Date: Mon, 26 Jul 2004 17:20:37 +0200
From: Trustix Security Advisor <[email protected]>
To: [email protected]
Subject: TSL-2004-0039 - multi
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0039
Package name: apache, mod_php4, samba
Summary: Several security vulnerabilities patched
Date: 2004-01-05
Affected versions: Trustix Secure Linux 1.5
Trustix Secure Linux 2.0
Trustix Secure Linux 2.1
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
apache:
Apache is a full-featured web server that is freely available and also
happens to be the most widely used.
mod_php4:
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP
also offers built-in database integration for several commercial
and non-commercial database management systems, so writing a
database-enabled web page with PHP is fairly simple. The most
common use of PHP coding is probably as a replacement for CGI
scripts. The mod_php module enables the Apache web server to
understand and process the embedded PHP language in web pages.
samba:
Samba provides an SMB server which can be used to provide network
services to SMB (sometimes called "Lan Manager") clients, including
various versions of MS Windows, OS/2, and other Linux machines. Samba
uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI
(Microsoft Raw NetBIOS frame) protocol.
Problem description:
apache:
Recent Apache 2.0 releases place no limit on the amount of folding of
input headers, or on the total length after folding. Given an input
stream with an endless sequence of header lines to be folded, the server
will allocate as much memory as the system will allow, leading to a
Denial of Service.
This issue was already fixed by a patch in our most recent apache 2.0.49
package. However, we have chosen to upgrade to 2.0.50 to avoid confusion.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0493 to this issue.
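As an added illustration of the missing bounds (this is not code from the advisory or from Apache itself), the following header unfolder appends continuation lines but checks the fold count and the unfolded length on every line, so memory use stays bounded however long the input stream is; the two limit constants are assumed values chosen for the example, not Apache's own settings.

```python
"""Bounded HTTP header unfolding (added example, not from Apache).

RFC 2616 lets a header value continue on following lines that start with
SP or HTAB ("folding").  CAN-2004-0493 is the case where neither the
number of continuation lines nor the total unfolded length is limited.
"""

MAX_FIELD_LEN = 8192       # assumed cap on one unfolded header value
MAX_FOLDS_PER_FIELD = 16   # assumed cap on continuation lines per field


class HeaderLimitExceeded(Exception):
    """Raised when a folded header exceeds the configured bounds."""


def unfold_headers(raw: bytes,
                   max_field_len: int = MAX_FIELD_LEN,
                   max_folds: int = MAX_FOLDS_PER_FIELD) -> dict:
    """Parse a CRLF-terminated header block into {lowercase name: value}.

    Continuation lines are joined to the previous field with one space.
    Both limits are enforced per line, so a stream of continuations is
    rejected as soon as it crosses a bound rather than being buffered.
    """
    headers = {}
    current = None          # name of the field being accumulated
    folds = 0
    for line in raw.split(b"\r\n"):
        if line == b"":
            break           # blank line terminates the header block
        if line[:1] in (b" ", b"\t"):
            if current is None:
                raise ValueError("continuation line before any header")
            folds += 1
            if folds > max_folds:
                raise HeaderLimitExceeded(
                    f"more than {max_folds} folds in {current!r}")
            headers[current] += b" " + line.strip()
        else:
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError(f"malformed header line {line!r}")
            current = name.strip().lower().decode("ascii")
            headers[current] = value.strip()
            folds = 0
        if len(headers[current]) > max_field_len:
            raise HeaderLimitExceeded(
                f"{current!r} exceeds {max_field_len} bytes after unfolding")
    return headers
```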
mod_php4:
The PHP project recommends that older versions of PHP be updated to 4.3.8,
as it fixes several issues. Among these is CAN-2004-0594, also known as
the "memory_limit" bug.
samba:
Two security issues were discovered in samba.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2004-0600 and CAN-2004-0686 to these issues.
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Public testing:
Most updates for Trustix Secure Linux are made available for public
testing some time before release.
If you want to contribute by testing the various packages in the
testing tree, please feel free to share your findings on the
tsl-discuss mailing list.
The testing tree is located at
<URI:http://tsldev.trustix.org/horizon/>
You may also use swup for public testing of updates:
site {
class = 0
location = "http://tsldev.trustix.org/horizon/rdfs/latest.rdf"
regexp = ".*"
}
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory, along with all Trustix packages, is signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-1.5/>,
<URI:http://www.trustix.org/errata/trustix-2.0/> and
<URI:http://www.trustix.org/errata/trustix-2.1/>
or directly at
<URI:http://www.trustix.org/errata/2004/xxxx>
MD5sums of the packages:
- --------------------------------------------------------------------------
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQFBBSC9i8CEzsK9IksRAkAuAJ0fJWu0cAwbAICvgcz0UUSv8UpX3QCdHLAj
TjMMOex9C17qI+CCs/N6boo=
=sPYM
-----END PGP SIGNATURE-----