[OpenPKG-SA-2005.017] OpenPKG Security Advisory (modssl)

From: OpenPKG (openpkg_at_openpkg.org)
Date: 09/02/05

  • Next message: Thierry Carrez: "[ GLSA 200509-04 ] phpLDAPadmin: Authentication bypass"
    Date: Fri, 2 Sep 2005 23:29:00 +0200
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________

    OpenPKG Security Advisory The OpenPKG Project
    http://www.openpkg.org/security.html http://www.openpkg.org
    openpkg-security@openpkg.org openpkg@openpkg.org
    OpenPKG-SA-2005.017 02-Sep-2005
    ________________________________________________________________________

    Package: apache/modssl (apache::with_mod_ssl=yes only)
    Vulnerability: information disclosure
    OpenPKG Specific: no

    Affected Releases: Affected Packages: Corrected Packages:
    OpenPKG CURRENT <= apache-1.3.33-20050713 >= apache-1.3.33-20050902
    OpenPKG 2.4 <= apache-1.3.33-2.4.0 >= apache-1.3.33-2.4.1
    OpenPKG 2.3 <= apache-1.3.33-2.3.3 >= apache-1.3.33-2.3.4

    Dependent Packages: none

    Description:
      An information disclosure vulnerability was discovered in mod_ssl [1],
      the SSL/TLS module of the Apache [2] webserver. When "SSLVerifyClient
      optional" was configured in the global virtual host configuration, an
      "SSLVerifyClient require" in per-location context was not enforced.
      The Common Vulnerabilities and Exposures (CVE) project assigned the id
      CAN-2005-2700 [3] to the problem.

      Please check whether you are affected by running "<prefix>/bin/rpm -q
      apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_ssl". If you
      have the "apache" package with option "with_mod_ssl" installed and its
      version is affected (see above), we recommend that you immediately
      upgrade (see Solution) [4][5].

    Solution:
      Select the updated source RPM appropriate for your OpenPKG release
      [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
      location, verify its integrity [10], build a corresponding binary RPM
      from it [4] and update your OpenPKG installation by applying the binary
      RPM [5]. For the current release OpenPKG 2.4, perform the following
      operations to permanently fix the security problem (for other releases
      adjust accordingly).

      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd release/2.4/UPD
      ftp> get apache-1.3.33-2.4.1.src.rpm
      ftp> bye
      $ <prefix>/bin/rpm -v --checksig apache-1.3.33-2.4.1.src.rpm
      $ <prefix>/bin/rpm --rebuild apache-1.3.33-2.4.1.src.rpm
      $ su -
      # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.33-2.4.1.*.rpm
    ________________________________________________________________________

    References:
      [1] http://www.modssl.org/
      [2] http://www.apache.org/
      [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
      [4] http://www.openpkg.org/tutorial.html#regular-source
      [5] http://www.openpkg.org/tutorial.html#regular-binary
      [6] ftp://ftp.openpkg.org/release/2.4/UPD/apache-1.3.33-2.4.1.src.rpm
      [7] ftp://ftp.openpkg.org/release/2.3/UPD/apache-1.3.33-2.3.4.src.rpm
      [8] ftp://ftp.openpkg.org/release/2.4/UPD/
      [9] ftp://ftp.openpkg.org/release/2.3/UPD/
      [10] http://www.openpkg.org/security.html#signature
    ________________________________________________________________________

    For security reasons, this advisory was digitally signed with the
    OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
    OpenPKG project which you can retrieve from http://pgp.openpkg.org and
    hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
    for details on how to verify the integrity of this advisory.
    ________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Comment: OpenPKG <openpkg@openpkg.org>

    iD8DBQFDGMQIgHWT4GPEy58RAksBAJ9vXcBdhYubDD4jJSh1oYJQmoSiFACdFfu1
    USHwOH+XxJ9S8jZARVvxOJM=
    =zblS
    -----END PGP SIGNATURE-----


  • Next message: Thierry Carrez: "[ GLSA 200509-04 ] phpLDAPadmin: Authentication bypass"

    Relevant Pages

    • [Full-Disclosure] [OpenPKG-SA-2003.043] OpenPKG Security Advisory (proftpd)
      ... According to an ISS X-Force security advisory, a vulnerability ... when transferring files from the FTP server in ASCII mode. ... and a buffer overflow can manifest if ProFTPD parses a specially ... Select the updated source RPM appropriate for your OpenPKG release ...
      (Full-Disclosure)
    • [OpenPKG-SA-2003.043] OpenPKG Security Advisory (proftpd)
      ... According to an ISS X-Force security advisory, a vulnerability ... when transferring files from the FTP server in ASCII mode. ... and a buffer overflow can manifest if ProFTPD parses a specially ... Select the updated source RPM appropriate for your OpenPKG release ...
      (Bugtraq)
    • [Full-Disclosure] [OpenPKG-SA-2003.041] OpenPKG Security Advisory (sendmail)
      ... According to a confirmed security advisory from Michal Zalewski ... a remotely exploitable vulnerability exists in all versions ... Select the updated source RPM appropriate for your OpenPKG release ... $ ftp ftp.openpkg.org ...
      (Full-Disclosure)
    • [OpenPKG-SA-2003.041] OpenPKG Security Advisory (sendmail)
      ... According to a confirmed security advisory from Michal Zalewski ... a remotely exploitable vulnerability exists in all versions ... Select the updated source RPM appropriate for your OpenPKG release ... $ ftp ftp.openpkg.org ...
      (Bugtraq)
    • [OpenPKG-SA-2005.023] OpenPKG Security Advisory (openvpn)
      ... vulnerability exists in the OpenVPN network security application. ... another DoS situation can occur if OpenVPN in TCP server ... Select the updated source RPM appropriate for your OpenPKG release ... $ ftp ftp.openpkg.org ...
      (Bugtraq)