[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040915184809.2107.qmail@updates.mandrakesoft.com>
Date: 15 Sep 2004 18:48:09 -0000
From: Mandrake Linux Security Team <security@...ux-mandrake.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2004:096 - Updated apache2 packages fix multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: apache2
Advisory ID: MDKSA-2004:096
Date: September 15th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
Two Denial of Service conditions were discovered in the input filter
of mod_ssl, the module that enables apache to handle HTTPS requests.
Another vulnerability was discovered by the ASF security team using
the Codenomicon HTTP Test Tool. This vulnerability, in the apr-util
library, can possibly lead to arbitray code execution if certain
non-default conditions are met (enabling the AP_ENABLE_EXCEPTION_HOOK
define).
As well, the SITIC have discovered a buffer overflow when Apache
expands environment variables in configuration files such as .htaccess
and httpd.conf, which can lead to possible privilege escalation. This
can only be done, however, if an attacker is able to place malicious
configuration files on the server.
Finally, a crash condition was discovered in the mod_dav module by
Julian Reschke, where sending a LOCK refresh request to an indirectly
locked resource could crash the server.
The updated packages have been patched to protect against these
vulnerabilities.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786
http://www.uniras.gov.uk/vuls/2004/403518/index.htm
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
577abf316e5d985744e3a55c00ba1ed3 10.0/RPMS/apache2-2.0.48-6.6.100mdk.i586.rpm
0f57531ce5bfd8034f1d485d55a8dc36 10.0/RPMS/apache2-common-2.0.48-6.6.100mdk.i586.rpm
8931749f97b852f34500348a4d1f3ae0 10.0/RPMS/apache2-devel-2.0.48-6.6.100mdk.i586.rpm
abd6661337d00c261462d9dc4a7e7a27 10.0/RPMS/apache2-manual-2.0.48-6.6.100mdk.i586.rpm
d4ece1caa7d12cdcad37fc179a3a507a 10.0/RPMS/apache2-mod_cache-2.0.48-6.6.100mdk.i586.rpm
b33b960cc734861a8b12f157c2754d37 10.0/RPMS/apache2-mod_dav-2.0.48-6.6.100mdk.i586.rpm
c49321208ca8c4e3f867acf481b56aea 10.0/RPMS/apache2-mod_deflate-2.0.48-6.6.100mdk.i586.rpm
f03a0281374080c36351c6994ca83fef 10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.6.100mdk.i586.rpm
e6d2e946c1a4006d7da12e0d4970efdf 10.0/RPMS/apache2-mod_file_cache-2.0.48-6.6.100mdk.i586.rpm
4b121a7f3ac76c4d6d47b3b2dd303afc 10.0/RPMS/apache2-mod_ldap-2.0.48-6.6.100mdk.i586.rpm
fabdc95624a9d4863ce6a0773ba41769 10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.6.100mdk.i586.rpm
386f4203719e4dbed7ec22c2b2416a6f 10.0/RPMS/apache2-mod_proxy-2.0.48-6.6.100mdk.i586.rpm
39fb6ee3fb9a25fe9fef386b10908300 10.0/RPMS/apache2-mod_ssl-2.0.48-6.6.100mdk.i586.rpm
8769f679dd2ff3fbc61a8d53bf7e1e95 10.0/RPMS/apache2-modules-2.0.48-6.6.100mdk.i586.rpm
22cdca5e2d82338cd0cf9fb2494f93e5 10.0/RPMS/apache2-source-2.0.48-6.6.100mdk.i586.rpm
6110769acb534f25eb2eca0240dc59c0 10.0/RPMS/libapr0-2.0.48-6.6.100mdk.i586.rpm
a95799fa3e80c91b9c213e6938894004 10.0/SRPMS/apache2-2.0.48-6.6.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
6147e89235b66d584b49aa29b1bdd48f amd64/10.0/RPMS/apache2-2.0.48-6.6.100mdk.amd64.rpm
43227a23672e9e794ab9c2fdbfdc29af amd64/10.0/RPMS/apache2-common-2.0.48-6.6.100mdk.amd64.rpm
0f4a26910cb8d3cef4f0c6990e2dd89a amd64/10.0/RPMS/apache2-devel-2.0.48-6.6.100mdk.amd64.rpm
939b4a808c3d4d4aeec7353873fe70d2 amd64/10.0/RPMS/apache2-manual-2.0.48-6.6.100mdk.amd64.rpm
636cb8f74e0fd9955924de1b8c9bcd33 amd64/10.0/RPMS/apache2-mod_cache-2.0.48-6.6.100mdk.amd64.rpm
84440eadc0ca8e45caf80cc1c5a110ec amd64/10.0/RPMS/apache2-mod_dav-2.0.48-6.6.100mdk.amd64.rpm
bb8fc55c43ed023f41b2c9134b22112b amd64/10.0/RPMS/apache2-mod_deflate-2.0.48-6.6.100mdk.amd64.rpm
059c1ded4088a77ca1379b37bf488d8a amd64/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.6.100mdk.amd64.rpm
21e5578866e52cafb66a8810b80bb8ee amd64/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.6.100mdk.amd64.rpm
b772fc49e45ba69cf54befd0c43b0478 amd64/10.0/RPMS/apache2-mod_ldap-2.0.48-6.6.100mdk.amd64.rpm
8ab329afc0a8114022c2989f0da114e5 amd64/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.6.100mdk.amd64.rpm
3dd9a74509e65083895a38a40b5737e8 amd64/10.0/RPMS/apache2-mod_proxy-2.0.48-6.6.100mdk.amd64.rpm
dd8c9c7a029a409f1a9c0498e9bdb0d4 amd64/10.0/RPMS/apache2-mod_ssl-2.0.48-6.6.100mdk.amd64.rpm
9823808a0fd99a4285a742bc843f2a7f amd64/10.0/RPMS/apache2-modules-2.0.48-6.6.100mdk.amd64.rpm
6a801d9aa2cd2b4b2702541a29b21adc amd64/10.0/RPMS/apache2-source-2.0.48-6.6.100mdk.amd64.rpm
c5b670cc38bfe405e581a4d82bfbc49d amd64/10.0/RPMS/lib64apr0-2.0.48-6.6.100mdk.amd64.rpm
a95799fa3e80c91b9c213e6938894004 amd64/10.0/SRPMS/apache2-2.0.48-6.6.100mdk.src.rpm
Mandrakelinux 9.2:
a5022c41292c79824da685f40a84088f 9.2/RPMS/apache2-2.0.47-6.9.92mdk.i586.rpm
f7bb47cfbaaed2b59cb75c1fd19334ba 9.2/RPMS/apache2-common-2.0.47-6.9.92mdk.i586.rpm
1f71d90ac568f5e8f6ab1dfaa98cf4c3 9.2/RPMS/apache2-devel-2.0.47-6.9.92mdk.i586.rpm
5494d0648be5a27178b810980cb7f3e8 9.2/RPMS/apache2-manual-2.0.47-6.9.92mdk.i586.rpm
42f46e37fe2242947dceda9e0455bdfc 9.2/RPMS/apache2-mod_cache-2.0.47-6.9.92mdk.i586.rpm
70b913fa54ddcfa696c1bd4251a79945 9.2/RPMS/apache2-mod_dav-2.0.47-6.9.92mdk.i586.rpm
5000116dac10fd53b04153b7380528a9 9.2/RPMS/apache2-mod_deflate-2.0.47-6.9.92mdk.i586.rpm
102a388f55bc59ad824e94913893bb97 9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.9.92mdk.i586.rpm
4e80f75066f180226812ab89256ed651 9.2/RPMS/apache2-mod_file_cache-2.0.47-6.9.92mdk.i586.rpm
67c4d53ee756149485ee98fb4a0a3f98 9.2/RPMS/apache2-mod_ldap-2.0.47-6.9.92mdk.i586.rpm
5d33dc3247dee2d598534564245534e7 9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.9.92mdk.i586.rpm
82d6c628240e4529555f5234f61ae465 9.2/RPMS/apache2-mod_proxy-2.0.47-6.9.92mdk.i586.rpm
162af1842efde8e25cee655c9a6074d8 9.2/RPMS/apache2-mod_ssl-2.0.47-6.9.92mdk.i586.rpm
57cfc8ec7a4f0748df2512a8cab871c1 9.2/RPMS/apache2-modules-2.0.47-6.9.92mdk.i586.rpm
d2b611bd99ed5f0de8a211058ea5c9b3 9.2/RPMS/apache2-source-2.0.47-6.9.92mdk.i586.rpm
732529e90ba322a1af3e8cc52ed3b35d 9.2/RPMS/libapr0-2.0.47-6.9.92mdk.i586.rpm
0a407de570da4a4fa87f0ff01209e6cb 9.2/SRPMS/apache2-2.0.47-6.9.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
d38ea5529d580f08fd41e5d60e0e27f3 amd64/9.2/RPMS/apache2-2.0.47-6.9.92mdk.amd64.rpm
71b971bfa2ee3c9892c474b52d25d013 amd64/9.2/RPMS/apache2-common-2.0.47-6.9.92mdk.amd64.rpm
271807bfedd2e488fe8612c1eeac884c amd64/9.2/RPMS/apache2-devel-2.0.47-6.9.92mdk.amd64.rpm
956499b5a87b862eba2a6cad34acbe73 amd64/9.2/RPMS/apache2-manual-2.0.47-6.9.92mdk.amd64.rpm
385ba3c32e876db596afddc5e6115904 amd64/9.2/RPMS/apache2-mod_cache-2.0.47-6.9.92mdk.amd64.rpm
7ae05ee04cb1a28e028fd6bae59ba2e8 amd64/9.2/RPMS/apache2-mod_dav-2.0.47-6.9.92mdk.amd64.rpm
7c2a5dce49f994d8535344e284342a84 amd64/9.2/RPMS/apache2-mod_deflate-2.0.47-6.9.92mdk.amd64.rpm
43540961c80877d932bbb71a21be2e96 amd64/9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.9.92mdk.amd64.rpm
1a0333f97501803238053c8bf0d1a536 amd64/9.2/RPMS/apache2-mod_file_cache-2.0.47-6.9.92mdk.amd64.rpm
df9db8eda897070aa85b9c39552ec353 amd64/9.2/RPMS/apache2-mod_ldap-2.0.47-6.9.92mdk.amd64.rpm
bda589312c97917e3febd6315d403533 amd64/9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.9.92mdk.amd64.rpm
93c3f05ab21020651aa2f3ec8dee77eb amd64/9.2/RPMS/apache2-mod_proxy-2.0.47-6.9.92mdk.amd64.rpm
0184016e442847ca432a78ee488c14da amd64/9.2/RPMS/apache2-mod_ssl-2.0.47-6.9.92mdk.amd64.rpm
2e73a720242ea4010cc783afd8eb30d8 amd64/9.2/RPMS/apache2-modules-2.0.47-6.9.92mdk.amd64.rpm
e33488dc979fc75ff33e82b4749ac87e amd64/9.2/RPMS/apache2-source-2.0.47-6.9.92mdk.amd64.rpm
cc7bc30bd8cc09da849d981701a96f6c amd64/9.2/RPMS/lib64apr0-2.0.47-6.9.92mdk.amd64.rpm
0a407de570da4a4fa87f0ff01209e6cb amd64/9.2/SRPMS/apache2-2.0.47-6.9.92mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesoft.com/security/advisories
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFBSI5pmqjQ0CJFipgRAlxGAKCpPrt7/HB5YroIdx5J84y6E5opeQCg49dn
NHBQlfivIH+fWpgnCv9/jVY=
=ui8Y
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists