From xsecurity@mandriva.com Sat Jan 7 13:34:25 2006
From: Mandriva Security Team
To: full-disclosure@lists.grok.org.uk
Date: Fri, 06 Jan 2006 19:28:00 -0700
Subject: [Full-disclosure] MDKSA-2006:009 - Updated apache2-mod_auth_pgsql packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:009
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apache2-mod_auth_pgsql
 Date    : January 6, 2006
 Affected: 10.1, 10.2, 2006.0
 _______________________________________________________________________

 Problem Description:

 iDefense discovered several format string vulnerabilities in the way
 that mod_auth_pgsql logs information which could potentially be used
 by a remote attacker to execute arbitrary code as the apache user if
 mod_auth_pgsql is used for user authentication.

 The provided packages have been patched to prevent this problem.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3656
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 10.1:
 5fd1e2329146f2c03845fe516acaa123  10.1/RPMS/apache2-mod_auth_pgsql-2.0.50_2.0.2b1-3.1.101mdk.i586.rpm
 c7cfefd7de46d13ee74f25e35f2fd76a  10.1/SRPMS/apache2-mod_auth_pgsql-2.0.50_2.0.2b1-3.1.101mdk.src.rpm

 Mandriva Linux 10.1/X86_64:
 631ed3b26fddd6f5198d4a33aa31326c  x86_64/10.1/RPMS/apache2-mod_auth_pgsql-2.0.50_2.0.2b1-3.1.101mdk.x86_64.rpm
 c7cfefd7de46d13ee74f25e35f2fd76a  x86_64/10.1/SRPMS/apache2-mod_auth_pgsql-2.0.50_2.0.2b1-3.1.101mdk.src.rpm

 Mandriva Linux 10.2:
 477fd516e48926f13a66cc0a92366598  10.2/RPMS/apache2-mod_auth_pgsql-2.0.53_2.0.2b1-6.1.102mdk.i586.rpm
 12baf2fcd6739141f29c4f6000f83e28  10.2/SRPMS/apache2-mod_auth_pgsql-2.0.53_2.0.2b1-6.1.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 7d5ba837da8f1681587c431fe219f9fa  x86_64/10.2/RPMS/apache2-mod_auth_pgsql-2.0.53_2.0.2b1-6.1.102mdk.x86_64.rpm
 12baf2fcd6739141f29c4f6000f83e28  x86_64/10.2/SRPMS/apache2-mod_auth_pgsql-2.0.53_2.0.2b1-6.1.102mdk.src.rpm

 Mandriva Linux 2006.0:
 abe116d3afce2e1dd6c29a4a922ecf0a  2006.0/RPMS/apache-mod_auth_pgsql-2.0.54_2.0.2b1-3.1.20060mdk.i586.rpm
 c6755d865f6de4cf51a9f6918798aafc  2006.0/SRPMS/apache-mod_auth_pgsql-2.0.54_2.0.2b1-3.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 a8e95a35a1eda50cc392193496c15721  x86_64/2006.0/RPMS/apache-mod_auth_pgsql-2.0.54_2.0.2b1-3.1.20060mdk.x86_64.rpm
 c6755d865f6de4cf51a9f6918798aafc  x86_64/2006.0/SRPMS/apache-mod_auth_pgsql-2.0.54_2.0.2b1-3.1.20060mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.

 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDvvqymqjQ0CJFipgRAl5jAJwInb6yP+dO/9iXRdSeJxETV3Li+wCg7glF
tYByE5LQ2FHucxwe8fXvt2A=
=DB3Z
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
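
Added example, not part of the Mandriva advisory and not mod_auth_pgsql's own code: the bug class named in the Problem Description (a log call that receives client-influenced text as its format string) beside the corrected call. log_error and the two log_auth_failure_* functions are hypothetical stand-ins for a printf-style server logging API, and the user name is constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style server log call. It keeps the
 * rendered line in a buffer so the result can be inspected. */
static char last_log[256];

static void log_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern: the message is built from client-supplied data and
 * then passed as the format string, so the formatter interprets any
 * conversion specification the client put in the user name. Declaring
 * log_error with __attribute__((format(printf, 1, 2))) lets
 * -Wformat-security flag this call at compile time. */
const char *log_auth_failure_unsafe(const char *user)
{
    char msg[200];
    snprintf(msg, sizeof msg, "auth failed for user %s", user);
    log_error(msg);
    return last_log;
}

/* HARDENED pattern: constant format string, untrusted data only as an
 * argument, so it is copied into the log line byte for byte. */
const char *log_auth_failure_safe(const char *user)
{
    log_error("auth failed for user %s", user);
    return last_log;
}

int main(void)
{
    /* Constructed input. "%%" takes no argument, so even the unsafe path
     * is well defined here; it only shows the name being interpreted. */
    const char *user = "a%%b";
    printf("unsafe: %s\n", log_auth_failure_unsafe(user)); /* ...user a%b  */
    printf("safe:   %s\n", log_auth_failure_safe(user));   /* ...user a%%b */
    return 0;
}
```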