Mandrake Linux Advisories: proftpd, apache2

Mandrake Linux Security Update Advisory

Problem Description:

A vulnerability was discovered by X-Force Research at ISS in ProFTPD's handling of ASCII translation. An attacker, by downloading a carefully crafted file, can remotely exploit this bug to create a root shell.

The ProFTPD team encourages all users to upgrade to version 1.2.7 or higher. The problematic code first appeared in ProFTPD 1.2.7rc1, and the provided packages are all patched by the ProFTPD team to protect against this vulnerability.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0831 http://xforce.iss.net/xforce/alerts/id/154

Updated Packages:

Mandrake Linux 9.1:
b00bae0743aec3e1decccaf73a356b84 9.1/RPMS/proftpd-1.2.8-1.1.91mdk.i586.rpm
6a85248750d88db30b658ee51fdebcf1 9.1/RPMS/proftpd-anonymous-1.2.8-1.1.91mdk.i586.rpm
c04242b94a7451164e42e96bbf648e5d 9.1/SRPMS/proftpd-1.2.8-1.1.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
a053b5f2fa6e57ee884465385937041f ppc/9.1/RPMS/proftpd-1.2.8-1.1.91mdk.ppc.rpm
55d22b28017dfaab6f2da238d5d8311c ppc/9.1/RPMS/proftpd-anonymous-1.2.8-1.1.91mdk.ppc.rpm
c04242b94a7451164e42e96bbf648e5d ppc/9.1/SRPMS/proftpd-1.2.8-1.1.91mdk.src.rpm

Mandrake Linux 9.2:
1d9b21bcb2a18fa43158c0c0aa25d13d 9.2/RPMS/proftpd-1.2.8-5.1.92mdk.i586.rpm
80c5b73c6e33444e2dd91659c2b897bd 9.2/RPMS/proftpd-anonymous-1.2.8-5.1.92mdk.i586.rpm
ea89351b37a5572fac3f45b27a80b0f3 9.2/SRPMS/proftpd-1.2.8-5.1.92mdk.src.rpm

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

To upgrade automatically, use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team by executing:

gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Mandrake Linux Security Update Advisory

Problem Description:

A problem was discovered in Apache2 where CGI scripts that output more than 4k of output to STDERR will hang the script's execution which can cause a Denial of Service on the httpd process because it is waiting for more input from the CGI that is not forthcoming due to the locked write() call in mod_cgi.

On systems that use scripts that output more than 4k to STDERR, this could cause httpd processes to hang and once the maximum connection limit is reached, Apache will no longer respond to requests.

The updated packages provided use the latest mod_cgi.c from the Apache 2.1 CVS version.

Users may have to restart apache by hand after the upgrade by issuing a "service httpd restart".

References:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030

Updated Packages:

Mandrake Linux 9.1:
bcd0c73afb901bced97ee201aeb24f1a 9.1/RPMS/apache2-2.0.47-1.3.91mdk.i586.rpm
38379cd70d8e452f6b582b9e4ff59be4 9.1/RPMS/apache2-common-2.0.47-1.3.91mdk.i586.rpm
b44270899ca67a657c870a57baba3e2e 9.1/RPMS/apache2-devel-2.0.47-1.3.91mdk.i586.rpm
21e9c7f6d4649a1f2c60e2213e3d9d87 9.1/RPMS/apache2-manual-2.0.47-1.3.91mdk.i586.rpm
cbcb9f567273fe80ad754ba5338825a6 9.1/RPMS/apache2-mod_dav-2.0.47-1.3.91mdk.i586.rpm
1940d731a5bde39f3a8c1609b5623330 9.1/RPMS/apache2-mod_ldap-2.0.47-1.3.91mdk.i586.rpm
5508b5bef150a88e80535d9230113735 9.1/RPMS/apache2-mod_ssl-2.0.47-1.3.91mdk.i586.rpm
56267cf09af350b8a383abc2b9ebedbc 9.1/RPMS/apache2-modules-2.0.47-1.3.91mdk.i586.rpm
f7ff9796a95d63dc5691ea434fb0efa3 9.1/RPMS/apache2-source-2.0.47-1.3.91mdk.i586.rpm
859c7126af782efa3dcebbda669d7f5d 9.1/RPMS/libapr0-2.0.47-1.3.91mdk.i586.rpm
60261a3a810ceee306cd6bdd1baf3af1 9.1/SRPMS/apache2-2.0.47-1.3.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
81fa02d2441b1ad2a59073fae3618923 ppc/9.1/RPMS/apache2-2.0.47-1.3.91mdk.ppc.rpm
d903f0a0e9d6d2aa90bc14bb2452dc1b ppc/9.1/RPMS/apache2-common-2.0.47-1.3.91mdk.ppc.rpm
0ecc1e79b817d1efe346211dda9090de ppc/9.1/RPMS/apache2-devel-2.0.47-1.3.91mdk.ppc.rpm
398c1db00d0fb47fb57d0a217d1a63f4 ppc/9.1/RPMS/apache2-manual-2.0.47-1.3.91mdk.ppc.rpm
7adfa25d0d80e968c95306a70e60cfdb ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.3.91mdk.ppc.rpm
e524f04403d6634d970261bae094b545 ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.3.91mdk.ppc.rpm
c76c5664ff6594c2857e32b3ea62e280 ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.3.91mdk.ppc.rpm
dce9ebbf7059a0194285467615d52b94 ppc/9.1/RPMS/apache2-modules-2.0.47-1.3.91mdk.ppc.rpm
9a7d2c7b8b3eeb8a566fa713a629d20f ppc/9.1/RPMS/apache2-source-2.0.47-1.3.91mdk.ppc.rpm
9e98058a1154352d3e8bbe5f74536c1e ppc/9.1/RPMS/libapr0-2.0.47-1.3.91mdk.ppc.rpm
60261a3a810ceee306cd6bdd1baf3af1 ppc/9.1/SRPMS/apache2-2.0.47-1.3.91mdk.src.rpm

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

To upgrade automatically, use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team by executing:

gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com