A problem exists with all Apache servers prior to version 1.3.19. The
vulnerability could allow directory indexing and path discovery on
vulnerable servers via a custom-crafted request consisting of a long
path name built from numerous slashes. Such a request can cause
modules to misbehave and return a listing of the directory contents
instead of the expected error page.
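As an added example (not part of the original advisory), the following script scans Apache common-format access log lines for the pattern described above: requests whose path contains an abnormally long run of slashes, reported together with the status code so an administrator can see whether the server answered with an error page or a 200. The log lines are constructed for illustration; the threshold `min_run` is an assumed tuning value.

```python
import re
from collections import namedtuple

# Apache "common" log format: host ident user [date] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

Hit = namedtuple("Hit", "host path status longest_run")

def longest_slash_run(path):
    """Length of the longest run of consecutive '/' characters in a request path."""
    return max((len(m.group(0)) for m in re.finditer(r'/+', path)), default=0)

def find_slash_floods(lines, min_run=8):
    """Return one Hit per request whose path holds min_run or more consecutive slashes.

    A 200 status on such a request is the signal worth investigating: the
    advisory describes the listing being returned instead of an error page.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        run = longest_slash_run(m.group("path"))
        if run >= min_run:
            hits.append(Hit(m.group("host"), m.group("path"),
                            int(m.group("status")), run))
    return hits

# Constructed sample lines (not real traffic); the third mimics a long-slash request
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2001:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [10/Mar/2001:12:00:02 +0000] "GET /images//logo.gif HTTP/1.0" 200 512',
    '198.51.100.7 - - [10/Mar/2001:12:00:03 +0000] "GET /' + '/' * 4000 + ' HTTP/1.0" 200 8821',
    '198.51.100.7 - - [10/Mar/2001:12:00:04 +0000] "GET /private/ HTTP/1.0" 403 287',
]

if __name__ == "__main__":
    for hit in find_slash_floods(SAMPLE_LOG):
        print(f"{hit.host} status={hit.status} run={hit.longest_run} {hit.path[:40]}...")
```

A normal double slash (as in `/images//logo.gif`) stays below the threshold, so only the flooded request is reported.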
Another vulnerability found by Procheckup (www.procheckup.com) was
that all directories were configured as browseable by default, so
an attacker could list all files in the targeted directories.
Procheckup also found that the perl-proxy/management software on
port 8200 would supply sensitive information to attackers because
a perl status script was enabled. We have disabled directory
browsing by default and have disabled the perl status scripts.
There are a few steps required to update Apache properly for Single
Network Firewall 7.2. Please also note that you should not use the
automatic update facilities of the web interface to update Apache;
do this either locally or via ssh.
1) Stop apache (service httpd stop) if running
2) Stop httpd-naat (service httpd-naat stop)
3) Completely backup /etc/httpd/conf/*
4) Backup /var/log/httpd and /var/log/httpd-naat (the uninstall
scripts of the previous apache versions may remove the log files)
5) Remove the currently installed apache, mod_perl, mod_ssl, and php
packages from the system. You can do this using:
6) Upgrade mm/mm-devel
7) Install the downloaded upgrade packages of the apache components using
"rpm -ivh *.rpm"
8) Restore your /var/log/httpd and /var/log/httpd-naat backups
9) Start httpd-naat (service httpd-naat start)
10) Start apache if you were previously using it (service httpd start)
To upgrade automatically, use MandrivaUpdate.
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.