Message-ID: <20040726152037.GA22326@tsunami.trustix.net>
Date: Mon, 26 Jul 2004 17:20:37 +0200
From: Trustix Security Advisor <tsl@...stix.org>
To: bugtraq@...urityfocus.com
Subject: TSL-2004-0039 - multi

--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0039

Package name:      apache, mod_php4, samba
Summary:           Several security vulnerabilities patched
Date:              2004-01-05
Affected versions: Trustix Secure Linux 1.5
                   Trustix Secure Linux 2.0
                   Trustix Secure Linux 2.1
                   Trustix Operating System - Enterprise Server 2

--------------------------------------------------------------------------
Package description:
  apache:
  Apache is a full featured web server that is freely available, and also
  happens to be the most widely used.

  mod_php4:
  PHP is an HTML-embedded scripting language.  PHP attempts to make it
  easy for developers to write dynamically generated web pages.  PHP
  also offers built-in database integration for several commercial
  and non-commercial database management systems, so writing a
  database-enabled web page with PHP is fairly simple.  The most
  common use of PHP coding is probably as a replacement for CGI
  scripts.  The mod_php module enables the Apache web server to
  understand and process the embedded PHP language in web pages.

  samba:
  Samba provides an SMB server which can be used to provide network
  services to SMB (sometimes called "Lan Manager") clients, including
  various versions of MS Windows, OS/2, and other Linux machines. Samba
  uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI
  (Microsoft Raw NetBIOS frame) protocol.

Problem description:
  apache:
  Recent Apache 2.0 releases place no limit on the amount of folding of
  input headers, or on the total length of a header after folding. Given an
  input stream of headers that fold endlessly, the server will allocate as
  much memory as the system will allow, leading to a Denial of Service.

  This issue was already fixed by a patch in our most recent apache 2.0.49
  package.  However, we have chosen to upgrade to 2.0.50 to avoid confusion.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0493 to this issue.
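  As an added illustration of the class of bug described above (this is not
  Trustix or Apache code), a minimal header reader that supports RFC 2616
  line folding but caps the number of continuation lines and the total length
  of a field after folding, so an unbounded fold stream is rejected instead of
  accumulated; the limit values and sample inputs are assumptions.

```python
from typing import Dict, List

MAX_FOLDS_PER_HEADER = 100     # assumed cap on continuation lines per field
MAX_FOLDED_HEADER_LEN = 8192   # assumed cap on a field's length after folding
MAX_HEADERS = 100              # assumed cap on the number of fields

class HeaderLimitExceeded(Exception):
    """A folding or size limit was hit; a server would answer 400 and close."""

def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse a CRLF-terminated header block, joining folded lines with one SP."""
    names: List[bytes] = []
    values: List[bytes] = []
    folds = 0
    for line in raw.split(b"\r\n"):
        if line == b"":
            break                              # blank line ends the block
        if line[:1] in (b" ", b"\t"):          # RFC 2616 LWS continuation line
            if not names:
                raise ValueError("continuation line before any header field")
            folds += 1
            if folds > MAX_FOLDS_PER_HEADER:
                raise HeaderLimitExceeded("too many folded lines in one field")
            merged = values[-1] + b" " + line.strip()
            if len(merged) > MAX_FOLDED_HEADER_LEN:
                raise HeaderLimitExceeded("field too long after folding")
            values[-1] = merged                # bounded above, cannot grow unchecked
            continue
        folds = 0
        if len(names) >= MAX_HEADERS:
            raise HeaderLimitExceeded("too many header fields")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        names.append(name.strip().lower())
        values.append(value.strip())
    return {n.decode("latin-1"): v.decode("latin-1") for n, v in zip(names, values)}

def header_block_ok(raw: bytes) -> bool:
    """True if the block parses within the limits, False if a limit was exceeded."""
    try:
        parse_headers(raw)
    except HeaderLimitExceeded:
        return False
    return True

# Constructed samples: one legitimately folded field, one unbounded fold stream.
FOLDED_OK = b"Host: example.test\r\nX-Note: part one\r\n part two\r\n\r\n"
FOLD_FLOOD = b"X-Note: a\r\n" + b" a\r\n" * 500 + b"\r\n"
```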

  mod_php4:
  The PHP project recommends that older versions of PHP be updated to 4.3.8,
  as it fixes several issues.  Among these is CAN-2004-0594, also known as
  the "memory_limit" bug.

  samba:
  Two security issues were discovered in samba.
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the names CAN-2004-0600 and CAN-2004-0686 to these issues.


Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Public testing:
  Most updates for Trustix Secure Linux are made available for public
  testing some time before release.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailing list.
  The testing tree is located at
  <URI:http://tsldev.trustix.org/horizon/>

  You may also use swup for public testing of updates:
  
  site {
      class = 0
      location = "http://tsldev.trustix.org/horizon/rdfs/latest.rdf"
      regexp = ".*"
  }
  

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-1.5/>,
  <URI:http://www.trustix.org/errata/trustix-2.0/> and
  <URI:http://www.trustix.org/errata/trustix-2.1/>
  or directly at
  <URI:http://www.trustix.org/errata/2004/xxxx>


MD5sums of the packages:
--------------------------------------------------------------------------
--------------------------------------------------------------------------


Trustix Security Team


