8388127 2002-05-03 17:37 -0300 /92 lines/ <secure@conectiva.com.br>
Sent by: joel@lysator.liu.se
Imported: 2002-05-03 23:09 by Brevbäraren
External recipient: conectiva-updates@papaleguas.conectiva.com.br
External recipient: lwn@lwn.net
External recipient: bugtraq@securityfocus.com
External recipient: security-alerts@linuxsecurity.com
Recipient: Bugtraq (import) <22169>
Subject: [CLA-2002:477] Conectiva Linux Security Announcement - mod_python
------------------------------------------------------------
From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net,
    bugtraq@securityfocus.com, security-alerts@linuxsecurity.com
Message-ID: <200205032037.RAA21127@frajuto.distro.conectiva>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE           : mod_python
SUMMARY           : Remote vulnerability
DATE              : 2002-05-03 17:35:00
ID                : CLA-2002:477
RELEVANT RELEASES : 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
 Mod_python is an Apache module that embeds the Python interpreter
 within the server.

 As stated[1] by Allan Saddi in the mailing list of mod_python, there
 was a vulnerability which would allow a publisher to access an
 indirectly imported module, thus allowing a remote attacker to call
 functions from that module (which is an unexpected and potentially
 dangerous behavior).

SOLUTION
 All mod_python users should do the upgrade.

 Notice that after the installation you have to restart the httpd
 service manually in order to load the new module.
 To achieve this you can execute the following command (as root):

 # service httpd restart

 REFERENCES:
 1.http://www.modpython.org/pipermail/mod_python/2002-April/001991.html

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mod_python-2.7.8-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mod_python-2.7.8-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/mod_python-2.7.8-1U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/mod_python-2.7.8-1U8_1cl.src.rpm

ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

 (replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key.
The key and instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE80vT242jd0JmAcZARAlo+AJ0Xi/BKHJ556v4A1uOSyEVMD1pVKgCgkKDO
Ak2JwqgiKhJEXGmMOj2w0Hg=
=z2C9
-----END PGP SIGNATURE-----
(8388127) / <secure@conectiva.com.br>/----(Reflowed)
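
Added illustration (not part of the advisory, and not mod_python's own code): a simplified model of a publisher-style resolver that maps a dotted request path onto attributes of a published module. It shows why a module imported by the published module becomes reachable, and one way to refuse it. All module names, functions and the NotPublished exception are constructed for this example.

```python
import types

# Constructed stand-ins: "helper" is a module the page author imported for
# internal use only; "page" is the module exposed to the web.
helper = types.ModuleType("helper")
helper.purge_cache = lambda: "cache purged"   # never meant to be a URL

page = types.ModuleType("page")
page.index = lambda: "hello"                  # the intended entry point
page.helper = helper                          # what `import helper` leaves behind
page._secret = lambda: "internal"


class NotPublished(LookupError):
    """Hypothetical error a real handler would turn into HTTP 404."""


def resolve_unsafe(root, dotted):
    """Behaviour the advisory describes: follow every attribute blindly."""
    obj = root
    for name in dotted.split("."):
        obj = getattr(obj, name)
    return obj


def resolve_safe(root, dotted):
    """Never return or step through a module object reached from the path."""
    obj = root
    for name in dotted.split("."):
        # Extra hardening beyond the advisory's point (assumption):
        # empty and underscore-prefixed names are never published.
        if not name or name.startswith("_"):
            raise NotPublished(dotted)
        try:
            obj = getattr(obj, name)
        except AttributeError:
            raise NotPublished(dotted) from None
        if isinstance(obj, types.ModuleType):  # indirectly imported module
            raise NotPublished(dotted)
    return obj


def is_reachable(resolver, dotted):
    """True if the resolver hands back an object for this request path."""
    try:
        resolver(page, dotted)
        return True
    except (LookupError, AttributeError):
        return False
```
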