Debians sikkerhedsbulletin

DSA-067-1 apache -- fjernangreb

Rapporteret den:

28. jul 2001

Berørte pakker:

apache, apache-ssl

Sårbar:

Referencer i sikkerhedsdatabaser:

I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 3009.
I Mitres CVE-ordbog: CVE-2001-0925.

Yderligere oplysninger:

Vi har modtaget rapporter om at den version af 'apache'-pakken, som er indeholdt i Debians 'stable'-distribution, er sårbar overfor problemet med kunstigt lange stinavne indeholdende skråstreger ('artificially long slash path directory listing vulnerability') som beskrevet hos SecurityFocus.

Denne sårbarhed blev annonceret på bagtraq af Dan Harkless.

Citat fra SecurityFocus' indlæg om denne sårbarhed:

Et problem i pakken kunne give mulighed for mappeindeksering og fremfinding af stinavne. I standard-opsætningen slår Apache mod_dir, mod_autoindex og mod_negotiation til. Men ved at sende en specielfremstillet forspørgsel til Apache-serveren, bestående af lange stinavne kunstigt fremstillet ved hjælp af utallige skråstreger kan dette få de pågældende moduler til at opføre sig forkert, hvilket gør det muligt at omgå fejlsiden og få en liste over indholdet i mappen.
Med denne sårbarhed kan en ondskabsfuld fjernbruger iværksætte et oplysningsindsamlingsangreb, der potentielt kan resultere i at systemet kompromitteres. Denne sårbarhed påvirker alle frigivelser af Apache før version 1.3.19.

Dette problem er rettet i apache-ssl 1.3.9-13.3 og apache 1.3.9-14. Vi anbefaler at du omgående opgraderer dine pakker.

Advarsel: .dsc- og .diff.gz-filernes MD5Sum stemmer ikke overens, da de bagefter blev kopieret fra den stabile udgivelse, indholdet af filen .diff.gz er dog det samme, og er kontrolleret.

Rettet i:

Debian GNU/Linux 2.2 (potato)

apache

Kildekode:: http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.diff.gz; http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.dsc; http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9.orig.tar.gz
Alpha:: http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-common_1.3.9-14_alpha.deb; http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-dev_1.3.9-14_alpha.deb; http://security.debian.org/dists/stable/updates/main/binary-alpha/apache_1.3.9-14_alpha.deb
ARM:: http://security.debian.org/dists/stable/updates/main/binary-arm/apache-common_1.3.9-14_arm.deb; http://security.debian.org/dists/stable/updates/main/binary-arm/apache-dev_1.3.9-14_arm.deb; http://security.debian.org/dists/stable/updates/main/binary-arm/apache_1.3.9-14_arm.deb
Intel IA-32:: http://security.debian.org/dists/stable/updates/main/binary-i386/apache-common_1.3.9-14_i386.deb; http://security.debian.org/dists/stable/updates/main/binary-i386/apache-dev_1.3.9-14_i386.deb; http://security.debian.org/dists/stable/updates/main/binary-i386/apache_1.3.9-14_i386.deb
Motorola 680x0:: http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-common_1.3.9-14_m68k.deb; http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-dev_1.3.9-14_m68k.deb; http://security.debian.org/dists/stable/updates/main/binary-m68k/apache_1.3.9-14_m68k.deb
PowerPC:: http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-common_1.3.9-14_powerpc.deb; http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-dev_1.3.9-14_powerpc.deb; http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache_1.3.9-14_powerpc.deb
Sun Sparc:: http://security.debian.org/dists/stable/updates/main/binary-sparc/apache-common_1.3.9-14_sparc.deb; http://security.debian.org/dists/stable/updates/main/binary-sparc/apache-dev_1.3.9-14_sparc.deb; http://security.debian.org/dists/stable/updates/main/binary-sparc/apache_1.3.9-14_sparc.deb
Arkitekturuafhængig komponent:: http://security.debian.org/dists/stable/updates/main/binary-all/apache-doc_1.3.9-14_all.deb

apache-ssl
Kildekode:: http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-3.diff.gz; http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13-3.dsc; http://security.debian.org/dists/stable/updates/main/source/apache-ssl_1.3.9.13.orig.tar.gz
Alpha:: http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-ssl_1.3.9.13-3_alpha.deb
ARM:: http://security.debian.org/dists/stable/updates/main/binary-arm/apache-ssl_1.3.9.13-3_arm.deb
Intel IA-32:: http://security.debian.org/dists/stable/updates/main/binary-i386/apache-ssl_1.3.9.13-3_i386.deb
Motorola 680x0:: http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-ssl_1.3.9.13-3_m68k.deb
PowerPC:: http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-ssl_1.3.9.13-3_powerpc.deb
Sun Sparc:: http://security.debian.org/dists/stable/updates/main/binary-sparc/apache-ssl_1.3.9.13-3_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.