

Security Alerts: Apache Vulnerabilities

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Apache, PHP, CUPS, ghostscript, glibc, Apache Portable Runtime, gps, mod_gzip, Batalla Naval, and Xmame.


The Apache web server is vulnerable to several remote denial-of-service attacks. One is launched through mod_dav and affects versions 2.0.37 through 2.0.45; another uses a flaw in the apr_password_validate() password-checking function and affects versions 2.0.40 through 2.0.45.

The Apache Software Foundation has released Apache 2.0.46, which fixes both denial-of-service problems along with many other bugs. Affected users are encouraged to upgrade.

PHP 4.3.2

A new version of PHP has been released that repairs several buffer overflows, fixes problems in the 64-bit code, repairs some problems with the Berkeley DB libraries, adds a disable_classes option to php.ini, and fixes many other bugs. Users are strongly encouraged to upgrade as soon as possible.



CUPS

CUPS (Common Unix Printing System) is vulnerable to a remote denial-of-service attack that stops it from servicing print jobs.

Users should upgrade to CUPS 1.1.19 as soon as possible or watch their vendor for an updated package.

Systems that have the printing sub-system installed but do not use it should have it disabled or removed.


ghostscript

ghostscript is an interpreter for the PostScript language and is often used by the printing sub-system to render PostScript files for printers that cannot interpret PostScript themselves. It contains a bug that a carefully crafted file can exploit to execute arbitrary commands. Running ghostscript with the -dSAFER command-line option does not prevent the attack; Red Hat's -dPARANOIDSAFER option does.

Users should upgrade to ghostscript 7.07, apply a patch to their current version, or watch their vendor for updated packages. Packages containing a back-ported patch have been announced for Red Hat Linux.


glibc

A buffer overflow has been found in the xdrmem_getbytes() function of the glibc library, part of the XDR code used by RPC. It is reported that a remote attacker can exploit it against a system running any RPC-based service, and that a local attacker can exploit it if they are able to run an RPC client.

Users should watch their vendor for an updated glibc package that repairs this overflow, and should disable any RPC services that are not needed.
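The column does not describe the defect itself. The public advisory for this bug records it as an integer overflow in the length check inside xdrmem_getbytes(): the function kept a signed count of bytes remaining, subtracted the requested length, and tested the result for being negative, so a length close to 4 GiB taken from an attacker's RPC message wrapped around to a small positive number and passed the check. The following is an added illustration of that bug class in a toy XDR decoder, not glibc's source; the structure and function names are hypothetical, and the three sample messages are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory XDR stream, loosely modelled on the xdrmem layout:
 * x_private is the next byte to decode, x_handy the bytes left.  The signed
 * counter is the point: the vulnerable pattern subtracts first, tests second. */
struct toy_xdrmem {
    const unsigned char *x_private;
    int                  x_handy;
};

/* Vulnerable length check (check only; the copy is deliberately omitted).
 * int minus unsigned is computed in unsigned arithmetic, so a len close to
 * 4 GiB wraps around to a small positive remainder and passes the test. */
bool toy_getbytes_check_vuln(const struct toy_xdrmem *x, unsigned int len)
{
    int handy = (int)((unsigned int)x->x_handy - len);
    if (handy < 0)
        return false;          /* too long: rejected */
    return true;               /* "fits": the real code now memcpy()s len bytes */
}

/* Hardened stream: unsigned counter, and compare before subtracting. */
struct safe_xdrmem {
    const unsigned char *x_private;
    unsigned int         x_handy;
};

bool safe_getbytes(struct safe_xdrmem *x, unsigned char *out, unsigned int len)
{
    if (x->x_handy < len)      /* no 32-bit len can wrap this comparison */
        return false;
    memcpy(out, x->x_private, len);
    x->x_private += len;
    x->x_handy   -= len;
    return true;
}

/* XDR unsigned int: 4 bytes, big-endian. */
static bool safe_getuint(struct safe_xdrmem *x, unsigned int *v)
{
    unsigned char b[4];
    if (!safe_getbytes(x, b, 4))
        return false;
    *v = ((unsigned int)b[0] << 24) | ((unsigned int)b[1] << 16) |
         ((unsigned int)b[2] << 8)  |  (unsigned int)b[3];
    return true;
}

/* Decode an XDR opaque<> field (length word, then that many bytes).  The
 * length comes off the wire, so it is attacker-controlled; this is the value
 * that xdr_bytes() hands down to xdrmem_getbytes().  Returns the payload
 * length, or -1 if the message is malformed or too large for out. */
long decode_opaque(const unsigned char *msg, unsigned int msglen,
                   unsigned char *out, unsigned int outcap)
{
    struct safe_xdrmem x = { msg, msglen };
    unsigned int len;

    if (!safe_getuint(&x, &len))
        return -1;
    if (len > outcap)          /* the caller's buffer is the second limit */
        return -1;
    if (!safe_getbytes(&x, out, len))
        return -1;
    return (long)len;
}

/* Run the vulnerable check against the same wire length, for comparison. */
bool vuln_would_accept(const unsigned char *msg, unsigned int msglen)
{
    struct safe_xdrmem rd = { msg, msglen };
    unsigned int len;

    if (!safe_getuint(&rd, &len))
        return false;
    struct toy_xdrmem v = { rd.x_private, (int)rd.x_handy };
    return toy_getbytes_check_vuln(&v, len);
}

/* Constructed sample messages (not captured traffic). */
const unsigned char good_msg[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
const unsigned char long_msg[] = { 0, 0, 0, 100, 'a', 'b', 'c', 'd' };
const unsigned char wrap_msg[] = { 0xFF, 0xFF, 0xFF, 0xF0, 'a', 'b', 'c', 'd' };

int main(void)
{
    unsigned char out[16];
    const unsigned char *m[3] = { good_msg, long_msg, wrap_msg };
    unsigned int n[3] = { sizeof good_msg, sizeof long_msg, sizeof wrap_msg };
    for (int i = 0; i < 3; i++)
        printf("msg %d: hardened decode -> %ld, vulnerable check -> %s\n", i,
               decode_opaque(m[i], n[i], out, sizeof out),
               vuln_would_accept(m[i], n[i]) ? "accept" : "reject");
    return 0;
}
```

The second message (length 100 with only 4 bytes present) is rejected by both checks, which is why the bug went unnoticed: ordinary oversize lengths fail the signed test. Only a length large enough to wrap the 32-bit subtraction, as in the third message, slips through the vulnerable check while the unsigned comparison still refuses it.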

Apache Portable Runtime (APR)

The Apache Portable Runtime is a free C library that provides a portability layer across as many operating systems as possible. Its apr_psprintf() function contains a bug that may, under some conditions, be exploitable to execute arbitrary code. Several projects besides the Apache web server use the library, including some Covalent commercial products, the Flood load-testing tool, JXTA-C, Tomcat's mod_jk v2, mod_webapp, Subversion, and OPENdj.

A patch has been released that repairs this bug. Users should apply it or obtain a repaired version of the library, such as the one distributed with Apache HTTP Server 2.0.46.


gps

gps, a graphical tool for watching system processes, similar to the ps command, has several bugs: a problem in rgpsp that can, under some conditions, allow any host to connect regardless of what is configured in /etc/rgpsp.conf; several possible buffer overflows that may be exploitable to execute arbitrary code; and a problem parsing command lines in the rgpsp protocol.

Version 1.1.0 of gps fixes these problems. Users should upgrade as soon as possible, and should consider disabling gps until it can be upgraded.

mod_gzip Debug Mode

mod_gzip, an acceleration module for the Apache web server that compresses pages before sending them to the client, has several serious bugs that are reported to appear only when mod_gzip is compiled in debug mode: a buffer overflow in the code that logs the file name, a format string vulnerability in the logging code, and a temporary-file symbolic-link race condition.

Anyone running mod_gzip compiled in debug mode should recompile it in normal mode. A version with a repaired debug mode is reported to be delayed until the next regular release of mod_gzip; affected users should watch for it.
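The three bug classes named above are common enough in debug and logging code that they are worth seeing side by side. The following is an added example, not mod_gzip's code: a hypothetical module logger with a careless caller and a hardened caller for the format string problem, a bounded file-name log line in place of an unbounded copy, and a private temporary file created with mkstemp() and verified through its descriptor rather than its path. All function names, the log message, and the temporary-file template are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

static char logbuf[64];    /* the module's one log-line buffer (hypothetical) */

/* Minimal debug logger of the kind a module might carry: formats into the
 * buffer and returns it.  The logger is fine; the bug is in how it is called. */
const char *debug_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
    return logbuf;
}

/* 1. Format string.  Careless: the request path *is* the format, so "%x",
 *    "%n" and friends in a URL are interpreted ("%n" writes to memory).
 *    The example below only ever feeds it the well-defined "%%" case. */
const char *log_request_vuln(const char *path) { return debug_log(path); }

/* Hardened: constant format, the path is passed as data. */
const char *log_request_safe(const char *path) { return debug_log("%s", path); }

/* 2. File-name logging into a fixed buffer.  Careless form: strcpy() or
 *    sprintf() of a request-derived name into a char[N].  Hardened form:
 *    bounded formatting that refuses, rather than overruns, on an over-long
 *    name.  Returns the bytes written, or -1 if the line would not fit. */
int format_name_log(char *out, size_t outcap, const char *filename)
{
    int n = snprintf(out, outcap, "mod_gzip: compressing %s", filename);
    if (n < 0 || (size_t)n >= outcap)
        return -1;             /* would have been truncated or overrun */
    return n;
}

/* 3. Temporary-file symlink race.  Careless form: build a predictable name
 *    such as "/tmp/mod_gzip.<pid>" and open() it with O_CREAT, so a local
 *    user who plants a symlink there first redirects the write to any file
 *    the server can open.  Hardened form: mkstemp() chooses a fresh name and
 *    opens it O_CREAT|O_EXCL with mode 0600 (a planted symlink makes the
 *    open fail), then the descriptor, not the path, is checked to be a
 *    regular file with a single link.  Returns the fd or -1; the chosen
 *    path is written back into tmpl. */
int open_private_tempfile(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *msg = "100%% done";   /* constructed request path / message */
    printf("careless: %s\n", log_request_vuln(msg));   /* "%%" collapsed to "%" */
    printf("hardened: %s\n", log_request_safe(msg));   /* left exactly as data */

    char line[64];
    printf("name log: %d bytes\n", format_name_log(line, sizeof line, "index.html"));

    char tmpl[] = "/tmp/mod_gzip_example_XXXXXX";     /* hypothetical template */
    int fd = open_private_tempfile(tmpl);
    if (fd >= 0) {
        printf("temp file %s opened privately\n", tmpl);
        close(fd);
        unlink(tmpl);
    }
    return 0;
}
```

The "%%" input is the only format directive that is safe to hand to the careless logger, and it is enough to show the difference: the careless caller prints "100% done" because the message was parsed as a format, while the hardened caller reproduces it unchanged. Anything stronger ("%n", "%x" chains) in the careless path is undefined behaviour and is exactly what an attacker would send.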


Batalla Naval

Batalla Naval is a networked, multiplayer Battleship game with robot players. Its server component, gbnserver, is reported to have a buffer overflow that a remote attacker can exploit to execute arbitrary code with the privileges of the user account running the server. The overflow is reported in the GNOME version of the server; it is not known whether the earlier version of the software is vulnerable. A script that automates exploitation of this vulnerability has been released to the public.

Users should watch for a repaired version of Batalla Naval and, until then, either not run the server or protect it with a firewall that allows only trusted hosts to connect.


Xmame

Xmame is an X11 port of MAME (the Multiple Arcade Machine Emulator). A buffer overflow has been reported that a local attacker may be able to exploit to execute arbitrary code with the privileges of the user account running Xmame. A program that is reported to automate exploitation of Xmame has been released.

Users should watch for an update to Xmame that repairs this overflow and should consider removing any set-user-ID or set-group-ID bits from the game; without those bits a local attacker gains nothing beyond the privileges they already have.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
