linux, säkerhet

10912322 2003-10-31 03:41 -0500 /69 rader/ Rajiv Aaron Manglani <rajiv@gentoo.org>
Importerad: 2003-10-31 18:19 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <29704>
Ärende: GLSA:  apache (200310-04)
------------------------------------------------------------
From: Rajiv Aaron Manglani <rajiv@gentoo.org>
To: bugtraq@securityfocus.com
Message-ID: <a0521060bbbc7d08cb7fa@[10.96.0.12]>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-04
- ---------------------------------------------------------------------------

          PACKAGE : net-www/apache
          SUMMARY : buffer overflow
             DATE : Fri Oct 31 07:59:00 UTC 2003
          EXPLOIT : local
VERSIONS AFFECTED : <apache-2.0.48
    FIXED VERSION : >=apache-2.0.48
       GENTOO BUG : http://bugs.gentoo.org/show_bug.cgi?id=32271
              CVE : CAN-2003-0789 CAN-2003-0542

- ---------------------------------------------------------------------------

Quote from <http://www.apache.org/dist/httpd/Announcement2.html>:

    This version of Apache is principally a bug fix release. A
    summary of the bug fixes is given at the end of this document. Of
    particular note is that 2.0.48 addresses two security
    vulnerabilities:

    mod_cgid mishandling of CGI redirect paths could result in CGI
    output going to the wrong client when a threaded MPM is used.
    [CAN-2003-0789]
    
    A buffer overflow could occur in mod_alias and mod_rewrite when a
    regular expression with more than 9 captures is configured.
    [CAN-2003-0542]
    
    This release is compatible with modules compiled for 2.0.42 and
    later versions. We consider this release to be the best version
    of Apache available and encourage users of all prior versions to
    upgrade.


SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/apache 2.x upgrade:

emerge sync
emerge '>=net-www/apache-2.0.48'
emerge clean

Please remember to update your config files in /etc/apache2
as --datadir has been changed to /var/www/localhost.

Note that a forthcoming GLSA-200310-03 will address similar issues
in Apache 1.x.


// end

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/ohjbnt0v0zAqOHYRAlmaAJ0cLO512mWAXfUP5I/2HZGx0FI3dgCgmPlv
KSJYnPXDC4WjlleSR+mo2Go=
=oy6h
-----END PGP SIGNATURE-----
(10912322) /Rajiv Aaron Manglani <rajiv@gentoo.org>/(Ombruten)