6.2
SRPMS:
apache-1.3.22-5.6.src.rpm
File outdated by:  RHSA-2002:222		     c9cc91b855c94af3abe311195a04aade
 
Alpha:
apache-1.3.22-5.6.alpha.rpm
File outdated by:  RHSA-2002:222		     e399aa8737897f24d4623095a172f006
apache-devel-1.3.22-5.6.alpha.rpm
File outdated by:  RHSA-2002:222		     8e9a722fded471509bc8931ae61d8129
apache-manual-1.3.22-5.6.alpha.rpm
File outdated by:  RHSA-2002:222		     88a016e02120651c31507e7b353ce70d
 
IA-32:
apache-1.3.22-5.6.i386.rpm
File outdated by:  RHSA-2002:222		     6d4c4572e78e896a3524e27b3a66f95c
apache-devel-1.3.22-5.6.i386.rpm
File outdated by:  RHSA-2002:222		     192b4845d74ea1c4ca322dd12cff6753
apache-manual-1.3.22-5.6.i386.rpm
File outdated by:  RHSA-2002:222		     8c7c2dae4dbba20b9bc19627ca931c16
 
Sparc:
apache-1.3.22-5.6.sparc.rpm
File outdated by:  RHSA-2002:222		     1a04dc5b42074c669dddf758889fdbc6
apache-devel-1.3.22-5.6.sparc.rpm
File outdated by:  RHSA-2002:222		     e4b719011fc78631a7ef378c66ace855
apache-manual-1.3.22-5.6.sparc.rpm
File outdated by:  RHSA-2002:222		     cfe617f37ed9aab2365d67dca1f9fa52
 
Red Hat Linux 7.0
SRPMS:
apache-1.3.22-5.7.1.src.rpm
File outdated by:  RHSA-2002:222		     b1add5144050db80c5b2bdce9d548b58
 
Alpha:
apache-1.3.22-5.7.1.alpha.rpm
File outdated by:  RHSA-2002:222		     ec7369dc5a84513635a5a98133be60be
apache-devel-1.3.22-5.7.1.alpha.rpm
File outdated by:  RHSA-2002:222		     dbae5cade3259bbcf757868f1715eedb
apache-manual-1.3.22-5.7.1.alpha.rpm
File outdated by:  RHSA-2002:222		     2a55386b504652e054bb640e5d201f20
 
IA-32:
apache-1.3.22-5.7.1.i386.rpm
File outdated by:  RHSA-2002:222		     731785ece8addde5d9428b9015c57866
apache-devel-1.3.22-5.7.1.i386.rpm
File outdated by:  RHSA-2002:222		     1fd7cc20f207610b860d9311fddbfa09
apache-manual-1.3.22-5.7.1.i386.rpm
File outdated by:  RHSA-2002:222		     2cadb7f177f0bb7269e6dd0a88578e4b
 
Red Hat Linux 7.1
SRPMS:
apache-1.3.22-5.7.1.src.rpm
File outdated by:  RHSA-2002:222		     b1add5144050db80c5b2bdce9d548b58
 
Alpha:
apache-1.3.22-5.7.1.alpha.rpm
File outdated by:  RHSA-2002:222		     ec7369dc5a84513635a5a98133be60be
apache-devel-1.3.22-5.7.1.alpha.rpm
File outdated by:  RHSA-2002:222		     dbae5cade3259bbcf757868f1715eedb
apache-manual-1.3.22-5.7.1.alpha.rpm
File outdated by:  RHSA-2002:222		     2a55386b504652e054bb640e5d201f20
 
IA-32:
apache-1.3.22-5.7.1.i386.rpm
File outdated by:  RHSA-2003:405		     731785ece8addde5d9428b9015c57866
apache-devel-1.3.22-5.7.1.i386.rpm
File outdated by:  RHSA-2003:405		     1fd7cc20f207610b860d9311fddbfa09
apache-manual-1.3.22-5.7.1.i386.rpm
File outdated by:  RHSA-2003:405		     2cadb7f177f0bb7269e6dd0a88578e4b
 
IA-64:
apache-1.3.22-5.7.1.ia64.rpm
File outdated by:  RHSA-2002:222		     b981535612f142e5a639653f0910aba7
apache-devel-1.3.22-5.7.1.ia64.rpm
File outdated by:  RHSA-2002:222		     48e67955fa90dc3fca4a9fa54fab50f4
apache-manual-1.3.22-5.7.1.ia64.rpm
File outdated by:  RHSA-2002:222		     d7d617e218e24213b94a6c39414f2cc6
 
Red Hat Linux 7.2
SRPMS:
apache-1.3.22-6.src.rpm
File outdated by:  RHSA-2003:405		     7f7dc17add4c51e87f575c9d92dbff93
 
IA-32:
apache-1.3.22-6.i386.rpm
File outdated by:  RHSA-2003:405		     1f68721d45673d38ec8103e60f8b73f7
apache-devel-1.3.22-6.i386.rpm
File outdated by:  RHSA-2003:405		     c0c85594e3c818756922d227a111cbdc
apache-manual-1.3.22-6.i386.rpm
File outdated by:  RHSA-2003:405		     c2fab1baaac50f2f7852ca452733c395
 
IA-64:
apache-1.3.22-6.ia64.rpm
File outdated by:  RHSA-2003:405		     1efb1921007440d3593299ef2a0e6cb5
apache-devel-1.3.22-6.ia64.rpm
File outdated by:  RHSA-2003:405		     f8f970bbc5c1fe493e7085e35c558b47
apache-manual-1.3.22-6.ia64.rpm
File outdated by:  RHSA-2003:405		     c838ac0248526139d2c706dd93e15f45
 
s390:
ftp://updates.redhat.com/7.2/en/os/s390/apache-1.3.22-6.s390.rpm
Missing file		     1959883b980c59a86077de0ef8873011
ftp://updates.redhat.com/7.2/en/os/s390/apache-devel-1.3.22-6.s390.rpm
Missing file		     a8c2450fa4a576fbe524a33a27dea985
ftp://updates.redhat.com/7.2/en/os/s390/apache-manual-1.3.22-6.s390.rpm
Missing file		     18e3fffc1dee3bb301c9b019f75e8869
 
Red Hat Linux 7.3
SRPMS:
apache-1.3.23-14.src.rpm
File outdated by:  RHSA-2003:405		     c591a36143a23a48706a88c1a031435f
 
IA-32:
apache-1.3.23-14.i386.rpm
File outdated by:  RHSA-2003:405		     28471eb382a8495f3b89fb7d802659e1
apache-devel-1.3.23-14.i386.rpm
File outdated by:  RHSA-2003:405		     e4995ac4b722f3e53566e4dcd1b07692
apache-manual-1.3.23-14.i386.rpm
File outdated by:  RHSA-2003:405		     be2830997ba9b1807d35985e6ab80caf
 

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0392
http://httpd.apache.org/info/security_bulletin_20020620.txt
http://www.apacheweek.com/issues/02-06-21#security

Keywords

apache, chunked, DoS, encoding

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/