Scheduled Downtime For Apache Upgrade -- Security Vulnerability Issues

 

 


Admin
Deleted

May 29, 2004, 12:51 PM

Post #1 of 8 (3087 views)

Hi.

We shall be scheduling a webserver upgrade of about 60 minutes for upgrading the Web Server software to the latest version Apache 1.3.31 from the current 1.3.29. Of particular note is that 1.3.31 addresses and fixes the following 4 security related issues:

In mod_digest, verify whether the nonce returned in the client response. This problem does not affect mod_auth_digest.
[CAN-2003-0987 (cve.mitre.org)]

Escape arbitrary data before writing into the errorlog.
[CAN-2003-0020 (cve.mitre.org)]

Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket.
[CAN-2004-0174 (cve.mitre.org)]

Fix parsing of Allow/Deny rules using IP addresses without a netmask; issue is only known to affect big-endian 64-bit platforms.
[CAN-2003-0993 (cve.mitre.org)]


The upgrade shall be starting at 01:00 Hrs. Though we would not be taking anything offline, it could be that during the upgrade run certain things may not be accessible. The maximum duration is scheduled to be about 60 minutes from 01:00 Hrs on 31st May 2004. This would also involve retuning certain aspects which control the webmail, directory and forum software. This is just a security update. This is for information to all our clients.

Cheers
Admin
Scorpio Informatics

(This post was edited by Admin on Jun 6, 2004, 8:47 PM)


Admin
Deleted

May 30, 2004, 8:48 AM

Post #2 of 8 (3062 views)
Re: [Admin] Scheduled Downtime For Apache Upgrade 31st May 2004 01:00 Hrs

Hi.

The upgrade schedule was preponed by a day and lasted for about 20 minutes in all during which for about 5 minutes the http access was not available. To most of the users this would have been invisible.

Web Server is now Apache 1.3.31, the latest release in 1.3.

Cheers
Admin


Admin
Deleted

Jun 6, 2004, 9:01 PM

Post #3 of 8 (3051 views)
Re: [Admin] Scheduled Downtime For Apache Upgrade 31st May 2004 01:00 Hrs

Hi,

Due to a reported mod_ssl security vulnerability, we have recompiled Apache with an upgraded version of mod_ssl. The same was finished within 20 minutes and there was no downtime visible to users as a consequence of this upgrade.

All Security Upgrade Notifications To Apache WebServer shall be continued in this Thread Only, in order to maintain a proper record of upgrades done.

Further details of reasons which called for this upgrade are available at following url:

http://www.osvdb.org/...ln.php?osvdb_id=6472

Cheers
Admin
Scorpio Informatics


Admin
Deleted

Jun 10, 2004, 4:06 AM

Post #4 of 8 (3022 views)
Re: [Admin] Scheduled Downtime For Apache Upgrade 31st May 2004 01:00 Hrs

Hi.

A recently reported security vulnerability in the FrontPage extension and mod_php has been fixed by upgrading Apache to the latest version of the FrontPage extensions and php/mod_php. This upgrade was done at 03:30 hrs on 10th June 2004.

Cheers
Admin
Scorpio Informatics


Administrator
Administrator / Moderator


Sep 27, 2004, 3:33 PM

Post #5 of 8 (2933 views)
Re: [Admin] Scheduled Downtime For Apache Upgrade -- Security Vulnerability Issues

Hi.

All the applications have been moved to a Firewalled Back end server and also the Front End Web Server has been hardened against common web attacks and Denial Of Service Attacks.

Cheers
Administrator
-------------------------------------------------------------------------------
Scorpio Informatics
-------------------------------------------------------------------------------


Administrator
Administrator / Moderator


Oct 22, 2004, 12:59 PM

Post #6 of 8 (2881 views)
Re: [Admin] Scheduled Downtime For Apache Upgrade -- Security Vulnerability Issues

Hi.

Due to mod_ssl security advisory, the webserver was recompiled and mod_ssl upgraded to the latest version on 21st October 2004. This upgrade was done without any downtime visible to end users. Apache version remains same at 1.3.31. Simultaneous with this was a PHP upgrade to version 4.3.9

Cheers
Administrator
-------------------------------------------------------------------------------
Scorpio Informatics
-------------------------------------------------------------------------------


Administrator
Administrator / Moderator


Oct 26, 2004, 1:59 AM

Post #7 of 8 (2878 views)
Re: [Admin] Scheduled Downtime For Apache Upgrade -- Security Vulnerability Issues

Hi.

Apache upgraded to version 1.3.32, which is a bugfix release over 1.3.31.
Along with this, mod_ssl has also been upgraded to a compatible version.
Other Apache modules have also been recompiled against this newer version of Apache WebServer.
All the upgrades were completed without any noticeable downtime.

This upgrade was done and completed within 72 Hours of release of mod_ssl compatible with apache 1.3.32

Cheers
Administrator
-------------------------------------------------------------------------------
Scorpio Informatics
-------------------------------------------------------------------------------


Administrator
Administrator / Moderator


Oct 30, 2004, 2:48 AM

Post #8 of 8 (2847 views)
Re: [Administrator] Scheduled Downtime For Apache Upgrade -- Security Vulnerability Issues

Hi

Security Bugfix Apache Upgrade: Apache upgraded to 1.3.33
This version of Apache is principally a security and bug fix release.
Of particular note is that 1.3.33 addresses and fixes the following 2 security related issues:

Fix potential buffer overflow with escaped characters in SSI tag string.
[CAN-2004-0940 (cve.mitre.org)]

Reject responses from a remote server if sent an invalid (negative) Content-Length.
[CAN-2004-0492 (cve.mitre.org)]

Once a compatible mod_ssl is also released, Apache 1.3.33 would be recompiled with that version of mod_ssl in place. This upgrade went about without any downtime.

Cheers
Administrator
-------------------------------------------------------------------------------
Scorpio Informatics
-------------------------------------------------------------------------------

 
 
 

