A company application of ours was recently assessed by a security firm. Below is one of the vulnerability descriptions and its recommended fix:
Apache HTTP Server Remote Denial of Service Vulnerability (CVE-2014-0231)
Vulnerability description: Apache HTTP Server is an open-source web server from the Apache Software Foundation. It runs on most operating systems and, thanks to its portability and security, is widely used and one of the most popular web server products. It is fast, reliable, and extensible through a simple API that allows interpreters such as Perl/Python to be compiled into the server.
The mod_cgid module in Apache HTTP Server 2.4.9-2.4.6 and 2.4.4-2.4.1 has no timeout mechanism, which allows remote attackers to cause a denial of service (process hang) by requesting a CGI script that does not read from the standard input file descriptor.
Solution: Apache Group
------------
The vendor has already released an upgrade patch to fix this security issue; please download it from the vendor's homepage:
http://httpd.apache.org/security/vulnerabilities_24.html
I went to that page, and what I saw was:
Clicking through leads to the links below, but I do not know how to download and install the patch package. This is my first time doing this; any help from the experts would be appreciated.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE
URL:http://www.securityfocus.com/archive/1/archive/1/535181/100/0/threaded
FULLDISC:20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE
URL:http://seclists.org/fulldisclosure/2015/Apr/5
MISC:http://packetstormsecurity.com/files/130769/RSA-Digital-Certificate-Solution-XSS-Denial-Of-Service.html
MISC:http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html
CONFIRM:http://httpd.apache.org/security/vulnerabilities_24.html
CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgid.c
CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgid.c?r1=1482522&r2=1535125&diff_format=h
CONFIRM:http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/generators/mod_cgid.c?r1=1565711&r2=1610509&diff_format=h
CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1120596
CONFIRM:http://advisories.mageia.org/MGASA-2014-0304.html
CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
CONFIRM:http://advisories.mageia.org/MGASA-2014-0305.html
CONFIRM:https://support.apple.com/HT204659
APPLE:APPLE-SA-2015-04-08-2
URL:http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
DEBIAN:DSA-2989
URL:http://www.debian.org/security/2014/dsa-2989
MANDRIVA:MDVSA-2014:142
URL:http://www.mandriva.com/security/advisories?name=MDVSA-2014:142
REDHAT:RHSA-2014:1019
URL:http://rhn.redhat.com/errata/RHSA-2014-1019.html
REDHAT:RHSA-2014:1020
URL:http://rhn.redhat.com/errata/RHSA-2014-1020.html
REDHAT:RHSA-2014:1021
URL:http://rhn.redhat.com/errata/RHSA-2014-1021.html
BID:68742
URL:http://www.securityfocus.com/bid/68742
SECUNIA:60536
URL:http://secunia.com/advisories/60536
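Before chasing a download, it helps to know whether the host is actually in the range the report describes. The script below is an added example written for this thread; it is not from the original post, from the security firm's report, or from the Apache project. It assumes the affected 2.4.x range quoted above (2.4.1 through 2.4.9), that the server binary is `httpd` (or `apache2ctl` on Debian-derived systems, which accepts the same `-v`/`-M` switches), and it ships with constructed sample output of `httpd -v` and `httpd -M` so it runs offline.

```sh
#!/bin/sh
# Added example for this thread; not code from the original post or from
# the Apache project. Answers "is this host inside the affected range?"
# for CVE-2014-0231 using only `httpd -v` and `httpd -M` output.
# Assumption: affected 2.4.x range is 2.4.1 through 2.4.9, as quoted in
# the report above (the 2.2.x branch is not handled here).

# Pull "2.4.6" out of a banner such as "Server version: Apache/2.4.6 (CentOS)".
httpd_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' |
        head -n 1
}

# Exit status 0 when the version string lies inside 2.4.1..2.4.9.
# Suffixes such as "2.4.9-dev" are tolerated; a missing patch level counts as 0.
cve_2014_0231_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}
    [ -n "$patch" ] && [ "$major" = 2 ] && [ "$minor" = 4 ] &&
        [ "$patch" -ge 1 ] && [ "$patch" -le 9 ]
}

# Exit status 0 when an `httpd -M` listing shows mod_cgid loaded. The hang
# described in the advisory lives in that module, so the version number
# alone says little if the module is not loaded at all.
mod_cgid_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*cgid_module[[:space:]]'
}

# Combine both checks. Prints exactly one of:
#   unknown-version        banner could not be parsed
#   mod_cgid-not-loaded    the vulnerable module is switched off
#   version-in-range       2.4.1..2.4.9 with mod_cgid on: upgrade, or confirm
#                          that the distribution backported the fix
#   version-outside-range  2.4.10 or later, or another branch
triage() {
    ver=$(httpd_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "unknown-version"
    elif ! mod_cgid_loaded "$2"; then
        echo "mod_cgid-not-loaded"
    elif cve_2014_0231_affected "$ver"; then
        echo "version-in-range"
    else
        echo "version-outside-range"
    fi
}

# Constructed sample output (not captured from a real host), shaped like a
# stock EL7 httpd 2.4.6 with mod_cgid enabled.
SAMPLE_V='Server version: Apache/2.4.6 (CentOS)
Server built:   Jan  1 2015 00:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 cgid_module (shared)
 dir_module (shared)'

echo "sample: $(triage "$SAMPLE_V" "$SAMPLE_M")"   # version-in-range

# Run against the local server when one is installed.
HTTPD_BIN=$(command -v httpd || command -v apache2ctl || true)
if [ -n "$HTTPD_BIN" ]; then
    echo "live:   $(triage "$("$HTTPD_BIN" -v 2>/dev/null)" "$("$HTTPD_BIN" -M 2>/dev/null)")"
fi
```

On the actual question: there is no separate "patch package" to download from vulnerabilities_24.html. The fix shipped as httpd 2.4.10, which also introduced the CGIDScriptTimeout directive that mod_cgid previously lacked. If httpd came from the distribution, install the distribution's updated package; the DSA-2989 and RHSA-2014:1019/1020/1021 entries in the list above are exactly those updates. Distribution backports keep the old version string, which is why a host can print 2.4.6 and still be fixed; the script therefore says "version-in-range" rather than "vulnerable", and on RPM-based systems `rpm -q --changelog httpd | grep CVE-2014-0231` settles it (on Debian, look in /usr/share/doc/apache2/changelog.Debian.gz). If httpd was compiled from source, download the 2.4.10 or later tarball from httpd.apache.org and rebuild. As an interim measure, not loading mod_cgid when nothing uses CGI removes the vulnerable code path entirely. Note that the 2.2.x branch up to 2.2.27 was also affected, which this 2.4-only check does not cover.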