[Full-Disclosure] MDKSA-2004:046-1 - apache-mod_perl packages are now available

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 05/20/04

  • Next message: Nico Golde: "Re: [Full-Disclosure] Is there any open source project support virtual machines"
    To: full-disclosure@lists.netsys.com
    Date: 20 May 2004 06:51:49 -0000
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                     Mandrakelinux Security Update Advisory
     _______________________________________________________________________

     Package name: apache-mod_perl
     Advisory ID: MDKSA-2004:046-1
     Date: May 20th, 2004
     Original Advisory Date: May 17th, 2004
     Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
     ______________________________________________________________________

     Problem Description:

     Four security vulnerabilities were fixed with the 1.3.31 release of
     Apache. All of these issues have been backported and applied to the
     provided packages. Thanks to Ralf Engelschall of OpenPKG for providing
     the patches.
     
     Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences
     from its error logs. This could make it easier for attackers to insert
     those sequences into the terminal emulators of administrators viewing
     the error logs that contain vulnerabilities related to escape sequence
     handling (CAN-2003-0020).
     
     mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the
     nonce of a client response by using an AuthNonce secret. Apache now
     verifies the nonce returned in the client response to check whether it
     was issued by itself by means of a "AuthDigestRealmSeed" secret exposed
     as an MD5 checksum (CAN-2003-0987).
     
     mod_acces in Apache 1.3 prior to 1.3.30, when running on big-endian
     64-bit platforms, did not properly parse Allow/Deny rules using IP
     addresses without a netmask. This could allow a remote attacker to
     bypass intended access restrictions (CAN-2003-0993).
     
     Apache 1.3 prior to 1.3.30, when using multiple listening sockets on
     certain platforms, allows a remote attacker to cause a DoS by blocking
     new connections via a short-lived connection on a rarely-accessed
     listening socket (CAN-2004-0174). While this particular vulnerability
     does not affect Linux, we felt it prudent to include the fix.
      
    Update:

     Due to the changes in mod_digest.so, mod_perl needed to be rebuilt
     against the patched Apache packages in order for httpd-perl to
     properly load the module. The appropriate mod_perl packages have
     been rebuilt and are now available.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
     ______________________________________________________________________

     Updated Packages:
      
     Mandrakelinux 10.0:
     63acd52155d098a1f7f366f9022e22d2 10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.i586.rpm
     965ea6d33ad296e8ebf2e3ff493510a7 10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.i586.rpm
     d9677587622c98969032258d28fab962 10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.i586.rpm
     5fc0a04b29dc963a8198ba43231b5062 10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.i586.rpm
     705caa117fd889d8f47b8672a63f7b0a 10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm

     Mandrakelinux 10.0/AMD64:
     8684baaf82445ae2aa10c688241f7d22 amd64/10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.amd64.rpm
     d8ed6249524aa168bd2de1175b60ab0e amd64/10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.amd64.rpm
     7cd33d82e9143c229f6f7545c73a89ce amd64/10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.amd64.rpm
     33c10b3b423dc9496c785437f1f46e13 amd64/10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.amd64.rpm
     705caa117fd889d8f47b8672a63f7b0a amd64/10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm

     Corporate Server 2.1:
     eccb615f3e80136147a846a7827ee086 corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.i586.rpm
     417f2e3022591b2c32fb3da2eea493f6 corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.i586.rpm
     06f9ba2f38c157eea76f16d54da3520e corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.i586.rpm
     5f27ce00d7d11bd201873840f5ee1337 corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.i586.rpm
     2d5741904c5a87b53eaef9351dfbe16d corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm

     Corporate Server 2.1/x86_64:
     ccfaf2869f3b93b58bb82985522d6a6a x86_64/corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.x86_64.rpm
     ec45dfb7d782e164c3eb200a417839db x86_64/corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
     dede6137003aa366b8f57007f0769c50 x86_64/corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
     2cab584c8d30778cdeb54521b3fe9537 x86_64/corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
     2d5741904c5a87b53eaef9351dfbe16d x86_64/corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm

     Mandrakelinux 9.1:
     3e12f0d068d6e7979edc6c70a9e57fc0 9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.i586.rpm
     7d893f2d67c0b0146cc9b7307ebb4d8a 9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.i586.rpm
     920082a37fb424a9df9e0f942393a0b2 9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.i586.rpm
     69172f9d1315939c6e4d05c3395ce212 9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.i586.rpm
     043f2c9c57767318b7dd3c33fa90899f 9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm

     Mandrakelinux 9.1/PPC:
     1c9a84b031aab153bc8dea7610b0eedc ppc/9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.ppc.rpm
     ca8aa7f53e5b6dd6ba852b3e12fe9ea8 ppc/9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.ppc.rpm
     844ca50fb72aad0225e99c9268577f2a ppc/9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.ppc.rpm
     eaa68e38912c3be140f6379d59296c08 ppc/9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.ppc.rpm
     043f2c9c57767318b7dd3c33fa90899f ppc/9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm

     Mandrakelinux 9.2:
     1d88e2ef611d80ba3f0c9602e81f77d9 9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.i586.rpm
     7ccb9d87d744755f57536684fef6d820 9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.i586.rpm
     c7167fb4d1e1416e7f8ffef7979a3906 9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.i586.rpm
     2b2004d1e4514d720a80f7ecec22b1d2 9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.i586.rpm
     4bf5804d6155bf7d06705e5c4e46cf3e 9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm

     Mandrakelinux 9.2/AMD64:
     fe4885d9af3da5107101fbfac0a7f25f amd64/9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.amd64.rpm
     b15da8abc8d7914528b90c612b6a558b amd64/9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.amd64.rpm
     cd878dc7e721615e9b0ffdb8a8849f93 amd64/9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.amd64.rpm
     75109c17f579d2d108a4258ef1e12ba4 amd64/9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.amd64.rpm
     4bf5804d6155bf7d06705e5c4e46cf3e amd64/9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandrakesoft for security. You can obtain
     the GPG public key of the Mandrakelinux Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandrakelinux at:

      http://www.mandrakesoft.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQFArFWFmqjQ0CJFipgRAsS6AKDSG3UNuC76NTZBpDnKVUwP0kI6xwCgqIfp
    AxrWu1bC+83ssGHLt2UknFc=
    =kQPR
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Nico Golde: "Re: [Full-Disclosure] Is there any open source project support virtual machines"

    Relevant Pages