Debian Security Advisory
DSA-067-1 apache -- remote exploit
- Date Reported:
- 28 Jul 2001
- Affected Packages:
- apache, apache-ssl
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 3009. In Mitre's CVE dictionary: CVE-2001-0925.
- More information:
We have received reports that the version of the 'apache' package shipped in
Debian's 'stable' distribution is vulnerable to the 'artificially long
slash path directory listing vulnerability' as described at SecurityFocus.
This vulnerability was announced on bugtraq by Dan Harkless.
Quote from SecurityFocus' posting about this vulnerability:
A problem in the package could allow directory indexing and path discovery. In the default configuration Apache enables mod_dir, mod_autoindex and mod_negotiation. However, by sending a specially crafted request to the Apache server, consisting of long pathnames artificially built from countless slashes, these modules can be made to misbehave, which makes it possible to bypass the error page and obtain a listing of the directory's contents.
With this vulnerability a malicious remote user can mount an information-gathering attack that could potentially result in the system being compromised. This vulnerability affects all releases of Apache prior to version 1.3.19.
This problem has been fixed in apache-ssl 1.3.9-13.3 and apache 1.3.9-14. We recommend that you upgrade your packages immediately.
Warning: the MD5sums of the .dsc and .diff.gz files do not match, because they were subsequently copied from the stable release; the contents of the .diff.gz file are however the same and have been verified.
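One way a defender can check an Apache access log for the request shape described above, as an added example in Python (not code from this advisory or from Debian): the log lines are constructed, and the Common Log Format layout and the threshold of 16 consecutive slashes are assumptions.

```python
import re

# Apache Common Log Format; the layout is an assumption, not taken from the advisory.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real traffic. The last two carry a path made of
# thousands of slashes, the request shape the advisory describes.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2001:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.5 - - [28/Jul/2001:10:00:02 +0200] "GET /images//logo.gif HTTP/1.0" 200 512',
    '10.0.0.9 - - [28/Jul/2001:10:00:03 +0200] "GET /' + '/' * 4000 + ' HTTP/1.0" 200 8192',
    '10.0.0.9 - - [28/Jul/2001:10:00:04 +0200] "GET /' + '/' * 4000 + 'private/ HTTP/1.0" 404 210',
]

def longest_slash_run(path):
    """Length of the longest run of consecutive '/' in a request path."""
    return max((len(run) for run in re.findall(r"/+", path)), default=0)

def flag_slash_flood(lines, threshold=16):
    """One record per request whose path has at least `threshold` consecutive slashes.

    The threshold is an assumed value; legitimate URLs rarely contain more than a
    couple of '//'. A 200 status on such a request is the case to look at first,
    since the advisory says the modules may answer with a directory index instead
    of the error page.
    """
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        run = longest_slash_run(m.group("path"))
        if run >= threshold:
            hits.append({
                "host": m.group("host"),
                "slash_run": run,
                "path_len": len(m.group("path")),
                "status": int(m.group("status")),
                "served": m.group("status") == "200",
            })
    return hits

def hosts_with_served_listing(hits):
    """Sorted hosts that received a 200 on a slash-flood request."""
    return sorted({h["host"] for h in hits if h["served"]})
```

Run `flag_slash_flood(SAMPLE_LOG)` on the constructed lines: only the two slash-flood requests are reported, and `hosts_with_served_listing` narrows that to the host that got a 200 back.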
- Fixed in:
Debian GNU/Linux 2.2 (potato)
apache
- Source:
- http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.diff.gz
- http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.dsc
- http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9.orig.tar.gz
- Alpha:
- http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-common_1.3.9-14_alpha.deb
- http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-dev_1.3.9-14_alpha.deb
- http://security.debian.org/dists/stable/updates/main/binary-alpha/apache_1.3.9-14_alpha.deb
- ARM:
- http://security.debian.org/dists/stable/updates/main/binary-arm/apache-common_1.3.9-14_arm.deb
- http://security.debian.org/dists/stable/updates/main/binary-arm/apache-dev_1.3.9-14_arm.deb
- http://security.debian.org/dists/stable/updates/main/binary-arm/apache_1.3.9-14_arm.deb
- Intel IA-32:
- http://security.debian.org/dists/stable/updates/main/binary-i386/apache-common_1.3.9-14_i386.deb
- http://security.debian.org/dists/stable/updates/main/binary-i386/apache-dev_1.3.9-14_i386.deb
- http://security.debian.org/dists/stable/updates/main/binary-i386/apache_1.3.9-14_i386.deb
- Motorola 680x0:
- http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-common_1.3.9-14_m68k.deb
- http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-dev_1.3.9-14_m68k.deb
- http://security.debian.org/dists/stable/updates/main/binary-m68k/apache_1.3.9-14_m68k.deb
- PowerPC:
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-common_1.3.9-14_powerpc.deb
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-dev_1.3.9-14_powerpc.deb
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache_1.3.9-14_powerpc.deb
- Sun Sparc:
- http://security.debian.org/dists/stable/updates/main/binary-sparc/apache-common_1.3.9-14_sparc.deb
- http://security.debian.org/dists/stable/updates/main/binary-sparc/apache-dev_1.3.9-14_sparc.deb
- http://security.debian.org/dists/stable/updates/main/binary-sparc/apache_1.3.9-14_sparc.deb
- Architecture-independent component:
- http://security.debian.org/dists/stable/updates/main/binary-all/apache-doc_1.3.9-14_all.deb
apache-ssl
- Source:
- http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-3.diff.gz
- http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-3.dsc
- http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13.orig.tar.gz
- Alpha:
- http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-ssl_1.3.9.13-3_alpha.deb
- ARM:
- http://security.debian.org/dists/stable/updates/main/binary-arm/apache-ssl_1.3.9.13-3_arm.deb
- Intel IA-32:
- http://security.debian.org/dists/stable/updates/main/binary-i386/apache-ssl_1.3.9.13-3_i386.deb
- Motorola 680x0:
- http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-ssl_1.3.9.13-3_m68k.deb
- PowerPC:
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-ssl_1.3.9.13-3_powerpc.deb
- Sun Sparc:
- http://security.debian.org/dists/stable/updates/main/binary-sparc/apache-ssl_1.3.9.13-3_sparc.deb
MD5 checksums of the listed files are available in the original security advisory.