Linux Today: Linux News On Internet Time.
SOT Linux Advisories: mysql, apache

Oct 14, 2003, 02:53

SOT Linux Security Advisory

Subject: Updated mysql package for SOT Linux 2003
Advisory ID: SLSA-2003:45
Date: Monday, October 13, 2003
Product: SOT Linux 2003

1. Problem description

MySQL is a multi-user, multi-threaded SQL database server.

Frank Denis reported a bug in unpatched versions of MySQL prior to version 3.23.58. MySQL stores user passwords in the Password field of the user table. Because of this bug, a Password field value longer than 16 characters can cause a buffer overflow. An attacker with the ability to modify the user table may be able to exploit this buffer overflow to execute arbitrary code as the MySQL user. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2003-0780 to this issue.

Users of MySQL are advised to upgrade to these errata packages containing MySQL 3.23.58, which is not vulnerable to this issue.

2. Updated packages

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/mysql-3.23.58-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/mysql-devel-3.23.58-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/mysql-server-3.23.58-1.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/mysql-3.23.58-1.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig

If you wish to verify the integrity of the downloaded package, run "md5sum " and compare the output with data given below.

Package Name                                    MD5 sum

/Server/i386/mysql-3.23.58-1.i386.rpm 6fce6be1bf418baefb675b5272f3daa9
/Server/i386/mysql-devel-3.23.58-1.i386.rpm d701145a2472db417821c66e3cdf5455
/Server/i386/mysql-server-3.23.58-1.i386.rpm aa3cdcc02c0a4ecab202001fe6e6fa38
/Server/SRPMS/mysql-3.23.58-1.src.rpm 8d77905e86fed701907041c2d63c59ed

5. References

http://www.mysql.com/doc/en/News-3.23.58.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0780

Copyright(c) 2001-2003 SOT


SOT Linux Security Advisory

Subject: Updated apache package for SOT Linux 2003
Advisory ID: SLSA-2003:46
Date: Tuesday, October 14, 2003
Product: SOT Linux 2003

1. Problem description

Apache is a powerful, full-featured, efficient and freely-available web server. Apache is also the most popular web server on the Internet.

Several security vulnerabilities were found in the previous release of apache for SOT Linux 2003:
- CAN-2003-0460 (cve.mitre.org/): The rotatelogs support program was fixed to ignore special control characters received over the pipe. Previously such characters could cause it to stop logging and exit.
- VU#379828: The server could crash by going into an infinite loop caused by too many subsequent internal redirects and nested subrequests.
- Leaks of several file descriptors to child processes, such as CGI scripts, were eliminated.
- Certain versions of mod_ssl for Apache 1.3 do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to keep using the weak ciphersuite.

The apache packages for SOT Linux 2003 were updated to the latest 1.3.28 release, which fixes these security issues along with other bugs.

2. Updated packages

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/apache-1.3.28-3.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/apache-devel-1.3.28-3.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/apache-manual-1.3.28-3.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/apache-ssl-1.3.28_1.49-3.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/apache-1.3.28-3.src.rpm
ftp://ftp.sot.com/updates/2003/Server/SRPMS/apache-ssl-1.3.28_1.49-3.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig

If you wish to verify the integrity of the downloaded package, run "md5sum " and compare the output with data given below.

Package Name                                    MD5 sum

/Server/i386/apache-1.3.28-3.i386.rpm 8d84e51ddb7210e6af7652b566d22870
/Server/i386/apache-devel-1.3.28-3.i386.rpm 0f414f44790250dc20f65e0e6de5d77c
/Server/i386/apache-manual-1.3.28-3.i386.rpm d9090116cb27d7c17bc2e7477d46d34d
/Server/i386/apache-ssl-1.3.28_1.49-3.i386.rpm 572bfc751db8e754b140febc8b95e8ee
/Server/SRPMS/apache-1.3.28-3.src.rpm 67953c2a30a38e08543d8b6761dec1d7
/Server/SRPMS/apache-ssl-1.3.28_1.49-3.src.rpm 24539b9d3c69b473276b3086e3f11f49
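The verification step in sections 3 and 4 of both advisories (compare md5sum output against the table, then rpm --checksig) is easy to get wrong by eye across several packages. The script below is an added example and is not part of the SOT advisories: verify_manifest reads an advisory-style "package-path md5sum" table from a file (the header row is skipped), hashes the matching downloaded file in a local directory, and fails if any package is missing or differs; verify_signatures then runs rpm --checksig over the same directory. It assumes md5sum from coreutils and, for the signature step, an rpm binary with the vendor key already imported.

```shell
#!/bin/sh
# Added example for checking downloaded SOT errata packages against the
# MD5 table published in the advisory, before running rpm -Uvh.
# Not SOT's own tooling; assumes coreutils md5sum (and rpm for signatures).

# verify_manifest MANIFEST DIR
#   MANIFEST holds lines of the form "<package path> <md5>" as printed in
#   section 4 of the advisory; the downloaded file is expected to be
#   DIR/<basename of package path>. Returns 0 only if every listed
#   package exists locally and its MD5 matches.
verify_manifest() {
    manifest=$1
    dir=$2
    status=0
    while read -r path expected; do
        # skip blank lines and the "Package Name MD5 sum" header row
        case $path in ''|Package) continue ;; esac
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $file"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
        if [ "$actual" = "$expected" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file (expected $expected, got $actual)"
            status=1
        fi
    done < "$manifest"
    return $status
}

# verify_signatures DIR
#   Runs rpm --checksig on every .rpm in DIR. The SOT signing key must be
#   in the rpm keyring, otherwise the signature check cannot succeed.
verify_signatures() {
    dir=$1
    status=0
    for rpmfile in "$dir"/*.rpm; do
        [ -e "$rpmfile" ] || { echo "no .rpm files in $dir"; return 1; }
        rpm --checksig "$rpmfile" || status=1
    done
    return $status
}
```

A non-zero exit from either function means the package should not be installed; a MISMATCH line on a file that was downloaded from a mirror is the case this check is meant to catch.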

5. References

http://www.apache.org/dist/httpd/Announcement.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192

Copyright(c) 2001-2003 SOT