mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.

New apache packages are available for Slackware 8.1, 9.0, 9.1, and
-current to fix security issues. These include a possible denial-of-service attack as well as the ability to possible pipe shell escapes through Apache's errorlog (which could create an exploit if the error log is read in a terminal program that does not filter such escapes). We recommend that sites running Apache upgrade to the new Apache package.

Updated apache and mod_ssl packages that fix various minor security issues and bugs in the Apache Web server are now available for Red Hat Enterprise Linux 2.1.

The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

A buffer overflow was discovered in the mod_include module. This flaw could allow a local user who is authorized to create server-side include (SSI) files to gain the privileges of a httpd child (user 'apache'). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0940 to this issue.

The mod_digest module does not properly verify the nonce of a client response by using a AuthNonce secret. This could allow a malicious user who is able to sniff network traffic to conduct a replay attack against a website using Digest protection. Note that mod_digest implements an older version of the MD5 Digest Authentication specification, which is known not to work with modern browsers. This issue does not affect mod_auth_digest. (CVE-2003-0987).

An issue has been discovered in the mod_ssl module when configured to use the 'SSLCipherSuite' directive in a directory or location context.
If a particular location context has been configured to require a specific set of cipher suites, then a client is able to access that location using any cipher suite allowed by the virtual host configuration. (CVE-2004-0885).

Several bugs in mod_ssl were also discovered, including :

  - memory leaks in SSL variable handling

  - possible crashes in the dbm and shmht session caches

Red Hat Enterprise Linux 2.1 users of the Apache HTTP Server should upgrade to these erratum packages, which contains Apache version 1.3.27 with backported patches correcting these issues.

The remote host is missing Security Update 2004-12-02. This security update contains a number of enhancements for the following programs :

 - Apache
 - Apache2
 - AppKit
 - Cyrus IMAP
 - HIToolbox
 - Kerberos
 - Postfix
 - PSNormalizer
 - QuickTime Streaming Server
 - Safari
 - Terminal

The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs :

  - Apache
  - Apache2
  - AppKit
  - Cyrus IMAP
  - HIToolbox
  - Kerberos
  - Postfix
  - PSNormalizer
  - QuickTime Streaming Server
  - Safari
  - Terminal

These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.

SunOS 5.8_x86: Apache Patch.
Date this patch was last updated by Sun : Apr/23/08

SunOS 5.8: Apache Patch.
Date this patch was last updated by Sun : Apr/24/08

The remote host is affected by the vulnerability described in GLSA-200405-22 (Apache 1.3: Multiple vulnerabilities)

    On 64-bit big-endian platforms, mod_access does not properly parse     Allow/Deny rules using IP addresses without a netmask which could result in     failure to match certain IP addresses.
    Terminal escape sequences are not filtered from error logs. This could be     used by an attacker to insert escape sequences into a terminal emulator     vulnerable to escape sequences.
    mod_digest does not properly verify the nonce of a client response by using     a AuthNonce secret. This could permit an attacker to replay the response of     another website. This does not affect mod_auth_digest.
    On certain platforms there is a starvation issue where listening sockets     fails to handle short-lived connection on a rarely-accessed listening     socket. This causes the child to hold the accept mutex and block out new     connections until another connection arrives on the same rarely-accessed     listening socket thus leading to a denial of service.
  Impact :

    These vulnerabilities could lead to attackers bypassing intended access     restrictions, denial of service, and possibly execution of arbitrary code.
  Workaround :

    There is no known workaround at this time.

Four security vulnerabilities were fixed with the 1.3.31 release of Apache. All of these issues have been backported and applied to the provided packages. Thanks to Ralf Engelschall of OpenPKG for providing the patches.

Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences from its error logs. This could make it easier for attackers to insert those sequences into the terminal emulators of administrators viewing the error logs that contain vulnerabilities related to escape sequence handling (CVE-2003-0020).

mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the nonce of a client response by using an AuthNonce secret. Apache now verifies the nonce returned in the client response to check whether it was issued by itself by means of a 'AuthDigestRealmSeed' secret exposed as an MD5 checksum (CVE-2003-0987).

mod_access in Apache 1.3 prior to 1.3.30, when running on big-endian 64-bit platforms, did not properly parse Allow/Deny rules using IP addresses without a netmask. This could allow a remote attacker to bypass intended access restrictions (CVE-2003-0993).

Apache 1.3 prior to 1.3.30, when using multiple listening sockets on certain platforms, allows a remote attacker to cause a DoS by blocking new connections via a short-lived connection on a rarely-accessed listening socket (CVE-2004-0174). While this particular vulnerability does not affect Linux, we felt it prudent to include the fix.

Update :

Due to the changes in mod_digest.so, mod_perl needed to be rebuilt against the patched Apache packages in order for httpd-perl to properly load the module. The appropriate mod_perl packages have been rebuilt and are now available.

SunOS 5.9_x86: Apache Security Patch.
Date this patch was last updated by Sun : Mar/05/10

SunOS 5.9: Apache Security Patch.
Date this patch was last updated by Sun : Mar/05/10

ID	Name	Product	Family	Severity
18787	Slackware 8.1 / 9.0 / 9.1 / current : apache (SSA:2004-133-01)	Nessus	Slackware Local Security Checks	high
15960	RHEL 2.1 : apache, mod_ssl (RHSA-2004:600)	Nessus	Red Hat Local Security Checks	high
2444	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)	Nessus Network Monitor	Web Clients	high
15898	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)	Nessus	MacOS X Local Security Checks	high
15483	Solaris 8 (x86) : 116974-07	Nessus	Solaris Local Security Checks	critical
15482	Solaris 8 (sparc) : 116973-07	Nessus	Solaris Local Security Checks	critical
14508	GLSA-200405-22 : Apache 1.3: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
14145	Mandrake Linux Security Advisory : apache-mod_perl (MDKSA-2004:046-1)	Nessus	Mandriva Local Security Checks	high
13593	Solaris 9 (x86) : 114145-12	Nessus	Solaris Local Security Checks	critical
13530	Solaris 9 (sparc) : 113146-13	Nessus	Solaris Local Security Checks	critical
800800	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)	Log Correlation Engine	Operating System Detection	medium

Detections

Analytics

CVE-2003-0987

high

Tenable Plugins

high

high

high

high

critical

critical

high

high

critical

critical

medium