
Vulnerability Bulletins


Buffer overflow in the mod_proxy module for Apache

Classification of the vulnerability

Property                  Value
Confidence level          Official
Impact                    Obtain access
Difficulty                Expert
Attacker requirements     Remote access without an account to an exotic service

System information

Property                  Value
Affected vendor           GNU/Linux
Affected software         Apache 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26

Description

A buffer overflow vulnerability has been discovered in the mod_proxy module for Apache. The vulnerability lies in the handling of 'Content-Length' headers.

Exploiting this vulnerability could allow a remote attacker to execute code remotely on some BSD platforms, provided the attacker can cause an Apache installation configured as a proxy to connect to a specially crafted site.
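As an added illustration (not part of this bulletin and not Apache's source code), the contrast below shows why an unchecked, signed parse of a Content-Length value is dangerous and how a strict parser rejects negative, malformed and oversized values before they can be used as a copy length. The function names, the 65536-byte limit in the wrapper's callers, and the weak "naive" pattern are assumptions chosen for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Weak pattern (illustrative only, not Apache's code): a signed parse that
 * silently accepts "-1". Once that value reaches a size_t parameter it
 * becomes SIZE_MAX, so any copy bounded by it is effectively unbounded. */
int naive_content_length(const char *value)
{
    return atoi(value);
}

/* Hardened parse: returns 0 and stores the length in *out only when the
 * value is a plain non-negative decimal number (optional surrounding
 * spaces/tabs allowed) no larger than max_len; returns -1 otherwise. */
int strict_content_length(const char *value, size_t max_len, size_t *out)
{
    const char *p = value;
    char *end;
    unsigned long long n;
    while (*p == ' ' || *p == '\t')   /* skip leading HTTP OWS */
        p++;
    /* Require a digit first: this rejects "", "-1" and "+5", which
     * strtoull would otherwise accept (and wrap "-1" to a huge value). */
    if (!isdigit((unsigned char)*p))
        return -1;
    errno = 0;
    n = strtoull(p, &end, 10);
    if (errno == ERANGE)
        return -1;                    /* numeric overflow */
    while (*end == ' ' || *end == '\t')   /* only trailing OWS allowed */
        end++;
    if (*end != '\0')
        return -1;                    /* junk such as "12abc" */
    if (n > max_len)
        return -1;                    /* larger than the buffer on hand */
    *out = (size_t)n;
    return 0;
}

/* Single-return wrapper: the accepted length, or -1 when rejected. */
long long checked_content_length(const char *value, size_t max_len)
{
    size_t n = 0;
    return strict_content_length(value, max_len, &n) == 0 ? (long long)n : -1;
}
```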

Solution

If you wish, apply your distribution's own update mechanisms, or download the software sources and compile them yourself.


Security update

Apache
Apache httpd 1.3.34
http://httpd.apache.org/download.cgi

OpenBSD
OpenBSD 3.4
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/025_httpd3.patch
OpenBSD 3.5
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/013_httpd.patch

Red Hat Linux

Red Hat Enterprise Linux AS (v. 2.1)
SRPMS
apache-1.3.27-8.ent.src.rpm
mod_ssl-2.8.12-4.src.rpm
i386
apache-1.3.27-8.ent.i386.rpm
apache-devel-1.3.27-8.ent.i386.rpm
apache-manual-1.3.27-8.ent.i386.rpm
mod_ssl-2.8.12-4.i386.rpm
ia64
apache-1.3.27-8.ent.ia64.rpm
apache-devel-1.3.27-8.ent.ia64.rpm
apache-manual-1.3.27-8.ent.ia64.rpm
mod_ssl-2.8.12-4.ia64.rpm
https://rhn.redhat.com/

Red Hat Enterprise Linux ES (v. 2.1)
SRPMS
apache-1.3.27-8.ent.src.rpm
mod_ssl-2.8.12-4.src.rpm
i386
apache-1.3.27-8.ent.i386.rpm
apache-devel-1.3.27-8.ent.i386.rpm
apache-manual-1.3.27-8.ent.i386.rpm
mod_ssl-2.8.12-4.i386.rpm
https://rhn.redhat.com/

Red Hat Enterprise Linux WS (v. 2.1)
SRPMS
apache-1.3.27-8.ent.src.rpm
mod_ssl-2.8.12-4.src.rpm
i386
apache-1.3.27-8.ent.i386.rpm
apache-devel-1.3.27-8.ent.i386.rpm
apache-manual-1.3.27-8.ent.i386.rpm
mod_ssl-2.8.12-4.i386.rpm
https://rhn.redhat.com/

Red Hat Linux Advanced Workstation 2.1 Itanium Processor
SRPMS
apache-1.3.27-8.ent.src.rpm
mod_ssl-2.8.12-4.src.rpm
ia64
apache-1.3.27-8.ent.ia64.rpm
apache-devel-1.3.27-8.ent.ia64.rpm
apache-manual-1.3.27-8.ent.ia64.rpm
mod_ssl-2.8.12-4.ia64.rpm
https://rhn.redhat.com/

Debian Linux

Debian Linux 3.0
Source
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5.dsc
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5.diff.gz
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26.orig.tar.gz
Architecture-independent packages
http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.26-0woody5_all.deb
Alpha
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_alpha.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_alpha.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_alpha.deb
ARM
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_arm.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_arm.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_arm.deb
Intel IA-32
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_i386.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_i386.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_i386.deb
Intel IA-64
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_ia64.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_ia64.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_ia64.deb
HP Precision
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_hppa.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_hppa.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_hppa.deb
Motorola 680x0
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_m68k.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_m68k.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_m68k.deb
Big endian MIPS
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_mips.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_mips.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_mips.deb
Little endian MIPS
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_mipsel.deb
PowerPC
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_powerpc.deb
IBM S/390
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_s390.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_s390.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_s390.deb
Sun Sparc
http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_sparc.deb
http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_sparc.deb
http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_sparc.deb

Mandrake Linux

Mandrakelinux 9.1
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache-1.3.27-8.3.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache-devel-1.3.27-8.3.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache-modules-1.3.27-8.3.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/RPMS/apache-source-1.3.27-8.3.91mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.1/SRPMS/apache-1.3.27-8.3.91mdk.src.rpm
PPC
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache-1.3.27-8.3.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache-devel-1.3.27-8.3.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache-modules-1.3.27-8.3.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/RPMS/apache-source-1.3.27-8.3.91mdk.ppc.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/ppc/9.1/SRPMS/apache-1.3.27-8.3.91mdk.src.rpm

Mandrakelinux 9.2
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache-1.3.28-3.3.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache-devel-1.3.28-3.3.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache-modules-1.3.28-3.3.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/RPMS/apache-source-1.3.28-3.3.92mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/9.2/SRPMS/apache-1.3.28-3.3.92mdk.src.rpm
AMD64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache-1.3.28-3.3.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache-devel-1.3.28-3.3.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache-modules-1.3.28-3.3.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/RPMS/apache-source-1.3.28-3.3.92mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/9.2/SRPMS/apache-1.3.28-3.3.92mdk.src.rpm

Mandrakelinux 10.0
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache-1.3.29-1.2.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache-devel-1.3.29-1.2.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache-modules-1.3.29-1.2.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/apache-source-1.3.29-1.2.100mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/apache-1.3.29-1.2.100mdk.src.rpm
AMD64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache-1.3.29-1.2.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache-devel-1.3.29-1.2.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache-modules-1.3.29-1.2.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/apache-source-1.3.29-1.2.100mdk.amd64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/SRPMS/apache-1.3.29-1.2.100mdk.src.rpm

Corporate Server 2.1
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-1.3.26-7.2.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-common-1.3.26-7.2.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-devel-1.3.26-7.2.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-manual-1.3.26-7.2.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-modules-1.3.26-7.2.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/apache-source-1.3.26-7.2.C21mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/SRPMS/apache-1.3.26-7.2.C21mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-1.3.26-7.2.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-common-1.3.26-7.2.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-devel-1.3.26-7.2.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-manual-1.3.26-7.2.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-modules-1.3.26-7.2.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/apache-source-1.3.26-7.2.C21mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/SRPMS/apache-1.3.26-7.2.C21mdk.src.rpm

HP

HP-UX B.11.04 Virtualvault A.04.70
PHSS_30944
PHSS_31058

HP-UX B.11.04 Virtualvault A.04.60
PHSS_30946
PHSS_31057

HP-UX B.11.04 Virtualvault A.04.50
PHSS_30647
PHSS_30648

HP-UX B.11.04 HP Webproxy A.02.10
PHSS_30950

HP-UX B.11.04 HP Webproxy A.02.00
PHSS_30949

HP-UX 11.04 / VirtualVault 4.7
Install PHSS_32140, PHSS_32182

HP-UX 11.04 / Virtualvault 4.6
Install PHSS_32206, PHSS_32183

HP-UX 11.04 / VirtualVault 4.5
Install PHSS_32141, PHSS_32184

HP Webproxy A.02.10
Install PHSS_32362

HP Webproxy A.02.00
Install PHSS_32363

Sun

Solaris 9
SPARC
http://sunsolve.sun.com/search/document.do?assetkey=1-21-113146-05-1
x86
http://sunsolve.sun.com/search/document.do?assetkey=1-21-114145-04-1

Solaris 8
SPARC
http://sunsolve.sun.com/search/document.do?assetkey=1-21-116973-01-1
x86
http://sunsolve.sun.com/search/document.do?assetkey=1-21-116974-01-1

SUN
SPARC Platform
Solaris 8 with patch 116973-02 or later
x86 Platform
Solaris 8 with patch 116974-02 or later

SPARC Platform
Solaris 8 with patch 116973-02 or later
Solaris 9 with patch 113146-05 or later
x86 Platform
Solaris 8 with patch 116974-02 or later
Solaris 9 with patch 114145-04 or later

Standard identifiers

Property                  Value
CVE                       CAN-2004-0492
BID

Additional resources

Overview of security vulnerabilities in Apache httpd 1.3
http://www.apacheweek.com/features/security-13

Apache 1.3.34
http://httpd.apache.org/download.cgi

OpenBSD Security Advisories
http://www.openbsd.org/security.html

Red Hat Security Advisory RHSA-2004:245-14
https://rhn.redhat.com/errata/RHSA-2004-245.html

Debian Security Advisory DSA 525-1
http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00126.html

Mandrakesoft Security Advisory MDKSA-2004:065
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:065

HP SECURITY BULLETIN HPSBUX01057
http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01057

HP SECURITY BULLETIN HPSBUX01113
http://www8.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01113

Sun(sm) Alert Notification 57628
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1&searchclause=

Sun Alert Notification (101841)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1&searchclause=%22category:security%22%20%22availability,%20security%22%20category:security

Sun Alert Notification (101555)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1&searchclause=%22category:security%22%20%22availability,%20security%22%20category:security.com

Version history

Version   Comment                                            Date
1.0       Advisory issued                                    2004-06-11
1.1       Advisory issued by OpenBSD                         2004-06-14
1.2       Advisory issued by Red Hat (RHSA-2004:245-14)      2004-06-15
1.3       Advisory issued by Debian (DSA 525-1)              2004-06-28
1.4       Advisory issued by Mandrake (MDKSA-2004:065)       2004-06-30
1.5       Advisory issued by HP (HPSBUX01057)                2004-07-12
1.6       Advisory issued by Sun (57628)                     2004-09-09
1.7       Advisory updated by Sun (57628)                    2004-10-13
1.8       Advisory issued by HP (HPSBUX01113)                2005-01-31
1.9       Advisory updated by SUN (101841)                   2005-08-12
1.10      Advisory updated by SUN (101555)                   2005-08-19
1.11      Apache httpd 1.3.34 published                      2005-11-02
Ministry of Defence
CNI
CCN
CCN-CERT