Mandrake alert: Updated apache2 packages fix CGI scripting deadlock
A problem was discovered in Apache2 where CGI scripts that output more than 4k of output to STDERR will hang the script's execution which can cause a Denial of Service on the httpd process because it is waiting for more input from the CGI that is not forthcoming due to the locked write() call in mod_cgi.
|
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrake Linux Security Update Advisory
_______________________________________________________________________
Package name: apache2
Advisory ID: MDKSA-2003:096-1
Date: October 24th, 2003
Original Advisory Date: September 26th, 2003
Affected versions: 9.1, 9.2
______________________________________________________________________
Problem Description:
A problem was discovered in Apache2 where CGI scripts that output more
than 4k of output to STDERR will hang the script's execution which can
cause a Denial of Service on the httpd process because it is waiting
for more input from the CGI that is not forthcoming due to the locked
write() call in mod_cgi.
On systems that use scripts that output more than 4k to STDERR, this
could cause httpd processes to hang and once the maximum connection
limit is reached, Apache will no longer respond to requests.
The updated packages provided use the latest mod_cgi.c from the Apache
2.1 CVS version.
Users may have to restart apache by hand after the upgrade by issuing
a "service httpd restart".
Update:
The previous update introduced an experimental mod_cgi.c that while
fixing the deadlock did not do so in a correct manner and it likewise
introduced new problems with other scripts.
These packages roll back to the original mod_cgi.c until such a time as
the apache team have a proper fix in place. Both Mandrake Linux 9.1
and 9.2 are affected with this problem.
Likewise, a problem was discovered in the default mod_proxy
configuration which created an open proxy. Users who have installed
mod_perl also have mod_proxy installed due to dependencies and may
unknowingly have allowed spammers to use their MTA via the wide-open
mod_proxy settings.
MandrakeSoft encourages all users to upgrade to these new packages
immediately.
_______________________________________________________________________
References:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030
______________________________________________________________________
Updated Packages:
Mandrake Linux 9.1:
0266407e6879970d75f699db87781e53 9.1/RPMS/apache2-2.0.47-1.4.91mdk.i586.rpm
498191ace6f5898042aa4aeaf19987bb 9.1/RPMS/apache2-common-2.0.47-1.4.91mdk.i586.rpm
2aab0ab5f06db331cab1b3cd61222703 9.1/RPMS/apache2-devel-2.0.47-1.4.91mdk.i586.rpm
565506f84deabf6ef5f9d7c220598565 9.1/RPMS/apache2-manual-2.0.47-1.4.91mdk.i586.rpm
4de0542aed8c6ec5f7390cf43e9de57b 9.1/RPMS/apache2-mod_dav-2.0.47-1.4.91mdk.i586.rpm
6d2fe30aa77c6b2522377a781ebe74db 9.1/RPMS/apache2-mod_ldap-2.0.47-1.4.91mdk.i586.rpm
1bf2c46c844ed09896154ceb51610429 9.1/RPMS/apache2-mod_ssl-2.0.47-1.4.91mdk.i586.rpm
5dd37e86e03ccf353845ef1f469186c2 9.1/RPMS/apache2-modules-2.0.47-1.4.91mdk.i586.rpm
a371874746bc9693dda494dd449ac9dc 9.1/RPMS/apache2-source-2.0.47-1.4.91mdk.i586.rpm
6df5048842e866d6d029efd15c8d9239 9.1/RPMS/libapr0-2.0.47-1.4.91mdk.i586.rpm
059fd94b8f53ad5dfb74f8123a0453c1 9.1/SRPMS/apache2-2.0.47-1.4.91mdk.src.rpm
Mandrake Linux 9.1/PPC:
f5d94eb1f0a64746434f828a6cf4acd7 ppc/9.1/RPMS/apache2-2.0.47-1.4.91mdk.ppc.rpm
2f5e0a20ebd13a1915e655dcc46ac33f ppc/9.1/RPMS/apache2-common-2.0.47-1.4.91mdk.ppc.rpm
51d8563c8b2d92fd93aeea6397665919 ppc/9.1/RPMS/apache2-devel-2.0.47-1.4.91mdk.ppc.rpm
6a519e9a6861c719b8a25b63140ee2df ppc/9.1/RPMS/apache2-manual-2.0.47-1.4.91mdk.ppc.rpm
d6986f2037233214aa557a5ff3c83194 ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.4.91mdk.ppc.rpm
1cf512ced3909a27eba9e0c361c792ee ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.4.91mdk.ppc.rpm
6288888bf0b3af6b4d4e946a0723479e ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.4.91mdk.ppc.rpm
42f1924400fa8988cb71ec58d0f5b455 ppc/9.1/RPMS/apache2-modules-2.0.47-1.4.91mdk.ppc.rpm
9026ab441d5a9a40438a0272dba9851f ppc/9.1/RPMS/apache2-source-2.0.47-1.4.91mdk.ppc.rpm
70c48bdd53a0551c32469b8333b8c52d ppc/9.1/RPMS/libapr0-2.0.47-1.4.91mdk.ppc.rpm
059fd94b8f53ad5dfb74f8123a0453c1 ppc/9.1/SRPMS/apache2-2.0.47-1.4.91mdk.src.rpm
Mandrake Linux 9.2:
d8358bda85bfb2671af97ae8cfd754a2 9.2/RPMS/apache2-2.0.47-6.1.92mdk.i586.rpm
37d4d450259608ff4f156745b3d6a0b6 9.2/RPMS/apache2-common-2.0.47-6.1.92mdk.i586.rpm
004bb302d4a29aea85d279bb26f6cbcb 9.2/RPMS/apache2-devel-2.0.47-6.1.92mdk.i586.rpm
15b6e364990657d17f0b1f4df3b751a6 9.2/RPMS/apache2-manual-2.0.47-6.1.92mdk.i586.rpm
27938e3f6e2ec4314e2d2c205e8fe26d 9.2/RPMS/apache2-mod_cache-2.0.47-6.1.92mdk.i586.rpm
fc3042b41ec1708a11d752ee78f7fb2b 9.2/RPMS/apache2-mod_dav-2.0.47-6.1.92mdk.i586.rpm
e1f4236f8d51afc50c6772380cb50b34 9.2/RPMS/apache2-mod_deflate-2.0.47-6.1.92mdk.i586.rpm
e78c277bafebc5b43090e1cfadc3d8c8 9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.1.92mdk.i586.rpm
0309bc5d51d36fd92f2edc110e097a14 9.2/RPMS/apache2-mod_file_cache-2.0.47-6.1.92mdk.i586.rpm
47da9f7f1dafcb1d02d4cac6bd28d78a 9.2/RPMS/apache2-mod_ldap-2.0.47-6.1.92mdk.i586.rpm
1a49a1936cee042389495ec8f4f6d4f1 9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.1.92mdk.i586.rpm
e1828dddeb75c4e3df12292db93bb27d 9.2/RPMS/apache2-mod_proxy-2.0.47-6.1.92mdk.i586.rpm
1ad3c77daf86db3d1b2042b911d668ae 9.2/RPMS/apache2-mod_ssl-2.0.47-6.1.92mdk.i586.rpm
514956199b61185ee0c79015ccdeb58e 9.2/RPMS/apache2-modules-2.0.47-6.1.92mdk.i586.rpm
4b429cc7e33e9fb81510130c026320d8 9.2/RPMS/apache2-source-2.0.47-6.1.92mdk.i586.rpm
50c969427cb0448736f85e818362a0e3 9.2/RPMS/libapr0-2.0.47-6.1.92mdk.i586.rpm
15cee7a5fafdc0610ea4675b6ab2d46c 9.2/SRPMS/apache2-2.0.47-6.1.92mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:
gpg --recv-keys --keyserver http://www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/mcTkmqjQ0CJFipgRArTmAJ0c4Dr5VkLbAbbPfqvzbasRrREUGACgvVrs
7wzdyVqf8OZQ1s83JFE5JWg=
=XnK4
-----END PGP SIGNATURE-----
|
This topic does not have any threads posted yet!
You cannot post until you login.