From: David K. <dka...@er...> - 2008-11-05 19:31:35
We implemented several security-related bug fixes in krang's version of Apache today:

Upgraded Apache to version 1.3.41 (the latest 1.3x release) to address the following known security vulnerabilities:

  Apache 'mod_proxy_ftp' Undefined Charset UTF-7 Cross-Site Scripting Vulnerability
  http://www.securityfocus.com/bid/27234

  Apache HTTP Server 2.2.6, 2.0.61 and 1.3.39 'mod_status' Cross-Site Scripting Vulnerability
  http://www.securityfocus.com/bid/27237

  Apache mod_imagemap and mod_imap Cross-Site Scripting Vulnerability
  http://www.securityfocus.com/bid/19661

And added the "TraceEnable off" directive to the httpd and siteserver apache conf files, to address this one:

  Multiple vendors' web servers enable HTTP TRACE method by default
  http://www.kb.cert.org/vuls/id/867593

Each of these vulnerabilities was detected by a recent security scan of systems running krang (3.01) which was performed as part of a PCI DSS [1] compliance audit. Although krang is not vulnerable to all of these threats (the mod_proxy_ftp and mod_imagemap modules aren't included, for instance), the scans identify the *version* of apache that is bundled with krang as being potentially vulnerable, and since compliance with credit card industry standards is mandatory for many e-commerce sites, it never hurts to be up to date!

[1] Payment Card Industry Data Security Standard
    http://en.wikipedia.org/wiki/PCI_DSS

-dave

--
David Kaufman
The Erlbaum Group, LLC
817 Broadway, 10th floor
New York, NY 10003
646-775-4151 (office)
212-684-6226 (fax)
dka...@er...

-----Original Message-----
From: dka...@kr... [mailto:dka...@kr...] Sent: Wednesday, November 05, 2008 2:03 PM To: kra...@li... Subject: [Krang-CVS] [5610] Upgraded: Apache from 1.3.37 to 1.3.41 Revision: 5610 Author: dkaufman Date: 2008-11-05 14:03:01 -0500 (Wed, 05 Nov 2008) Log Message: ----------- Upgraded: Apache from 1.3.37 to 1.3.41 mm from 1.4.2 to 1.4.2, and mod_ssl from 2.8.28 to 2.8.31 Also disabled HTTP trace method in krang httpd and siteserver conf templates to address unnecessary security vulnerability, and added the removed source files, that were replaced, to the remove_files() call in the 3.04 upgrade script Modified Paths: -------------- trunk/krang/conf/httpd.conf.tmpl trunk/krang/conf/siteserver.conf.tmpl trunk/krang/upgrade/V3_04.pm Added Paths: ----------- trunk/krang/src/Apache-MOD_PERL/apache_1.3.41.tar.gz trunk/krang/src/Apache-MOD_PERL/mm-1.4.2.tar.gz trunk/krang/src/Apache-MOD_PERL/mod_ssl-2.8.31-1.3.41.tar.gz Removed Paths: ------------- trunk/krang/src/Apache-MOD_PERL/apache_1.3.37.tar.gz trunk/krang/src/Apache-MOD_PERL/mm-1.4.0.tar.gz trunk/krang/src/Apache-MOD_PERL/mod_ssl-2.8.28-1.3.37.tar.gz Modified: trunk/krang/conf/httpd.conf.tmpl =================================================================== --- trunk/krang/conf/httpd.conf.tmpl 2008-11-05 18:30:54 UTC (rev 5609) +++ trunk/krang/conf/httpd.conf.tmpl 2008-11-05 19:03:01 UTC (rev 5610) @@ -78,6 +78,10 @@ </tmpl_if> AddModule mod_perl.c +# Disable HTTP TRACE method [http://www.kb.cert.org/vuls/id/867593] +TraceEnable off + + # # Non mod_perl config # Modified: trunk/krang/conf/siteserver.conf.tmpl =================================================================== --- trunk/krang/conf/siteserver.conf.tmpl 2008-11-05 18:30:54 UTC (rev 5609) +++ trunk/krang/conf/siteserver.conf.tmpl 2008-11-05 19:03:01 UTC (rev 5610) 
@@ -70,6 +70,8 @@ </tmpl_if> AddModule mod_perl.c +# Disable HTTP TRACE method [http://www.kb.cert.org/vuls/id/867593] +TraceEnable off # # To use server-parsed HTML files Deleted: trunk/krang/src/Apache-MOD_PERL/apache_1.3.37.tar.gz =================================================================== (Binary files differ) Added: trunk/krang/src/Apache-MOD_PERL/apache_1.3.41.tar.gz =================================================================== (Binary files differ) Property changes on: trunk/krang/src/Apache-MOD_PERL/apache_1.3.41.tar.gz ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Deleted: trunk/krang/src/Apache-MOD_PERL/mm-1.4.0.tar.gz =================================================================== (Binary files differ) Added: trunk/krang/src/Apache-MOD_PERL/mm-1.4.2.tar.gz =================================================================== (Binary files differ) Property changes on: trunk/krang/src/Apache-MOD_PERL/mm-1.4.2.tar.gz ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Deleted: trunk/krang/src/Apache-MOD_PERL/mod_ssl-2.8.28-1.3.37.tar.gz =================================================================== (Binary files differ) Added: trunk/krang/src/Apache-MOD_PERL/mod_ssl-2.8.31-1.3.41.tar.gz =================================================================== (Binary files differ) Property changes on: trunk/krang/src/Apache-MOD_PERL/mod_ssl-2.8.31-1.3.41.tar.gz ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Modified: trunk/krang/upgrade/V3_04.pm =================================================================== --- trunk/krang/upgrade/V3_04.pm 2008-11-05 18:30:54 UTC (rev 5609) +++ trunk/krang/upgrade/V3_04.pm 2008-11-05 19:03:01 UTC (rev 5610) 
@@ -52,6 +52,9 @@ htdocs/help/template_archived.html htdocs/help/user.html htdocs/help/workspace.html + src/Apache-MOD_PERL/mod_ssl-2.8.28-1.3.37.tar.gz + src/Apache-MOD_PERL/mm-1.4.0.tar.gz + src/Apache-MOD_PERL/apache_1.3.37.tar.gz src/Digest-MD5-2.23.tar.gz src/HTML-Parser-3.36.tar.gz src/HTML-PopupTreeSelect-Dynamic-1.3.tar.gz
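Review bot: In the httpd.conf.tmpl hunk, `TraceEnable` is a core directive that only exists from Apache 1.3.34 onward, so this template now depends on the bundled 1.3.41: a deployment pointed at an older system httpd would refuse to start with an unknown-directive error rather than silently leaving TRACE on. That is the safer failure mode, but it deserves a line in the upgrade notes. Placement is right: at global scope directly after `AddModule mod_perl.c` it covers every virtual host, whereas a `TraceEnable off` inside one `<VirtualHost>` would only cover that host. Style point: the hunk adds two trailing blank lines after `+TraceEnable off` on top of the blank already preceding `# Non mod_perl config`; one is enough, and the siteserver.conf.tmpl hunk adds none, so the two templates now differ for no reason. After restarting, a TRACE request against the server should come back with an error status (405 per the TraceEnable documentation) instead of an echo of the request; that is the check the PCI scanner will repeat.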
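Review bot: The V3_04.pm hunk queues `src/Apache-MOD_PERL/mm-1.4.0.tar.gz` for removal, which contradicts the log message's "mm from 1.4.2 to 1.4.2"; the hunk and the Removed Paths list are right and the log message should say "from 1.4.0 to 1.4.2". Also, Modified Paths lists no change to whatever unpacks the tarballs under src/Apache-MOD_PERL: if that build script names the tarball versions explicitly rather than globbing, it needs the same version bump, or the upgrade will delete the only archives it knows how to build. Worth confirming before tagging 3.04.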
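The two checks a maintainer would want after the change described in the message above are (a) that the shipped config really disables TRACE at global scope and (b) that a running server now refuses TRACE and advertises the upgraded version, since the PCI scan keyed on the Server banner. The following Python script is an added example, not Krang project code: it uses only the standard library, makes no network requests (you feed it the config text and a raw HTTP response you captured yourself), and every sample input in it is constructed for the example. Its handling of Apache containers (`<VirtualHost>`, `<IfModule>`) generalises beyond the one directive on the page.

```python
"""Post-change checks for the Apache hardening described in the message above.

Added example, not Krang project code. Standard library only; makes no network
requests. Inputs are httpd.conf(.tmpl) text and a raw HTTP response captured
from a TRACE request to your own server. All sample inputs are constructed.
"""
import re

# Constructed excerpt in the shape of the patched httpd.conf.tmpl hunk above.
SAMPLE_CONF = """\
AddModule mod_perl.c

# Disable HTTP TRACE method [http://www.kb.cert.org/vuls/id/867593]
TraceEnable off

<VirtualHost *:80>
    ServerName example.invalid
</VirtualHost>
"""

# Constructed response of a server that still honours TRACE: 200 plus the
# request echoed back as message/http (that echo is what cross-site tracing abuses).
SAMPLE_TRACE_ECHOED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\nHost: example.invalid\r\n"
)

# Constructed response after "TraceEnable off": the method is refused.
SAMPLE_TRACE_REJECTED = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Server: Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>405 Method Not Allowed</h1></body></html>\r\n"
)

CONTAINER_OPEN = re.compile(r"^<(?!/)\w+")   # <VirtualHost ...>, <IfModule ...>
CONTAINER_CLOSE = re.compile(r"^</\w+>")


def trace_enable_setting(conf_text):
    """Value (lowercased) of the last global-scope TraceEnable, or None.

    Directives nested inside a container are ignored: a TraceEnable inside
    one <VirtualHost> does not protect the other servers in the file.
    """
    depth, found = 0, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines
            continue
        if CONTAINER_CLOSE.match(line):
            depth = max(0, depth - 1)
        elif CONTAINER_OPEN.match(line):
            depth += 1
        elif depth == 0:
            parts = line.split()
            if parts[0].lower() == "traceenable" and len(parts) > 1:
                found = parts[1].lower()
    return found


def trace_is_enabled(raw_response):
    """True if a raw response to a TRACE request shows the method is enabled.

    An enabled server answers 200 and echoes the request (Content-Type
    message/http); any error status means the method is refused.
    """
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        raise ValueError("not an HTTP response: %r" % status_line[:40])
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    echoed = (headers.get("content-type", "").startswith("message/http")
              or body.lstrip().startswith("TRACE "))
    return int(m.group(1)) == 200 and echoed


def apache_version(raw_response):
    """Apache version from the Server banner as a tuple, or None.

    Version scanners (like the PCI scan in the message above) key on this
    banner, which is why the bundled version matters even for modules Krang
    never builds.
    """
    m = re.search(r"^Server:\s*Apache/(\d+)\.(\d+)\.(\d+)", raw_response, re.M | re.I)
    return tuple(int(x) for x in m.groups()) if m else None


def banner_below(raw_response, minimum=(1, 3, 41)):
    """True if the banner advertises an Apache older than `minimum`."""
    v = apache_version(raw_response)
    return v is not None and v < minimum


if __name__ == "__main__":
    print("global TraceEnable:", trace_enable_setting(SAMPLE_CONF))
    for label, resp in (("before", SAMPLE_TRACE_ECHOED), ("after", SAMPLE_TRACE_REJECTED)):
        print(label, "TRACE enabled:", trace_is_enabled(resp),
              "banner:", apache_version(resp), "below 1.3.41:", banner_below(resp))
```

Run it against the real files by reading `conf/httpd.conf.tmpl` (and the siteserver template) into `trace_enable_setting`, and against a live server by saving the bytes returned for a `TRACE /` request and passing them to `trace_is_enabled` and `banner_below`; `trace_enable_setting` returning `None` or anything but `"off"` means the template change did not land at global scope.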