Apache Chunk Handling Roundup
by Berislav Kucan - revised on 20 June 2002

Robert Lemos - rob.lemos(a)cnet.com article on CNET

Chris Rouland, director of ISS's research and development team, known as X-Force, maintains that the company did the right thing when it released an advisory on the issue and included a patch as well. "We are competing with the 10 million hackers out there, who are trying to break in to Web servers," he said. "The hackers were the real ones that were ticked off that we released the advisory. That's one less exploit that they could use."

Read this article on CNET (http://www.cnet.com/investor/news/newsitem/0-9900-1028-20051547-0.html).

3) Solutions and patches

ISS X-Force has developed a patch for the "Remote Compromise Vulnerability in Apache HTTP Server" issue. The patch is available from the ISS advisory linked at the top of this paper.

(Please note that the patch provided by ISS does not correct the vulnerability found by NGSSoftware).

CERT advice: The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.25 or 2.0.39. The new versions of Apache will be available from their web site at http://httpd.apache.org/

Update: Version 1.3.26 is available to download as of 19.06.2002.

Update: A new version of mod_ssl has been released and is available at the following address:
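Before and after applying the vendor updates above, an administrator wants a quick way to tell whether a given httpd is still below the fixed releases. The following POSIX shell check is an added example, not part of the original roundup or of any vendor advisory; it assumes that 1.3.26 (the 1.3 release reported as available above) and 2.0.39 are the minimum fixed versions, and that the version string comes either from `httpd -v` or from a `Server:` response header.

```sh
#!/bin/sh
# Added example (not from the original roundup): classify an Apache version
# string against the fixed releases. Assumption: 1.3.26 and 2.0.39 are the
# minimum fixed versions for the 1.3 and 2.0 branches; other branches are
# reported as unrecognised rather than guessed at.

# Extract "x.y.z" from strings such as "Server version: Apache/1.3.24 (Unix)"
# or a Server: header value like "Apache/2.0.36 (Unix) mod_ssl/2.0.36".
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Compare two three-part dotted versions numerically; prints -1, 0 or 1.
vercmp() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Prints a verdict and returns 0 (fixed), 1 (upgrade required) or
# 2 (version string or branch not recognised).
apache_chunk_status() {
    v=$(apache_version "$1")
    [ -n "$v" ] || { echo "unrecognised version string: $1"; return 2; }
    case "$v" in
        1.3.*) fixed=1.3.26 ;;
        2.0.*) fixed=2.0.39 ;;
        *) echo "$v: branch not covered by this check"; return 2 ;;
    esac
    if [ "$(vercmp "$v" "$fixed")" -ge 0 ]; then
        echo "$v: at or above $fixed, chunk handling fix present"
        return 0
    fi
    echo "$v: below $fixed, upgrade required"
    return 1
}

# On a live host: apache_chunk_status "$(httpd -v 2>/dev/null | head -n 1)"
# Constructed sample inputs for a stand-alone run:
for s in "Server version: Apache/1.3.24 (Unix)" \
         "Apache/2.0.39 (Unix) mod_ssl/2.0.39"; do
    apache_chunk_status "$s" || true
done
```

The check deliberately refuses to guess about branches the advisories do not name, so a 2.2 or later string is reported as uncovered rather than silently passed; a banner that has been rewritten or suppressed by the operator yields "unrecognised", which is the cue to confirm the version on the host itself rather than from the network.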

4) Vendor security advisories

Vendor: SGI
Vulnerable: SGI is currently investigating this security issue
Advisory: http://www.net-security.org/advisory.php?id=776

Vendor: Debian
Vulnerable: Debian GNU/Linux 2.2
Advisory: http://www.net-security.org/advisory.php?id=778

Vendor: Debian
Vulnerable: Debian GNU/Linux 2.2 - revised advisory
Advisory: http://www.net-security.org/advisory.php?id=783

Vendor: Debian
Vulnerable: Debian GNU/Linux 2.2 - (apache-ssl advisory)
Advisory: http://www.net-security.org/advisory.php?id=784

Vendor: EnGarde Linux
Vulnerable: EnGarde Secure Linux
Advisory: http://www.net-security.org/advisory.php?id=779

Vendor: SuSE
Vulnerable: SuSE Linux 6.4-8.0, SuSE Linux Database Server, SuSE eMail Server III and SuSE Linux Enterprise Server
Advisory: http://www.net-security.org/advisory.php?id=780

Vendor: Conectiva
Vulnerable: Conectiva Linux 6.0-8
Advisory: http://www.net-security.org/advisory.php?id=781
