copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
Search this site

On this site

 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login


ESB-2001.516 -- RHSA-2001:126-27 -- Updated apache packages available

Date: 05 December 2001
References: ESB-2001.532  

Click here for printable version
Click here for PGP verifiable version

             AUSCERT External Security Bulletin Redistribution

                     ESB-2001.516 -- RHSA-2001:126-27
                     Updated apache packages available
                              5 December 2001


        AusCERT Security Bulletin Summary

Product:                apache
Vendor:                 Red Hat
Operating System:       Red Hat Linux 6.2
                        Red Hat Linux 7.0
                        Red Hat Linux 7.1
                        Red Hat Linux 7.2
Platform:               Alpha
Impact:                 Inappropriate Access
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- ---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated apache packages available
Advisory ID:       RHSA-2001:126-27
Issue date:        2001-10-09
Updated on:        2001-12-04
Product:           Red Hat Linux
Keywords:          apache directory listing
Cross references:  
Obsoletes:         RHSA-2000:088
- ---------------------------------------------------------------------

1. Topic:

Updated Apache packages are now available for Red Hat Linux 6.2, 7, 7.1,
and 7.2.  These packages upgrade the Apache Web server to version 1.3.22,
which closes a potential security bug which would present clients with a
listing of the contents of a directory instead of the contents of an index
file, or in case of an error, the error message.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - alpha, i386, ia64

Red Hat Linux 7.2 - i386

3. Problem description:

By using a carefully constructed HTTP request, a server with
mod_negotiation and either mod_dir or mod_autoindex loaded could be tricked
into displaying a listing of the contents of a directory, despite the
presence of an index file.

The Common Vulnerabilities and Exposures project ( has
assigned the names CAN-2001-0730, and CAN-2001-0731 to these

4. Solution:

Note: The updated apache (and apache-devel) packages for Red Hat Linux 7,
7.1, and 7.2 require installation of mm and expat (as well as mm-devel and
expat-devel for apache-devel).  Because mm and expat were not previously
released for Red Hat Linux 7, and mm was not previously released for Red
Hat Linux 7.1, they will need to either be installed simultaneously with or
before the apache packages.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.  Users of Red Hat Linux 7 and
7.1 will find that the mod_bandwidth, mod_put, and mod_throttle packages
are now built as separate packages, and that they will need to manually
install these packages as well.

To update all other RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Users of Red Hat Linux 7 will find that these updates enable the suexec
feature by default, which was not the case in previous versions of this
package.  Administrators who have configured their servers to run CGI
scripts from user home directories should read the suexec documentation
included in the apache-manual package.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:


This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed ( for more info):

34772 - Apache 1.3.14 breaks byterange functionality (hinders serving of PDFs)

6. RPMs required:

Red Hat Linux 6.2:





Red Hat Linux 7.0:




Red Hat Linux 7.1:





Red Hat Linux 7.2:



7. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------
bc9a7598e452fd0a5e2b05173216ef81 6.2/en/os/SRPMS/apache-1.3.22-0.6.src.rpm
a181a9ffff1759abbf42e05c824ddb2f 6.2/en/os/alpha/apache-1.3.22-0.6.alpha.rpm
3360fda64d65cbf60a8634e7991e5a6d 6.2/en/os/alpha/apache-devel-1.3.22-0.6.alpha.rpm
f045b315ecc6a11e23131fa86e2d0a72 6.2/en/os/alpha/apache-manual-1.3.22-0.6.alpha.rpm
dc567a3074e237efd73622596dfc2c13 6.2/en/os/i386/apache-1.3.22-0.6.i386.rpm
36b1dd6f65c83f3c47326ae976567ce3 6.2/en/os/i386/apache-devel-1.3.22-0.6.i386.rpm
13d4d3822f4b2de1f198d5bc24884a8a 6.2/en/os/i386/apache-manual-1.3.22-0.6.i386.rpm
ef85d7e0d44abd776d4b76a75553cc86 6.2/en/os/sparc/apache-1.3.22-0.6.sparc.rpm
4eb62d0355f51df33e62ea6647a061ec 6.2/en/os/sparc/apache-devel-1.3.22-0.6.sparc.rpm
7138fb9b44085ee557d291c081e46d3c 6.2/en/os/sparc/apache-manual-1.3.22-0.6.sparc.rpm
5cf136a2bfb482501254fa6630f9e6e8 7.0/en/os/SRPMS/apache-1.3.22-1.7.1.src.rpm
d0cbe11cfd0c2fad460d749a4afadf8f 7.0/en/os/SRPMS/expat-1.95.1-1.src.rpm
85f0ff3830d540a3235e2d7471ca2e27 7.0/en/os/SRPMS/mm-1.1.3-2.src.rpm
9cd99798f41854041ed50e5c2b9c9d4a 7.0/en/os/SRPMS/mod_bandwidth-2.0.3-2.src.rpm
392c6c20c9ca7d5ad437b91ea08bac2a 7.0/en/os/SRPMS/mod_put-1.3-2.src.rpm
4d9b105c543162987b6a0755080e73b1 7.0/en/os/SRPMS/mod_ssl-2.8.5-0.7.src.rpm
15398a5663f14b8e5babbb5309d6739c 7.0/en/os/SRPMS/mod_throttle-3.1.2-3.src.rpm
8f8ea759a9ff2d61c60104ee9b3edc09 7.0/en/os/alpha/apache-1.3.22-1.7.1.alpha.rpm
ea3bd3c37081fd9a303c8f656a31b52f 7.0/en/os/alpha/apache-devel-1.3.22-1.7.1.alpha.rpm
e6f023bd016b75e40e390b2cdf5fe77f 7.0/en/os/alpha/apache-manual-1.3.22-1.7.1.alpha.rpm
4b4d4c5fdf897457c7286d2b4fd2ac39 7.0/en/os/alpha/expat-1.95.1-1.alpha.rpm
aa8555291135f9b681d1d519f5fe5539 7.0/en/os/alpha/expat-devel-1.95.1-1.alpha.rpm
13cfd219c25232decce6703c70419f4a 7.0/en/os/alpha/mm-1.1.3-2.alpha.rpm
f9b26ec0d52c79444de07f10bceb2262 7.0/en/os/alpha/mm-devel-1.1.3-2.alpha.rpm
3be3121fa4b5490a1ace387526cf2406 7.0/en/os/alpha/mod_bandwidth-2.0.3-2.alpha.rpm
25f1a3961b8c2aa6f2b63288535abc73 7.0/en/os/alpha/mod_put-1.3-2.alpha.rpm
b4b100f56cefc614b878a191fb5ed6f0 7.0/en/os/alpha/mod_ssl-2.8.5-0.7.alpha.rpm
d3f81d978bb81de0b2e357b79ade1d7e 7.0/en/os/alpha/mod_throttle-3.1.2-3.alpha.rpm
6bcd4368b5106127787cbac0248f669b 7.0/en/os/i386/apache-1.3.22-1.7.1.i386.rpm
052ac912ba5dd85f2f81a1dc0c7472fd 7.0/en/os/i386/apache-devel-1.3.22-1.7.1.i386.rpm
26752f2274eec2d5e399d03a6f973ea7 7.0/en/os/i386/apache-manual-1.3.22-1.7.1.i386.rpm
fb87db480ce7f5317f0464640b419e43 7.0/en/os/i386/expat-1.95.1-1.i386.rpm
87978a5568dccb618c1646110443ad87 7.0/en/os/i386/expat-devel-1.95.1-1.i386.rpm
bffbf64db212e970ad139b5e61dc4ad2 7.0/en/os/i386/mm-1.1.3-2.i386.rpm
541a185e0e63970cdbb573eb5afc6d45 7.0/en/os/i386/mm-devel-1.1.3-2.i386.rpm
414b7a5cb5a0153b9cd41c0b10a7c155 7.0/en/os/i386/mod_bandwidth-2.0.3-2.i386.rpm
c1bc1dd8b81ed2669ea31a0338cf8e8d 7.0/en/os/i386/mod_put-1.3-2.i386.rpm
ef3ec4f2b0775440f7b9f7b2274e5a3f 7.0/en/os/i386/mod_ssl-2.8.5-0.7.i386.rpm
e80083a4d622f91d14125d291e542b24 7.0/en/os/i386/mod_throttle-3.1.2-3.i386.rpm
5cf136a2bfb482501254fa6630f9e6e8 7.1/en/os/SRPMS/apache-1.3.22-1.7.1.src.rpm
85f0ff3830d540a3235e2d7471ca2e27 7.1/en/os/SRPMS/mm-1.1.3-2.src.rpm
9cd99798f41854041ed50e5c2b9c9d4a 7.1/en/os/SRPMS/mod_bandwidth-2.0.3-2.src.rpm
392c6c20c9ca7d5ad437b91ea08bac2a 7.1/en/os/SRPMS/mod_put-1.3-2.src.rpm
4d9b105c543162987b6a0755080e73b1 7.1/en/os/SRPMS/mod_ssl-2.8.5-0.7.src.rpm
15398a5663f14b8e5babbb5309d6739c 7.1/en/os/SRPMS/mod_throttle-3.1.2-3.src.rpm
8f8ea759a9ff2d61c60104ee9b3edc09 7.1/en/os/alpha/apache-1.3.22-1.7.1.alpha.rpm
ea3bd3c37081fd9a303c8f656a31b52f 7.1/en/os/alpha/apache-devel-1.3.22-1.7.1.alpha.rpm
e6f023bd016b75e40e390b2cdf5fe77f 7.1/en/os/alpha/apache-manual-1.3.22-1.7.1.alpha.rpm
13cfd219c25232decce6703c70419f4a 7.1/en/os/alpha/mm-1.1.3-2.alpha.rpm
f9b26ec0d52c79444de07f10bceb2262 7.1/en/os/alpha/mm-devel-1.1.3-2.alpha.rpm
3be3121fa4b5490a1ace387526cf2406 7.1/en/os/alpha/mod_bandwidth-2.0.3-2.alpha.rpm
25f1a3961b8c2aa6f2b63288535abc73 7.1/en/os/alpha/mod_put-1.3-2.alpha.rpm
b4b100f56cefc614b878a191fb5ed6f0 7.1/en/os/alpha/mod_ssl-2.8.5-0.7.alpha.rpm
d3f81d978bb81de0b2e357b79ade1d7e 7.1/en/os/alpha/mod_throttle-3.1.2-3.alpha.rpm
6bcd4368b5106127787cbac0248f669b 7.1/en/os/i386/apache-1.3.22-1.7.1.i386.rpm
052ac912ba5dd85f2f81a1dc0c7472fd 7.1/en/os/i386/apache-devel-1.3.22-1.7.1.i386.rpm
26752f2274eec2d5e399d03a6f973ea7 7.1/en/os/i386/apache-manual-1.3.22-1.7.1.i386.rpm
bffbf64db212e970ad139b5e61dc4ad2 7.1/en/os/i386/mm-1.1.3-2.i386.rpm
541a185e0e63970cdbb573eb5afc6d45 7.1/en/os/i386/mm-devel-1.1.3-2.i386.rpm
414b7a5cb5a0153b9cd41c0b10a7c155 7.1/en/os/i386/mod_bandwidth-2.0.3-2.i386.rpm
c1bc1dd8b81ed2669ea31a0338cf8e8d 7.1/en/os/i386/mod_put-1.3-2.i386.rpm
ef3ec4f2b0775440f7b9f7b2274e5a3f 7.1/en/os/i386/mod_ssl-2.8.5-0.7.i386.rpm
e80083a4d622f91d14125d291e542b24 7.1/en/os/i386/mod_throttle-3.1.2-3.i386.rpm
d72a44ce73899c1ae8502a4dac44977a 7.1/en/os/ia64/apache-1.3.22-1.7.1.ia64.rpm
91d505625bfc721907beead7f79fa565 7.1/en/os/ia64/apache-devel-1.3.22-1.7.1.ia64.rpm
235d62371a30d4f8817ff873f8948dae 7.1/en/os/ia64/apache-manual-1.3.22-1.7.1.ia64.rpm
93ebc06c4d160fd82430b983093e9f40 7.1/en/os/ia64/mm-1.1.3-2.ia64.rpm
e31a027184bdc9a202994c57f9b96a10 7.1/en/os/ia64/mm-devel-1.1.3-2.ia64.rpm
c091e03032e4f7d628e8bb2f706e66ab 7.1/en/os/ia64/mod_bandwidth-2.0.3-2.ia64.rpm
4678335e17b5e09c42d679480493f2a0 7.1/en/os/ia64/mod_put-1.3-2.ia64.rpm
1e5337f03080b9f28c951cc06fa7aa14 7.1/en/os/ia64/mod_ssl-2.8.5-0.7.ia64.rpm
47691815f0bad537d3305aa379083500 7.1/en/os/ia64/mod_throttle-3.1.2-3.ia64.rpm
bf518904d1b4ef0edd07ce3a7dd34871 7.2/en/os/SRPMS/apache-1.3.22-2.src.rpm
bc734ceff3e2dee5d5a4ff230b5e8293 7.2/en/os/SRPMS/mod_ssl-2.8.5-1.src.rpm
6dd421e90d6de5cb9a5ae25e428724e8 7.2/en/os/i386/apache-1.3.22-2.i386.rpm
19aa4f624d8263756374095b352c274a 7.2/en/os/i386/apache-devel-1.3.22-2.i386.rpm
c352198baaeb451d6e1797458cfcad4e 7.2/en/os/i386/apache-manual-1.3.22-2.i386.rpm
cec3188aea446e454e92efcf9246abd5 7.2/en/os/i386/mod_ssl-2.8.5-1.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

Copyright(c) 2000, 2001 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email:
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv