Bugtraq mailing list archives

Stronghold v1.3.3: Security Release

From: hamors () litterbox org (Sean B. Hamor)
Date: Mon, 13 Jan 1997 15:21:03 -0500


-----BEGIN PGP SIGNED MESSAGE-----

I received this from C2Net's Stronghold mailing list.  Figured it would be
of interest even though the Apache hole has already been mentioned.

Finger hamors () ishiboo com          /\_/\         mailto:hamors () litterbox org
for PGP public key block.         ( o.o )    http://www.ishiboo.com/~hamors/
alt.litterbox, The Home of TOCA    > ^ <   http://www.litterbox.org/~hamors/

- ---------- Forwarded message ----------
Date: Sun, 12 Jan 1997 19:25:55 -0800 (PST)
From: Eric Thomas <ethomas () c2 net>
Reply-To: stronghold-support () c2 net
To: stronghold-announce () c2 net
Subject: Stronghold v1.3.3: Security Release

[This message is going out to everyone who has registered for a
Stronghold download, as well as the stronghold-announce mailing
list.]

Over the course of the past few days, two security holes were found in
Apache 1.1.1. Because Stronghold v1.3.2 is based on Apache 1.1.1, the
security holes are also present in Stronghold v1.3.2. The Apache Group
has released Apache 1.1.2, and we are now releasing Stronghold v1.3.3,
both of which incorporate fixes to the two holes found.

1) A hole in mod_cookies which allows outside users to scribble the
memory stack, possibly allowing the user to execute instructions on
the server as the user the httpsd children run as. Thanks to Secure
Networks for advising us of this hole ahead of time and providing a
patch for the problem.

2) A hole in mod_dir which causes long URL's of a particular pattern
to cause a "not found" error when looking for an index.html in a
directory, and thus returning a complete list of the directory
content. Thanks to Henry Strickland for finding this bug.

If you are running Stronghold v1.3.2, you must do one of the following:

1) Download a copy of Stronghold 1.3.3 and run the "UPGRADE.sh".
   The latest version of Stronghold is available at
   http://stronghold.c2.net/get/download/. Full 1.3.3 packages are
   not yet available for all supported platforms. If your platform is
   not yet available, apply the Stronghold patch.
2) Apply the Stronghold patch against Stronghold version 1.3.2
   which is available at
   http://stronghold.c2.net/support/ups_and_bugs.php
3) Discontinue use of the cookie module and turn the "Indexing" option off.

If you are running a version older than 1.3.2, please upgrade to
Stronghold 1.3.2 immediately.

Stronghold v2.0b1 is not susceptible to the mod_cookies bug, but is
susceptible to the directory indexing bug. The next Stronghold 2.0
beta will incorporate a fix to the directory indexing bug.

Information on the mod_cookies bug is available at
ftp://ftp.secnet.com/pub/advisories/APACHE_MOD.advisory.1.13.97.

Commercial and commercial evaluation users of Stronghold may obtain
free email support regarding upgrade, patch, and workaround issues by
sending email to stronghold-support () c2 net.

We would just like to conclude by saying that these holes have been
discovered not because Stronghold is necessarily more buggy than other
servers, but because source code is available to everyone, and thus
it's easier to look for holes.  Very similar holes may exist in other
commercial servers, but without source no one outside the companies
who own the code can know for sure, save for those who are actively
exploiting them.

[Portions of this announcement have been taken from the Apache Group
security update announcement]

- --
Eric Thomas                                     Voice:   510-986-8770
Technical Support Manager                       FAX:     510-986-8777
C2Net
http://www.c2.net/                              ethomas () c2 net

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQEVAwUBMtqZNTU6HlxZIJ+FAQGd3gf/R8HDiiNeXNSYeBRFqPXL+kfTEVn1FBZg
F4oJsPrkQSGTozL3Mq+zfVt6IVCH9LmMi9UfYOfUYybUaApZbP4/0zhyxVrqdnw4
dmY1VFXCFem1PiN8HOpveOwiQarLRqBAH3DbBI32UYHSR6jcS9uRiPKWpvKZwNKm
+xjFe7DduxlRFXktm34YW8nv9gLo261fscmHxin4HWrTL9dxTuIdB1j/Y2GIz/TU
fU+SIajcpkUclSur/K9tt8t5rdtx32bQAQg9IZpnX3CzzWjUE6+77JarRRHGiaNv
UT4J7aimykGBna3WVF41pU15vJPM4kV5awW/DFn2h3rxEoYxZfdrzA==
=M1h4
-----END PGP SIGNATURE-----

Current thread:

Re: BoS: serious security bug in wu-ftpd v2.4 Dave Kinchlea (Jan 05)
- BoS: serious security bug in wu-ftpd v2.4 -- PATCH Dave Kinchlea (Jan 05)
  - Re: BoS: serious security bug in wu-ftpd v2.4 -- PATCH Henrik P Johnson (Jan 12)
  - Stronghold v1.3.3: Security Release Sean B. Hamor (Jan 13)
  - [linux-security] SECURITY: Important bug fix for /sbin/login Erik Troan (Jan 16)
  - Smashing the stack on a DEC Alpha Lamont Granquist (Jan 16)
    - Re: Smashing the stack on a DEC Alpha Digital Dreamer (Jan 16)
    - Re: Smashing the stack on a DEC Alpha Julian Assange (Jan 16)
    - FreeBSD Security Advisory: SA-96:21 - talkd FreeBSD Security Officer (Jan 18)
    - Re: FreeBSD Security Advisory: SA-96:21 - talkd Theo de Raadt (Jan 20)
    - talkd problem Theo de Raadt (Jan 20)
    - Re: talkd problem David Holland (Jan 20)
    - Smashing the stack Zygo Blaxell (Jan 20)
    - Re: Smashing the stack David Holland (Jan 20)

(Thread continues...)