Date: 26 Sep 2003 23:03:12 -0000
From: Mandrake Linux Security Team <[email protected]>
To: [email protected]Subject: MDKSA-2003:096 - Updated apache2 packages fix CGI scripting deadlock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
Mandrake Linux Security Update Advisory
________________________________________________________________________
Package name: apache2
Advisory ID: MDKSA-2003:096
Date: September 26th, 2003
Affected versions: 9.1
________________________________________________________________________
Problem Description:
A problem was discovered in Apache2 where CGI scripts that output more
than 4k of output to STDERR will hang the script's execution which can
cause a Denial of Service on the httpd process because it is waiting
for more input from the CGI that is not forthcoming due to the locked
write() call in mod_cgi.
On systems that use scripts that output more than 4k to STDERR, this
could cause httpd processes to hang and once the maximum connection
limit is reached, Apache will no longer respond to requests.
The updated packages provided use the latest mod_cgi.c from the Apache
2.1 CVS version.
Users may have to restart apache by hand after the upgrade by issuing
a "service httpd restart".
________________________________________________________________________
References:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030
________________________________________________________________________
Updated Packages:
Mandrake Linux 9.1:
bcd0c73afb901bced97ee201aeb24f1a 9.1/RPMS/apache2-2.0.47-1.3.91mdk.i586.rpm
38379cd70d8e452f6b582b9e4ff59be4 9.1/RPMS/apache2-common-2.0.47-1.3.91mdk.i586.rpm
b44270899ca67a657c870a57baba3e2e 9.1/RPMS/apache2-devel-2.0.47-1.3.91mdk.i586.rpm
21e9c7f6d4649a1f2c60e2213e3d9d87 9.1/RPMS/apache2-manual-2.0.47-1.3.91mdk.i586.rpm
cbcb9f567273fe80ad754ba5338825a6 9.1/RPMS/apache2-mod_dav-2.0.47-1.3.91mdk.i586.rpm
1940d731a5bde39f3a8c1609b5623330 9.1/RPMS/apache2-mod_ldap-2.0.47-1.3.91mdk.i586.rpm
5508b5bef150a88e80535d9230113735 9.1/RPMS/apache2-mod_ssl-2.0.47-1.3.91mdk.i586.rpm
56267cf09af350b8a383abc2b9ebedbc 9.1/RPMS/apache2-modules-2.0.47-1.3.91mdk.i586.rpm
f7ff9796a95d63dc5691ea434fb0efa3 9.1/RPMS/apache2-source-2.0.47-1.3.91mdk.i586.rpm
859c7126af782efa3dcebbda669d7f5d 9.1/RPMS/libapr0-2.0.47-1.3.91mdk.i586.rpm
60261a3a810ceee306cd6bdd1baf3af1 9.1/SRPMS/apache2-2.0.47-1.3.91mdk.src.rpm
Mandrake Linux 9.1/PPC:
81fa02d2441b1ad2a59073fae3618923 ppc/9.1/RPMS/apache2-2.0.47-1.3.91mdk.ppc.rpm
d903f0a0e9d6d2aa90bc14bb2452dc1b ppc/9.1/RPMS/apache2-common-2.0.47-1.3.91mdk.ppc.rpm
0ecc1e79b817d1efe346211dda9090de ppc/9.1/RPMS/apache2-devel-2.0.47-1.3.91mdk.ppc.rpm
398c1db00d0fb47fb57d0a217d1a63f4 ppc/9.1/RPMS/apache2-manual-2.0.47-1.3.91mdk.ppc.rpm
7adfa25d0d80e968c95306a70e60cfdb ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.3.91mdk.ppc.rpm
e524f04403d6634d970261bae094b545 ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.3.91mdk.ppc.rpm
c76c5664ff6594c2857e32b3ea62e280 ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.3.91mdk.ppc.rpm
dce9ebbf7059a0194285467615d52b94 ppc/9.1/RPMS/apache2-modules-2.0.47-1.3.91mdk.ppc.rpm
9a7d2c7b8b3eeb8a566fa713a629d20f ppc/9.1/RPMS/apache2-source-2.0.47-1.3.91mdk.ppc.rpm
9e98058a1154352d3e8bbe5f74536c1e ppc/9.1/RPMS/libapr0-2.0.47-1.3.91mdk.ppc.rpm
60261a3a810ceee306cd6bdd1baf3af1 ppc/9.1/SRPMS/apache2-2.0.47-1.3.91mdk.src.rpm
________________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________
To upgrade automatically, use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/dMWvmqjQ0CJFipgRAg7mAKCKnd0X7NWGXzqIQ3iJCVJgmKZJJACgrSqR
SFlz34CEPL/8FG3WzrHTOaI=
=TH/h
-----END PGP SIGNATURE-----