Mandrake Linux Advisories: gkrellm, apache2

Aug 29, 2003, 15:59

Mandrake Linux Security Update Advisory


Package name: gkrellm
Advisory ID: MDKSA-2003:087
Date: August 28th, 2003
Affected versions: 9.1

Problem Description:

A buffer overflow was discovered in gkrellmd, the server component of the gkrellm monitor package, in versions of gkrellm 2.1.x prior to 2.1.14. This buffer overflow occurs while reading data from connected gkrellm clients and can lead to possible arbitrary code execution as the user running the gkrellmd server.

Updated packages are available for Mandrake Linux 9.1 which correct the problem.


References:


Updated Packages:

Mandrake Linux 9.1:
c02f29d80835be10c7474f7ecd1437ef 9.1/RPMS/gkrellm-2.1.7a-2.2mdk.i586.rpm
293591b66fa463f69a554ac2efcb1940 9.1/RPMS/gkrellm-devel-2.1.7a-2.2mdk.i586.rpm
a7b3793b971fef4865ba83d93b055b82 9.1/RPMS/gkrellm-server-2.1.7a-2.2mdk.i586.rpm
a3d8c546650754a5d69569a88d35782b 9.1/SRPMS/gkrellm-2.1.7a-2.2mdk.src.rpm

Mandrake Linux 9.1/PPC:
411b6128256554b16c3beeb53bbae224 ppc/9.1/RPMS/gkrellm-2.1.7a-2.2mdk.ppc.rpm
257691a20effd147d53d1dd9d93a12dd ppc/9.1/RPMS/gkrellm-devel-2.1.7a-2.2mdk.ppc.rpm
073b0b1f3d5b1b91776b7769bee8550c ppc/9.1/RPMS/gkrellm-server-2.1.7a-2.2mdk.ppc.rpm
a3d8c546650754a5d69569a88d35782b ppc/9.1/SRPMS/gkrellm-2.1.7a-2.2mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):


To upgrade automatically, use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
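For packages fetched by hand from a mirror instead of through urpmi, the MD5 check can be repeated manually. The script below is an added example, not part of the advisory: it assumes the "Updated Packages" list has been saved to a text file and the RPMs downloaded into one directory. The function name verify_downloads and both arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): check every *.rpm in DIR against
# an advisory package list whose entries look like
#   <32-hex-digit md5> <path/to/package.rpm>
# Heading lines such as "Mandrake Linux 9.1:" in the list are ignored.
#
# Usage: verify_downloads MANIFEST DIR
# Returns 0 only if at least one package was checked and every package in
# DIR is listed in MANIFEST with a matching MD5.
verify_downloads() {
    manifest=$1
    dir=$2
    failed=0
    checked=0
    for file in "$dir"/*.rpm; do
        [ -f "$file" ] || continue
        name=${file##*/}
        # Look up the advisory MD5 by file name (last path component).
        want=$(awk -v n="$name" '
            $1 ~ /^[0-9a-f]+$/ && length($1) == 32 {
                k = split($2, parts, "/")
                if (parts[k] == n) { print $1; exit }
            }' "$manifest")
        checked=$((checked + 1))
        if [ -z "$want" ]; then
            # A package the advisory does not list must not be trusted.
            echo "UNLISTED $name"
            failed=1
            continue
        fi
        got=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (advisory $want, file $got)"
            failed=1
        fi
    done
    # An empty directory is a failure, not a silent pass.
    [ "$checked" -gt 0 ] || failed=1
    return "$failed"
}
```

An MD5 match only shows that the file is the one the advisory lists; the GPG signature still has to be checked (for example with `rpm --checksig`) to confirm the package was signed by MandrakeSoft.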

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team by executing:

gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com>

Mandrake Linux Security Update Advisory


Package name: apache2
Advisory ID: MDKSA-2003:075-1
Date: August 28th, 2003
Original Advisory Date: July 21st, 2003
Affected versions: 9.1

Problem Description:

Several vulnerabilities were discovered in Apache 2.x versions prior to 2.0.47. From the Apache 2.0.47 release notes:

Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the new one (CAN-2003-0192).

Certain errors returned by accept() on rarely accessed ports could cause temporary Denial of Service due to a bug in the prefork MPM (CAN-2003-0253).

Denial of Service was caused when target host is IPv6 but FTP proxy server can't create IPv6 socket (CAN-2003-0254).

The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests (VU#379828).

The Apache Software Foundation thanks Saheed Akhtar and Yoshioka Tsuneo for responsibly reporting these issues.

To upgrade these apache packages, first stop Apache by issuing, as root:

service httpd stop

After the upgrade, restart Apache with:

service httpd start

Update:

The previously released packages had a manpage conflict between apache2-common and apache-1.3 that prevented both packages from being installed at the same time. This update provides a fixed apache2-common package.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254
http://www.kb.cert.org/vuls/id/379828
http://marc.theaimsgroup.com/?l=bugtraq&m=105259038503175


Updated Packages:

Mandrake Linux 9.1:
3102c711e9c801009e54cb3b1ea89c11 9.1/RPMS/apache2-common-2.0.47-1.2mdk.i586.rpm
121bf6143709f1e6261bc041230e1b85 9.1/SRPMS/apache2-2.0.47-1.2mdk.src.rpm

Mandrake Linux 9.1/PPC:
dc55704a8c82e088d95958ef31b38925 ppc/9.1/RPMS/apache2-common-2.0.47-1.2mdk.ppc.rpm
121bf6143709f1e6261bc041230e1b85 ppc/9.1/SRPMS/apache2-2.0.47-1.2mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

