Date: 29 Jun 2004 23:14:27 -0000
From: Mandrake Linux Security Team <[email protected]>
To: [email protected]
Subject: MDKSA-2004:065 - Updated apache packages fix buffer overflow vulnerability in mod_proxy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: apache
Advisory ID: MDKSA-2004:065
Date: June 29th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
A buffer overflow vulnerability was found by George Guninski in
Apache's mod_proxy module, which can be exploited by a remote user
to potentially execute arbitrary code with the privileges of an
httpd child process (user apache). This can only be exploited,
however, if mod_proxy is actually in use.

It is recommended that you stop Apache prior to updating and then
restart it again once the update is complete ("service httpd stop"
and "service httpd start" respectively).
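
Added example, not part of the advisory: a triage check for the condition stated above, that the flaw is only reachable when mod_proxy is in use. It scans one Apache 1.3 configuration file for active proxy directives; the function names, the three status labels and the sample configuration are assumptions of this example, and it does not follow Include files or detect a statically compiled module (`httpd -l` lists those).

```shell
#!/bin/sh
# Added example (not from the advisory): is mod_proxy active in this config?
# Function names and status labels are this example's own.

# Directives that load mod_proxy or route requests through it (Apache 1.3).
PROXY_RE='^(LoadModule[[:space:]]+proxy_module|AddModule[[:space:]]+mod_proxy\.c'
PROXY_RE="$PROXY_RE"'|ProxyRequests[[:space:]]+On|Proxy(Pass|Remote)[[:space:]]'
# RewriteRule with the P flag proxies too; PT (passthrough) must not match.
PROXY_RE="$PROXY_RE"'|RewriteRule[[:space:]].*\[([^]]*,)?P(,[^]]*)?\])'

# Print the active (uncommented) proxy-related directives of one config file.
proxy_directives() {
    sed -e 's/^[[:space:]]*//' "$1" | grep -v '^#' | grep -Ei "$PROXY_RE"
}

# Print not-loaded, loaded-idle (module loaded, nothing proxied) or in-use.
mod_proxy_status() {
    found=$(proxy_directives "$1" || true)
    if ! printf '%s\n' "$found" | grep -Eiq '^(LoadModule|AddModule)'; then
        echo not-loaded
    elif printf '%s\n' "$found" | grep -Eiq '^(Proxy|RewriteRule)'; then
        echo in-use
    else
        echo loaded-idle
    fi
}

if [ -n "${1:-}" ]; then
    mod_proxy_status "$1"            # e.g. the server's httpd.conf
else
    # Demo on a constructed config: module loaded and a ProxyPass mapping set.
    sample=$(mktemp)
    printf '%s\n' 'LoadModule proxy_module modules/libproxy.so' \
        '#ProxyRequests On' '  ProxyPass /app http://backend.example/' > "$sample"
    mod_proxy_status "$sample"
    rm -f "$sample"
fi
```
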
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
http://www.guninski.com/modproxy1.html
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
3c7630ddf9e8e8a87fb0a4b16717c86d 10.0/RPMS/apache-1.3.29-1.2.100mdk.i586.rpm
d450542efae157588cf02fcfb7ce18bd 10.0/RPMS/apache-devel-1.3.29-1.2.100mdk.i586.rpm
ebec3b55ec6d2b1db7756a5a71b19fd3 10.0/RPMS/apache-modules-1.3.29-1.2.100mdk.i586.rpm
8a718d665b832ca4a79b0fcd8ab911f0 10.0/RPMS/apache-source-1.3.29-1.2.100mdk.i586.rpm
2e659040e210fa92b2ad5458cbd2227f 10.0/SRPMS/apache-1.3.29-1.2.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
3965ed52ddb399405a96d5ef5c1c9b80 amd64/10.0/RPMS/apache-1.3.29-1.2.100mdk.amd64.rpm
0efc45ba61377eb7ad257d7fed8eccf1 amd64/10.0/RPMS/apache-devel-1.3.29-1.2.100mdk.amd64.rpm
7a7e8c0d0c49825e91419cfc43461099 amd64/10.0/RPMS/apache-modules-1.3.29-1.2.100mdk.amd64.rpm
2455fa5f7a3c9c39575d203cb336b527 amd64/10.0/RPMS/apache-source-1.3.29-1.2.100mdk.amd64.rpm
2e659040e210fa92b2ad5458cbd2227f amd64/10.0/SRPMS/apache-1.3.29-1.2.100mdk.src.rpm
Corporate Server 2.1:
7ee272946f5933718ed052f2a8ea3a5c corporate/2.1/RPMS/apache-1.3.26-7.2.C21mdk.i586.rpm
bd1586af647cc0bd29b474c213d0d1d6 corporate/2.1/RPMS/apache-common-1.3.26-7.2.C21mdk.i586.rpm
84c2fce310207060141864a65d6e18ea corporate/2.1/RPMS/apache-devel-1.3.26-7.2.C21mdk.i586.rpm
ea3badd6c5f97eae2c77497662c3f588 corporate/2.1/RPMS/apache-manual-1.3.26-7.2.C21mdk.i586.rpm
0f7b7fbf3e826250a21e246225e750b9 corporate/2.1/RPMS/apache-modules-1.3.26-7.2.C21mdk.i586.rpm
2e52cbec6e2b6dd60b9792854c1cc323 corporate/2.1/RPMS/apache-source-1.3.26-7.2.C21mdk.i586.rpm
c80aef846628f4a4d7baf59722c3ebea corporate/2.1/SRPMS/apache-1.3.26-7.2.C21mdk.src.rpm
Corporate Server 2.1/x86_64:
e08cece5bbc816e7e0e17297bc6feec9 x86_64/corporate/2.1/RPMS/apache-1.3.26-7.2.C21mdk.x86_64.rpm
e15d6518f1a98094232ee91545031d8c x86_64/corporate/2.1/RPMS/apache-common-1.3.26-7.2.C21mdk.x86_64.rpm
71d81d5fbc9e1e1e7aa1d53c16a427ff x86_64/corporate/2.1/RPMS/apache-devel-1.3.26-7.2.C21mdk.x86_64.rpm
6208b9d0f0858b92108ec7c05e34fa0d x86_64/corporate/2.1/RPMS/apache-manual-1.3.26-7.2.C21mdk.x86_64.rpm
4c18d17a03140eb76c5b7159030ca67d x86_64/corporate/2.1/RPMS/apache-modules-1.3.26-7.2.C21mdk.x86_64.rpm
80bb1c5f6e7a41ccdf77fbc74ec91a9f x86_64/corporate/2.1/RPMS/apache-source-1.3.26-7.2.C21mdk.x86_64.rpm
c80aef846628f4a4d7baf59722c3ebea x86_64/corporate/2.1/SRPMS/apache-1.3.26-7.2.C21mdk.src.rpm
Mandrakelinux 9.1:
0f24006e8ff29fbaa2e9e48d95e9e493 9.1/RPMS/apache-1.3.27-8.3.91mdk.i586.rpm
b8ee1b7b773b4399ae10f57860180b79 9.1/RPMS/apache-devel-1.3.27-8.3.91mdk.i586.rpm
5ef66d25cfc031c10eab53f2907b15dd 9.1/RPMS/apache-modules-1.3.27-8.3.91mdk.i586.rpm
85528359234a3d5a118893c480f20862 9.1/RPMS/apache-source-1.3.27-8.3.91mdk.i586.rpm
5353af41517365b5007cac19508eee37 9.1/SRPMS/apache-1.3.27-8.3.91mdk.src.rpm
Mandrakelinux 9.1/PPC:
38d721f0c30b824e268f54eea437e8a9 ppc/9.1/RPMS/apache-1.3.27-8.3.91mdk.ppc.rpm
fc2349a3a233209c95f85bb9f18da270 ppc/9.1/RPMS/apache-devel-1.3.27-8.3.91mdk.ppc.rpm
9448f73715ffbb2a3a9a0415dfaa2745 ppc/9.1/RPMS/apache-modules-1.3.27-8.3.91mdk.ppc.rpm
2d68de368b93897ba2f2675490ad838e ppc/9.1/RPMS/apache-source-1.3.27-8.3.91mdk.ppc.rpm
5353af41517365b5007cac19508eee37 ppc/9.1/SRPMS/apache-1.3.27-8.3.91mdk.src.rpm
Mandrakelinux 9.2:
9635d7e327fd8bee822a4bbbb3a56da0 9.2/RPMS/apache-1.3.28-3.3.92mdk.i586.rpm
ce3a540397e2c0a77650a47a91c8619a 9.2/RPMS/apache-devel-1.3.28-3.3.92mdk.i586.rpm
5389d198986e1714ebb6a0e687dce0f0 9.2/RPMS/apache-modules-1.3.28-3.3.92mdk.i586.rpm
ce34d1cc91996c84f12189580ae6dafd 9.2/RPMS/apache-source-1.3.28-3.3.92mdk.i586.rpm
908ea9a964fec711bc25fbc7b7e9dc0f 9.2/SRPMS/apache-1.3.28-3.3.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
dee14b276676f203fceb1ca658876d24 amd64/9.2/RPMS/apache-1.3.28-3.3.92mdk.amd64.rpm
4750abf196f44eb4aff051c4113a07a4 amd64/9.2/RPMS/apache-devel-1.3.28-3.3.92mdk.amd64.rpm
c0eb375d43f0bad4ae8e4d4b121c72af amd64/9.2/RPMS/apache-modules-1.3.28-3.3.92mdk.amd64.rpm
75307fd56c0260e77399c46730506bd8 amd64/9.2/RPMS/apache-source-1.3.28-3.3.92mdk.amd64.rpm
908ea9a964fec711bc25fbc7b7e9dc0f amd64/9.2/SRPMS/apache-1.3.28-3.3.92mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFA4ffTmqjQ0CJFipgRAlhhAKCiL3x4ky36IOmPxdRwn17UI/rrugCfcjOZ
tOR0bKodwHzWnRnb0sP3fBk=
=rAKF
-----END PGP SIGNATURE-----
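
Added example, not part of the advisory: for packages fetched by hand rather than through MandrakeUpdate or urpmi, this checks downloaded RPMs against the "Updated Packages" list above. The function name, the OK/MISMATCH output and the demo file are assumptions of this example; entries for packages not present in the directory are skipped.

```shell
#!/bin/sh
# Added example (not from the advisory): compare downloaded RPMs with the
# "<md5> <path>.rpm" lines of a saved advisory. Names here are hypothetical.

# verify_advisory_md5 ADVISORY_FILE RPM_DIR
# Prints "OK name" or "MISMATCH name" for each listed package found in RPM_DIR.
# Returns 0 if all match, 1 on any mismatch, 2 if no listed package was found.
verify_advisory_md5() {
    advisory=$1; dir=$2
    report=$(
        # Keep only checksum lines, reduce each path to its file name,
        # and collapse entries repeated across architectures (the SRPMs).
        grep -E '^[0-9a-f]{32} +[^ ]+\.rpm$' "$advisory" |
        sed -E 's#^([0-9a-f]{32}) +(.*/)?([^/]+)$#\1 \3#' | sort -u |
        while read -r want name; do
            [ -f "$dir/$name" ] || continue   # other release or architecture
            have=$(md5sum "$dir/$name" | cut -d' ' -f1)
            if [ "$have" = "$want" ]; then
                echo "OK $name"
            else
                echo "MISMATCH $name"
            fi
        done
    )
    [ -n "$report" ] || { echo "no listed package found in $dir" >&2; return 2; }
    printf '%s\n' "$report"
    case $report in *MISMATCH*) return 1 ;; esac
    return 0
}

if [ "$#" -eq 2 ]; then
    verify_advisory_md5 "$1" "$2"
else
    # Demo on constructed data: an empty file, whose MD5 is the well-known
    # d41d8cd98f00b204e9800998ecf8427e, listed under a made-up package name.
    d=$(mktemp -d)
    : > "$d/demo-1.0-1mdk.i586.rpm"
    printf '%s\n' 'd41d8cd98f00b204e9800998ecf8427e 10.0/RPMS/demo-1.0-1mdk.i586.rpm' \
        > "$d/advisory.txt"
    verify_advisory_md5 "$d/advisory.txt" "$d"
    rm -rf "$d"
fi
```

The checksum list is only as trustworthy as the advisory's PGP signature, so verify the signed message first; `rpm --checksig` checks the signature carried by each package itself.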