Overview
Urchin 4 ships with an embedded Apache webserver that provides access to the web-based Urchin administration and reporting functions. As reported in the following ISS security advisory:
Apache versions up through 1.3.28 are vulnerable to a buffer overflow in the mod_alias and mod_rewrite modules. Urchin 4.101 through 4.106 ship with Apache 1.3.27.Impact on Urchin Customers
After careful examination of the fix and the threat, Urchin Software Corporation's position on this issue is that:
- When used in a standard configuration, the Apache shipped with Urchin 4 is not vulnerable because neither mod_alias or mod_rewrite are configured or used. In order for an Urchin installation to be vulnerable, explicit unsupported changes to the webserver configuration would need to be made.
- Urchin Software Corporation has made updated urchinwebd binaries available on our web site at ftp://ftp.urchin.com/pub/support for those customers who wish to upgrade the binaries in their Urchin 4 distributions. These urchinwebd binaries are based on Apache 1.3.29, which is not vulnerable to the buffer overflows.
See Also