dcsimg
Linux Today: Linux News On Internet Time.





More on LinuxToday


Gentoo Linux Advisories: net-www/apache, kde-base/kdebase

Nov 20, 2003, 21:59 (0 Talkback[s])

GENTOO LINUX SECURITY ANNOUNCEMENT 200310-03
PACKAGE : net-www/apache
SUMMARY : buffer overflow
DATE : Tue Oct 28 16:43:46 UTC 2003
EXPLOIT : local
VERSIONS AFFECTED : <apache-1.3.29
FIXED VERSION : >=apache-1.3.29
CVE : CAN-2003-0542 (under review at time of GLSA)

Quote from <http://httpd.apache.org/dev/dist/Announcement>;:

This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.29 addresses and fixes 1 potential security issue:

  • CAN-2003-0542 (cve.mitre.org/) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures.

We consider Apache 1.3.29 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family.

SOLUTION

It is recommended that all Gentoo Linux users who are running net-misc/apache 1.x upgrade:

emerge sync
emerge -pv apache
emerge '>=net-www/apache-1.3.29'
emerge clean
/etc/init.d/apache restart

// end


GENTOO LINUX SECURITY ANNOUNCEMENT 200311-01
GLSA : 200311-01
package : kde-base/kdebase
summary : KDM vulnerabilities
severity : normal
Gentoo bug : 29406
date : 2003-11-15
CVE : CAN-2003-0690 CAN-2003-0692
exploit : local / remote
affected : <=3.1.3
fixed: : >=3.1.4

DESCRIPTION:

Firstly, versions of KDM <= 3.1.3 are vulnerable to a privilege escalation bug with a specific configuration of PAM modules. Users who do not use PAM with KDM and users who use PAM with regular Unix crypt/MD5 based authentication methods are not affected.

Secondly, KDM uses a weak cookie generation algorithm. It is advised that users upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable source of entropy to improve security.

Please look at http://www.kde.org/info/security/advisory-20030916-1.txt for the KDE Security Advisory and source patch locations for older versions of KDE.

SOLUTION:

Users are encouraged to perform an 'emerge --sync' and upgrade the package to the latest available version. KDE 3.1.4 is recommended and should be marked stable for most architectures. Specific steps to upgrade:

emerge --sync
emerge '>=kde-base/kde-3.1.4'
emerge clean