7592141 2001-11-28 15:24 -0700 /222 rader/ Linux Mandrake Security Team <security@linux-mandrake.com> Sänt av: joel@lysator.liu.se Importerad: 2001-11-28 23:55 av Brevbäraren Extern mottagare: Linux Mandrake Security Announcements <security-announce@linux-mandrake.com> Extern kopiemottagare: Linux Mandrake Security <mdk-security@lists.freezer-burn.org> Extern kopiemottagare: Bugtraq <bugtraq@securityfocus.com> Extern kopiemottagare: Linux Security List <linsec@lists.seifried.org> Mottagare: Bugtraq (import) <19918> Ärende: MDKSA-2001:077-2 - apache update for Single Network Firewall ------------------------------------------------------------ From: Linux Mandrake Security Team <security@linux-mandrake.com> To: Linux Mandrake Security Announcements <security-announce@linux-mandrake.com> Cc: Linux Mandrake Security <mdk-security@lists.freezer-burn.org>, Bugtraq <bugtraq@securityfocus.com>, Linux Security List <linsec@lists.seifried.org> Message-ID: <20011128152428.A2799@mandrakesoft.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ Mandrake Linux Security Update Advisory ________________________________________________________________________ Package name: apache Date: November 28th, 2001 Advisory ID: MDKSA-2001:077-2 Affected versions: Single Network Firewall 7.2 ________________________________________________________________________ Problem Description: A problem exists with all Apache servers prior to version 1.3.19. The vulnerablity could allow directory indexing and path discovery on the vulnerable servers with a custom crafted request consisting of a long path name created artificially by using numerous slashes. This can cause modules to misbehave and return a listing of the directory contents by avoiding the error page. Another vulnerability found by Procheckup (www.procheckup.com) was that all directories, by default, were configured as browseable so an attacker could list all files in the targeted directories. As well, Procheckup found that the perl-proxy/management software on port 8200 would supply dangerous information to attackers due to a perl status script that was enabled. We have disabled directory browsing by default and have disabled the perl status scripts. There are a few steps required to update Apache properly for Single Network Firewall 7.2. Please also note that you should not use the automatic update facilities of the web interface to update Apache, but should do this either locally or via ssh. 1) Stop apache (service httpd stop) if running 2) Stop httpd-naat (service httpd-naat stop) 3) Completely backup /etc/httpd/conf/* 4) Backup /var/log/httpd and /var/log/httpd-naat (the uninstall scripts of the previous apache versions may remove the log files) 5) Remove the currently installed apache, mod_perl, mod_ssl, and php packages from the system. You can do this using: urpme apache-common 6) Upgrade mm/mm-devel 7) Install the download upgrade packages of apache components using "rpm -ivh *.rpm" 8) Restore your /var/log/httpd and /var/log/httpd-naat backups 9) Start httpd-naat (service httpd-naat start) 10) Start apache if you were previously using it (service httpd start) ________________________________________________________________________ References: http://www.securityfocus.com/bid/2503 http://bugs.apache.org/index.cgi/full/7848 http://www.apacheweek.com/issues/01-09-28#security http://www.securityfocus.com/bid/3009 http://www.procheckup.com/vulnerabilities/pr0107.html ________________________________________________________________________ Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command: rpm --checksig package.rpm You can get the GPG public key of the Mandrake Linux Security Team at http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS If you use MandrakeUpdate, the verification of md5 checksum and GPG signature is performed automatically for you. Single Network Firewall 7.2: da7a34158c05680642da97b0a9647705 snf7.2/RPMS/HTML-Embperl-1.3b6-4.1mdk.i586.rpm d06ffe4b205e278f81fdf0f2bcf65257 snf7.2/RPMS/apache-1.3.20-4.1mdk.i586.rpm 61959a5e986c91b8b5fc9b1151a01156 snf7.2/RPMS/apache-common-1.3.20-4.1mdk.i586.rpm e070220acb27f21433801a54bc8a6c52 snf7.2/RPMS/apache-devel-1.3.20-4.1mdk.i586.rpm 9ea8e4dd08d8ea01a7040ef31eab3ed2 snf7.2/RPMS/apache-manual-1.3.20-4.1mdk.i586.rpm 86be2ad11f1b169d8fb99013498a4994 snf7.2/RPMS/apache-mod_perl-1.3.20_1.24-4.1mdk.i586.rpm 1eb7502d1fb78cb56d82c5f23ce4c06b snf7.2/RPMS/apache-mod_perl-devel-1.3.20_1.24-4.1mdk.i586.rpm 1fa327b4bc3615c04cf142410563942c snf7.2/RPMS/apache-suexec-1.3.20-4.1mdk.i586.rpm 9c1e4aa1d6dd17df146c081664d5355a snf7.2/RPMS/httpd-naat-0.5-4.1mdk.noarch.rpm 55e269403950e662d1e7d8678caa2167 snf7.2/RPMS/mm-1.1.3-8.2mdk.i586.rpm 3cc975f6329fd90d4a5ba4b73d02ced5 snf7.2/RPMS/mm-devel-1.1.3-8.2mdk.i586.rpm 35f9a3bea810cc205a099c0ae7052c63 snf7.2/RPMS/mod_auth_external-2.1.2-6.1mdk.i586.rpm d09fca52a502ead8f72661973efd8291 snf7.2/RPMS/mod_php-4.0.4pl1-4.1mdk.i586.rpm 4060647bda4da6ff883d1366d6327361 snf7.2/RPMS/mod_ssl-2.8.4-4.1mdk.i586.rpm 1dd86e83ed52132fa916b8d953f97e77 snf7.2/RPMS/mod_sxnet-1.2.4-4.1mdk.i586.rpm b9904128ec8c5a06075746661ee8f65a snf7.2/RPMS/naat-frontend-www-de-0.5-3.1mdk.noarch.rpm 90f7be4dcbb0b4e16f9588bcdb76fa33 snf7.2/RPMS/naat-frontend-www-doc-0.5-3.1mdk.noarch.rpm 3293505d1c1031cec43d0afa52fed99e snf7.2/RPMS/naat-frontend-www-en-0.5-3.1mdk.noarch.rpm ab6dec4f468a93a38fb0c81bf9eb208d snf7.2/RPMS/naat-frontend-www-fr-0.5-3.1mdk.noarch.rpm f1d1d954ae5545b4550501b2b22ee873 snf7.2/RPMS/php-4.0.4pl1-4.1mdk.i586.rpm 85b1e593713fb86f2096a37bcd3f85fc snf7.2/RPMS/php-gd-4.0.4pl1-4.1mdk.i586.rpm 0451e537cfcd896a95b06e0e3d6cf21c snf7.2/SRPMS/apache-1.3.20-4.1mdk.src.rpm 4c670aee57138e5443d3e76c0edac334 snf7.2/SRPMS/httpd-naat-0.5-4.1mdk.src.rpm 546c1784c586b928cea91e4a09812209 snf7.2/SRPMS/mm-1.1.3-8.2mdk.src.rpm e745c54745b99a202c96b53353df0905 snf7.2/SRPMS/mod_auth_external-2.1.2-6.1mdk.src.rpm b6060dc3f17b54ee85f5da89291a95ad snf7.2/SRPMS/mod_ssl-2.8.4-4.1mdk.src.rpm 17ec81b1e003bb9192af6196db144adb snf7.2/SRPMS/mod_sxnet-1.2.4-4.1mdk.src.rpm 135e9367bd2bc6f759ee929ccbdc0480 snf7.2/SRPMS/naat-frontend-www-0.5-3.1mdk.src.rpm 4de1678409f813c99ab6e5711c585956 snf7.2/SRPMS/php-4.0.4pl1-4.1mdk.src.rpm ________________________________________________________________________ Bug IDs fixed (see https://qa.mandrakesoft.com for more information): ________________________________________________________________________ To upgrade automatically, use MandrakeUpdate. If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". You can download the updates directly from one of the mirror sites listed at: http://www.linux-mandrake.com/en/ftp.php3. Updated packages are available in the "updates/[ver]/RPMS/" directory. For example, if you are looking for an updated RPM package for Mandrake Linux 8.0, look for it in "updates/8.0/RPMS/". Updated source RPMs are available as well, but you generally do not need to download them. Please be aware that sometimes it takes the mirrors a few hours to update. You can view other security advisories for Mandrake Linux at: http://www.linux-mandrake.com/en/security/ If you want to report vulnerabilities, please contact security@linux-mandrake.com ________________________________________________________________________ Mandrake Linux has two security-related mailing list services that anyone can subscribe to: security-announce@linux-mandrake.com Mandrake Linux's security announcements mailing list. Only announcements are sent to this list and it is read-only. security-discuss@linux-mandrake.com Mandrake Linux's security discussion mailing list. This list is open to anyone to discuss Mandrake Linux security specifically and Linux security in general. To subscribe to either list, send a message to sympa@linux-mandrake.com with "subscribe [listname]" in the body of the message. To remove yourself from either list, send a message to sympa@linux-mandrake.com with "unsubscribe [listname]" in the body of the message. To get more information on either list, send a message to sympa@linux-mandrake.com with "info [listname]" in the body of the message. Optionally, you can use the web interface to subscribe to or unsubscribe from either list: http://www.linux-mandrake.com/en/flists.php3#security ________________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security@linux-mandrake.com> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.5 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7 WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg 2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy /NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPa5AQ0EOWnn 7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77 9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s +A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl 3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX lA== =0ahQ - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8BWLbmqjQ0CJFipgRAoiDAJ40AUu2PiYu91ltsNYvy/C7V0c7NgCgqnxg i1+ox0DWqdF3IyopD+2KExU= =yqBi -----END PGP SIGNATURE----- (7592141) /Linux Mandrake Security Team <security@linux-mandrake.com>/(Ombruten)