[3978] in WWW Security List Archive


Re: Security release: Apache 1.1.2 (fwd)

daemon@ATHENA.MIT.EDU (Michael Brennen)
Tue Jan 14 12:17:53 1997

Date: Tue, 14 Jan 1997 08:54:19 -0600 (CST)
From: Michael Brennen <mbrennen@fni.com>
To: Daniel Rinehart <danielr@ccs.neu.edu>
cc: www security <www-security@ns2.rutgers.edu>
In-Reply-To: <Pine.SUN.3.95.970113221242.27203C-100000@stockberg.ccs.neu.edu>
Errors-To: owner-www-security@ns2.rutgers.edu


Don't install the directory patch; it will break CGI execution.  I have
not looked into the patch to determine why.  Stronghold has apparently
already released a modified directory patch that doesn't break CGI; I
expect Apache will follow shortly (if it isn't already in the rest of my
inbox that I haven't gotten to yet.)

   -- Michael    (mbrennen@fni.com)

On Mon, 13 Jan 1997, Daniel Rinehart wrote:

> 	For those not on the Apache Announcement list this was recently
> sent out. Note: the file attachments were removed.
> 
> - Daniel R. <danielr@ccs.neu.edu>
> 
> Date: Sun, 12 Jan 1997 16:58:43 -0800 (PST)
> From: Brian Behlendorf <brian@organic.com>
> To: apache-announce@apache.org
> Subject: Security release: Apache 1.1.2
> 
> Two security problems have been noticed in the Apache 1.1.1 code base:
> 
> 1) A hole in mod_cookies which allows outside users to attempt to
> scribble the memory stack used by Apache, which could lead to the
> granting of shell access to an outsider as the same user the httpd
> children are.  Mod_cookies is *not* compiled into the server by default -
> if you did not uncomment the mod_cookies line in your Configuration, you
> are not at risk from this hole.
> 
> 2) mod_dir contains a bug whereby carefully crafted URLs can cause a
> search for an "index.html" in a directory to fail, even when one exists,
> thereby bypassing index.html and providing an index of files in a directory.
> If you do not allow "Indexes" as an argument to "Options" (the "All"
> argument includes "Indexes", too) you are not at risk from this hole.
> .....
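
The two exposure conditions stated in the quoted announcement (mod_cookies uncommented in Configuration; "Indexes" or "All" given to "Options") can be checked mechanically. The following is an added example, not part of the original messages and not Apache code. It assumes modules are enabled by uncommented lines naming mod_cookies in the build Configuration file, and that a "+"/"-" prefix on an Options argument adds or removes it; the sample inputs are constructed.

```python
import re

def mod_cookies_enabled(configuration_text):
    """Line numbers of uncommented lines that name mod_cookies."""
    hits = []
    for n, line in enumerate(configuration_text.splitlines(), 1):
        active = line.split("#", 1)[0]          # ignore commented-out text
        if re.search(r"\bmod_cookies\b", active):
            hits.append(n)
    return hits

def options_allowing_indexes(conf_text):
    """(line number, directive) for Options lines that allow Indexes.

    "All" counts because it includes Indexes. A line mixing "All" with
    "-Indexes" is still reported, so it gets a manual look.
    """
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        words = line.split("#", 1)[0].split()
        if not words or words[0].lower() != "options":
            continue
        args = [w.lower().lstrip("+") for w in words[1:]]  # "-indexes" stays negative
        if "indexes" in args or "all" in args:
            hits.append((n, " ".join(words)))
    return hits

# Constructed sample of a build Configuration file (format is an assumption).
SAMPLE_CONFIGURATION = """\
Module dir_module mod_dir.o
# Module cookies_module mod_cookies.o
Module cgi_module mod_cgi.o
"""

# Constructed sample of a run-time access configuration.
SAMPLE_ACCESS_CONF = """\
<Directory /usr/local/etc/httpd/htdocs>
Options Indexes FollowSymLinks
</Directory>
<Directory /usr/local/etc/httpd/cgi-bin>
Options ExecCGI
</Directory>
<Directory /home/*/public_html>
Options All   # includes Indexes
</Directory>
"""

if __name__ == "__main__":
    print("mod_cookies enabled on lines:", mod_cookies_enabled(SAMPLE_CONFIGURATION))
    for n, directive in options_allowing_indexes(SAMPLE_ACCESS_CONF):
        print("line %d allows directory indexes: %s" % (n, directive))
```

The same Options check applies to any per-directory override files the server honours, since they can carry the directive too.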

