Message-ID: <20040915184809.2107.qmail@updates.mandrakesoft.com>
Date: 15 Sep 2004 18:48:09 -0000
From: Mandrake Linux Security Team <security@...ux-mandrake.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2004:096 - Updated apache2 packages fix multiple vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           apache2
 Advisory ID:            MDKSA-2004:096
 Date:                   September 15th, 2004

 Affected versions:      10.0, 9.2
 ______________________________________________________________________

 Problem Description:

 Two Denial of Service conditions were discovered in the input filter
 of mod_ssl, the module that enables Apache to handle HTTPS requests.
 
 Another vulnerability was discovered by the ASF security team using
 the Codenomicon HTTP Test Tool.  This vulnerability, in the apr-util
 library, can possibly lead to arbitrary code execution if certain
 non-default conditions are met (enabling the AP_ENABLE_EXCEPTION_HOOK
 define).
 
 As well, the SITIC have discovered a buffer overflow when Apache
 expands environment variables in configuration files such as .htaccess
 and httpd.conf, which can lead to possible privilege escalation.  This
 can only be done, however, if an attacker is able to place malicious
 configuration files on the server.
 
 Finally, a crash condition was discovered in the mod_dav module by
 Julian Reschke, where sending a LOCK refresh request to an indirectly
 locked resource could crash the server.
 
 The updated packages have been patched to protect against these
 vulnerabilities.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786
  http://www.uniras.gov.uk/vuls/2004/403518/index.htm
 ______________________________________________________________________

 Updated Packages:
  
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBSI5pmqjQ0CJFipgRAlxGAKCpPrt7/HB5YroIdx5J84y6E5opeQCg49dn
NHBQlfivIH+fWpgnCv9/jVY=
=ui8Y
-----END PGP SIGNATURE-----

