[Full-Disclosure] MDKSA-2004:075 - Updated mod_ssl packages fix potential vulnerabilities

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 07/28/04

  • Next message: mattmurphy_at_kc.rr.com: "[Full-Disclosure] Pavuk Digest Authentication Buffer Overflow"
    To: full-disclosure@lists.netsys.com
    Date: 28 Jul 2004 01:26:08 -0000
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                     Mandrakelinux Security Update Advisory
     _______________________________________________________________________

     Package name: mod_ssl
     Advisory ID: MDKSA-2004:075
     Date: July 27th, 2004

     Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
                             Multi Network Firewall 8.2
     ______________________________________________________________________

     Problem Description:

     Ralf S. Engelschall found a remaining risky call to ssl_log while
     reviewing code for another issue reported by Virulent. The updated
     packages are patched to correct the problem.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0700
     ______________________________________________________________________

     Updated Packages:
      
     Mandrakelinux 10.0:
     67b5f2830144f4f23252c6e790024913 10.0/RPMS/mod_ssl-2.8.16-1.2.100mdk.i586.rpm
     bc3d01ea44136b134f465f9477f4907c 10.0/SRPMS/mod_ssl-2.8.16-1.2.100mdk.src.rpm

     Mandrakelinux 10.0/AMD64:
     0e20fd551d0db86fb01bf1cac1fc0d00 amd64/10.0/RPMS/mod_ssl-2.8.16-1.2.100mdk.amd64.rpm
     bc3d01ea44136b134f465f9477f4907c amd64/10.0/SRPMS/mod_ssl-2.8.16-1.2.100mdk.src.rpm

     Corporate Server 2.1:
     ced0b61893293095a5f229728e4cbdb2 corporate/2.1/RPMS/mod_ssl-2.8.10-5.4.C21mdk.i586.rpm
     543976686dac61408092c2d90faf45be corporate/2.1/SRPMS/mod_ssl-2.8.10-5.4.C21mdk.src.rpm

     Corporate Server 2.1/x86_64:
     200c8254e7bbd46c8f9d5288803d33a1 x86_64/corporate/2.1/RPMS/mod_ssl-2.8.10-5.4.C21mdk.x86_64.rpm
     543976686dac61408092c2d90faf45be x86_64/corporate/2.1/SRPMS/mod_ssl-2.8.10-5.4.C21mdk.src.rpm

     Mandrakelinux 9.1:
     e58304a3bbc0581e643e5609e95b8230 9.1/RPMS/mod_ssl-2.8.12-8.2.91mdk.i586.rpm
     c752c0ae8d6d034eb61c1a967e0e50f0 9.1/SRPMS/mod_ssl-2.8.12-8.2.91mdk.src.rpm

     Mandrakelinux 9.1/PPC:
     c3ad8be79ca34e4a08d9d50d8c0e2178 ppc/9.1/RPMS/mod_ssl-2.8.12-8.2.91mdk.ppc.rpm
     c752c0ae8d6d034eb61c1a967e0e50f0 ppc/9.1/SRPMS/mod_ssl-2.8.12-8.2.91mdk.src.rpm

     Mandrakelinux 9.2:
     51a525a5e2da3af2812d6f502dcb55ea 9.2/RPMS/mod_ssl-2.8.15-1.2.92mdk.i586.rpm
     faf4f30d6757b581b407e6dc645e17c0 9.2/SRPMS/mod_ssl-2.8.15-1.2.92mdk.src.rpm

     Mandrakelinux 9.2/AMD64:
     daf5b6b738aa5010619fc2cdf8817112 amd64/9.2/RPMS/mod_ssl-2.8.15-1.2.92mdk.amd64.rpm
     faf4f30d6757b581b407e6dc645e17c0 amd64/9.2/SRPMS/mod_ssl-2.8.15-1.2.92mdk.src.rpm

     Multi Network Firewall 8.2:
     03dd0105896ff42ed4cd1fe48d3f62d7 mnf8.2/RPMS/mod_ssl-2.8.7-3.4.M82mdk.i586.rpm
     7c306e82940c73410ccf8e9bb635adea mnf8.2/SRPMS/mod_ssl-2.8.7-3.4.M82mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandrakesoft for security. You can obtain
     the GPG public key of the Mandrakelinux Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandrakelinux at:

      http://www.mandrakesoft.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQFBBwCwmqjQ0CJFipgRAvsqAJ4uzwldl0Yf+paawKs3W1wFZF/uQQCfT2pL
    yKWNwpXW9uoHgKYcFbnoho0=
    =itL+
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: mattmurphy_at_kc.rr.com: "[Full-Disclosure] Pavuk Digest Authentication Buffer Overflow"