GENTOO LINUX SECURITY ANNOUNCEMENT 200310-03
PACKAGE           : net-www/apache
SUMMARY           : buffer overflow
DATE              : Tue Oct 28 16:43:46 UTC 2003
EXPLOIT           : local
VERSIONS AFFECTED : <apache-1.3.29
FIXED VERSION     : >=apache-1.3.29
CVE               : CAN-2003-0542 (under review at time of GLSA)
Quote from http://httpd.apache.org/dev/dist/Announcement:
This version of Apache is principally a bug and security fix
release. A partial summary of the bug fixes is given at the end of
this document. A full listing of changes can be found in the
CHANGES file. Of particular note is that 1.3.29 addresses and fixes
1 potential security issue:
- CAN-2003-0542 (cve.mitre.org/) Fix buffer overflows in
mod_alias and mod_rewrite which occurred if one configured a
regular expression with more than 9 captures.
We consider Apache 1.3.29 to be the best version of Apache 1.3
available and we strongly recommend that users of older versions,
especially of the 1.1.x and 1.2.x family, upgrade as soon as
possible. No further releases will be made in the 1.2.x family.
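As an added illustration that is not part of the GLSA or of the Apache project, the following script shows a defender-side configuration check for the condition named in CAN-2003-0542: it scans an httpd.conf fragment for mod_alias and mod_rewrite directives whose regular expression contains more than 9 capturing groups. The configuration sample is constructed here, and the group-counting routine is a simple heuristic of my own (it skips escaped parentheses, bracket expressions and `(?` groups) rather than the regex library Apache 1.3 uses.

```python
# Constructed sample httpd.conf fragment (not taken from the advisory).
# The last RewriteRule has 10 capturing groups, which is more than the 9
# that Apache < 1.3.29 handles safely in mod_alias / mod_rewrite.
SAMPLE_CONF = """\
RewriteEngine on
RewriteRule ^/old/(.*)$ /new/$1 [R]
AliasMatch ^/docs/([a-z]+)/([0-9]+)$ /srv/www/docs/$1/$2
RewriteRule ^/(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ /x [L]
"""

# mod_alias (AliasMatch, ScriptAliasMatch, RedirectMatch) and mod_rewrite
# (RewriteRule) directives whose first argument is a regular expression.
DIRECTIVES = ("RewriteRule", "AliasMatch", "ScriptAliasMatch", "RedirectMatch")

def count_captures(pattern):
    """Heuristic count of capturing groups in a regex string."""
    n = 0
    i = 0
    in_class = False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2                       # skip the escaped character
            continue
        if in_class:
            if c == "]":
                in_class = False         # end of a bracket expression
        elif c == "[":
            in_class = True              # parentheses inside [...] are literal
        elif c == "(":
            if not pattern.startswith("(?", i):   # '(?' is not a capture
                n += 1
        i += 1
    return n

def find_risky_directives(conf_text, limit=9):
    """Return (line_no, directive, capture_count) for every directive whose
    regex has more than `limit` capturing groups."""
    hits = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        parts = line.strip().split()
        if len(parts) < 2 or parts[0] not in DIRECTIVES:
            continue
        groups = count_captures(parts[1])
        if groups > limit:
            hits.append((line_no, parts[0], groups))
    return hits

if __name__ == "__main__":
    for line_no, directive, groups in find_risky_directives(SAMPLE_CONF):
        print(f"line {line_no}: {directive} regex has {groups} captures (> 9)")
```

The check is a review aid for configurations on hosts that cannot be upgraded immediately; the fix itself is the upgrade to 1.3.29 given in the SOLUTION below.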
SOLUTION
It is recommended that all Gentoo Linux users who are running
net-misc/apache 1.x upgrade:
emerge sync
emerge -pv apache
emerge '>=net-www/apache-1.3.29'
emerge clean
/etc/init.d/apache restart
// end
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-01
GLSA       : 200311-01
package    : kde-base/kdebase
summary    : KDM vulnerabilities
severity   : normal
Gentoo bug : 29406
date       : 2003-11-15
CVE        : CAN-2003-0690 CAN-2003-0692
exploit    : local / remote
affected   : <=3.1.3
fixed      : >=3.1.4
DESCRIPTION:
Firstly, versions of KDM <= 3.1.3 are vulnerable to a
privilege escalation bug with a specific configuration of PAM
modules. Users who do not use PAM with KDM and users who use PAM
with regular Unix crypt/MD5 based authentication methods are not
affected.
Secondly, KDM uses a weak cookie generation algorithm. It is
advised that users upgrade to KDE 3.1.4, which uses /dev/urandom as
a non-predictable source of entropy to improve security.
Please look at http://www.kde.org/info/security/advisory-20030916-1.txt
for the KDE Security Advisory and source patch locations for older
versions of KDE.
SOLUTION:
Users are encouraged to perform an 'emerge --sync' and upgrade
the package to the latest available version. KDE 3.1.4 is
recommended and should be marked stable for most architectures.
Specific steps to upgrade:
emerge --sync
emerge '>=kde-base/kde-3.1.4'
emerge clean