[CLA-2001:421] Conectiva Linux Security Announcement - mod_auth_mysql
Date: Thu, 6 Sep 2001 14:22:33 -0300
From: [email protected]
To: [email protected], [email protected],
Subject: [CLA-2001:421] Conectiva Linux Security Announcement - mod_auth_mysql
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : mod_auth_mysql
SUMMARY : Remote vulnerability in the mod_auth_mysql authentication module
DATE : 2001-09-06 14:18:00
ID : CLA-2001:421
RELEVANT
RELEASES : 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0
- -------------------------------------------------------------------------
DESCRIPTION
"mod_auth_mysql" is an authentication module for apache which
authenticates users against a MySQL database.
RUS-CERT[3] discovered a vulnerability[1][2] in several Apache
authentication modules which use SQL databases to retrieve user
information. This vulnerability allows a remote attacker to change
the query that the module sends to the SQL server and potentially
circumvent the authentication process.
The mysql_query() function, used by this module, does not allow
multiple commands do be sent to the server, that is, the ";"
character is not allowed. This restricts this vulnerability somewhat,
since the attacker can no longer issue other commands besides the
SELECT one the module is already doing, but he/she can still mangle
this query and this should not be underestimated.
Additionally, this update also fixes a problem with this package
which wasn't linked against the MySQL libraries in previous releases.
SOLUTION
All mod_auth_mysql users should upgrade.
IMPORTANT: it is necessary to restart the apache server after
applying the update.
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/mod_auth_mysql-1.11-1U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_auth_mysql-1.11-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/mod_auth_mysql-1.11-1U42_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_auth_mysql-1.11-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/mod_auth_mysql-1.11-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_auth_mysql-1.11-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/mod_auth_mysql-1.11-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_auth_mysql-1.11-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/mod_auth_mysql-1.11-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/mod_auth_mysql-1.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mod_auth_mysql-1.11-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mod_auth_mysql-1.11-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/mod_auth_mysql-1.11-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mod_auth_mysql-1.11-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/mod_auth_mysql-1.11-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mod_auth_mysql-1.11-1U50_1cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(replace 6.0 with the correct version number if you are not running CL6.0)
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7l7DY42jd0JmAcZARAqfFAKDD8J5w+TNnRej5UvZsKCkW81mvGACaAjIh
NZG+Ynxoq8IOqEGOdzmkBrQ=
=JraI
-----END PGP SIGNATURE-----