Date: 4 Nov 2003 00:13:25 -0000
From: Mandrake Linux Security Team <[email protected]>
To: [email protected]Subject: MDKSA-2003:103 - Updated apache packages fix vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrake Linux Security Update Advisory
_______________________________________________________________________
Package name: apache
Advisory ID: MDKSA-2003:103
Date: November 3rd, 2003
Affected versions: 9.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
A buffer overflow in mod_alias and mod_rewrite was discovered in Apache
versions 1.3.19 and earlier as well as Apache 2.0.47 and earlier. This
happens when a regular expression with more than 9 captures is
confined. An attacker would have to create a carefully crafted
configuration file (.htaccess or httpd.conf) in order to exploit these
problems.
As well, another buffer overflow in Apache 2.0.47 and earlier in
mod_cgid's mishandling of CGI redirect paths could result in CGI output
going to the wrong client when a threaded MPM is used.
Apache version 2.0.48 and 1.3.29 were released upstream to correct
these bugs; backported patches have been applied to the provided
packages.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789http://www.apache.org/dist/httpd/Announcement.htmlhttp://www.apache.org/dist/httpd/Announcement2.html
______________________________________________________________________
Updated Packages:
Corporate Server 2.1:
02895e0914bc1a0885000cef805f7759 corporate/2.1/RPMS/apache-1.3.26-6.3.90mdk.i586.rpm
ee997dd297049bc75878a5de8904c965 corporate/2.1/RPMS/apache-common-1.3.26-6.3.90mdk.i586.rpm
63806c79f65ee1a1830caa41b0cf3784 corporate/2.1/RPMS/apache-devel-1.3.26-6.3.90mdk.i586.rpm
68f2aca22d84d56b234aaaa2e348d2aa corporate/2.1/RPMS/apache-manual-1.3.26-6.3.90mdk.i586.rpm
ed0d46c1a861a09dbe36b5ccdb02754d corporate/2.1/RPMS/apache-modules-1.3.26-6.3.90mdk.i586.rpm
8788c3001078f32e975941aa7a556cd1 corporate/2.1/RPMS/apache-source-1.3.26-6.3.90mdk.i586.rpm
ed87d94ec5aeb007d98717e7d1a3d314 corporate/2.1/SRPMS/apache-1.3.26-6.3.90mdk.src.rpm
Corporate Server 2.1/x86_64:
91700397109a221089871e610ee438f3 x86_64/corporate/2.1/RPMS/apache-1.3.26-6.3.90mdk.x86_64.rpm
8e63504cfe91f209653401569c059042 x86_64/corporate/2.1/RPMS/apache-common-1.3.26-6.3.90mdk.x86_64.rpm
c71ee8d0d00d504beaa1bd3259152d28 x86_64/corporate/2.1/RPMS/apache-devel-1.3.26-6.3.90mdk.x86_64.rpm
931135aefb6bc1214ba40621d9172ac1 x86_64/corporate/2.1/RPMS/apache-manual-1.3.26-6.3.90mdk.x86_64.rpm
d46a618a36786f7eec1d5f494e794bda x86_64/corporate/2.1/RPMS/apache-modules-1.3.26-6.3.90mdk.x86_64.rpm
3b08e1dcfc7ef233dbd3ce9c6fff41d1 x86_64/corporate/2.1/RPMS/apache-source-1.3.26-6.3.90mdk.x86_64.rpm
ed87d94ec5aeb007d98717e7d1a3d314 x86_64/corporate/2.1/SRPMS/apache-1.3.26-6.3.90mdk.src.rpm
Mandrake Linux 9.0:
02895e0914bc1a0885000cef805f7759 9.0/RPMS/apache-1.3.26-6.3.90mdk.i586.rpm
ee997dd297049bc75878a5de8904c965 9.0/RPMS/apache-common-1.3.26-6.3.90mdk.i586.rpm
63806c79f65ee1a1830caa41b0cf3784 9.0/RPMS/apache-devel-1.3.26-6.3.90mdk.i586.rpm
68f2aca22d84d56b234aaaa2e348d2aa 9.0/RPMS/apache-manual-1.3.26-6.3.90mdk.i586.rpm
ed0d46c1a861a09dbe36b5ccdb02754d 9.0/RPMS/apache-modules-1.3.26-6.3.90mdk.i586.rpm
8788c3001078f32e975941aa7a556cd1 9.0/RPMS/apache-source-1.3.26-6.3.90mdk.i586.rpm
ed87d94ec5aeb007d98717e7d1a3d314 9.0/SRPMS/apache-1.3.26-6.3.90mdk.src.rpm
Mandrake Linux 9.1:
3a24d35dcd08d4c82ccd6fac204047bc 9.1/RPMS/apache-1.3.27-8.1.91mdk.i586.rpm
61cde3633d0866c6f03e29565ea56360 9.1/RPMS/apache-devel-1.3.27-8.1.91mdk.i586.rpm
e58a9378cff2e24bcbfe6c56d08f2505 9.1/RPMS/apache-modules-1.3.27-8.1.91mdk.i586.rpm
4b47d0bc773d59a17d5a40f627569707 9.1/RPMS/apache-source-1.3.27-8.1.91mdk.i586.rpm
c780a92fd6dbb3cdd0d52049c534778f 9.1/RPMS/apache2-2.0.47-1.6.91mdk.i586.rpm
41e7366c6dfa0331ed48027e3a2dd881 9.1/RPMS/apache2-common-2.0.47-1.6.91mdk.i586.rpm
230d990186ca121121bbc4e1720afb3d 9.1/RPMS/apache2-devel-2.0.47-1.6.91mdk.i586.rpm
36894b37c5eb5dfa628f6a2fe3de5580 9.1/RPMS/apache2-manual-2.0.47-1.6.91mdk.i586.rpm
76e8293d061a84d9413453e1d6c282b6 9.1/RPMS/apache2-mod_dav-2.0.47-1.6.91mdk.i586.rpm
bb106f0ebd893e4547ef3f0a6d1572f9 9.1/RPMS/apache2-mod_ldap-2.0.47-1.6.91mdk.i586.rpm
17003f2c15c2379275caf21fe097c7a9 9.1/RPMS/apache2-mod_ssl-2.0.47-1.6.91mdk.i586.rpm
d595f9e2c94b646869087a15e8138a44 9.1/RPMS/apache2-modules-2.0.47-1.6.91mdk.i586.rpm
b119835d0d18b01613e7977f4daa7a38 9.1/RPMS/apache2-source-2.0.47-1.6.91mdk.i586.rpm
7c3b7fc1bed6ed59b8a328d8ac3b3056 9.1/RPMS/libapr0-2.0.47-1.6.91mdk.i586.rpm
a187d7819937e82deea23da621f38ee5 9.1/SRPMS/apache-1.3.27-8.1.91mdk.src.rpm
31a46639efb035b67ea3b70f91815d9b 9.1/SRPMS/apache2-2.0.47-1.6.91mdk.src.rpm
Mandrake Linux 9.1/PPC:
6cf015976106eaaa8bdbfb46501c5339 ppc/9.1/RPMS/apache-1.3.27-8.1.91mdk.ppc.rpm
41f85b24716c140bdd5f041200d6f68c ppc/9.1/RPMS/apache-devel-1.3.27-8.1.91mdk.ppc.rpm
12ea7768f27c739f433f8cd856e8f3ed ppc/9.1/RPMS/apache-modules-1.3.27-8.1.91mdk.ppc.rpm
8ddfdeb72fe3058ae83076ad00b184c4 ppc/9.1/RPMS/apache-source-1.3.27-8.1.91mdk.ppc.rpm
7ecb812bb84877964bd0244527042b7c ppc/9.1/RPMS/apache2-2.0.47-1.6.91mdk.ppc.rpm
df9dbdcaf995332bc2950f3b64e0b5cd ppc/9.1/RPMS/apache2-common-2.0.47-1.6.91mdk.ppc.rpm
7efb7e7271527bef25ac76c017cf940f ppc/9.1/RPMS/apache2-devel-2.0.47-1.6.91mdk.ppc.rpm
46e0066408b8c9c2f537315b9d7de495 ppc/9.1/RPMS/apache2-manual-2.0.47-1.6.91mdk.ppc.rpm
832793eba23c7f55544ade7478d66971 ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.6.91mdk.ppc.rpm
1338474c76c753216f024f6df189a369 ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.6.91mdk.ppc.rpm
2f1fc4f54067d4ed4e13a24de93ac2b2 ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.6.91mdk.ppc.rpm
c9e89384dced046092fb96e3f4c71cd3 ppc/9.1/RPMS/apache2-modules-2.0.47-1.6.91mdk.ppc.rpm
893a388ffd122c25b021ccaedcaf3bc8 ppc/9.1/RPMS/apache2-source-2.0.47-1.6.91mdk.ppc.rpm
8797a894c157099d8fa59e0ee6a09725 ppc/9.1/RPMS/libapr0-2.0.47-1.6.91mdk.ppc.rpm
a187d7819937e82deea23da621f38ee5 ppc/9.1/SRPMS/apache-1.3.27-8.1.91mdk.src.rpm
31a46639efb035b67ea3b70f91815d9b ppc/9.1/SRPMS/apache2-2.0.47-1.6.91mdk.src.rpm
Mandrake Linux 9.2:
87b439a1ea3c7a53ae6bd65b8de8823d 9.2/RPMS/apache-1.3.28-3.1.92mdk.i586.rpm
a7dd2cfc0f24e74285756df47b8b2560 9.2/RPMS/apache-devel-1.3.28-3.1.92mdk.i586.rpm
e9396a1d140c37ed3c54c9fc8946b075 9.2/RPMS/apache-modules-1.3.28-3.1.92mdk.i586.rpm
59f841c1809a057b7db9809f98902e2a 9.2/RPMS/apache-source-1.3.28-3.1.92mdk.i586.rpm
67ea76c94fd96d4b58902f347e7424a4 9.2/RPMS/apache2-2.0.47-6.3.92mdk.i586.rpm
57972c71c8489d0a3c9a68185031b879 9.2/RPMS/apache2-common-2.0.47-6.3.92mdk.i586.rpm
3f3fb3d57b63cc56df9d6c7318a7cac5 9.2/RPMS/apache2-devel-2.0.47-6.3.92mdk.i586.rpm
cea519816faccd534f542965fbbf9d15 9.2/RPMS/apache2-manual-2.0.47-6.3.92mdk.i586.rpm
8d591555255d4348900fcd1bbc74061e 9.2/RPMS/apache2-mod_cache-2.0.47-6.3.92mdk.i586.rpm
0e1fbe572782f546b44054a0265ea06e 9.2/RPMS/apache2-mod_dav-2.0.47-6.3.92mdk.i586.rpm
3421ea0f95a7d897d9d339bf6e3aae33 9.2/RPMS/apache2-mod_deflate-2.0.47-6.3.92mdk.i586.rpm
46bec7aa9274f16aa9768aa6ffec0cb5 9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.3.92mdk.i586.rpm
d343b2d6a22f52a2ff5dd2844005c0f2 9.2/RPMS/apache2-mod_file_cache-2.0.47-6.3.92mdk.i586.rpm
8f6b81b7933f766fc979254f4ce3b83c 9.2/RPMS/apache2-mod_ldap-2.0.47-6.3.92mdk.i586.rpm
fedeaeb50040b8292f5b4da2cb27fc4e 9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.3.92mdk.i586.rpm
63774164ba26208b71a2a7a5f5136550 9.2/RPMS/apache2-mod_proxy-2.0.47-6.3.92mdk.i586.rpm
0399f23f2c87e07d18bb98617c79f24c 9.2/RPMS/apache2-mod_ssl-2.0.47-6.3.92mdk.i586.rpm
36e47d1f2ba0a23d6c1055fe6f606134 9.2/RPMS/apache2-modules-2.0.47-6.3.92mdk.i586.rpm
1af39eba2fff3635a323dfec02a333fb 9.2/RPMS/apache2-source-2.0.47-6.3.92mdk.i586.rpm
4b7d2788a521162aa67237db2dbc0c3d 9.2/RPMS/libapr0-2.0.47-6.3.92mdk.i586.rpm
e6603582c732931d8c8186547eee702d 9.2/SRPMS/apache-1.3.28-3.1.92mdk.src.rpm
6407cf397b65ebf7b66554d7a1445489 9.2/SRPMS/apache2-2.0.47-6.3.92mdk.src.rpm
Multi Network Firewall 8.2:
4ae3471596b2301da8062c38e7406c38 mnf8.2/RPMS/apache-1.3.23-4.3.M82mdk.i586.rpm
fd001d68be7fc7086ca7493da05db4f0 mnf8.2/RPMS/apache-common-1.3.23-4.3.M82mdk.i586.rpm
b7776aac2533499a79c820d0097187a0 mnf8.2/RPMS/apache-modules-1.3.23-4.3.M82mdk.i586.rpm
98df8da770fe4b3ede43e4af4e9de067 mnf8.2/SRPMS/apache-1.3.23-4.3.M82mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/pu8lmqjQ0CJFipgRAkziAJ9NZx+harn15u3ZByaE6RMMKasl5wCeNRcq
iM5sSfISyCmb1GE8szE+aZM=
=qcI3
-----END PGP SIGNATURE-----