TSSA-2004-008 - apache

From: tinysofa Security Team (security_at_tinysofa.org)
Date: 06/02/04

  • Next message: tinysofa Security Team: "TSSA-2004-009 - kerberos5"
    Date: Wed, 2 Jun 2004 21:43:00 +1000
    To: tinysofa-announce@tinysofa.org
    
    
    

     ===========================================================================
                                                 _
                             |_ . _ _ _ (_ _
                             |_ | | ) \/ _) (_) | (_|
                                      /

                           Security Advisory #2004-008

     Package names: apache
     Summary: Boundary Condition Error
     Advisory ID: TSSA-2004-008
     Date: 2004-06-02
     Affected versions: tinysofa enterprise server 1.0
                        tinysofa enterprise server 1.0-U1

     ===========================================================================

     Security Fixes
     ==============

     Description
     -----------

      apache:
      * Georgi Guninski discovered [1] a stack-based buffer overflow in
        the "SSLOptions +FakeBasicAuth" implementation of Apache's SSL/TLS
        extension module mod_ssl [0]. The overflow can occur if the Subject-DN
        in the client certificate exceeds 6KB in length and mod_ssl is
        configured to trust the issuing CA. The Common Vulnerabilities and
        Exposures (CVE) project assigned the id CAN-2004-0488 [2] to the
        problem.

     References
     ----------
      [0] http://www.modssl.org/
      [1] http://lists.netsys.com/pipermail/full-disclosure/2004-May/021610.html
      [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488

     Recommended Action
     ==================

      We recommend that all systems with these packages installed be upgraded.
      Please note that if you do not need the functionality provided by this
      package, you may want to remove it from your system.

     Location
     ========

      All tinysofa updates are available from
      <URI:http://http.tinysofa.org/pub/tinysofa/updates/>
      <URI:ftp://ftp.tinysofa.org/pub/tinysofa/updates/>

     Automatic Updates
     =================

      Users of the SWUP tool can enjoy having updates automatically
      installed using 'swup --upgrade'.

     Questions?
     ==========

      Check out our mailing lists:
      <URI:http://www.tinysofa.org/support/>

     Verification
     ============

      This advisory is signed with the tinysofa security sign key.
      This key is available from:
      <URI:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAEDCBB4B>

      All tinysofa packages are signed with the tinysofa stable sign key.
      This key is available from:
      <URI:http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0F1240A2>

      The advisory is available from the tinysofa errata database at
      <URI:http://www.tinysofa.org/support/errata/>
      or directly at
      <URI:http://www.tinysofa.org/support/errata/2004/008.html>

     MD5sums Of The Packages
     =======================

      b3ba8a04271c9b998527088b795fefdc apache-2.0.49-9ts.i586.rpm
      2503a219d5bab57badd24df4c65c8647 apache-dbm-2.0.49-9ts.i586.rpm
      8186ab1bdea195361f728e7a2251328a apache-devel-2.0.49-9ts.i586.rpm
      3386f280b2ee1589eb1010d7a0d2ec35 apache-manual-2.0.49-9ts.i586.rpm
      3e9e97b467af635997066bffc4fbbec8 apr-0.9.5-9ts.i586.rpm
      7175e597215b0708ebd79c34e656d5c7 apr-devel-0.9.5-9ts.i586.rpm
      c553f65ab1b16124171ea0f0c800102a apr-util-0.9.5-9ts.i586.rpm
      742f59fc0f3cc5f05cc3414c1b20db97 apr-util-devel-0.9.5-9ts.i586.rpm

     --
     tinysofa Security Team <security at tinysofa dot org>

    
    



  • Next message: tinysofa Security Team: "TSSA-2004-009 - kerberos5"

    Relevant Pages

    • TSSA-2004-014 - samba
      ... Affected versions: tinysofa enterprise server 1.0 ... We recommend that all systems with these packages installed be upgraded. ... This advisory is signed with the tinysofa security sign key. ...
      (Bugtraq)
    • TSSA-2004-009 - kerberos5
      ... Affected versions: tinysofa enterprise server 1.0 ... We recommend that all systems with these packages installed be upgraded. ... This advisory is signed with the tinysofa security sign key. ...
      (Bugtraq)
    • TSSA-2004-011 - kernel
      ... Affected versions: tinysofa enterprise server 1.0 ... We recommend that all systems with these packages installed be upgraded. ... This advisory is signed with the tinysofa security sign key. ...
      (Bugtraq)
    • TSSA-2004-013 - php
      ... Package name: php ... Affected versions: tinysofa enterprise server 1.0 ... We recommend that all systems with these packages installed be upgraded. ... This advisory is signed with the tinysofa security sign key. ...
      (Bugtraq)
    • TSSA-2004-010 - squid
      ... Affected versions: tinysofa enterprise server 1.0 ... Squid Web Proxy Cache supports Basic, ... We recommend that all systems with these packages installed be upgraded. ... This advisory is signed with the tinysofa security sign key. ...
      (Bugtraq)