Slashdot Mirror


SecurityFocus Updates 2 Apache Vulnerabilities

michael path writes "SecurityFocus released two updated Apache vulnerabilities, one affecting 2.0.x (a DOS vulnerability), the other affecting both the 1.3.x and 2.0.x revisions (a buffer overflow). IBM HTTP Server is also affected by these vulnerabilities in similar version numbers."


  1. phew by roll_w.it · · Score: 5, Informative

    from my logs
    [Mon Apr 12 16:29:53 2004] [error] [client 64.229.154.62] request failed: URI too long

    from the article
    not vulnerable
    Apache Software Foundation Apache 1.3.29
    Apache Software Foundation Apache 2.0.48
    + Trustix Secure Linux 2.0
    + Trustix Secure Linux 2.1

    From my machine
    $ httpd -v
    Server version: Apache/1.3.29 (Unix)
    Server built: Nov 3 2003 19:54:39

  2. OS X by b1t+r0t · · Score: 4, Informative

    For those of you running OS X who don't want to scroll through the three thousand lines of version information in the securityfocus.com link, if you're running 10.3.3 you should be fine, because 10.3.3 uses Apache 1.3.29.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  3. Old news by slive · · Score: 5, Informative

    These are both rather old.

    If you want more complete information about
    apache security issues, a better source is
    http://www.apacheweek.com/features/security-20
    and
    http://www.apacheweek.com/features/security-13

  4. That's a different bug. by Inoshiro · · Score: 3, Informative

    If you actually check your access_log for the partner entry, you'll see it's a request for the SEARCH command which seems to be a new IIS exploit heading around. My vulnerable 1.3.28 also spits out:
    [Sun Apr 11 00:45:43 2004] [error] [client 24.78.143.66] request failed: URI too long

    You haven't identified the problem at all. I just wish there was an easy way to filter out those requests before they hit my Apache and crapfill my logs.

    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  5. Some information is incorrect. by Inoshiro · · Score: 2, Informative

    Slackware-current has Apache 1.3.29, which happens to be the version listed as not vulnerable.

    If you're running Slack, just download the source, run apache.SlackBuild, and upgradepkg to become non-vulnerable.

    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
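
The log check described in comment 4 (finding the access_log partner of an error_log "URI too long" entry to see which request method caused it), as an added example that is not part of the original thread. The sample log lines, the 192.0.2.x client addresses, the 414 status and the `partner_entries` helper are constructed for illustration, and both logs are assumed to be written in server-local time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data; addresses are from the documentation range 192.0.2.0/24.
ERROR_LOG = """\
[Sun Apr 11 00:45:43 2004] [error] [client 192.0.2.10] request failed: URI too long
[Sun Apr 11 03:10:02 2004] [error] [client 192.0.2.77] File does not exist: /var/www/favicon.ico
[Mon Apr 12 16:29:53 2004] [error] [client 192.0.2.23] request failed: URI too long
"""
ACCESS_LOG = """\
192.0.2.10 - - [11/Apr/2004:00:45:43 -0600] "SEARCH /AAAAAAAAAAAAAAAA" 414 339
192.0.2.77 - - [11/Apr/2004:03:10:02 -0600] "GET /favicon.ico HTTP/1.1" 404 284
192.0.2.23 - - [12/Apr/2004:16:29:52 -0600] "SEARCH /AAAAAAAAAAAAAAAA" 414 339
192.0.2.23 - - [12/Apr/2004:16:31:00 -0600] "GET / HTTP/1.1" 200 1456
"""

ERR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] request failed: URI too long')
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def parse_access(text):
    """Yield (client, time, method, status) for each parsable access_log line."""
    for line in text.splitlines():
        m = ACC_RE.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")  # offset ignored: local time
            method = m["req"].split(" ", 1)[0] if m["req"] else "-"
            yield m["ip"], when, method, int(m["status"])

def partner_entries(error_text, access_text, window=timedelta(seconds=2)):
    """Pair each 'URI too long' error with the same client's request near that time."""
    access = list(parse_access(access_text))
    pairs = []
    for line in error_text.splitlines():
        m = ERR_RE.match(line)
        if not m:
            continue  # other error types are not part of this check
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hits = [a for a in access if a[0] == m["ip"] and abs(a[1] - when) <= window]
        # An error with no partner is kept with method None so the gap stays visible.
        method, status = (hits[0][2], hits[0][3]) if hits else (None, None)
        pairs.append((m["ip"], when.isoformat(sep=" "), method, status))
    return pairs

if __name__ == "__main__":
    for row in partner_entries(ERROR_LOG, ACCESS_LOG):
        print(row)
```
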