The Third Party Vulnerability Resolution Blog covers CVEs and patches in Systems product suite.

Sun Alert 101841 Updated Solaris 8 Patches for Apache Security Vulnerabilities

Guest Author
Product: Solaris 8 Operating System

Sun Alerts 57628 and 57496 describe several security vulnerabilities in the Apache web server and modules. The Solaris 8 patches listed in these Sun Alerts did not include some of the Apache module files. Thus several of the vulnerabilities affecting the Apache modules were not completely addressed. The impact of this is that a local or remote unprivileged user may be able to execute arbitrary code on systems running Apache with the privileges of the Apache HTTP process. The Apache HTTP process normally runs as the unprivileged uid "nobody" (uid 60001). The ability to execute arbitrary code as the unprivileged uid "nobody" may lead to modified web content, denial of service, or further compromise.

The Apache module vulnerabilities affected are as follows:

CAN-2003-0987: "mod_digest issue" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987

CAN-2003-0993: "mod_access on 64-bit platforms" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993

CAN-2004-0492: "buffer overflow in mod_proxy" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492

CAN-2003-0542: "buffer overflows in mod_alias and mod_rewrite" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542

Solaris 8 sites running Apache should install the patches below to obtain the complete resolution for the Apache module security issues described in Sun Alerts 57628 and 57496. The Solaris 9 paches listed in Sun Alerts 57628 and 57496 are the complete resolution for these issues.

Avoidance: Patch
State: Resolved
First released: 10-Aug-2005

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.