Upgrading our Apache Server


Upgrading our Apache Server

Stephens, Drew
Due to a CPI Scan, we are being instructed to update our Apache software.  We are worried about how this will affect our OFBiz environment; what "gotcha's" should we look out for?  I am attaching the scan report which explains the exposures the upgrade would address.
 
Any help will be appreciated.  Thanks in advance.
 

Drew Stephens
Rippe & Kingston Systems, Inc. 
[hidden email]
Phone: (513) 977-4573

Visit us at: www.rippe.com

1077 Celestial Street, Cincinnati, Ohio 45202-1696

===============================================================================

 

Re: Upgrading our Apache Server

Walter Vaughan
Stephens, Drew wrote:

> Due to a CPI Scan, we are being instructed to update our Apache
> software.  We are worried about how this will affect our OFBiz
> environment; what "gotcha's" should we look out for?  I am attaching
> the scan report which explains the exposures the upgrade would address.
>  
> Any help will be appreciated.  Thanks in advance.

First, what is a CPI scan?
Second, what OS are you running ofBiz on?
Third, what version of Apache http are you on now, and what version does this
mythical CPI recommend, or does it just say upgrade?
Fourth, are you sure you are running ofBiz inside Apache http?

--
Walter

RE: Upgrading our Apache Server

Stephens, Drew
Sorry, I should have said PCI Scan (must have dyslexia between the seat
and the keyboard).  This stands for "Payment Card Industry"; the major
credit card companies (VISA, MC, etc.) got together and established some
security standards that their members must meet relative to credit card
security.  One of the standards is quarterly system scans where they
test the various ports of an ecommerce website.  See
http://www.pcicomplianceguide.org for more info.

The errors are below.  Our system was scanned last night and we received
5 errors, 2 severe.  All were related to our level of Apache.

1.  Apache mod_proxy DoS - Apache versions between 1.3.25 and 1.3.31 may
allow a remote attacker to crash the web server via manipulation of the
HTTP Content-Length header.
2.  Apache Buffer Overflow - Apache versions prior to 1.3.27 or 2.0.42 can
result in a denial of service, and possibly arbitrary code execution on
your server.
3.  Apache Rotate Logs DoS - Apache versions prior to 1.3.28 are vulnerable
to a remote denial of service attack; this is only known on Windows
servers.
4.  Apache mod_alias and mod_rewrite Buffer Overflow - If the user has
access to the Apache configuration, it's possible to take advantage of
the buffer overflow vulnerability in mod_alias and mod_rewrite.
5.  Apache Socket Starvation DoS - Apache versions prior to 1.3.31 and
2.0.49 are vulnerable to a denial of service attack.

Our application is running on Windows Server 2003

Now for your questions.

I think our IBM HTTP server is 1.3.26, and the error message says that
any version of Apache between 1.3.25 and 1.3.31 is vulnerable to the
potential exposures (tried to attach the report but it's an image file).


As for the version of OFBiz, I can never remember where to find this.
When I look at the General Properties file, it references 1.7.  We
installed OFBiz in 2003 and due to our modifications, haven't upgraded
it.  If you can guide me where to find the release level I could provide
it.



Drew Stephens
Rippe & Kingston Systems, Inc.
[hidden email]
Phone: (513) 977-4573

Visit us at: www.rippe.com

1077 Celestial Street, Cincinnati, Ohio 45202-1696

========================================================================
=======
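The five findings above are all version-range statements, so they can be checked mechanically instead of eyeballed. The following is an added example, not code from the thread and not the scanner's own logic: it parses an Apache httpd version string with numeric (not string) comparison, reports which of the listed findings apply to a given version and OS, puts finding 4 (no version range in the scan, only "access to the Apache configuration") into a manual-review bucket, and walks patch levels upward to find the first release on the same branch that clears every range-based finding. The version ranges are exactly the ones quoted in the findings; the finding titles and the OS handling are my own wording.

```python
"""Check an Apache httpd version against the five PCI scan findings quoted
in the thread. Added example; the version ranges are the ones the scan
report listed, the rest (titles, OS check, search for a clean version) is
this example's own logic, not the scanner's."""
from typing import Callable, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """'1.3.26' -> (1, 3, 26). Integer tuples compare numerically, so
    1.3.9 < 1.3.27; a plain string comparison would get that backwards."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Apache version string: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def _branch(v: Version) -> Tuple[int, int]:
    return v[:2]


class Finding(NamedTuple):
    number: int
    title: str
    # Predicate over (version, lower-cased OS name). None means the scan
    # quoted no version range, so the finding needs a manual check.
    affected: Optional[Callable[[Version, str], bool]]


FINDINGS: List[Finding] = [
    Finding(1, "mod_proxy DoS via Content-Length header",
            lambda v, osn: _branch(v) == (1, 3) and (1, 3, 25) <= v <= (1, 3, 31)),
    Finding(2, "Buffer overflow, possible arbitrary code execution",
            lambda v, osn: (_branch(v) == (1, 3) and v < (1, 3, 27))
            or (_branch(v) == (2, 0) and v < (2, 0, 42))),
    Finding(3, "rotatelogs remote DoS (Windows only)",
            lambda v, osn: osn.startswith("windows")
            and _branch(v) == (1, 3) and v < (1, 3, 28)),
    Finding(4, "mod_alias / mod_rewrite buffer overflow (needs config access)",
            None),
    Finding(5, "Socket starvation DoS",
            lambda v, osn: (_branch(v) == (1, 3) and v < (1, 3, 31))
            or (_branch(v) == (2, 0) and v < (2, 0, 49))),
]


def assess(version: str, os_name: str) -> dict:
    """Bucket the finding numbers into applies / clear / manual_review."""
    v = parse_version(version)
    osn = os_name.strip().lower()
    result = {"applies": [], "clear": [], "manual_review": []}
    for f in FINDINGS:
        if f.affected is None:
            result["manual_review"].append(f.number)
        elif f.affected(v, osn):
            result["applies"].append(f.number)
        else:
            result["clear"].append(f.number)
    return result


def minimum_clean_version(version: str, os_name: str = "windows") -> str:
    """First patch level on the same branch at which no range-based finding
    applies (derived purely from the quoted ranges, e.g. 1.3.26 -> 1.3.32)."""
    major, minor, patch = parse_version(version)
    for p in range(patch, patch + 200):
        candidate = f"{major}.{minor}.{p}"
        if not assess(candidate, os_name)["applies"]:
            return candidate
    raise ValueError(f"no clean patch level found near {version}")


if __name__ == "__main__":
    # Drew's stated setup: IBM HTTP Server 1.3.26 on Windows Server 2003.
    print(assess("1.3.26", "Windows Server 2003"))
    print("upgrade at least to", minimum_clean_version("1.3.26"))
```

For the 1.3.26-on-Windows case the script reports findings 1, 2, 3 and 5 as applying and 4 as needing manual review, which matches the "5 errors" count in the scan; the same version on a non-Windows host drops finding 3.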




Re: Upgrading our Apache Server

David Shere
You can find the version by going to your root ofbiz directory and
typing "svn info".

admin@raptor:/ofbiz$ svn info
Path: .
URL: http://svn.apache.org/repos/asf/ofbiz/trunk
Repository Root: http://svn.apache.org/repos/asf
Repository UUID: 13f79535-47bb-0310-9956-ffa450edef68
Revision: 515279
Node Kind: directory
Schedule: normal
Last Changed Author: jonesde
Last Changed Rev: 515235
Last Changed Date: 2007-03-06 13:10:41 -0500 (Tue, 06 Mar 2007)
Properties Last Updated: 2007-02-13 14:05:46 -0500 (Tue, 13 Feb 2007)


Stephens, Drew wrote:
> As for the version of OFBiz, I can never remember where to find this.


RE: Re: Upgrading our Apache Server

Stephens, Drew
The command you gave didn't work.

Drew Stephens
Rippe & Kingston Systems, Inc.
[hidden email]
Phone: (513) 977-4573

Visit us at: www.rippe.com

1077 Celestial Street, Cincinnati, Ohio 45202-1696

========================================================================
=======





RE: Re: Upgrading our Apache Server

cjhowe
What error did you receive?

--- "Stephens, Drew" <[hidden email]> wrote:

> The command you gave didn't work.


Re: Re: Upgrading our Apache Server

Jacques Le Roux
Administrator
Chris,

I suppose they do not use svn. Then I'm not sure how to retrieve version
... Any ideas ?

Jacques


> What error did you receive?
>
> --- "Stephens, Drew" <[hidden email]> wrote:
>
> > The command you gave didn't work.


Re: Re: Upgrading our Apache Server

cjhowe
It can be researched by the modified date property of a build file or
the latest date of anything he hasn't modified...and then cross
referenced to either an open taps build or svn point.
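Chris's suggestion of dating a checkout by the newest file the site owner has not touched, as an added example that is not from the thread: it walks the tree, skips any path you know you modified yourself plus `.svn`/`.git` metadata directories, takes the newest remaining modification time, and cross-references it against a caller-supplied table of (label, date) pairs. `SAMPLE_RELEASES` and the files created by `build_sample_tree` are constructed placeholders for the test run, not real OFBiz release or build dates; you would substitute the dates of the builds or svn revisions you actually want to match against.

```python
"""Estimate when an OFBiz tree was taken from the repository when 'svn info'
is not available, using the newest file the site owner has not modified.
Added example, not from the thread; SAMPLE_RELEASES and build_sample_tree
are constructed placeholders, not real OFBiz data."""
import os
import tempfile
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple

SKIP_DIRS = {".svn", ".git"}  # version-control metadata, not source


def newest_untouched_file(root: str,
                          locally_modified: Iterable[str] = ()
                          ) -> Optional[Tuple[str, datetime]]:
    """(relative path, UTC mtime) of the most recently modified file under
    root, ignoring anything at or below the paths in locally_modified."""
    skip = tuple(p.replace("\\", "/").strip("/") for p in locally_modified)
    newest: Optional[Tuple[str, float]] = None
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace("\\", "/")
            if any(rel == s or rel.startswith(s + "/") for s in skip):
                continue  # our own customisation, says nothing about the base
            mtime = os.path.getmtime(full)
            if newest is None or mtime > newest[1]:
                newest = (rel, mtime)
    if newest is None:
        return None
    return newest[0], datetime.fromtimestamp(newest[1], tz=timezone.utc)


def latest_release_on_or_before(when: datetime,
                                releases: Iterable[Tuple[str, datetime]]
                                ) -> Optional[str]:
    """Newest (label, date) entry whose date does not exceed 'when'."""
    best: Optional[Tuple[str, datetime]] = None
    for label, date in releases:
        if date <= when and (best is None or date > best[1]):
            best = (label, date)
    return best[0] if best else None


def utc_date(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed placeholder table; replace with real build/svn dates.
SAMPLE_RELEASES: List[Tuple[str, datetime]] = [
    ("snapshot-A", utc_date(2003, 4, 1)),
    ("snapshot-B", utc_date(2003, 6, 1)),
    ("snapshot-C", utc_date(2003, 9, 1)),
]


def build_sample_tree(root: str) -> None:
    """Constructed sample tree with fixed mtimes; the hot-deploy file stands
    in for a customisation made after installation."""
    samples = {
        "build.xml": utc_date(2003, 6, 15),
        "applications/ecommerce/webapp/index.jsp": utc_date(2003, 5, 2),
        "hot-deploy/custom/local.xml": utc_date(2007, 3, 6),
    }
    for rel, ts in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.utime(full, (ts.timestamp(), ts.timestamp()))


def demo() -> Tuple[str, str, Optional[str]]:
    """Build the sample tree in a temp dir, date it, and cross-reference."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        found = newest_untouched_file(root, locally_modified=["hot-deploy/custom"])
        assert found is not None
        rel, when = found
        label = latest_release_on_or_before(when, SAMPLE_RELEASES)
        return rel, when.date().isoformat(), label


if __name__ == "__main__":
    print(demo())
```

Note the caveat built into the exclusion list: without it the 2007 customisation would be reported as the newest file and the estimate would be off by years, which is exactly why Chris says to use "anything he hasn't modified".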


RE: Re: Upgrading our Apache Server

Stephens, Drew
The error is "'SVN' is not a recognize internal or external command".

I tried this command from both the server running the real website as
well as my local development environment, neither worked.

Drew Stephens
Rippe & Kingston Systems, Inc.
[hidden email]
Phone: (513) 977-4573

Visit us at: www.rippe.com

1077 Celestial Street, Cincinnati, Ohio 45202-1696

========================================================================
=======


