RedHat: 'apache' Unauthorized access vulnerability
Summary
Summary
By using a carefully constructed HTTP request, a server withmod_negotiation and either mod_dir or mod_autoindex loaded could be trickedinto displaying a listing of the contents of a directory, despite thepresence of an index file.The Common Vulnerabilities and Exposures project (cve.mitre.org) hasassigned the names CAN-2001-0730, and CAN-2001-0731 to theseissues.
Solution
Note: The updated apache (and apache-devel) packages for Red Hat Linux 7,
7.1, and 7.2 require installation of mm and expat (as well as mm-devel and
expat-devel for apache-devel). Because mm and expat were not previously
released for Red Hat Linux 7, and mm was not previously released for Red
Hat Linux 7.1, they will need to either be installed simultaneously with or
before the apache packages.
Before applying this update, make sure all previously released errata
relevant to your system have been applied. Users of Red Hat Linux 7 and
7.1 will find that the mod_bandwidth, mod_put, and mod_throttle packages
are now built as separate packages, and that they will need to manually
install these packages as well.
To update all other RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.
Users of Red Hat Linux 7 will find that these updates enable the suexec
feature by default, which was not the case in previous versions of this
package. Administrators who have configured their servers to run CGI
scripts from user home directories should read the suexec documentation
included in the apache-manual package.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
5. Bug IDs fixed ( for more info):
34772 - Apache 1.3.14 breaks byterange functionality (hinders serving of PDFs)
6. RPMs required:
Red Hat Linux 6.2:
SRPMS:
alpha:
i386:
sparc:
Red Hat Linux 7.0:
SRPMS:
alpha:
i386:
Red Hat Linux 7.1:
SRPMS:
alpha:
i386:
ia64:
Red Hat Linux 7.2:
SRPMS:
i386:
7. Verification:
MD5 sum Package Name
bc9a7598e452fd0a5e2b05173216ef81 6.2/en/os/SRPMS/apache-1.3.22-0.6.src.rpm
a181a9ffff1759abbf42e05c824ddb2f 6.2/en/os/alpha/apache-1.3.22-0.6.alpha.rpm
3360fda64d65cbf60a8634e7991e5a6d 6.2/en/os/alpha/apache-devel-1.3.22-0.6.alpha.rpm
f045b315ecc6a11e23131fa86e2d0a72 6.2/en/os/alpha/apache-manual-1.3.22-0.6.alpha.rpm
dc567a3074e237efd73622596dfc2c13 6.2/en/os/i386/apache-1.3.22-0.6.i386.rpm
36b1dd6f65c83f3c47326ae976567ce3 6.2/en/os/i386/apache-devel-1.3.22-0.6.i386.rpm
13d4d3822f4b2de1f198d5bc24884a8a 6.2/en/os/i386/apache-manual-1.3.22-0.6.i386.rpm
ef85d7e0d44abd776d4b76a75553cc86 6.2/en/os/sparc/apache-1.3.22-0.6.sparc.rpm
4eb62d0355f51df33e62ea6647a061ec 6.2/en/os/sparc/apache-devel-1.3.22-0.6.sparc.rpm
7138fb9b44085ee557d291c081e46d3c 6.2/en/os/sparc/apache-manual-1.3.22-0.6.sparc.rpm
5cf136a2bfb482501254fa6630f9e6e8 7.0/en/os/SRPMS/apache-1.3.22-1.7.1.src.rpm
d0cbe11cfd0c2fad460d749a4afadf8f 7.0/en/os/SRPMS/expat-1.95.1-1.src.rpm
85f0ff3830d540a3235e2d7471ca2e27 7.0/en/os/SRPMS/mm-1.1.3-2.src.rpm
9cd99798f41854041ed50e5c2b9c9d4a 7.0/en/os/SRPMS/mod_bandwidth-2.0.3-2.src.rpm
392c6c20c9ca7d5ad437b91ea08bac2a 7.0/en/os/SRPMS/mod_put-1.3-2.src.rpm
4d9b105c543162987b6a0755080e73b1 7.0/en/os/SRPMS/mod_ssl-2.8.5-0.7.src.rpm
15398a5663f14b8e5babbb5309d6739c 7.0/en/os/SRPMS/mod_throttle-3.1.2-3.src.rpm
8f8ea759a9ff2d61c60104ee9b3edc09 7.0/en/os/alpha/apache-1.3.22-1.7.1.alpha.rpm
ea3bd3c37081fd9a303c8f656a31b52f 7.0/en/os/alpha/apache-devel-1.3.22-1.7.1.alpha.rpm
e6f023bd016b75e40e390b2cdf5fe77f 7.0/en/os/alpha/apache-manual-1.3.22-1.7.1.alpha.rpm
4b4d4c5fdf897457c7286d2b4fd2ac39 7.0/en/os/alpha/expat-1.95.1-1.alpha.rpm
aa8555291135f9b681d1d519f5fe5539 7.0/en/os/alpha/expat-devel-1.95.1-1.alpha.rpm
13cfd219c25232decce6703c70419f4a 7.0/en/os/alpha/mm-1.1.3-2.alpha.rpm
f9b26ec0d52c79444de07f10bceb2262 7.0/en/os/alpha/mm-devel-1.1.3-2.alpha.rpm
3be3121fa4b5490a1ace387526cf2406 7.0/en/os/alpha/mod_bandwidth-2.0.3-2.alpha.rpm
25f1a3961b8c2aa6f2b63288535abc73 7.0/en/os/alpha/mod_put-1.3-2.alpha.rpm
b4b100f56cefc614b878a191fb5ed6f0 7.0/en/os/alpha/mod_ssl-2.8.5-0.7.alpha.rpm
d3f81d978bb81de0b2e357b79ade1d7e 7.0/en/os/alpha/mod_throttle-3.1.2-3.alpha.rpm
6bcd4368b5106127787cbac0248f669b 7.0/en/os/i386/apache-1.3.22-1.7.1.i386.rpm
052ac912ba5dd85f2f81a1dc0c7472fd 7.0/en/os/i386/apache-devel-1.3.22-1.7.1.i386.rpm
26752f2274eec2d5e399d03a6f973ea7 7.0/en/os/i386/apache-manual-1.3.22-1.7.1.i386.rpm
fb87db480ce7f5317f0464640b419e43 7.0/en/os/i386/expat-1.95.1-1.i386.rpm
87978a5568dccb618c1646110443ad87 7.0/en/os/i386/expat-devel-1.95.1-1.i386.rpm
bffbf64db212e970ad139b5e61dc4ad2 7.0/en/os/i386/mm-1.1.3-2.i386.rpm
541a185e0e63970cdbb573eb5afc6d45 7.0/en/os/i386/mm-devel-1.1.3-2.i386.rpm
414b7a5cb5a0153b9cd41c0b10a7c155 7.0/en/os/i386/mod_bandwidth-2.0.3-2.i386.rpm
c1bc1dd8b81ed2669ea31a0338cf8e8d 7.0/en/os/i386/mod_put-1.3-2.i386.rpm
ef3ec4f2b0775440f7b9f7b2274e5a3f 7.0/en/os/i386/mod_ssl-2.8.5-0.7.i386.rpm
e80083a4d622f91d14125d291e542b24 7.0/en/os/i386/mod_throttle-3.1.2-3.i386.rpm
5cf136a2bfb482501254fa6630f9e6e8 7.1/en/os/SRPMS/apache-1.3.22-1.7.1.src.rpm
85f0ff3830d540a3235e2d7471ca2e27 7.1/en/os/SRPMS/mm-1.1.3-2.src.rpm
9cd99798f41854041ed50e5c2b9c9d4a 7.1/en/os/SRPMS/mod_bandwidth-2.0.3-2.src.rpm
392c6c20c9ca7d5ad437b91ea08bac2a 7.1/en/os/SRPMS/mod_put-1.3-2.src.rpm
4d9b105c543162987b6a0755080e73b1 7.1/en/os/SRPMS/mod_ssl-2.8.5-0.7.src.rpm
15398a5663f14b8e5babbb5309d6739c 7.1/en/os/SRPMS/mod_throttle-3.1.2-3.src.rpm
8f8ea759a9ff2d61c60104ee9b3edc09 7.1/en/os/alpha/apache-1.3.22-1.7.1.alpha.rpm
ea3bd3c37081fd9a303c8f656a31b52f 7.1/en/os/alpha/apache-devel-1.3.22-1.7.1.alpha.rpm
e6f023bd016b75e40e390b2cdf5fe77f 7.1/en/os/alpha/apache-manual-1.3.22-1.7.1.alpha.rpm
13cfd219c25232decce6703c70419f4a 7.1/en/os/alpha/mm-1.1.3-2.alpha.rpm
f9b26ec0d52c79444de07f10bceb2262 7.1/en/os/alpha/mm-devel-1.1.3-2.alpha.rpm
3be3121fa4b5490a1ace387526cf2406 7.1/en/os/alpha/mod_bandwidth-2.0.3-2.alpha.rpm
25f1a3961b8c2aa6f2b63288535abc73 7.1/en/os/alpha/mod_put-1.3-2.alpha.rpm
b4b100f56cefc614b878a191fb5ed6f0 7.1/en/os/alpha/mod_ssl-2.8.5-0.7.alpha.rpm
d3f81d978bb81de0b2e357b79ade1d7e 7.1/en/os/alpha/mod_throttle-3.1.2-3.alpha.rpm
6bcd4368b5106127787cbac0248f669b 7.1/en/os/i386/apache-1.3.22-1.7.1.i386.rpm
052ac912ba5dd85f2f81a1dc0c7472fd 7.1/en/os/i386/apache-devel-1.3.22-1.7.1.i386.rpm
26752f2274eec2d5e399d03a6f973ea7 7.1/en/os/i386/apache-manual-1.3.22-1.7.1.i386.rpm
bffbf64db212e970ad139b5e61dc4ad2 7.1/en/os/i386/mm-1.1.3-2.i386.rpm
541a185e0e63970cdbb573eb5afc6d45 7.1/en/os/i386/mm-devel-1.1.3-2.i386.rpm
414b7a5cb5a0153b9cd41c0b10a7c155 7.1/en/os/i386/mod_bandwidth-2.0.3-2.i386.rpm
c1bc1dd8b81ed2669ea31a0338cf8e8d 7.1/en/os/i386/mod_put-1.3-2.i386.rpm
ef3ec4f2b0775440f7b9f7b2274e5a3f 7.1/en/os/i386/mod_ssl-2.8.5-0.7.i386.rpm
e80083a4d622f91d14125d291e542b24 7.1/en/os/i386/mod_throttle-3.1.2-3.i386.rpm
d72a44ce73899c1ae8502a4dac44977a 7.1/en/os/ia64/apache-1.3.22-1.7.1.ia64.rpm
91d505625bfc721907beead7f79fa565 7.1/en/os/ia64/apache-devel-1.3.22-1.7.1.ia64.rpm
235d62371a30d4f8817ff873f8948dae 7.1/en/os/ia64/apache-manual-1.3.22-1.7.1.ia64.rpm
93ebc06c4d160fd82430b983093e9f40 7.1/en/os/ia64/mm-1.1.3-2.ia64.rpm
e31a027184bdc9a202994c57f9b96a10 7.1/en/os/ia64/mm-devel-1.1.3-2.ia64.rpm
c091e03032e4f7d628e8bb2f706e66ab 7.1/en/os/ia64/mod_bandwidth-2.0.3-2.ia64.rpm
4678335e17b5e09c42d679480493f2a0 7.1/en/os/ia64/mod_put-1.3-2.ia64.rpm
1e5337f03080b9f28c951cc06fa7aa14 7.1/en/os/ia64/mod_ssl-2.8.5-0.7.ia64.rpm
47691815f0bad537d3305aa379083500 7.1/en/os/ia64/mod_throttle-3.1.2-3.ia64.rpm
bf518904d1b4ef0edd07ce3a7dd34871 7.2/en/os/SRPMS/apache-1.3.22-2.src.rpm
bc734ceff3e2dee5d5a4ff230b5e8293 7.2/en/os/SRPMS/mod_ssl-2.8.5-1.src.rpm
6dd421e90d6de5cb9a5ae25e428724e8 7.2/en/os/i386/apache-1.3.22-2.i386.rpm
19aa4f624d8263756374095b352c274a 7.2/en/os/i386/apache-devel-1.3.22-2.i386.rpm
c352198baaeb451d6e1797458cfcad4e 7.2/en/os/i386/apache-manual-1.3.22-2.i386.rpm
cec3188aea446e454e92efcf9246abd5 7.2/en/os/i386/mod_ssl-2.8.5-1.i386.rpm
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
About
You can verify each package with the following command:
rpm --checksig
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg
References
CVE -CVE-2001-0730 CVE -CVE-2001-0731 Apache Week. Apache Desktop Reference reviewed; Waiting for 1.3.21 Download - The Apache HTTP Server Project Copyright(c) 2000, 2001 Red Hat, Inc. `
Package List
Topic
Topic
Updated Apache packages are now available for Red Hat Linux 6.2, 7, 7.1,
and 7.2. These packages upgrade the Apache Web server to version 1.3.22,
which closes a potential security bug which would present clients with a
listing of the contents of a directory instead of the contents of an index
file, or in case of an error, the error message.
Relevant Releases Architectures
Red Hat Linux 6.2 - alpha, i386, sparc
Red Hat Linux 7.0 - alpha, i386
Red Hat Linux 7.1 - alpha, i386, ia64
Red Hat Linux 7.2 - i386
Bugs Fixed
