Mandrake alert: Updated apache2 packages fix CGI scripting deadlock

Posted by dave on Sep 26, 2003 3:09 PM EDT
Mailing list
Mail this story
Print this story

A problem was discovered in Apache2 where CGI scripts that output more than 4k of output to STDERR will hang the script's execution which can cause a Denial of Service on the httpd process because it is waiting for more input from the CGI that is not forthcoming due to the locked write() call in mod_cgi.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           apache2
Advisory ID:            MDKSA-2003:096
Date:                   September 26th, 2003

Affected versions:	9.1
________________________________________________________________________

Problem Description:

 A problem was discovered in Apache2 where CGI scripts that output more
 than 4k of output to STDERR will hang the script's execution which can
 cause a Denial of Service on the httpd process because it is waiting
 for more input from the CGI that is not forthcoming due to the locked
 write() call in mod_cgi.
 
 On systems that use scripts that output more than 4k to STDERR, this
 could cause httpd processes to hang and once the maximum connection
 limit is reached, Apache will no longer respond to requests. 
 
 The updated packages provided use the latest mod_cgi.c from the Apache
 2.1 CVS version.
 
 Users may have to restart apache by hand after the upgrade by issuing
 a "service httpd restart".
________________________________________________________________________

References:
  
  http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030
________________________________________________________________________

Updated Packages:
  
 Mandrake Linux 9.1:
 bcd0c73afb901bced97ee201aeb24f1a  9.1/RPMS/apache2-2.0.47-1.3.91mdk.i586.rpm
 38379cd70d8e452f6b582b9e4ff59be4  9.1/RPMS/apache2-common-2.0.47-1.3.91mdk.i586.rpm
 b44270899ca67a657c870a57baba3e2e  9.1/RPMS/apache2-devel-2.0.47-1.3.91mdk.i586.rpm
 21e9c7f6d4649a1f2c60e2213e3d9d87  9.1/RPMS/apache2-manual-2.0.47-1.3.91mdk.i586.rpm
 cbcb9f567273fe80ad754ba5338825a6  9.1/RPMS/apache2-mod_dav-2.0.47-1.3.91mdk.i586.rpm
 1940d731a5bde39f3a8c1609b5623330  9.1/RPMS/apache2-mod_ldap-2.0.47-1.3.91mdk.i586.rpm
 5508b5bef150a88e80535d9230113735  9.1/RPMS/apache2-mod_ssl-2.0.47-1.3.91mdk.i586.rpm
 56267cf09af350b8a383abc2b9ebedbc  9.1/RPMS/apache2-modules-2.0.47-1.3.91mdk.i586.rpm
 f7ff9796a95d63dc5691ea434fb0efa3  9.1/RPMS/apache2-source-2.0.47-1.3.91mdk.i586.rpm
 859c7126af782efa3dcebbda669d7f5d  9.1/RPMS/libapr0-2.0.47-1.3.91mdk.i586.rpm
 60261a3a810ceee306cd6bdd1baf3af1  9.1/SRPMS/apache2-2.0.47-1.3.91mdk.src.rpm

 Mandrake Linux 9.1/PPC:
 81fa02d2441b1ad2a59073fae3618923  ppc/9.1/RPMS/apache2-2.0.47-1.3.91mdk.ppc.rpm
 d903f0a0e9d6d2aa90bc14bb2452dc1b  ppc/9.1/RPMS/apache2-common-2.0.47-1.3.91mdk.ppc.rpm
 0ecc1e79b817d1efe346211dda9090de  ppc/9.1/RPMS/apache2-devel-2.0.47-1.3.91mdk.ppc.rpm
 398c1db00d0fb47fb57d0a217d1a63f4  ppc/9.1/RPMS/apache2-manual-2.0.47-1.3.91mdk.ppc.rpm
 7adfa25d0d80e968c95306a70e60cfdb  ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.3.91mdk.ppc.rpm
 e524f04403d6634d970261bae094b545  ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.3.91mdk.ppc.rpm
 c76c5664ff6594c2857e32b3ea62e280  ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.3.91mdk.ppc.rpm
 dce9ebbf7059a0194285467615d52b94  ppc/9.1/RPMS/apache2-modules-2.0.47-1.3.91mdk.ppc.rpm
 9a7d2c7b8b3eeb8a566fa713a629d20f  ppc/9.1/RPMS/apache2-source-2.0.47-1.3.91mdk.ppc.rpm
 9e98058a1154352d3e8bbe5f74536c1e  ppc/9.1/RPMS/libapr0-2.0.47-1.3.91mdk.ppc.rpm
 60261a3a810ceee306cd6bdd1baf3af1  ppc/9.1/SRPMS/apache2-2.0.47-1.3.91mdk.src.rpm
________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________

To upgrade automatically, use MandrakeUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:

  gpg --recv-keys --keyserver http://www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/dMWvmqjQ0CJFipgRAg7mAKCKnd0X7NWGXzqIQ3iJCVJgmKZJJACgrSqR
SFlz34CEPL/8FG3WzrHTOaI=
=TH/h
-----END PGP SIGNATURE-----

  Nav
» Read more about: Story Type: Security; Groups: Mandriva

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.