SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: MDKSA-2003:096 - Updated apache2 packages fix CGI scripting deadlock Date: Sep 26 2003 11:03PM Author: Mandrake Linux Security Team Message-ID: <20030926230312.21849.qmail@updates.mandrakesoft.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ Mandrake Linux Security Update Advisory ________________________________________________________________________ Package name: apache2 Advisory ID: MDKSA-2003:096 Date: September 26th, 2003 Affected versions: 9.1 ________________________________________________________________________ Problem Description: A problem was discovered in Apache2 where CGI scripts that output more than 4k of output to STDERR will hang the script's execution which can cause a Denial of Service on the httpd process because it is waiting for more input from the CGI that is not forthcoming due to the locked write() call in mod_cgi. On systems that use scripts that output more than 4k to STDERR, this could cause httpd processes to hang and once the maximum connection limit is reached, Apache will no longer respond to requests. The updated packages provided use the latest mod_cgi.c from the Apache 2.1 CVS version. Users may have to restart apache by hand after the upgrade by issuing a "service httpd restart". ________________________________________________________________________ References: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030 ________________________________________________________________________ Updated Packages: Mandrake Linux 9.1: bcd0c73afb901bced97ee201aeb24f1a 9.1/RPMS/apache2-2.0.47-1.3.91mdk.i586.rpm 38379cd70d8e452f6b582b9e4ff59be4 9.1/RPMS/apache2-common-2.0.47-1.3.91mdk.i586.rpm b44270899ca67a657c870a57baba3e2e 9.1/RPMS/apache2-devel-2.0.47-1.3.91mdk.i586.rpm 21e9c7f6d4649a1f2c60e2213e3d9d87 9.1/RPMS/apache2-manual-2.0.47-1.3.91mdk.i586.rpm cbcb9f567273fe80ad754ba5338825a6 9.1/RPMS/apache2-mod_dav-2.0.47-1.3.91mdk.i586.rpm 1940d731a5bde39f3a8c1609b5623330 9.1/RPMS/apache2-mod_ldap-2.0.47-1.3.91mdk.i586.rpm 5508b5bef150a88e80535d9230113735 9.1/RPMS/apache2-mod_ssl-2.0.47-1.3.91mdk.i586.rpm 56267cf09af350b8a383abc2b9ebedbc 9.1/RPMS/apache2-modules-2.0.47-1.3.91mdk.i586.rpm f7ff9796a95d63dc5691ea434fb0efa3 9.1/RPMS/apache2-source-2.0.47-1.3.91mdk.i586.rpm 859c7126af782efa3dcebbda669d7f5d 9.1/RPMS/libapr0-2.0.47-1.3.91mdk.i586.rpm 60261a3a810ceee306cd6bdd1baf3af1 9.1/SRPMS/apache2-2.0.47-1.3.91mdk.src.rpm Mandrake Linux 9.1/PPC: 81fa02d2441b1ad2a59073fae3618923 ppc/9.1/RPMS/apache2-2.0.47-1.3.91mdk.ppc.rpm d903f0a0e9d6d2aa90bc14bb2452dc1b ppc/9.1/RPMS/apache2-common-2.0.47-1.3.91mdk.ppc.rpm 0ecc1e79b817d1efe346211dda9090de ppc/9.1/RPMS/apache2-devel-2.0.47-1.3.91mdk.ppc.rpm 398c1db00d0fb47fb57d0a217d1a63f4 ppc/9.1/RPMS/apache2-manual-2.0.47-1.3.91mdk.ppc.rpm 7adfa25d0d80e968c95306a70e60cfdb ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.3.91mdk.ppc.rpm e524f04403d6634d970261bae094b545 ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.3.91mdk.ppc.rpm c76c5664ff6594c2857e32b3ea62e280 ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.3.91mdk.ppc.rpm dce9ebbf7059a0194285467615d52b94 ppc/9.1/RPMS/apache2-modules-2.0.47-1.3.91mdk.ppc.rpm 9a7d2c7b8b3eeb8a566fa713a629d20f ppc/9.1/RPMS/apache2-source-2.0.47-1.3.91mdk.ppc.rpm 9e98058a1154352d3e8bbe5f74536c1e ppc/9.1/RPMS/libapr0-2.0.47-1.3.91mdk.ppc.rpm 60261a3a810ceee306cd6bdd1baf3af1 ppc/9.1/SRPMS/apache2-2.0.47-1.3.91mdk.src.rpm ________________________________________________________________________ Bug IDs fixed (see https://qa.mandrakesoft.com for more information): ________________________________________________________________________ To upgrade automatically, use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team by executing: gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98 Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrake Linux at: http://www.mandrakesecure.net/en/advisories/ MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE/dMWvmqjQ0CJFipgRAg7mAKCKnd0X7NWGXzqIQ3iJCVJgmKZJJACgrSqR SFlz34CEPL/8FG3WzrHTOaI= =TH/h -----END PGP SIGNATURE----- Want to link to this message? Use this URL: Disclaimer, Terms & Conditions About this List Featured Lists: ARIS Users bugtraq bugtraq-es bugtraq-french NEW bugtraq-jp firewalls focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics forensics-es honeypots incidents libnet pen-test secevents secpapers secprog sectools secureshell security-basics security-management NEW securityjobs vpn vuln-dev webappsec Newsletters: sf-news ms-secnews linux-secnews [ more . . . ] Privacy Statement Copyright © 1999-2003 SecurityFocus