lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 20 May 2004 06:51:49 -0000
From: Mandrake Linux Security Team <security@...ux-mandrake.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2004:046-1 - apache-mod_perl packages are now available


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           apache-mod_perl
 Advisory ID:            MDKSA-2004:046-1
 Date:                   May 20th, 2004
 Original Advisory Date: May 17th, 2004
 Affected versions:	 10.0, 9.1, 9.2, Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 Four security vulnerabilities were fixed with the 1.3.31 release of
 Apache.  All of these issues have been backported and applied to the
 provided packages.  Thanks to Ralf Engelschall of OpenPKG for providing
 the patches.
 
 Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences
 from its error logs.  This could make it easier for attackers to insert
 those sequences into the terminal emulators of administrators viewing
 the error logs that contain vulnerabilities related to escape sequence
 handling (CAN-2003-0020).
 
 mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the
 nonce of a client response by using an AuthNonce secret.  Apache now
 verifies the nonce returned in the client response to check whether it
 was issued by itself by means of a "AuthDigestRealmSeed" secret exposed
 as an MD5 checksum (CAN-2003-0987).
 
 mod_acces in Apache 1.3 prior to 1.3.30, when running on big-endian
 64-bit platforms, did not properly parse Allow/Deny rules using IP
 addresses without a netmask.  This could allow a remote attacker to
 bypass intended access restrictions (CAN-2003-0993).
 
 Apache 1.3 prior to 1.3.30, when using multiple listening sockets on
 certain platforms, allows a remote attacker to cause a DoS by blocking
 new connections via a short-lived connection on a rarely-accessed
 listening socket (CAN-2004-0174).  While this particular vulnerability
 does not affect Linux, we felt it prudent to include the fix.
  
Update:

 Due to the changes in mod_digest.so, mod_perl needed to be rebuilt
 against the patched Apache packages in order for httpd-perl to
 properly load the module.  The appropriate mod_perl packages have
 been rebuilt and are now available.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 63acd52155d098a1f7f366f9022e22d2  10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.i586.rpm
 965ea6d33ad296e8ebf2e3ff493510a7  10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.i586.rpm
 d9677587622c98969032258d28fab962  10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.i586.rpm
 5fc0a04b29dc963a8198ba43231b5062  10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.i586.rpm
 705caa117fd889d8f47b8672a63f7b0a  10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 8684baaf82445ae2aa10c688241f7d22  amd64/10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.amd64.rpm
 d8ed6249524aa168bd2de1175b60ab0e  amd64/10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.amd64.rpm
 7cd33d82e9143c229f6f7545c73a89ce  amd64/10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.amd64.rpm
 33c10b3b423dc9496c785437f1f46e13  amd64/10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.amd64.rpm
 705caa117fd889d8f47b8672a63f7b0a  amd64/10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm

 Corporate Server 2.1:
 eccb615f3e80136147a846a7827ee086  corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.i586.rpm
 417f2e3022591b2c32fb3da2eea493f6  corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.i586.rpm
 06f9ba2f38c157eea76f16d54da3520e  corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.i586.rpm
 5f27ce00d7d11bd201873840f5ee1337  corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.i586.rpm
 2d5741904c5a87b53eaef9351dfbe16d  corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 ccfaf2869f3b93b58bb82985522d6a6a  x86_64/corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.x86_64.rpm
 ec45dfb7d782e164c3eb200a417839db  x86_64/corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
 dede6137003aa366b8f57007f0769c50  x86_64/corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
 2cab584c8d30778cdeb54521b3fe9537  x86_64/corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
 2d5741904c5a87b53eaef9351dfbe16d  x86_64/corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm

 Mandrakelinux 9.1:
 3e12f0d068d6e7979edc6c70a9e57fc0  9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.i586.rpm
 7d893f2d67c0b0146cc9b7307ebb4d8a  9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.i586.rpm
 920082a37fb424a9df9e0f942393a0b2  9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.i586.rpm
 69172f9d1315939c6e4d05c3395ce212  9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.i586.rpm
 043f2c9c57767318b7dd3c33fa90899f  9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm

 Mandrakelinux 9.1/PPC:
 1c9a84b031aab153bc8dea7610b0eedc  ppc/9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.ppc.rpm
 ca8aa7f53e5b6dd6ba852b3e12fe9ea8  ppc/9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.ppc.rpm
 844ca50fb72aad0225e99c9268577f2a  ppc/9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.ppc.rpm
 eaa68e38912c3be140f6379d59296c08  ppc/9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.ppc.rpm
 043f2c9c57767318b7dd3c33fa90899f  ppc/9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm

 Mandrakelinux 9.2:
 1d88e2ef611d80ba3f0c9602e81f77d9  9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.i586.rpm
 7ccb9d87d744755f57536684fef6d820  9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.i586.rpm
 c7167fb4d1e1416e7f8ffef7979a3906  9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.i586.rpm
 2b2004d1e4514d720a80f7ecec22b1d2  9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.i586.rpm
 4bf5804d6155bf7d06705e5c4e46cf3e  9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 fe4885d9af3da5107101fbfac0a7f25f  amd64/9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.amd64.rpm
 b15da8abc8d7914528b90c612b6a558b  amd64/9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.amd64.rpm
 cd878dc7e721615e9b0ffdb8a8849f93  amd64/9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.amd64.rpm
 75109c17f579d2d108a4258ef1e12ba4  amd64/9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.amd64.rpm
 4bf5804d6155bf7d06705e5c4e46cf3e  amd64/9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFArFWFmqjQ0CJFipgRAsS6AKDSG3UNuC76NTZBpDnKVUwP0kI6xwCgqIfp
AxrWu1bC+83ssGHLt2UknFc=
=kQPR
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists