[RHSA-2004:063-01] Updated mod_python packages fix denial of service vulnerability

bugzilla_at_redhat.com
Date: 02/26/04

    Date: Thu, 26 Feb 2004 02:45 -0500
    To: redhat-watch-list@redhat.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ---------------------------------------------------------------------
                       Red Hat Security Advisory

    Synopsis: Updated mod_python packages fix denial of service vulnerability
    Advisory ID: RHSA-2004:063-01
    Issue date: 2004-02-26
    Updated on: 2004-02-26
    Product: Red Hat Linux
    Keywords: mod_python DoS
    Cross references:
    Obsoletes:
    CVE Names: CAN-2003-0973
    - ---------------------------------------------------------------------

    1. Topic:

    Updated mod_python packages that fix a denial of service vulnerability are
    now available for Red Hat Linux.

    2. Relevant releases/architectures:

    Red Hat Linux 9 - i386

    3. Problem description:

    mod_python embeds the Python language interpreter within the Apache httpd
    server.

    A bug has been found in mod_python versions 3.0.3 and earlier that can
    lead to a denial of service vulnerability. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CAN-2003-0973 to
    this issue.

    Although Red Hat Linux 9 shipped with a version of mod_python
    that contains this bug, our testing was unable to trigger the denial of
    service vulnerability. mod_python users are, however, advised to upgrade
    to these errata packages, which contain a backported patch that corrects
    this bug.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which are
    not installed but included in the list will not be updated. Note that you
    can also use wildcards (*.rpm) if your current directory *only* contains the
    desired RPMs.

    Please note that this update is also available via Red Hat Network. Many
    people find this an easier way to apply updates. To use Red Hat Network,
    launch the Red Hat Update Agent with the following command:

    up2date

    This will start an interactive process that will result in the appropriate
    RPMs being upgraded on your system.

    If up2date fails to connect to Red Hat Network due to SSL
    Certificate Errors, you need to install a version of the
    up2date client with an updated certificate. The latest version of
    up2date is available from the Red Hat FTP site and may also be
    downloaded directly from the RHN website:

    https://rhn.redhat.com/help/latest-up2date.pxt

    5. RPMs required:

    Red Hat Linux 9:

    SRPMS:
    ftp://updates.redhat.com/9/en/os/SRPMS/mod_python-3.0.1-4.src.rpm

    i386:
    ftp://updates.redhat.com/9/en/os/i386/mod_python-3.0.1-4.i386.rpm

    6. Verification:

    MD5 sum Package Name
    - --------------------------------------------------------------------------

    b7b838c6152fa51ccdc376a788fcd799 9/en/os/SRPMS/mod_python-3.0.1-4.src.rpm
    bba40347ca46775a0f4545c08776b149 9/en/os/i386/mod_python-3.0.1-4.i386.rpm

    These packages are GPG signed by Red Hat for security. Our key is
    available from https://www.redhat.com/security/keys.html

    You can verify each package with the following command:
        
        rpm --checksig -v <filename>

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the md5sum with the following command:
        
        md5sum <filename>

    7. References:

    http://www.modpython.org/pipermail/mod_python/2003-November/014532.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0973

    8. Contact:

    The Red Hat security contact is <secalert@redhat.com>. More contact
    details at https://www.redhat.com/solutions/security/news/contact.html

    Copyright 2003 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQFAPaQVXlSAg2UNWIIRAur6AJ4ks/AXnCZjULq5ByJa9Rn53R2IkwCgrwlo
    Wj2K7VPPd4mtN7/PsW9hRfc=
    =Xv6I
    -----END PGP SIGNATURE-----
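
As an added example (not part of Red Hat's advisory), the script below automates the md5sum comparison from section 6: it reads the "MD5 sum / Package Name" rows from a saved copy of the advisory text and checks the matching files in a download directory. The function names and the saved-advisory file are assumptions; a match only shows agreement with the advisory text, so `rpm --checksig` against Red Hat's key remains the authenticity check.

```shell
#!/bin/sh
# Added example: compare downloaded RPMs with the MD5 table of a saved advisory.
# Function names and the saved-advisory file are assumptions of this example.

# extract_sums ADVISORY -> one "md5 path" line per table row.
# A row is 32 lowercase hex digits, whitespace, then a path ending in .rpm;
# leading indentation or ">" mail quoting is tolerated.
extract_sums() {
    sed -n 's/^[[:space:]>]*\([0-9a-f]\{32\}\)[[:space:]]\{1,\}\([^[:space:]]*\.rpm\)[[:space:]]*$/\1 \2/p' "$1"
}

# verify_rpms ADVISORY DIR
# Succeeds only if at least one listed package was found in DIR and every
# package found there hashes to the value given in the advisory.
verify_rpms() {
    rows=$(extract_sums "$1")
    dir=$2 checked=0 failed=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        name=${path##*/}              # keep only the file name, never a directory
        file=$dir/$name
        if [ ! -f "$file" ]; then
            echo "SKIP  $name (not in $dir)"
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$actual" = "$sum" ]; then
            echo "OK    $name"
        else
            echo "FAIL  $name (expected $sum, got $actual)"
            failed=$((failed + 1))
        fi
    done <<EOF
$rows
EOF
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Usage: sh check-advisory.sh advisory.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
    verify_rpms "$1" "$2"
fi
```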

