From secure@conectiva.com.br Thu Nov 6 14:16:46 2003
From: Conectiva Updates
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org
Date: Wed, 5 Nov 2003 19:18:56 -0200
Subject: [CLA-2003:775] Conectiva Security Announcement - apache

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : apache
SUMMARY   : Fix for some vulnerabilities
DATE      : 2003-11-05 19:18:00
ID        : CLA-2003:775
RELEVANT
RELEASES  : 7.0, 8, 9

- -------------------------------------------------------------------------

DESCRIPTION
 Apache[1] is the most popular webserver in use today.

 New versions of the Apache web server have been made available[2][3]
 with the following security fixes:

 1. Buffer overflow in mod_alias and mod_rewrite (CAN-2003-0542) [4]

 A buffer overflow could occur in mod_alias and mod_rewrite when a
 regular expression with more than 9 captures is configured. Users who
 can create or modify configuration files (httpd.conf or .htaccess, for
 example) could trigger this. This vulnerability affects Apache 1.3.x
 and Apache 2.0.x.

 2. mod_cgid mishandling of CGI redirect paths (CAN-2003-0789) [5]

 mod_cgid mishandling of CGI redirect paths could result in CGI output
 going to the wrong client when a threaded MPM is used. The packages
 provided with Conectiva Linux 9 are not vulnerable to this issue
 because they are not compiled with that MPM, but the fix has been
 included because new packages for Conectiva Linux 9 were already being
 built for the suexec problem (see below).

 In addition to the above security fixes, "suexec" has been correctly
 built in the Conectiva Linux 9 packages, fixing[6] the problem where
 CGI scripts could not be run from the user's home directory.
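 The following script is an added example and is not part of the Conectiva advisory or of the Apache project. It audits an httpd.conf or .htaccess for the configuration condition CAN-2003-0542 depends on: a regex-based directive (RewriteRule, RewriteCond, AliasMatch, ScriptAliasMatch, RedirectMatch) whose pattern declares more than 9 capture groups. The directive list, the field positions and the sample configuration written by write_sample_config are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): find Apache regex directives with
# more than 9 capture groups in a configuration file.

# count_captures REGEX -> prints the number of capturing groups in REGEX.
# Escaped parentheses, parentheses inside [...] classes and "(?" groups
# are not counted.
count_captures() {
    printf '%s\n' "$1" | awk '{
        n = 0; esc = 0; cls = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (esc)       { esc = 0; continue }
            if (c == "\\") { esc = 1; continue }
            if (cls)       { if (c == "]") cls = 0; continue }
            if (c == "[")  { cls = 1; continue }
            if (c == "(" && substr($0, i + 1, 1) != "?") n++
        }
        print n
    }'
}

# scan_config FILE -> prints one "FILE:LINE: DIRECTIVE ..." report per
# directive whose pattern has more than 9 captures. Comment lines are
# skipped; the pattern is the 2nd field, except for RewriteCond (3rd) and
# RedirectMatch with a leading status word (3rd). Assumed field layout.
scan_config() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "rewriterule"      { print NR, $1, $2 }
        tolower($1) == "rewritecond"      { print NR, $1, $3 }
        tolower($1) == "aliasmatch"       { print NR, $1, $2 }
        tolower($1) == "scriptaliasmatch" { print NR, $1, $2 }
        tolower($1) == "redirectmatch" {
            if (tolower($2) ~ /^(permanent|temp|seeother|gone|[0-9]+)$/)
                print NR, $1, $3
            else
                print NR, $1, $2
        }
    ' "$1" | while read -r lineno directive pattern; do
        n=$(count_captures "$pattern")
        if [ "$n" -gt 9 ]; then
            printf '%s:%s: %s pattern has %s capture groups (limit 9)\n' \
                "$1" "$lineno" "$directive" "$n"
        fi
    done
}

# has_oversized_captures FILE -> exit status 0 if any directive in FILE
# exceeds 9 captures, 1 otherwise.
has_oversized_captures() {
    [ -n "$(scan_config "$1")" ]
}

# write_sample_config FILE -> writes a constructed configuration used for
# a self-test; it is not taken from the advisory.
write_sample_config() {
    cat > "$1" <<'EOF'
# nine captures: at the limit, reported as fine
RewriteRule ^/(a)/(b)/(c)/(d)/(e)/(f)/(g)/(h)/(i)$ /ok/$1 [L]
# ten captures: the condition described for CAN-2003-0542
RewriteRule ^/(a)/(b)/(c)/(d)/(e)/(f)/(g)/(h)/(i)/(j)$ /bad/$1 [L]
AliasMatch ^/img/([0-9]+)\(x\)[(]y[)]$ /var/www/img/$1
RedirectMatch permanent ^/old/(.*)$ /new/$1
EOF
}

# Usage: sh audit_captures.sh /etc/httpd/conf/httpd.conf [more files ...]
for f in "$@"; do
    scan_config "$f"
done
```

 Running it over the real configuration before and after the upgrade shows whether any directive sits past the 9-capture limit; patterns that do are worth simplifying regardless of the package fix, since the overflow is reachable only through such a configuration.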
SOLUTION
 It is recommended that all Apache users upgrade their packages.

 IMPORTANT: it is necessary to manually restart the httpd server after
 upgrading the packages. In order to do this, execute the following as
 root:

 service httpd stop

 (wait a few seconds and check with "pidof httpd" if there are any httpd
 processes running. On a busy webserver this could take a little longer)

 service httpd start


REFERENCES
 1. http://apache.httpd.org/
 2. http://www.apache.org/dist/httpd/Announcement2.html
 3. http://www.apache.org/dist/httpd/Announcement.html
 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789
 6. http://bugzilla.conectiva.com.br/show_bug.cgi?id=8754 (pt_BR only)


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/apache-1.3.28-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.28-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.28-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.28-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/apache-1.3.28-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-1.3.28-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-devel-1.3.28-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-doc-1.3.28-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_auth_ldap-2.0.45-28790U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_dav-2.0.45-28790U90_5cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:
 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/qWk/42jd0JmAcZARAkF2AJsGfA3n7v7l8f4A8ik+Ao6uqB9NYACfZnQ4
qf3SjmMxGkqRYyXuBBragEE=
=zsxK
-----END PGP SIGNATURE-----
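The script below is an added example, not part of the Conectiva advisory, showing the manual restart the SOLUTION section asks for with the "wait a few seconds and check with pidof httpd" step turned into a bounded poll, so that "service httpd start" is never issued while old httpd processes are still winding down. It assumes a SysV-style "service" script named httpd, as on Conectiva Linux; the default timeout of 30 seconds and the pgrep and /proc fallbacks used when pidof is absent are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): stop httpd, wait until no httpd
# process remains, then start it again.

# procs_running NAME -> exit status 0 if at least one process called NAME
# exists. Uses pidof as the advisory does; pgrep and /proc are fallbacks
# for systems without it (assumed for this example).
procs_running() {
    if command -v pidof >/dev/null 2>&1; then
        pidof "$1" >/dev/null 2>&1
    elif command -v pgrep >/dev/null 2>&1; then
        pgrep -x "$1" >/dev/null 2>&1
    else
        for c in /proc/[0-9]*/comm; do
            [ "$(cat "$c" 2>/dev/null)" = "$1" ] && return 0
        done
        return 1
    fi
}

# wait_for_exit NAME TIMEOUT_SECONDS -> exit status 0 once no process called
# NAME remains, 1 if some are still running when the timeout expires.
# Polls once per second instead of sleeping a fixed "few seconds".
wait_for_exit() {
    name=$1
    timeout=${2:-30}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if ! procs_running "$name"; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    ! procs_running "$name"
}

# restart_httpd [TIMEOUT_SECONDS] -> the advisory's stop / check / start
# sequence. Refuses to start if old workers are still alive after the
# timeout, so two instances never compete for the same port.
restart_httpd() {
    timeout=${1:-30}
    service httpd stop || return 1
    if ! wait_for_exit httpd "$timeout"; then
        echo "httpd processes still running after ${timeout}s; not starting" >&2
        return 1
    fi
    service httpd start
}

# Usage (as root, after the package upgrade):
#   sh restart_httpd.sh --run [timeout-seconds]
if [ "${1:-}" = "--run" ]; then
    restart_httpd "${2:-30}"
fi
```

On a busy server the stop can take longer than the default, which is why the timeout is a parameter; a non-zero exit from restart_httpd means the old processes were still there and the operator should look at them before starting the new binary.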