SOT Linux/ LBA-Linux Advisories: apache

SOT Linux Security Advisory

Subject: Updated apache package for SOT Linux 2003
Advisory ID: SLSA-2004:20
Date: Wednesday, June 2, 2004
Product: SOT Linux 2003

1. Problem description

A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0488 to the problem.

2. Updated packages

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/apache-1.3.31-2.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/apache-manual-1.3.31-2.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/apache-devel-1.3.31-2.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/apache-1.3.31-2.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name MD5 sum

/Server/i386/apache-1.3.31-2.i386.rpm 1f90a4a865e662c488f11a877e921f8c
/Server/i386/apache-devel-1.3.31-2.i386.rpm 6a28ab714814d31416fdce128f0ca73b
/Server/i386/apache-manual-1.3.31-2.i386.rpm c392a0e8971ddbd7cdc262a9091f2013
/Server/SRPMS/apache-1.3.31-2.src.rpm 47d1b93c775f49ddc56226fa05b549c1

5. References

http://www.securityfocus.com/bid/10355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488

Copyright(c) 2001-2003 SOT

LBA-Linux Security Advisory

Subject: Updated httpd package for LBA-Linux R1
Advisory ID: LBASA-2004:16
Date: Wednesday, June 2, 2004
Product: LBA-Linux R1

Problem description:

A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0488 to the problem.

Updated packages:

LBA-Linux R1:

i386:
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/httpd-2.0.48-16.lba.7.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/httpd-devel-2.0.48-16.lba.7.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/httpd-manual-2.0.48-16.lba.7.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mod_ssl-2.0.48-16.lba.7.i386.rpm

Upgrading your system:

To apply this security update to your LBA-Linux system, run the Updater tool from the LBA-Linux root desktop:

1. Log in to your LBA-Linux desktop as the root user.
2. Click on the penguin icon at the lower left of the display, and select the menu item SYSTEM TOOLS>UPDATER.
3. Click on the item named httpd to highlight it.
4. Click on the PACKAGE menu in the menu bar, and select the UPGRADE action.
5. Confirm the upgrade by clicking the APPLY button in Updater's main toolbar.

References:

http://www.securityfocus.com/bid/10355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488

Copyright(c) 2001-2004 SOT