Versions of Apache prior to 1.3.27 contain a couple of scoreboard-related
vulnerabilities which can be exploited by local users running under the
Apache user ID. In-server scripting languages, such as PHP, are the most
likely means of carrying out the attacks. One vulnerability causes the
server to fork off new processes, leading to denial of service scenarios;
the other allows an attacker to send SIGUSR1 to any process as root,
probably killing that process. See this
iDEFENSE advisory for the details.
Posted Nov 26, 2002 6:53 UTC (Tue) by rasmus (guest, #1728)
[Link]
How come RedHat haven't made a patch/upgrade for this?
Rasmus
Apache shared memory scoreboard vulnerabilities
Posted Dec 12, 2002 6:28 UTC (Thu) by proski (subscriber, #104)
[Link]
That's a valid question. The announcement is dated October 9, 2002. It have been more than two months since then. I cannot think of any reason why Red Hat 7.x would be unaffected. The current update for Red Hat 7.3 is apache-1.3.23-14, dated June 19. The ChangeLog in that package doesn't mention the fix.
Many people believe that the advantage of using Red Hat is support and timely updates even for the distribution that is not exactly "latest and greatest". Red Hat should really care to fulfill this expectation. It's unreasonable to expect everybody to upgrade to Red Hat 8.0, which uses Apache 2, and it's unfair to drop support for older versions silently, without an announcement.
Apache shared memory scoreboard vulnerabilities
Posted Dec 12, 2002 20:37 UTC (Thu) by proski (subscriber, #104)
[Link]