Re: [users@httpd] Help required for security vulnerabilities in 1.3.29

First, my sincere apologies to Joshua for the inconvenience caused; seeing these vulnerabilities panicked me. Please accept my apologies, and it won't be happening again.
 
To answer your questions, I have the following info:
1) We make use of Sun Solaris 8; I am not sure whether this is a big- or little-endian 64-bit platform.
2) Our software is deployed at the customer site, so upgrading to a new Apache version doesn't seem to be a solution for us.
3) I will also try to find the answers to the other questions put.
 
Here I have the following other questions:
1) How can I run htpasswd as setuid? I am not clear about this point.
2) Is there any way I can test by injecting escape sequences into an Apache error or access log?
 
Thanks for all your time and help, and I am sorry again for the inconvenience caused.
 
Thanks and Regards
Syona

Joshua Slive <jslive@xxxxxxxxx> wrote:
On 11/28/05, syona m wrote:
> Hi All,
>
> This is a little urgent. We are making use of apache 1.3.29 in our project
> and while running "Nessus" security scan shows what it believes to be
> security vulnerabilities found within Apache ports. They need to know if
> these are valid security concerns or "False Positives". Below are the case
> ids

First, you need to think a little more about what you are doing before
sending scattershot email to every address you can find. You sent
this message also to me personally, to our security notification
address (which specifically forbids messages of this type) and to
god-only-knows how many other addresses. I find this very rude and
inconsiderate since it wastes the time of the people who you want to
help you. Please consider this the next time you have a problem.

The appropriate forum for this type of question is the
users@xxxxxxxxxxxxxxxx mailing list, to which I am now replying.

To start, you can get information on apache 1.3 security vulnerabilities here:
http://httpd.apache.org/security/vulnerabilities_13.html
You'll notice this lines up quite closely with the list you quote.
All of these problems could be fixed simply by upgrading your server
to the most recent 1.3 release: 1.3.33.

Are these important security vulnerabilities? Not really, but it
depends on the context. If you are running on a 64-bit big-endian
platform, then CVE-2003-0993 could be a problem. If you let untrusted
users run ssi, then CVE-2004-0940 could be a problem. If you are a
frequent target of Denial of Service attacks, then several of them
might be important.

The PUT and DELETE warnings are probably a false positive, but I don't
know how Nessus is doing its testing, so I can't tell for sure. Do
you run mod_dav? Do you run a CGI script that doesn't check its
methods?

Joshua.
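Joshua's point about the PUT and DELETE findings is that the scanner's verdict depends on what sits behind the URL it probed: on a stock Apache 1.3 a plain file URL answers 405 (Method Not Allowed) with an Allow header, which is the false-positive case, while mod_dav or a CGI script that never checks REQUEST_METHOD will actually act on the request. The script below is an added example, not code from this thread or from the Apache project. It sends the same three methods a scanner would and classifies the answers; to make it runnable offline it includes a small stand-in server that imitates both behaviours. The host, port, the probe path and the /cgi-bin/echo path are assumptions for the demo.

```python
"""Probe an HTTP server to see whether PUT and DELETE are really handled.

Added example, not code from the mailing-list thread or from Apache.
The stand-in server below imitates two cases: a plain file URL on a stock
Apache 1.3 (405 + Allow header) and a CGI script that ignores the request
method (200 for anything).  Paths and addresses are assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_METHODS = ("OPTIONS", "PUT", "DELETE")
SCANNER_PATH = "/nessus-probe.txt"   # assumed: a file that does not exist
SLOPPY_CGI = "/cgi-bin/echo"         # assumed: a CGI that never checks the method


def probe(host, port, path, body=b"probe"):
    """Send each probe method to path; return {method: (status, Allow header)}."""
    results = {}
    for method in PROBE_METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path,
                     body=body if method == "PUT" else None,
                     headers={"Content-Type": "text/plain"})
        resp = conn.getresponse()
        resp.read()
        results[method] = (resp.status, resp.getheader("Allow"))
        conn.close()
    return results


def classify(results):
    """Turn raw statuses into a verdict: did the method really do something?"""
    verdict = {}
    for method in ("PUT", "DELETE"):
        status, _allow = results[method]
        if status in (200, 201, 204):
            verdict[method] = "accepted"   # real exposure: the server acted on it
        elif status in (401, 403, 405, 501):
            verdict[method] = "rejected"   # the usual scanner false positive
        else:
            verdict[method] = "unclear"    # check the error log for that request
    return verdict


class StandIn(BaseHTTPRequestHandler):
    """Imitates stock Apache 1.3 for files and a method-blind CGI script."""

    def _handle(self):
        # Drain any request body so the client never sees a reset.
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)
        if self.path.startswith(SLOPPY_CGI):
            # A CGI that ignores REQUEST_METHOD answers 200 to PUT and DELETE.
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")
            return
        # Default handler for a file URL: OPTIONS is fine, PUT/DELETE are 405.
        self.send_response(200 if self.command == "OPTIONS" else 405)
        self.send_header("Allow", "GET, HEAD, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_OPTIONS = do_PUT = do_DELETE = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Probe both paths on the local stand-in; return the verdict per path."""
    server = HTTPServer(("127.0.0.1", 0), StandIn)
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            "file": classify(probe(host, port, SCANNER_PATH)),
            "cgi": classify(probe(host, port, SLOPPY_CGI)),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for target, verdict in demo().items():
        print(target, verdict)
```

Against a real server you would call probe() with the customer's host and the exact URL Nessus reported, with the access and error logs open on the other side: a 405 that lists GET/HEAD/OPTIONS in Allow is the false positive Joshua expects; a 200 or 201, or a file that appears on disk, means mod_dav or a method-blind CGI did act on the request.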

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


