
Stay Ahead With Linux Security News


Explore Latest Linux Security news


Apache Web Server: Insufficient Patch Update with Exploit Threat

Update: For millions of websites that were vulnerable care of ISS, Apache is not too happy. ISS (Internet Security Systems) released an insufficient patch along with their advisory to the Apache Web Server. ISS believes that because Apache is open source, the vulnerability need not be reported to the maintainers, only to the public. Apache's official advisory states specifically that the ISS patch does not correct this vulnerability. The CERT advisory gives a description of which platforms this vulnerability affects.

ISS insists that this vulnerability is unexploitable. Apache.org's Mark Cox insists that if ISS had contacted Apache prior to making this vulnerability public, they would have been able to gain a better understanding of the problem and realize that their fix was insufficient. The bug, which deals with invalid requests encoded using chunked encoding, can cause a child process to terminate and then restart. This uses a trivial amount of resources.

A Slashdot.org posting asserts that ISS is using this Apache vulnerability as a press release. ISS's rebuttal is available here. There is no doubt that this assertion can be substantiated, but The Register believes that there may be something more to it than that. Has ISS ever tried something of this nature with Microsoft?

The fix is now available: httpd. Here is the message from Bugtraq telling you how to test if you need the patch or not.

Threat becomes vulnerability: Now that the patch has been released and Apache has been updated for all affected operating systems, the exploits have been released. Ensure your version has been patched and give the exploits a try. The exploits are available here and here.

Media References:

Washington Post: Problem is, they didn't tell the maker of the software. Then they issued the wrong prescription for fixing the problem...

The Register: On Monday, Internet Security Systems (ISS) posted their discovery to the BugTraq mailing list, without knowing the full extent of the flaw, and without giving Apache.org time to investigate and develop a patch or even propose a workaround. To sugar the pill...

News.com: The warning's release reopened a long-simmering debate over how much time a security researcher should give a software maker to verify and fix vulnerabilities that could affect large numbers of computer users...

ZD Net Tech News: The warning's release reopened a long-simmering debate over how much time a security researcher should give a software maker to verify and fix vulnerabilities that could affect large numbers of computer users...

InfoWorld: More than 63 percent of all Web sites run on an Apache Web server, according to Netcraft Ltd. of Bath, England, which compiles such information. The flaw is similar to...

Version Specific References:

Debian: /advisories/debian
EnGarde: /advisories
IBM AIX: https://www.ibm.com/solutions/servers
Red Hat: /advisories/red-hat
SuSe: /advisories/suse
Slackware: /advisories/slackware
Trustix: /advisories
Conectiva: /advisories

Jun 21, 2002 | LinuxSecurity.com Team | Server Security