SOT Linux/LBA-Linux Advisories: apache, mod_perl, subversion, neon

May 25, 2004, 21:14

SOT Linux Security Advisory

Subject: Updated apache, mod_perl package for SOT Linux 2003

1. Problem description

Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences from its error logs. This could make it easier for attackers to insert those sequences into the terminal emulators of administrators viewing the error logs, where those emulators contain vulnerabilities related to escape sequence handling (CAN-2003-0020).

mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the nonce of a client response by using an AuthNonce secret. Apache now verifies the nonce returned in the client response to check whether it was issued by itself by means of an "AuthDigestRealmSeed" secret exposed as an MD5 checksum (CAN-2004-0987).

mod_access in Apache 1.3 prior to 1.3.30, when running on big-endian 64-bit platforms, did not properly parse Allow/Deny rules using IP addresses without a netmask. This could allow a remote attacker to bypass intended access restrictions (CAN-2003-0993).

Apache 1.3 prior to 1.3.30, when using multiple listening sockets on certain platforms, allows a remote attacker to cause a DoS by blocking new connections via a short-lived connection on a rarely-accessed listening socket (CAN-2004-0174). While this particular vulnerability does not affect Linux, we felt it prudent to include the fix.

Users of apache should upgrade to these updated packages, which contain a version of apache and mod_perl that are not vulnerable to these issues.

2. Updated packages

SOT Linux 2003 Server:

i386:

SRPMS:

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux

Update the package with the following command:

rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command:

rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                              MD5 sum
/Server/i386/apache-1.3.31-1.i386.rpm     ea49a9b7df28ae4a1e9d63529634b339

5. References

Copyright(c) 2001-2003 SOT

You can view other update advisories for SOT Linux 2003 at: http://sotlinux.org/en/sotlinux/sa/index.php

To unsubscribe, visit your account at https://www.sot.com/

LBA-Linux Security Advisory

Subject: Updated subversion package for LBA-Linux R1

Problem description:

There is a vulnerability in the Subversion date parsing code which may lead to denial of service attacks, or execution of arbitrary code. Both the client and server are vulnerable.

Updated packages:

LBA-Linux R1:

i386:

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

References:

Copyright(c) 2001-2004 SOT

To view previous security advisories for LBA-Linux R1, or to unsubscribe from this email notification service, visit: http://www.sotlinux.org/en/lbalinux/sa/

LBA-Linux Security Advisory

Subject: Updated neon package for LBA-Linux R1

Problem description:

Stefan Esser discovered a problem in neon, an HTTP and WebDAV client library. User input is copied into variables not large enough for all cases. This can lead to an overflow of a static heap variable.

Updated packages:

LBA-Linux R1:

i386:

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

References:
Copyright(c) 2001-2004 SOT
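
The first Apache issue in the SOT Linux advisory (CAN-2003-0020) comes down to a log writer passing client-supplied bytes to the log unfiltered. The C function below is an added illustration of the hardened pattern, escaping every non-printable byte before it is logged; it is not Apache's or SOT's code, and the name escape_log_item and the sample request path are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape one untrusted string for a log line. Printable ASCII passes through;
 * backslash is doubled; every other byte (ESC, CR, LF, DEL, 8-bit) becomes
 * \xHH, so a terminal showing the log never receives a raw control byte.
 * Returns the output length, or -1 if out is too small (out is then ""). */
static int escape_log_item(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        size_t need = (*p == '\\') ? 2 : (*p >= 0x20 && *p < 0x7f) ? 1 : 4;
        if (o + need >= outsz) {      /* keep room for the terminating NUL */
            out[0] = '\0';            /* fail closed: no partial escapes */
            return -1;
        }
        if (need == 1) {
            out[o++] = (char)*p;
        } else if (need == 2) {
            out[o++] = '\\';
            out[o++] = '\\';
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: a request path carrying an escape sequence and a
     * CR LF followed by text made to look like a separate log entry. */
    const char *uri = "/missing\x1b]0;title\x07\r\n[error] forged entry";
    char line[256];

    if (escape_log_item(uri, line, sizeof line) < 0)
        return 1;
    printf("[error] File does not exist: %s\n", line);
    return 0;
}
```

Doubling the backslash keeps the encoding unambiguous, so a literal "\x1b" typed by a client cannot be confused with an escaped ESC byte when the log is reviewed later.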