SOT Linux Security Advisory
Subject: Updated mysql package for SOT Linux 2003
Advisory ID: SLSA-2003:45
Date: Monday, October 13, 2003
Product: SOT Linux 2003
1. Problem description
MySQL is a multi-user, multi-threaded SQL database server.
Frank Denis reported a bug in unpatched versions of MySQL prior
to version 3.23.58. Passwords for MySQL users are stored in the
Password field of the user table. Because of this bug, a Password
field value longer than 16 characters can cause a buffer overflow.
An attacker able to modify the user table may be able to exploit
this overflow to execute arbitrary code as the MySQL user. The
Common Vulnerabilities and Exposures project (cve.mitre.org/) has
assigned the name CAN-2003-0780 to this issue.
Users of MySQL are advised to upgrade to these erratum packages
containing MySQL 3.23.58, which is not vulnerable to this
issue.
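As an added example (not SOT's or MySQL's own code), the following audit flags rows of the user table whose Password field would trigger the condition the advisory describes on an unpatched 3.23 server. It assumes rows are supplied as (Host, User, Password) tuples and that the server stores PASSWORD() output as a 16-character hex string, with an empty field meaning no password; the sample rows are constructed.

```python
import re

# MySQL 3.23 PASSWORD() output: 16 hex characters. Empty means no password.
OLD_HASH = re.compile(r"^[0-9a-fA-F]{16}$")

# Query an administrator would run to fetch the rows (assumed column layout,
# using the "Password field of the user table" named in the advisory).
AUDIT_QUERY = "SELECT Host, User, Password FROM mysql.user"


def classify_password(value):
    """Return 'empty', 'ok', 'overlong' or 'malformed' for one Password value."""
    if value is None or value == "":
        return "empty"
    if OLD_HASH.match(value):
        return "ok"
    if len(value) > 16:
        return "overlong"  # longer than 16 characters: the CAN-2003-0780 trigger
    return "malformed"


def audit_user_table(rows):
    """rows: iterable of (Host, User, Password).

    Returns (host, user, category) for every row that is not a normal
    16-character hash, so 'overlong' rows can be fixed before an upgrade.
    """
    findings = []
    for host, user, password in rows:
        category = classify_password(password)
        if category != "ok":
            findings.append((host, user, category))
    return findings


if __name__ == "__main__":
    # Constructed sample rows, not taken from any real server.
    sample = [
        ("localhost", "root", "5d2e19393cc5ef67"),
        ("%", "app", "5d2e19393cc5ef675d2e19393cc5ef67"),  # 32 chars: overlong
        ("localhost", "guest", ""),
        ("10.0.0.5", "backup", "not-a-hash"),
    ]
    for host, user, category in audit_user_table(sample):
        print("%-10s %-8s %s" % (host, user, category))
```

Any 'overlong' finding should be corrected (or the account dropped) before the server is next restarted with the old binary; the upgrade to 3.23.58 remains the actual fix.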
2. Updated packages
SOT Linux 2003 Server:
i386:
ftp://ftp.sot.com/updates/2003/Server/i386/mysql-3.23.58-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/mysql-devel-3.23.58-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/mysql-server-3.23.58-1.i386.rpm
SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/mysql-3.23.58-1.src.rpm
3. Upgrading package
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
Use up2date to automatically upgrade the fixed packages.
If you want to upgrade manually, download the updated package
from the SOT Linux FTP site (use the links above) or from one of
our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux
Update the package with the following command: rpm -Uvh
4. Verification
All packages are PGP signed by SOT for security.
You can verify each package with the following command: rpm --checksig
If you wish to verify the integrity of the downloaded package,
run "md5sum " and compare the output with the data given below.
Package Name                                    MD5 sum
/Server/i386/mysql-3.23.58-1.i386.rpm           6fce6be1bf418baefb675b5272f3daa9
/Server/i386/mysql-devel-3.23.58-1.i386.rpm     d701145a2472db417821c66e3cdf5455
/Server/i386/mysql-server-3.23.58-1.i386.rpm    aa3cdcc02c0a4ecab202001fe6e6fa38
/Server/SRPMS/mysql-3.23.58-1.src.rpm           8d77905e86fed701907041c2d63c59ed
5. References
http://www.mysql.com/doc/en/News-3.23.58.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0780
Copyright(c) 2001-2003 SOT
SOT Linux Security Advisory
Subject: Updated apache package for SOT Linux 2003
Advisory ID: SLSA-2003:46
Date: Tuesday, October 14, 2003
Product: SOT Linux 2003
1. Problem description
Apache is a powerful, full-featured, efficient and
freely-available web server. Apache is also the most popular web
server on the Internet.
Some security vulnerabilities were found in the previous release of
apache for SOT Linux 2003:
– CAN-2003-0460 (cve.mitre.org/): Fix the rotatelogs support program
  to ignore special control characters received over the pipe.
  Previously such characters could cause it to quit logging and exit.
– VU#379828: The server could crash when going into an infinite loop
  due to too many subsequent internal redirects and nested subrequests.
– Eliminated leaks of several file descriptors to child processes,
  such as CGI scripts.
– Certain versions of mod_ssl for Apache 1.3 do not properly handle
  "certain sequences of per-directory renegotiations and the
  SSLCipherSuite directive being used to upgrade from a weak
  ciphersuite to a strong one," which could cause Apache to use the
  weak ciphersuite.
The apache packages for SOT Linux 2003 were updated to the
latest 1.3.28 release, with fixed security issues and other bug
fixes.
2. Updated packages
SOT Linux 2003 Server:
i386:
ftp://ftp.sot.com/updates/2003/Server/i386/apache-1.3.28-3.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/apache-devel-1.3.28-3.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/apache-manual-1.3.28-3.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/apache-ssl-1.3.28_1.49-3.i386.rpm
SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/apache-1.3.28-3.src.rpm
ftp://ftp.sot.com/updates/2003/Server/SRPMS/apache-ssl-1.3.28_1.49-3.src.rpm
3. Upgrading package
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
Use up2date to automatically upgrade the fixed packages.
If you want to upgrade manually, download the updated package
from the SOT Linux FTP site (use the links above) or from one of
our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux
Update the package with the following command: rpm -Uvh
4. Verification
All packages are PGP signed by SOT for security.
You can verify each package with the following command: rpm --checksig
If you wish to verify the integrity of the downloaded package,
run "md5sum " and compare the output with the data given below.
Package Name                                      MD5 sum
/Server/i386/apache-1.3.28-3.i386.rpm             8d84e51ddb7210e6af7652b566d22870
/Server/i386/apache-devel-1.3.28-3.i386.rpm       0f414f44790250dc20f65e0e6de5d77c
/Server/i386/apache-manual-1.3.28-3.i386.rpm      d9090116cb27d7c17bc2e7477d46d34d
/Server/i386/apache-ssl-1.3.28_1.49-3.i386.rpm    572bfc751db8e754b140febc8b95e8ee
/Server/SRPMS/apache-1.3.28-3.src.rpm             67953c2a30a38e08543d8b6761dec1d7
/Server/SRPMS/apache-ssl-1.3.28_1.49-3.src.rpm    24539b9d3c69b473276b3086e3f11f49
5. References
http://www.apache.org/dist/httpd/Announcement.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192
Copyright(c) 2001-2003 SOT