Subject: Caldera Security Advisory SA-1998.03: Vulnerabilities in Apache
Advisory issue date: 27-Jan-1998
Topic: Vulnerabilities in the Apache web server

I. Problem Description

   The Apache group has released an Apache Security Advisory that
   describes several security problems that have been identified and
   resolved in Apache 1.2.5.

II. Impact

   Only one medium risk vulnerability in the 6-Jan-1998 advisory can be
   exploited without having been given direct access to the Apache
   server. This attack is a Denial of Service attack (known as the
   "beck" attack, posted to BugTraq on 30-Dec-1997) which effectively
   renders the server inoperable by increasing its workload.

   Read the Apache group advisory for additional information about this
   attack and the other less severe vulnerabilities.

   These problems were present on the following OpenLinux releases:

      CND 1.0
      Base 1.0
      Lite 1.1
      Base 1.1
      Standard 1.1

III. Solution

   Obtain the new Apache packages from Caldera's FTP server
   (ftp.caldera.com):

      /pub/openlinux/updates/1.1/current/RPMS/apache-1.2.5-0.i386.rpm
      /pub/openlinux/updates/1.1/current/RPMS/apache-docs-1.2.5-0.i386.rpm

   Source code in an RPM format can also be obtained from:

      /pub/openlinux/updates/1.1/current/SRPMS/apache-1.2.5-0.src.rpm

   To install the new package, execute the following commands as root:

      /etc/rc.d/init.d/httpd stop
      rpm -U --force apache-1.2.5-0.i386.rpm
      /etc/rc.d/init.d/httpd start

   The MD5 checksums (from the "md5sum" command) for these packages are:

      f47fe95961b921abfd1652b1401a121c  apache-1.2.5-0.i386.rpm
      daa5b2f730299f7b77b1ce27714578bb  apache-docs-1.2.5-0.i386.rpm
      e5d12950cd444242c841a68909b0d350  apache-1.2.5-0.src.rpm

IV. References

   This and other Caldera security resources are located at:

      http://www.caldera.com/tech-ref/security/

   This security advisory report is based in part on the postings to
   the BugTraq email list:

      From: (Michał Zalewski) lcamtuf@POLBOX.COM
      To: BUGTRAQ@NETSPACE.ORG
      Date: Tue, 30 Dec 1997 11:07:04 +0100
      Subject: Apache DoS attack?
      Message-ID: 01bd150a$adb1aa40$987c74c3@lcamtuf
      http://www.netspace.org/cgi-bin/wa?A1=ind9712e&L=bugtraq#2

      From: (Marc Slemko) marcs@ZNEP.COM
      To: BUGTRAQ@NETSPACE.ORG
      Date: Tue, 6 Jan 1998 16:12:36 -0700
      Subject: Apache security advisory
      Message-ID: Pine.BSF.3.95.980106161024.18326M-100000@alive.znep.com
      http://www.netspace.org/cgi-bin/wa?A1=ind9801a&L=bugtraq#1

      http://www.apache.org

   This update closes Caldera internal problem reports #1478 and #1517.

V. PGP Signature

   This message was signed with the PGP key for security@caldera.com.

   This key can be obtained from:

      ftp://ftp.caldera.com/pub/pgp-keys/

   Or on an OpenLinux CDROM under:

      /OpenLinux/pgp-keys/

$Id: SA-1997.35,v 1.4 1998/01/01 00:27:26 ron Exp $
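
Added example, not part of Caldera's advisory: a shell sketch that checks a downloaded package against the MD5 sums listed in section III and runs the advisory's upgrade commands only if the binary package matches. The function names and the optional second argument (an alternate checksum list, used for testing) are assumptions of this example.

```shell
#!/bin/sh
# Added example: gate the advisory's upgrade steps on its published MD5 sums.

# "checksum  filename" pairs copied from section III of the advisory.
ADVISORY_SUMS='f47fe95961b921abfd1652b1401a121c  apache-1.2.5-0.i386.rpm
daa5b2f730299f7b77b1ce27714578bb  apache-docs-1.2.5-0.i386.rpm
e5d12950cd444242c841a68909b0d350  apache-1.2.5-0.src.rpm'

# expected_md5 NAME [SUMS]: print the published checksum for NAME, or fail
# if the list does not contain that file name.
expected_md5() {
    printf '%s\n' "${2:-$ADVISORY_SUMS}" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# verify_package FILE [SUMS]: succeed only if FILE is listed, exists, and its
# md5sum equals the published value. Returns 2 unlisted, 3 missing, 1 mismatch.
verify_package() {
    file=$1
    name=$(basename "$file")
    want=$(expected_md5 "$name" "${2:-}") || {
        echo "UNLISTED $name" >&2
        return 2
    }
    [ -f "$file" ] || { echo "MISSING  $name" >&2; return 3; }
    got=$(md5sum < "$file" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "MISMATCH $name: got $got, advisory lists $want" >&2
        return 1
    fi
    echo "OK       $name"
}

# upgrade_apache DIR: the advisory's three commands (run as root), executed
# only after the binary package in DIR has been verified.
upgrade_apache() {
    pkg="$1/apache-1.2.5-0.i386.rpm"
    verify_package "$pkg" || return 1
    /etc/rc.d/init.d/httpd stop
    rpm -U --force "$pkg"
    /etc/rc.d/init.d/httpd start
}
```

The checksums are only as trustworthy as the advisory text they were copied from, so check the advisory's PGP signature against the security@caldera.com key before relying on them.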