Is Raw Hide Apache RPM stable with RH 9?
bscott at ntisys.com
Mon Aug 18 01:36:36 EDT 2003
On Mon, 18 Aug 2003, at 12:34am, gbonnett at coe.neu.edu wrote:
> My Apache 2.0.40 / RH 9 Web server seems to have been getting DoS'd more
> frequently as of late.
Elaborate, please.
> I thought I had the most recent packages installed, but it turns out the
> latest RPM redhat has released was for 2.0.40 ...
Keep in mind that Red Hat, like many (most?) distro vendors, backports
security fixes into their production releases. That helps reduce the scope
of the changes that need to be made. Also keep in mind that bugs may be
discovered in Apache that only affect certain configurations, and Red Hat's
packages may be configured in such a way that they are not affected.
That being said...
It appears that the current Red Hat production release for RHL 9 is
2.0.40-21.3. From the information in the RHSA-2003:186-06 advisory[1], I
conclude that release contains fixes up through Apache httpd 2.0.46, but no
later. The Apache website[2] leads me to believe that several
vulnerabilities are present in 2.0.46 which Red Hat release 2.0.40-21.3
might be vulnerable to.
*That* being said...
CAN-2003-0192 - It appears this would only affect you if you are using the
"SSLCipherSuite" directive, and the worst exposure would be a weaker SSL
cipher being chosen.
CAN-2003-0254 - It appears this would only affect you if you are using
Apache as an HTTP proxy, and connecting to an IPv6 FTP site via said proxy.
CAN-2003-0253 - It appears this would only affect you if you have multiple
listening sockets configured in Apache. [3]
VU#379828 - I could not find any documentation on this issue. Even the
CERT Vulnerability database does not have that VU# on file (not publicly,
anyway). Thus, I cannot make an analysis.
All in all, I would say running the latest RHL 9 production release should
be safe, EXCEPT for the VU#379828 mystery bug. What little information I
could find on that one certainly makes it sound like it would be exploitable
for DoS.
Footnotes
---------
[1] https://rhn.redhat.com/errata/RHSA-2003-186.html
[2] http://www.apache.org/dist/httpd/Announcement2.html
[3] http://www.apacheweek.com/features/security-20
--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
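One concrete way to act on the backporting point made above: since Red Hat folds fixes into the same upstream version string, the installed package's changelog, not "2.0.40", is what tells you which CAN ids are addressed. The script below is an added example and is not part of Ben's post or of Red Hat's tooling. It assumes a POSIX shell with grep and awk; the changelog text, the release numbers and the CAN-to-release mapping in it are constructed for the demo (on a real RHL 9 host the text would come from `rpm -q --changelog httpd`).

```shell
#!/bin/sh
# Added example, not code from the original post or from Red Hat.
# Idea: with backported fixes the upstream version (2.0.40) says nothing
# about which vulnerabilities are patched; the package %changelog does.
# On a real RHL 9 box the text below would come from:
#     rpm -q --changelog httpd
# The changelog here is CONSTRUCTED: the release numbers and which CAN id
# lands in which release are invented for the demo.
SAMPLE_CHANGELOG='* Mon Jul 07 2003 Packager <packager@example.com> 2.0.40-42.2
- backport fix for CAN-2003-0253 (multiple listening sockets)
* Mon May 19 2003 Packager <packager@example.com> 2.0.40-42.1
- backport fix for CAN-2003-0192 (SSLCipherSuite handling)
* Wed Apr 02 2003 Packager <packager@example.com> 2.0.40-42
- rebuild'

# has_fix ID CHANGELOG -> exit 0 if ID appears anywhere in CHANGELOG, else 1.
has_fix() {
    printf '%s\n' "$2" | grep -q -F -- "$1"
}

# fixed_in ID CHANGELOG -> prints the version-release whose entry first
# names ID (entries are newest-first, so this is the newest mention), or
# nothing if ID is absent. awk remembers the current "* date who ver-rel"
# header line; its last field is the version-release.
fixed_in() {
    printf '%s\n' "$2" | awk -v id="$1" '
        /^\* / { rel = $NF; next }
        index($0, id) && !found { print rel; found = 1 }
    '
}

# missing_fixes CHANGELOG ID... -> prints each ID the changelog does not
# mention, one per line; exit 1 if any is missing, 0 if all are present.
missing_fixes() {
    cl=$1
    shift
    rc=0
    for id in "$@"; do
        if ! has_fix "$id" "$cl"; then
            printf '%s\n' "$id"
            rc=1
        fi
    done
    return $rc
}

# Demo: which of the ids discussed in the thread are still unaddressed in
# this (constructed) build? Anything printed needs a look at the advisory.
missing_fixes "$SAMPLE_CHANGELOG" CAN-2003-0192 CAN-2003-0254 CAN-2003-0253 \
    || echo "=> not every id is covered by this package's changelog"
```

Run it as-is to see the demo; to use it on a real host, replace the constructed text with the output of `rpm -q --changelog httpd` and pass the advisory's CAN ids. A grep hit only proves the packager claims a fix, so treat a miss as "investigate", and a hit as "probably fixed, confirm against the advisory".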