Updated Apache and mod_ssl packages which fix a number of security issues are now available for iSeries and pSeries systems.
The Apache HTTP Web Server is a secure, efficient, and extensible web server. This erratum provides updated Apache and mod_ssl packages for iSeries and pSeries that correct a number of security issues: Versions of the Apache Web server up to and including 1.3.24 contain a bug in the routines which deal with requests using "chunked" encoding. A carefully crafted invalid request can cause an Apache child process to call the memcpy() function in a way that will write past the end of its buffer, corrupting the stack. On some platforms this can be remotely exploited -- allowing arbitrary code to be run on the server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0392 to this issue. Buffer overflows in the ApacheBench support program (ab.c) in Apache versions prior to 1.3.27, and Apache versions 2.x prior to 2.0.43, allow a malicious Web server to cause a denial of service (DoS) and possibly execute arbitrary code via a long response. (CAN-2002-0843) Two cross-site scripting (XSS) vulnerabilities are present in the error pages for the default "404 Not Found" error and for the error response when a plain HTTP request is received on an SSL port. Both of these issues are only exploitable if the "UseCanonicalName" setting has been changed to "Off" and wildcard DNS is in use. These issues could allow remote attackers to execute scripts as other webpage visitors, for instance, to steal cookies. These issues affect versions of Apache 1.3 before 1.3.26, versions of Apache 2.0 before 2.0.43, and versions of mod_ssl before 2.8.12. (CAN-2002-0840, CAN-2002-1157) The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Versions of mod_ssl prior to 2.8.10 are subject to a single NULL overflow that can cause arbitrary code execution. (CAN-2002-0653) The shared memory scoreboard in the HTTP daemon for Apache 1.3, prior to version 1.3.27, allows a user running as the "apache" UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or other such behavior that would not normally be allowed. (CAN-2002-0839). After the updated packages are installed, restart the httpd service by running the following command: /sbin/service httpd restart