On May 24, 2012 13:05, Luke Lozier <l...@bibliopolis.com> wrote:
One of the PCI scanning companies is demanding an upgrade to 2.4.2 due
to the issues described in this CVE:
Changes with Apache 2.2.23
*) SECURITY: CVE-2012-0883 (cve.mitre.org <http://cve.mitre.org>)
envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the
current working directory to be searched for DSOs. [Stefan Fritsch]
Is there any idea when 2.2.23 will be released? I'd rather not upgrade
to 2.4.2.
The actual text is, "envvars (aka envvars-std) in the Apache HTTP Server
before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH,
which allows local users to gain privileges via a Trojan horse DSO in
the current working directory during execution of apachectl."
And envvars-std (envvars) appears to only be used by apachectl. So,
instead of upgrading, what about changing the owner of apachectl to root
and the permissions to 700? Then tell your auditor that you have
implemented a compensating control for CVE-2012-0883 such that apachectl
can only be run by the trusted root user.
Am I misunderstanding the vulnerability?
Or, alternatively, edit /usr/sbin/envvars and/or apachectl to fix
LD_LIBRARY_PATH, if it is in fact being handled insecurely on your
system (it appeared to be fine on the two older systems where I checked
for this vulnerability).
--
Mark Montague
m...@catseye.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
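As an added worked example (not code from this thread, and not httpd's own envvars-std file), the POSIX shell script below shows the class of bug under discussion and the two mitigations Mark proposes: an unconditional "$libdir:$LD_LIBRARY_PATH" concatenation leaves a trailing empty component when the variable was unset, and the dynamic loader treats an empty component as the current working directory; a guarded construction avoids that; an audit helper flags empty components in any LD_LIBRARY_PATH value; and a pair of checks confirm that apachectl is root-owned with mode 0700, the compensating control suggested above. The library directory /usr/lib/apache2 and all function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for the CVE-2012-0883 discussion above; not from the thread
# and not httpd's own envvars-std. /usr/lib/apache2 and the function names
# are assumptions chosen for illustration.

# Unsafe construction: prefixing unconditionally. When $current is empty the
# result is "/usr/lib/apache2:", and the trailing empty component makes the
# dynamic loader search the current working directory for shared objects.
unsafe_ld_path() {
    libdir=$1
    current=$2
    printf '%s:%s' "$libdir" "$current"
}

# Safe construction: only add the separator when there is an existing value
# to append, so no empty component can appear.
safe_ld_path() {
    libdir=$1
    current=$2
    if [ -n "$current" ]; then
        printf '%s:%s' "$libdir" "$current"
    else
        printf '%s' "$libdir"
    fi
}

# Audit helper: succeeds (exit 0) if the given LD_LIBRARY_PATH value contains
# an empty component, i.e. a leading ':', a trailing ':' or '::'. A wholly
# empty value is ignored by the loader and is therefore reported as clean.
has_empty_component() {
    if [ -z "$1" ]; then
        return 1
    fi
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Compensating-control checks for apachectl: owner root and mode exactly
# 0700. ls -ld is parsed instead of stat(1) because stat's flags differ
# between GNU and BSD userlands.
mode_is_0700() {
    set -- $(ls -ld "$1")
    case $1 in
        -rwx------*) return 0 ;;   # trailing '.' or '+' (SELinux/ACL) tolerated
    esac
    return 1
}

owner_is_root() {
    set -- $(ls -ld "$1")
    [ "$3" = root ]
}

# Usage on a live system (paths are examples; adjust to your install):
#   . /usr/sbin/envvars
#   has_empty_component "$LD_LIBRARY_PATH" && echo "cwd is on the DSO search path"
#   mode_is_0700 /usr/sbin/apachectl && owner_is_root /usr/sbin/apachectl
```

Sourcing the envvars file your apachectl actually uses and running has_empty_component on the resulting LD_LIBRARY_PATH tells you whether the system builds the variable unsafely before you decide between patching the file and relying on the permission change. Note that the 0700 control limits who can run apachectl, not where it is run from, so it is worth pairing with the envvars fix rather than substituting for it.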