LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LWN.net Weekly Edition for September 4, 2008

The Kernel Hacker's Bookshelf: UNIX Internals

DRI, BSD, and Linux

SCHED_FIFO and realtime throttling

LWN.net Weekly Edition for August 28, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Apache shared memory scoreboard vulnerabilities

Package(s):apache CVE #(s):CAN-2002-0839
Created:October 9, 2002 Updated:December 18, 2002
Description: Versions of Apache prior to 1.3.27 contain a couple of scoreboard-related vulnerabilities which can be exploited by local users running under the Apache user ID. In-server scripting languages, such as PHP, are the most likely means of carrying out the attacks. One vulnerability causes the server to fork off new processes, leading to denial of service scenarios; the other allows an attacker to send SIGUSR1 to any process as root, probably killing that process. See this iDEFENSE advisory for the details.
Alerts:
Mandrake MDKSA-2002:068-1 2002-12-18
SCO Group CSSA-2002-056.0 2002-12-05
Debian DSA-195-1 2002-11-13
Debian DSA-188-1 2002-11-05
Debian DSA-187-1 2002-11-04
Trustix 2002-0069 2002-10-17
Mandrake MDKSA-2002:067 2002-10-15
Gentoo apache-20021015 2002-10-15
EnGarde ESA-20021007-024 2002-10-07
Conectiva CLA-2002:530 2002-10-07
OpenPKG OpenPKG-SA-2002.009 2002-10-04
(Log in to post comments)

Apache shared memory scoreboard vulnerabilities

Posted Nov 26, 2002 6:53 UTC (Tue) by rasmus (subscriber, #1728) [Link]

How come RedHat haven't made a patch/upgrade for this?

Rasmus

Apache shared memory scoreboard vulnerabilities

Posted Dec 12, 2002 6:28 UTC (Thu) by proski (subscriber, #104) [Link]

That's a valid question. The announcement is dated October 9, 2002. It have been more than two months since then. I cannot think of any reason why Red Hat 7.x would be unaffected. The current update for Red Hat 7.3 is apache-1.3.23-14, dated June 19. The ChangeLog in that package doesn't mention the fix.

Many people believe that the advantage of using Red Hat is support and timely updates even for the distribution that is not exactly "latest and greatest". Red Hat should really care to fulfill this expectation. It's unreasonable to expect everybody to upgrade to Red Hat 8.0, which uses Apache 2, and it's unfair to drop support for older versions silently, without an announcement.

Apache shared memory scoreboard vulnerabilities

Posted Dec 12, 2002 20:37 UTC (Thu) by proski (subscriber, #104) [Link]

They have just released the update. There is an update for Red Hat 8.0 as well.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds