OpenPKG Security Advisory
OpenPKG-SA-2006.015
Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/
Advisory Id (public): OpenPKG-SA-2006.015
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2006.015
Advisory Published: 2008-11-19 12:34 UTC
Issue Id (internal): OpenPKG-SI-20060728.01
Issue First Created: 2006-07-28
Issue Last Modified: 2006-12-07
Issue Revision: 08
Subject Name: Apache mod_rewrite
Subject Summary: Apache HTTP Server
Subject Home: http://httpd.apache.org/
Subject Versions: * <= 2.2.2
Vulnerability Id: CVE-2006-3747
Vulnerability Scope: global (not OpenPKG specific)
Attack Feasibility: run-time
Attack Vector: remote network
Attack Impact: denial of service, arbitrary code execution
Description:
According to a vendor announcement [0], a vulnerability exists in the
mod_rewrite module of the Apache HTTP Server [1]. Depending on the
manner in which the Apache HTTP Server was compiled, the software
defect may result in a vulnerability which, in combination with
certain types of "RewriteRule" directives in the server configuration
files, could be triggered remotely. The vulnerability can result in a
Denial of Service (DoS) or potentially allow arbitrary code execution.
This issue only affects installations using a "RewriteRule"
with the following characteristics: it allows the attacker to control
the initial part of the rewritten URL (for example if the substitution
URL starts with "$1") or the RewriteRule flags do NOT include any of
the flags Forbidden (F), Gone (G), or NoEscape (NE).
This issue has been rated as having important security impact by the
Apache HTTP Server Security Team.
References:
[0] http://www.apache.org/dist/httpd/Announcement2.2.html
[1] http://httpd.apache.org/
Primary Package Name: apache
Primary Package Home: http://openpkg.org/go/package/apache
Affected Distribution:   Affected Branch:   Affected Package:
OpenPKG Community        2.5-SOLID          apache-1.3.33-2.5.5
OpenPKG Community        2-STABLE           apache-1.3.36-2.20060627
OpenPKG Community        2-STABLE           apache2-2.2.2-2.20060622
OpenPKG Community        CURRENT            apache-1.3.36-20060720
OpenPKG Community        CURRENT            apache2-2.2.2-20060622
Corrected Distribution:  Corrected Branch:  Corrected Package:
OpenPKG Community        2.5-SOLID          apache-1.3.33-2.5.6
OpenPKG Community        2-STABLE           apache-1.3.37-2.20060728
OpenPKG Community        2-STABLE           apache2-2.2.3-2.20060728
OpenPKG Community        CURRENT            apache-1.3.37-20060728
OpenPKG Community        CURRENT            apache2-2.2.3-20060728