Linux Today: Linux News On Internet Time.
SOT Linux/LBA-Linux Advisories: apache, mod_perl, subversion, neon

May 25, 2004, 21:14

SOT Linux Security Advisory

Subject: Updated apache, mod_perl package for SOT Linux 2003
Advisory ID: SLSA-2004:19
Date: Tuesday, May 25, 2004
Product: SOT Linux 2003


1. Problem description

Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences from its error logs. This could make it easier for attackers to place such sequences in the error log, where they would be interpreted by the terminal emulator of an administrator viewing the log if that emulator has vulnerabilities related to escape sequence handling (CAN-2003-0020).
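As an added illustration (not part of the advisory and not Apache's code), the following Python shows the defender's two sides of this issue: detecting raw escape sequences in a captured error_log line, and escaping control characters so a viewing terminal never interprets them. The log line, path and client address are constructed.

```python
import re

# Constructed sample: an Apache 1.3-style error_log line whose requested path
# carries a raw ESC sequence (clear screen, cursor home). Path and client are made up.
SAMPLE_LINE = ("[Tue May 25 21:14:00 2004] [error] [client 192.0.2.10] "
               "File does not exist: /var/www/html/\x1b[2J\x1b[Hfoo")

# ESC followed by a CSI sequence, an OSC sequence ended by BEL, or a 2-byte sequence.
_ESC_SEQ = re.compile(r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07]*\x07|[@-Z\\^_])")
# Any C0 control character or DEL except TAB and LF, which keep a log readable.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def find_escape_sequences(line):
    """Detection: return every terminal escape sequence embedded in a log line."""
    return _ESC_SEQ.findall(line)


def escape_logitem(line):
    """Mitigation: render control characters as \\xHH before the line is written
    or shown, so a viewer's terminal never interprets them. Same idea as the
    escaping Apache 1.3.30 added, but this is not Apache's code."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def scan_log(lines):
    """Return (line number, sequences) for every line that carries an escape sequence."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_escape_sequences(line)
        if found:
            hits.append((n, found))
    return hits


if __name__ == "__main__":
    for n, found in scan_log([SAMPLE_LINE, "[notice] Apache/1.3.31 configured"]):
        print("line %d: %d escape sequence(s)" % (n, len(found)))
    print(escape_logitem(SAMPLE_LINE))
```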

mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the nonce of a client response by using an AuthNonce secret. Apache now verifies the nonce returned in the client response to check whether it was issued by itself, by means of an "AuthDigestRealmSeed" secret exposed as an MD5 checksum (CAN-2003-0987).
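An added example of the check described above, written for this page and not Apache's implementation or its AuthDigestRealmSeed nonce format: the server derives each nonce from a timestamp and a secret seed, and on the client's response re-derives the MAC so that only nonces it issued itself, and that are still fresh, are accepted. The realm, seed and timestamps are constructed.

```python
import hashlib
import hmac
import time

# Constructed values for this example. A real server keeps the seed secret and
# loads it from configuration; in Apache the AuthDigestRealmSeed plays that role.
REALM = "sot-example"
SERVER_SEED = b"constructed-seed-do-not-reuse"
NONCE_LIFETIME = 300  # seconds a nonce remains acceptable


def _nonce_mac(timestamp, realm, seed):
    # Ties the nonce to the server's secret. MD5 follows the advisory's wording;
    # a new design would use HMAC-SHA256 instead.
    h = hashlib.md5()
    h.update(b"%d:%s:" % (timestamp, realm.encode()))
    h.update(seed)
    return h.hexdigest()


def issue_nonce(realm=REALM, seed=SERVER_SEED, now=None):
    """Server side: nonce = '<timestamp>:<mac>', sent in the WWW-Authenticate challenge."""
    ts = int(time.time()) if now is None else now
    return "%d:%s" % (ts, _nonce_mac(ts, realm, seed))


def verify_nonce(nonce, realm=REALM, seed=SERVER_SEED, now=None, lifetime=NONCE_LIFETIME):
    """Server side, on the client's Authorization response: accept only a nonce this
    server issued under this realm and seed (the check mod_digest lacked before
    1.3.31) and that has not expired."""
    ts_str, sep, mac = nonce.partition(":")
    if not sep or not ts_str.isdecimal():
        return False
    ts = int(ts_str)
    if not hmac.compare_digest(mac.encode(), _nonce_mac(ts, realm, seed).encode()):
        return False  # forged, or issued by another server/realm
    current = int(time.time()) if now is None else now
    return 0 <= current - ts <= lifetime


if __name__ == "__main__":
    n = issue_nonce()
    print(n, verify_nonce(n), verify_nonce("0:" + "0" * 32))
```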

mod_access in Apache 1.3 prior to 1.3.30, when running on big-endian 64-bit platforms, did not properly parse Allow/Deny rules using IP addresses without a netmask. This could allow a remote attacker to bypass intended access restrictions (CAN-2003-0993).

Apache 1.3 prior to 1.3.30, when using multiple listening sockets on certain platforms, allows a remote attacker to cause a DoS by blocking new connections via a short-lived connection on a rarely-accessed listening socket (CAN-2004-0174). While this particular vulnerability does not affect Linux, we felt it prudent to include the fix.

Users of apache should upgrade to these updated packages, which contain versions of apache and mod_perl that are not vulnerable to these issues.

2. Updated packages

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/apache-1.3.31-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/apache-devel-1.3.31-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/apache-manual-1.3.31-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/mod_perl-1.29-1.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/apache-1.3.31-1.src.rpm
ftp://ftp.sot.com/updates/2003/Server/SRPMS/mod_perl-1.29-1.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                                    MD5 sum
/Server/i386/apache-1.3.31-1.i386.rpm ea49a9b7df28ae4a1e9d63529634b339
/Server/i386/apache-devel-1.3.31-1.i386.rpm 8196e777cd07f519807ff1a107c113b4
/Server/i386/apache-manual-1.3.31-1.i386.rpm dfacaffcfed8bbfac54ecaf5006f2e27
/Server/i386/mod_perl-1.29-1.i386.rpm 84247adb741af36172d6bb636089bf1a
/Server/SRPMS/apache-1.3.31-1.src.rpm 10c45315fdcb557932ed9a56c7605cea
/Server/SRPMS/mod_perl-1.29-1.src.rpm b1b742c89a1f2fd3390d882b5ad6e2e0
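An added Python example (not SOT's tooling) that automates the checks in sections 3 and 4 fail-closed: it parses the checksum table above, compares a downloaded package's MD5 against the advisory's entry, and only then calls rpm --checksig and rpm -Uvh. The upgrade function assumes rpm is on PATH and that the caller may install packages.

```python
import hashlib
import hmac
import os
import subprocess

# The MD5 table from section 4 of the advisory, pasted verbatim.
CHECKSUM_TABLE = """
/Server/i386/apache-1.3.31-1.i386.rpm ea49a9b7df28ae4a1e9d63529634b339
/Server/i386/apache-devel-1.3.31-1.i386.rpm 8196e777cd07f519807ff1a107c113b4
/Server/i386/apache-manual-1.3.31-1.i386.rpm dfacaffcfed8bbfac54ecaf5006f2e27
/Server/i386/mod_perl-1.29-1.i386.rpm 84247adb741af36172d6bb636089bf1a
/Server/SRPMS/apache-1.3.31-1.src.rpm 10c45315fdcb557932ed9a56c7605cea
/Server/SRPMS/mod_perl-1.29-1.src.rpm b1b742c89a1f2fd3390d882b5ad6e2e0
"""


def parse_checksum_table(text):
    """Map package file name -> expected MD5 from '<path> <md5>' lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[1]) == 32:
            table[os.path.basename(parts[0])] = parts[1].lower()
    return table


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, table):
    """True only if the advisory lists this package and the file's MD5 matches it."""
    expected = table.get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(md5_of_file(path), expected)


def upgrade_if_verified(path, table):
    """Fail closed: MD5 match, then the PGP signature via rpm --checksig, then rpm -Uvh.
    Assumes rpm is on PATH and the caller has the rights to install packages."""
    if not verify_download(path, table):
        return False
    if subprocess.call(["rpm", "--checksig", path]) != 0:
        return False
    return subprocess.call(["rpm", "-Uvh", path]) == 0
```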

5. References


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174

Copyright(c) 2001-2003 SOT


You can view other update advisories for SOT Linux 2003 at:
http://sotlinux.org/en/sotlinux/sa/index.php
To unsubscribe, visit your account at https://www.sot.com/

LBA-Linux Security Advisory

Subject: Updated subversion package for LBA-Linux R1
Advisory ID: LBASA-2004:15
Date: Monday, May 24, 2004
Product: LBA-Linux R1


Problem description:

There is a vulnerability in the Subversion date parsing code which may lead to denial of service attacks, or execution of arbitrary code. Both the client and server are vulnerable.

Updated packages:

LBA-Linux R1:

i386:
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/subversion-1.0.0-1.lba.5.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/subversion-devel-1.0.0-1.lba.5.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named subversion to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater's main toolbar.

References:


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0397
http://security.e-matters.de/advisories/082004.html
http://subversion.tigris.org/

Copyright(c) 2001-2004 SOT


To view previous security advisories for LBA-Linux R1, or to unsubscribe from this email notification service, visit:
http://www.sotlinux.org/en/lbalinux/sa/

LBA-Linux Security Advisory

Subject: Updated neon package for LBA-Linux R1
Advisory ID: LBASA-2004:14
Date: Monday, May 24, 2004
Product: LBA-Linux R1


Problem description:

Stefan Esser discovered a problem in neon, an HTTP and WebDAV client library. User input is copied into variables not large enough for all cases. This can lead to an overflow of a static heap variable.

Updated packages:

LBA-Linux R1:

i386:
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/neon-0.24.5-2.lba.2.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/neon-devel-0.24.5-2.lba.2.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

  1. Log in to your LBA-Linux desktop as the root user.
  2. Click on the penguin icon at the lower left of the display, and select the menu item SYSTEM TOOLS>UPDATER.
  3. Click on the item named neon to highlight it.
  4. Click on the PACKAGE menu in the menu bar, and select the UPGRADE action.
  5. Confirm the upgrade by clicking the APPLY button in Updater's main toolbar.

References:


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0398
http://security.e-matters.de/advisories/062004.html
http://www.webdav.org/neon/

Copyright(c) 2001-2004 SOT