[OpenPKG-SA-2004.032] OpenPKG Security Advisory (apache)

From: OpenPKG (openpkg_at_openpkg.org)
Date: 07/16/04

  • Next message: Cesar: "Re: Microsoft Window Utility Manager Local Elevation of Privileges"
    Date: Fri, 16 Jul 2004 20:47:41 +0200
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________

    OpenPKG Security Advisory The OpenPKG Project
    http://www.openpkg.org/security.html http://www.openpkg.org
    openpkg-security@openpkg.org openpkg@openpkg.org
    OpenPKG-SA-2004.032 16-Jul-2004
    ________________________________________________________________________

    Package: apache [with_mod_ssl=yes]
    Vulnerability: format string vulnerability
    OpenPKG Specific: no

    Affected Releases: Affected Packages: Corrected Packages:
    OpenPKG CURRENT <= apache-1.3.31-20040714 >= apache-1.3.31-20040716
    OpenPKG 2.1 <= apache-1.3.31-2.1.0 >= apache-1.3.31-2.1.1
    OpenPKG 2.0 <= apache-1.3.29-2.0.3 >= apache-1.3.29-2.0.4
    OpenPKG 1.3 <= apache-1.3.28-1.3.5 >= apache-1.3.28-1.3.6

    Dependent Packages: none

    Description:
      Triggered by a report to Packet Storm [1] from Virulent, a format
      string vulnerability was found in mod_ssl [2], the Apache SSL/TLS
      interface to OpenSSL, version (up to and including) 2.8.18 for Apache
      1.3. The mod_ssl in Apache 2.x is not affected. The vulnerability
      could be exploitable if Apache is used as a proxy for HTTPS URLs and
      the attacker established a own specially prepared DNS and origin
      server environment.
      
      Please check whether you are affected by running "<prefix>/bin/rpm -q
      apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_ssl". If you
      have the "apache" package with option "with_mod_ssl" installed and its
      version is affected (see above), we recommend that you immediately
      upgrade (see Solution) [3][4].

    Solution:
      Select the updated source RPM appropriate for your OpenPKG release
      [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
      location, verify its integrity [9], build a corresponding binary RPM
      from it [3] and update your OpenPKG installation by applying the
      binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
      following operations to permanently fix the security problem (for
      other releases adjust accordingly).

      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd release/2.0/UPD
      ftp> get apache-1.3.29-2.0.4.src.rpm
      ftp> bye
      $ <prefix>/bin/openpkg rpm -v --checksig apache-1.3.29-2.0.4.src.rpm
      $ <prefix>/bin/openpkg rpm --rebuild --with mod_ssl apache-1.3.29-2.0.4.src.rpm
      $ su -
      # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/apache-1.3.29-2.0.4.*.rpm
    ________________________________________________________________________

    References:
      [1] http://packetstormsecurity.org/
      [2] http://www.modssl.org/
      [3] http://www.openpkg.org/tutorial.html#regular-source
      [4] http://www.openpkg.org/tutorial.html#regular-binary
      [5] ftp://ftp.openpkg.org/release/1.3/UPD/apache-1.3.28-1.3.6.src.rpm
      [6] ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3.29-2.0.4.src.rpm
      [7] ftp://ftp.openpkg.org/release/1.3/UPD/
      [8] ftp://ftp.openpkg.org/release/2.0/UPD/
      [9] http://www.openpkg.org/security.html#signature
    ________________________________________________________________________

    For security reasons, this advisory was digitally signed with the
    OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
    OpenPKG project which you can retrieve from http://pgp.openpkg.org and
    hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
    for details on how to verify the integrity of this advisory.
    ________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Comment: OpenPKG <openpkg@openpkg.org>

    iD8DBQFA+CKjgHWT4GPEy58RAg8QAKCT6T+qmU7ho784mS6SKxGJr/QeVgCeNzuK
    Z+jhcuoQT+jRZx9j57TXd4c=
    =XGfa
    -----END PGP SIGNATURE-----


  • Next message: Cesar: "Re: Microsoft Window Utility Manager Local Elevation of Privileges"

    Relevant Pages

    • [OpenPKG-SA-2003.043] OpenPKG Security Advisory (proftpd)
      ... According to an ISS X-Force security advisory, a vulnerability ... when transferring files from the FTP server in ASCII mode. ... and a buffer overflow can manifest if ProFTPD parses a specially ... Select the updated source RPM appropriate for your OpenPKG release ...
      (Bugtraq)
    • [Full-Disclosure] [OpenPKG-SA-2003.043] OpenPKG Security Advisory (proftpd)
      ... According to an ISS X-Force security advisory, a vulnerability ... when transferring files from the FTP server in ASCII mode. ... and a buffer overflow can manifest if ProFTPD parses a specially ... Select the updated source RPM appropriate for your OpenPKG release ...
      (Full-Disclosure)
    • [Full-Disclosure] [OpenPKG-SA-2003.041] OpenPKG Security Advisory (sendmail)
      ... According to a confirmed security advisory from Michal Zalewski ... a remotely exploitable vulnerability exists in all versions ... Select the updated source RPM appropriate for your OpenPKG release ... $ ftp ftp.openpkg.org ...
      (Full-Disclosure)
    • [OpenPKG-SA-2003.041] OpenPKG Security Advisory (sendmail)
      ... According to a confirmed security advisory from Michal Zalewski ... a remotely exploitable vulnerability exists in all versions ... Select the updated source RPM appropriate for your OpenPKG release ... $ ftp ftp.openpkg.org ...
      (Bugtraq)
    • [OpenPKG-SA-2005.023] OpenPKG Security Advisory (openvpn)
      ... vulnerability exists in the OpenVPN network security application. ... another DoS situation can occur if OpenVPN in TCP server ... Select the updated source RPM appropriate for your OpenPKG release ... $ ftp ftp.openpkg.org ...
      (Bugtraq)