Bugtraq mailing list archives
Stronghold v1.3.3: Security Release
From: hamors () litterbox org (Sean B. Hamor)
Date: Mon, 13 Jan 1997 15:21:03 -0500
-----BEGIN PGP SIGNED MESSAGE----- I received this from C2Net's Stronghold mailing list. Figured it would be of interest even though the Apache hole has already been mentioned. Finger hamors () ishiboo com /\_/\ mailto:hamors () litterbox org for PGP public key block. ( o.o ) http://www.ishiboo.com/~hamors/ alt.litterbox, The Home of TOCA > ^ < http://www.litterbox.org/~hamors/ - ---------- Forwarded message ---------- Date: Sun, 12 Jan 1997 19:25:55 -0800 (PST) From: Eric Thomas <ethomas () c2 net> Reply-To: stronghold-support () c2 net To: stronghold-announce () c2 net Subject: Stronghold v1.3.3: Security Release [This message is going out to everyone who has registered for a Stronghold download, as well as the stronghold-announce mailing list.] Over the course of the past few days, two security holes were found in Apache 1.1.1. Because Stronghold v1.3.2 is based on Apache 1.1.1, the security holes are also present in Stronghold v1.3.2. The Apache Group has released Apache 1.1.2, and we are now releasing Stronghold v1.3.3, both of which incorporate fixes to the two holes found. 1) A hole in mod_cookies which allows outside users to scribble the memory stack, possibly allowing the user to execute instructions on the server as the user the httpsd children run as. Thanks to Secure Networks for advising us of this hole ahead of time and providing a patch for the problem. 2) A hole in mod_dir which causes long URL's of a particular pattern to cause a "not found" error when looking for an index.html in a directory, and thus returning a complete list of the directory content. Thanks to Henry Strickland for finding this bug. If you are running Stronghold v1.3.2, you must do one of the following: 1) Download a copy of Stronghold 1.3.3 and run the "UPGRADE.sh". The latest version of Stronghold is available at http://stronghold.c2.net/get/download/. Full 1.3.3 packages are not yet available for all supported platforms. If your platform is not yet available, apply the Stronghold patch. 2) Apply the Stronghold patch against Stronghold version 1.3.2 which is available at http://stronghold.c2.net/support/ups_and_bugs.php 3) Discontinue use of the cookie module and turn the "Indexing" option off. If you are running a version older than 1.3.2, please upgrade to Stronghold 1.3.2 immediately. Stronghold v2.0b1 is not susceptible to the mod_cookies bug, but is susceptible to the directory indexing bug. The next Stronghold 2.0 beta will incorporate a fix to the directory indexing bug. Information on the mod_cookies bug is available at ftp://ftp.secnet.com/pub/advisories/APACHE_MOD.advisory.1.13.97. Commercial and commercial evaluation users of Stronghold may obtain free email support regarding upgrade, patch, and workaround issues by sending email to stronghold-support () c2 net. We would just like to conclude by saying that these holes have been discovered not because Stronghold is necessarily more buggy than other servers, but because source code is available to everyone, and thus it's easier to look for holes. Very similar holes may exist in other commercial servers, but without source no one outside the companies who own the code can know for sure, save for those who are actively exploiting them. [Portions of this announcement have been taken from the Apache Group security update announcement] - -- Eric Thomas Voice: 510-986-8770 Technical Support Manager FAX: 510-986-8777 C2Net http://www.c2.net/ ethomas () c2 net -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQEVAwUBMtqZNTU6HlxZIJ+FAQGd3gf/R8HDiiNeXNSYeBRFqPXL+kfTEVn1FBZg F4oJsPrkQSGTozL3Mq+zfVt6IVCH9LmMi9UfYOfUYybUaApZbP4/0zhyxVrqdnw4 dmY1VFXCFem1PiN8HOpveOwiQarLRqBAH3DbBI32UYHSR6jcS9uRiPKWpvKZwNKm +xjFe7DduxlRFXktm34YW8nv9gLo261fscmHxin4HWrTL9dxTuIdB1j/Y2GIz/TU fU+SIajcpkUclSur/K9tt8t5rdtx32bQAQg9IZpnX3CzzWjUE6+77JarRRHGiaNv UT4J7aimykGBna3WVF41pU15vJPM4kV5awW/DFn2h3rxEoYxZfdrzA== =M1h4 -----END PGP SIGNATURE-----
Current thread:
- Re: BoS: serious security bug in wu-ftpd v2.4 Dave Kinchlea (Jan 05)
- BoS: serious security bug in wu-ftpd v2.4 -- PATCH Dave Kinchlea (Jan 05)
- Re: BoS: serious security bug in wu-ftpd v2.4 -- PATCH Henrik P Johnson (Jan 12)
- Stronghold v1.3.3: Security Release Sean B. Hamor (Jan 13)
- [linux-security] SECURITY: Important bug fix for /sbin/login Erik Troan (Jan 16)
- Smashing the stack on a DEC Alpha Lamont Granquist (Jan 16)
- Re: Smashing the stack on a DEC Alpha Digital Dreamer (Jan 16)
- Re: Smashing the stack on a DEC Alpha Julian Assange (Jan 16)
- FreeBSD Security Advisory: SA-96:21 - talkd FreeBSD Security Officer (Jan 18)
- Re: FreeBSD Security Advisory: SA-96:21 - talkd Theo de Raadt (Jan 20)
- talkd problem Theo de Raadt (Jan 20)
- Re: talkd problem David Holland (Jan 20)
- Smashing the stack Zygo Blaxell (Jan 20)
- Re: Smashing the stack David Holland (Jan 20)
- BoS: serious security bug in wu-ftpd v2.4 -- PATCH Dave Kinchlea (Jan 05)