
IBM HTTP Server, recently announced Apache httpd vulnerabilities


Ryan Matteson

Jun 21, 2002, 12:20:14 PM
In light of the recent advisory from the Apache Group regarding security
vulnerabilities
(http://httpd.apache.org/info/security_bulletin_20020620.txt) - has
there been any announcement from IBM as to vulnerability of IBM HTTP
Server? Based purely on version numbers, it would appear that all
production-certified versions of IHS would be vulnerable.

Briefly: Apache 1.2.x and 1.3.x, up to and including 1.3.24, have a
vulnerability that could allow for DOS and execution of arbitrary code,
on Win32, 32 bit Unix, and 64 bit Unix platforms. 1.3.26, released
earlier this week, is the first 1.3.X release that is not vulnerable.

Tim_Evans

Jun 21, 2002, 4:07:01 PM
to Ryan Matteson
Ryan Matteson wrote:

> In light of the recent advisory from the Apache Group regarding security
> vulnerabilities
> (http://httpd.apache.org/info/security_bulletin_20020620.txt) - has
> there been any announcement from IBM as to vulnerability of IBM HTTP


They issued an announcement that very carefully limited itself to the
"Linux Affinity" Apache server; never mentioning IHS.


Warren Rehman

Jun 21, 2002, 5:05:18 PM
Hello Tim, Ryan,

For more information on this security issue:

http://www-1.ibm.com/support/manager.wss?rs=0&rt=0&org=SW&doc=1052777

Also, please contact IBM WebSphere support (WASIHS) in regards to this
issue - open a PMR and ask for the efix belonging to APAR PQ62369.

Regards,

-----------------------------------------
Warren Rehman
Software Developer, WCS Support
Electronic Commerce Development - IBM Canada Lab



Ryan Matteson

Jun 21, 2002, 6:14:08 PM
Warren,

The URL you provided refers to CERT CAN-2002-0061/VU#124003, which has
to do with executing .bat or .cmd files as CGIs from httpd and impacts
only Win32 platforms.

The issue I was referring to stems from CERT CA-2002-17/CAN-2002-0392/
VU#944335, which involves potential overflow in handling of
chunked-encoded data - and impacts all platforms.

Is APAR PQ62369 for the latter issue?

Ryan Matteson

Jun 25, 2002, 11:04:52 AM
The efix for PQ62369 is in fact correct for this issue. I found it via
http://www-1.ibm.com/support/manager.wss?rs=0&rt=0&org=SW&doc=4001443

Thanks Warren!

Robert Reynolds

Jun 26, 2002, 5:10:46 PM
We are running IBM_HTTP_SERVER-1.3.12-2 but the closest efix for PQ62369
lists version 1.3.12-6. Can I use the 1.3.12-6 efix on 1.3.12-2?

Thank you
Robert
