[CLA-2005:926] Conectiva Security Announcement - mod_python

From: Conectiva Updates (secure_at_conectiva.com.br)
Date: 03/02/05

    Date: Wed, 2 Mar 2005 12:16:28 -0300
    To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net, bugtraq@securityfocus.com, security-alerts@linuxsecurity.com, linsec@lists.seifried.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - --------------------------------------------------------------------------
    CONECTIVA LINUX SECURITY ANNOUNCEMENT
    - --------------------------------------------------------------------------

    PACKAGE : mod_python
    SUMMARY : Fix for mod_python vulnerability
    DATE : 2005-03-02 12:14:00
    ID : CLA-2005:926
    RELEVANT
    RELEASES : 9, 10

    - -------------------------------------------------------------------------

    DESCRIPTION
     The package mod_python[1] provides an Apache module that embeds the
     Python interpreter within the server.
     
     This announcement fixes an information leak vulnerability[2] in
     mod_python which could allow a remote attacker to obtain access to
     restricted objects via a specially crafted URL.

    SOLUTION
     All mod_python users should upgrade. Note that after the
     installation you have to restart the httpd service manually in order
     to load the new module. To achieve this you may execute the following
     command (as root):
     
     # service httpd restart
     
     
    REFERENCES
     1. http://www.modpython.org/
     2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0088

    UPDATED PACKAGES
    ftp://atualizacoes.conectiva.com.br/10/SRPMS/mod_python-3.1.3-51944U10_1cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/mod_python-3.1.3-51944U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/10/RPMS/mod_python-doc-3.1.3-51944U10_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/SRPMS/mod_python-3.0.4-28605U90_2cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_python-3.0.4-28605U90_2cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_python-doc-3.0.4-28605U90_2cl.i386.rpm

    ADDITIONAL INSTRUCTIONS
     The apt tool can be used to perform RPM package upgrades:

     - run: apt-get update
     - after that, execute: apt-get upgrade

     Detailed instructions regarding the use of apt and upgrade examples
     can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

    - -------------------------------------------------------------------------
    All packages are signed with Conectiva's GPG key. The key and instructions
    on how to import it can be found at
    http://distro.conectiva.com.br/seguranca/chave/?idioma=en
    Instructions on how to check the signatures of the RPM packages can be
    found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

    - -------------------------------------------------------------------------
    All our advisories and generic update instructions can be viewed at
    http://distro.conectiva.com.br/atualizacoes/?idioma=en

    - -------------------------------------------------------------------------
    Copyright (c) 2004 Conectiva Inc.
    http://www.conectiva.com

    - -------------------------------------------------------------------------
    subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
    unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQFCJdjL42jd0JmAcZARAmk6AJ46/K7F7yrxC4QiuFpdYoinU4MnQQCg7QkH
    cGnLbaDI+GJ+uSVOffv65G4=
    =vFii
    -----END PGP SIGNATURE-----

