Is Raw Hide Apache RPM stable with RH 9?

Greg Bonnette gbonnett at coe.neu.edu
Mon Aug 18 07:37:47 EDT 2003


On Mon, 18 Aug 2003, at 12:34am, bscott at ntisys.com wrote:
> Elaborate, please.

I am running the latest RH release of apache. I was unaware of the
security patch back-porting that distros do.

I have been having a tough time pinpointing the source of my problems.
First I should explain the situation: my webserver is 50 miles away from
me and I have all remote access disabled other than ftp, so once a week
I get physical access to it to do updates. Yesterday without warning my
apache just crashed and started giving me this:

Bad request!
Your browser (or proxy) sent a request that this server could not
understand. 
If you think this is a server error, please contact the webmaster 
Error 400
www.mydomain.com 
Mon 18 Aug 2003 07:30:34 AM EDT 
Apache/2.0.40 (Red Hat Linux)

I won't have a chance to look at the logs until tomorrow; when I do I may
be able to pinpoint the request that caused the crash. I think I may
finally break down and set up ssh and sftp.

Thanks,

-Greg

-----Original Message-----
From: gnhlug-discuss-admin at mail.gnhlug.org
[mailto:gnhlug-discuss-admin at mail.gnhlug.org] On Behalf Of
bscott at ntisys.com
Sent: Monday, August 18, 2003 1:37 AM
To: Greater NH Linux User Group
Subject: Re: Is Raw Hide Apache RPM stable with RH 9? 

On Mon, 18 Aug 2003, at 12:34am, gbonnett at coe.neu.edu wrote:
> My Apache 2.0.40 / RH 9 Web server seems to have been getting DoS'd more
> frequently as of late.

  Elaborate, please.

> I thought I had the most recent packages installed, but it turns out the
> latest RPM redhat has released was for 2.0.40 ...

  Keep in mind that Red Hat, like many (most?) distro vendors, backports
security fixes into their production releases.  That helps reduce the scope
of the changes that need to be made.  Also keep in mind that bugs may be
discovered in Apache that only affect certain configurations, and Red Hat's
packages may be configured in such a way that they are not affected.

  That being said...

  It appears that the current Red Hat production release for RHL 9 is
2.0.40-21.3.  From the information in the RHSA-2003:186-06 advisory[1], I
conclude that release contains fixes up through Apache httpd 2.0.46, but no
later.  The Apache website[2] leads me to believe that several
vulnerabilities are present in 2.0.46 which Red Hat release 2.0.40-21.3
might be vulnerable to.

  *That* being said...

  CAN-2003-0192 - It appears this would only affect you if you are using the
"SSLCipherSuite" directive, and the worst exposure would be a weaker SSL
cipher being chosen.

  CAN-2003-0254 - It appears this would only affect you if you are using
Apache as an HTTP proxy, and connecting to an IPv6 FTP site via said proxy.

  CAN-2003-0253 - It appears this would only affect you if you have multiple
listening sockets configured in Apache. [3]

  VU#379828 - I could not find any documentation on this issue.  Even the
CERT Vulnerability database does not have that VU# on file (not publicly,
anyway).  Thus, I cannot make an analysis.

  All in all, I would say running the latest RHL 9 production release should
be safe, EXCEPT for the VU#379828 mystery bug.  What little information I
could find on that one certainly makes it sound like it would be exploitable
for DoS.

Footnotes
---------
[1] https://rhn.redhat.com/errata/RHSA-2003-186.html
[2] http://www.apache.org/dist/httpd/Announcement2.html
[3] http://www.apacheweek.com/features/security-20

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |


_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss at mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
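
An added example, not part of either poster's message: a Python check that scans an httpd.conf for the configuration conditions the quoted reply names for CAN-2003-0192, CAN-2003-0254 and CAN-2003-0253. The sample config and the function names are constructed for illustration; VU#379828 is left out because the reply gives no condition for it.

```python
import re

# Constructed sample httpd.conf fragment (not from the thread).
SAMPLE_CONF = """\
Listen 80
Listen 443
<IfModule mod_ssl.c>
    SSLEngine on
    # SSLCipherSuite HIGH:MEDIUM
</IfModule>
ProxyRequests Off
"""

def directives(conf_text):
    """Yield (lowercased name, args) for each non-comment directive line.

    Assumption: directives inside <IfModule>/<VirtualHost> containers are
    counted as active, which errs on the side of reporting exposure.
    """
    joined = re.sub(r"\\\r?\n", " ", conf_text)  # backslash line continuation
    for line in joined.splitlines():
        line = line.strip()
        # Apache comments are whole lines starting with '#'; skip section tags.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""

def exposure(conf_text):
    """Map each advisory to True if the condition from the reply is present."""
    seen = list(directives(conf_text))
    listens = {args for name, args in seen if name == "listen"}
    # Config can only show that proxying is enabled; whether an IPv6 FTP
    # site is reached through it depends on traffic, so this is a superset.
    proxying = any(
        (name == "proxyrequests" and args.lower() == "on") or name == "proxypass"
        for name, args in seen
    )
    return {
        "CAN-2003-0192": any(name == "sslciphersuite" for name, _ in seen),
        "CAN-2003-0254": proxying,
        "CAN-2003-0253": len(listens) > 1,
    }

if __name__ == "__main__":
    for advisory, relevant in exposure(SAMPLE_CONF).items():
        print(advisory, "condition present" if relevant else "condition absent")
```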



