From: Steve D. <sd...@sw...> - 2001-07-28 14:33:22
Hello everyone. I received the following alert on the Debian security mailing list. Since it probably applies to many sql-ledger users, I thought I would forward it. I also included Google's cache of the alert since securityfocus seems to be down this morning (how convenient). It's recommended that you upgrade Apache to a secure version immediately.

-------- Original Message --------
Subject: [SECURITY] [DSA-067-1] New versions of apache, fixes index bug
Resent-From: deb...@li...
Date: Sat, 28 Jul 2001 02:59:23 +0200
From: Robert van der Meulen <rv...@wi...>
Reply-To: sec...@de...
To: deb...@li...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-067-1                          sec...@de...
http://www.debian.org/security/                      Robert van der Meulen
July 28, 2001
- ------------------------------------------------------------------------

Package        : apache,apache-ssl
Problem type   : remote exploit
Debian-specific: no

We have received reports that the 'apache' http daemon, as included in the Debian 'stable' distribution, is vulnerable to the 'artificially long slash path directory listing vulnerability' as described in http://www.securityfocus.com/vdb/bottom.html?vid=2503 . This vulnerability was announced to bugtraq by Dan Harkless.

Quoting the SecurityFocus entry for this vulnerability:

    A problem in the package could allow directory indexing, and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by placing a custom crafted request to the Apache server consisting of a long path name created artificially by using numerous slashes, this can cause these modules to misbehave, making it possible to escape the error page, and gain a listing of the directory contents.

    This vulnerability makes it possible for a malicious remote user to launch an information gathering attack, which could potentially result in compromise of the system.
Additionally, this vulnerability affects all releases of Apache previous to 1.3.19.

**************BUGTRAQ NOTICE*************************************
bugtraq id   2503
class        Input Validation Error
cve          CVE-MAP-NOMATCH
remote       Yes
local        No
published    March 13, 2001
updated      June 29, 2001

vulnerable
  Apache Group Apache 1.3.9
    - Sun Solaris 8.0_x86
    - Sun Solaris 8.0
    + Debian Linux 2.2 sparc
    + Debian Linux 2.2 powerpc
    + Debian Linux 2.2 arm
    + Debian Linux 2.2 alpha
    + Debian Linux 2.2 68k
    + Debian Linux 2.2
  Apache Group Apache 1.3.3
    + RedHat Linux 5.2 sparc
    + RedHat Linux 5.2 i386
    + RedHat Linux 5.2 alpha
  Apache Group Apache 1.3.17win32
    - Microsoft Windows ME
    - Microsoft Windows 98se
    - Microsoft Windows 98
    - Microsoft Windows 95
    - Microsoft Windows NT 4.0SP6a
      + Microsoft Windows NT 4.0
    - Microsoft Windows NT 4.0SP6
      + Microsoft Windows NT 4.0
    - Microsoft Windows NT 4.0SP5
      + Microsoft Windows NT 4.0
    - Microsoft Windows NT 4.0SP4
      + Microsoft Windows NT 4.0
    - Microsoft Windows NT 4.0SP3
      + Microsoft Windows NT 4.0
    - Microsoft Windows NT 4.0SP2
      + Microsoft Windows NT 4.0
    - Microsoft Windows NT 4.0SP1
      + Microsoft Windows NT 4.0
    - Microsoft Windows NT 4.0
    - Microsoft Windows 2000 SP2
    - Microsoft Windows 2000 SP1
    - Microsoft Windows 2000
  Apache Group Apache 1.3.17
    + S.u.S.E. Linux 7.1
    + OpenBSD OpenBSD 2.8
  Apache Group Apache 1.3.14
    + MandrakeSoft Linux Mandrake 7.2
  Apache Group Apache 1.3.12
    + S.u.S.E. Linux 7.0sparc
    + S.u.S.E. Linux 7.0
    + RedHat Linux 7.0 i386
    + RedHat Linux 7.0 alpha
    + RedHat Linux 6.2 sparc
    + RedHat Linux 6.2 i386
    + RedHat Linux 6.2 alpha

not vulnerable
  Apache Group Apache 1.3.19
    - Sun Solaris 8.0
    - Sun Solaris 7.0
    - SGI IRIX 6.5.9
    - SGI IRIX 6.5.8
    - S.u.S.E. Linux 7.1
    - S.u.S.E. Linux 7.0
    - S.u.S.E. Linux 6.4
    - RedHat Linux 7.1
    - RedHat Linux 7.0
    - RedHat Linux 6.2
    - OpenBSD OpenBSD 2.9
    - OpenBSD OpenBSD 2.8
    - NetBSD NetBSD 1.5.1
    - NetBSD NetBSD 1.5
    - MandrakeSoft Linux Mandrake 8.0
    - MandrakeSoft Linux Mandrake 7.2
    - MandrakeSoft Linux Mandrake 7.1
    - HP HP-UX 11.11
    - HP HP-UX 11.0
    - HP HP-UX 10.20
    - FreeBSD FreeBSD 4.2
    - FreeBSD FreeBSD 3.5.1
    - Digital (Compaq) TRU64/DIGITAL UNIX 5.0
    - Digital (Compaq) TRU64/DIGITAL UNIX 4.0g
    - Digital (Compaq) TRU64/DIGITAL UNIX 4.0f
    + Debian Linux 2.3
    - Caldera eServer 2.3.1
    - Caldera eDesktop 2.4
    - Caldera OpenLinux 2.4
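As an added example, not part of the forwarded message or of the Debian advisory: a small Python script that does the two things a sql-ledger administrator would want after reading the above. It scans Apache access-log lines for request paths with an abnormally long run of slashes (the request shape the SecurityFocus entry describes) and checks a Server header value against the 1.3.19 fix level the advisory names. The log lines, the thresholds (max_run, max_total) and the function names are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed Apache "combined" log lines for this example (not real traffic).
# The third request carries an artificially long run of slashes in its path.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jul/2001:09:12:01 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [28/Jul/2001:09:12:02 +0200] "GET /images/logo.gif HTTP/1.0" 200 2211 "-" "Mozilla/4.0"
198.51.100.7 - - [28/Jul/2001:09:12:05 +0200] "GET /{slashes} HTTP/1.0" 200 3562 "-" "-"
192.0.2.22 - - [28/Jul/2001:09:12:09 +0200] "GET /cgi-bin/sql-ledger/login.pl HTTP/1.0" 200 875 "-" "Mozilla/4.0"
""".format(slashes="/" * 4000)

# Common/combined log format: host, identd, user, [time], "METHOD path PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Apache release that fixes the issue, per the advisory ("previous to 1.3.19").
FIXED_RELEASE = (1, 3, 19)
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def longest_slash_run(path: str) -> int:
    """Length of the longest run of consecutive '/' characters in a request path."""
    run = best = 0
    for ch in path:
        if ch == "/":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def suspicious_requests(log_text: str, max_run: int = 8, max_total: int = 64) -> List[Dict]:
    """Return one record per logged request whose path has a slash run of at least
    max_run or at least max_total slashes overall. Legitimate paths almost never
    exceed two consecutive slashes, so the thresholds (assumed here) are generous.
    Unparseable lines are skipped rather than raising."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        run = longest_slash_run(path)
        total = path.count("/")
        if run >= max_run or total >= max_total:
            hits.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "slash_run": run,
                "slash_total": total,
                "path_len": len(path),
            })
    return hits


def is_affected_version(server_header: str) -> Optional[bool]:
    """True if a Server header reports an Apache release before 1.3.19, False if it
    reports 1.3.19 or later, None if no Apache version number is visible (some
    sites hide it, so None means 'check the package version on the host')."""
    m = VERSION_RE.search(server_header)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) < FIXED_RELEASE


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("long-slash request:", hit)
    for banner in ("Apache/1.3.9 (Unix) Debian/GNU", "Apache/1.3.19 (Unix)"):
        print(banner, "->", "affected" if is_affected_version(banner) else "not affected")
```

The log check is a heuristic for spotting probing after the fact; a 200 status on such a request is the thing to look at closely, since the advisory's point is that the listing comes back instead of the error page. The only remediation the advisory gives is upgrading the apache and apache-ssl packages, and the version check above is there to confirm that the upgrade actually took effect on each host.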