-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
Mandrake Linux Security Update Advisory
________________________________________________________________________
Package name: apache
Date: November 28th, 2001
Advisory ID: MDKSA-2001:077-2
Affected versions: Single Network Firewall 7.2
________________________________________________________________________
Problem Description:
A problem exists with all Apache servers prior to version 1.3.19. The
vulnerablity could allow directory indexing and path discovery on the
vulnerable servers with a custom crafted request consisting of a long
path name created artificially by using numerous slashes. This can
cause modules to misbehave and return a listing of the directory
contents by avoiding the error page.
Another vulnerability found by Procheckup (www.procheckup.com) was
that all directories, by default, were configured as browseable so
an attacker could list all files in the targeted directories. As
well, Procheckup found that the perl-proxy/management software on
port 8200 would supply dangerous information to attackers due to
a perl status script that was enabled. We have disabled directory
browsing by default and have disabled the perl status scripts.
There are a few steps required to update Apache properly for Single
Network Firewall 7.2. Please also note that you should not use the
automatic update facilities of the web interface to update Apache,
but should do this either locally or via ssh.
1) Stop apache (service httpd stop) if running
2) Stop httpd-naat (service httpd-naat stop)
3) Completely backup /etc/httpd/conf/*
4) Backup /var/log/httpd and /var/log/httpd-naat (the uninstall
scripts of the previous apache versions may remove the log files)
5) Remove the currently installed apache, mod_perl, mod_ssl, and php
packages from the system. You can do this using:
urpme apache-common
6) Upgrade mm/mm-devel
7) Install the download upgrade packages of apache components using
"rpm -ivh *.rpm"
8) Restore your /var/log/httpd and /var/log/httpd-naat backups
9) Start httpd-naat (service httpd-naat start)
10) Start apache if you were previously using it (service httpd start)
________________________________________________________________________
References:
http://www.securityfocus.com/bid/2503
http://bugs.apache.org/index.cgi/full/7848
http://www.apacheweek.com/issues/01-09-28#security
http://www.securityfocus.com/bid/3009
http://www.procheckup.com/vulnerabilities/pr0107.html
________________________________________________________________________
Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Mandrake Linux Security Team at
http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.
Single Network Firewall 7.2:
da7a34158c05680642da97b0a9647705 snf7.2/RPMS/HTML-Embperl-1.3b6-4.1mdk.i586.rpm
d06ffe4b205e278f81fdf0f2bcf65257 snf7.2/RPMS/apache-1.3.20-4.1mdk.i586.rpm
61959a5e986c91b8b5fc9b1151a01156 snf7.2/RPMS/apache-common-1.3.20-4.1mdk.i586.rpm
e070220acb27f21433801a54bc8a6c52 snf7.2/RPMS/apache-devel-1.3.20-4.1mdk.i586.rpm
9ea8e4dd08d8ea01a7040ef31eab3ed2 snf7.2/RPMS/apache-manual-1.3.20-4.1mdk.i586.rpm
86be2ad11f1b169d8fb99013498a4994 snf7.2/RPMS/apache-mod_perl-1.3.20_1.24-4.1mdk.i586.rpm
1eb7502d1fb78cb56d82c5f23ce4c06b snf7.2/RPMS/apache-mod_perl-devel-1.3.20_1.24-4.1mdk.i586.rpm
1fa327b4bc3615c04cf142410563942c snf7.2/RPMS/apache-suexec-1.3.20-4.1mdk.i586.rpm
9c1e4aa1d6dd17df146c081664d5355a snf7.2/RPMS/httpd-naat-0.5-4.1mdk.noarch.rpm
55e269403950e662d1e7d8678caa2167 snf7.2/RPMS/mm-1.1.3-8.2mdk.i586.rpm
3cc975f6329fd90d4a5ba4b73d02ced5 snf7.2/RPMS/mm-devel-1.1.3-8.2mdk.i586.rpm
35f9a3bea810cc205a099c0ae7052c63 snf7.2/RPMS/mod_auth_external-2.1.2-6.1mdk.i586.rpm
d09fca52a502ead8f72661973efd8291 snf7.2/RPMS/mod_php-4.0.4pl1-4.1mdk.i586.rpm
4060647bda4da6ff883d1366d6327361 snf7.2/RPMS/mod_ssl-2.8.4-4.1mdk.i586.rpm
1dd86e83ed52132fa916b8d953f97e77 snf7.2/RPMS/mod_sxnet-1.2.4-4.1mdk.i586.rpm
b9904128ec8c5a06075746661ee8f65a snf7.2/RPMS/naat-frontend-www-de-0.5-3.1mdk.noarch.rpm
90f7be4dcbb0b4e16f9588bcdb76fa33 snf7.2/RPMS/naat-frontend-www-doc-0.5-3.1mdk.noarch.rpm
3293505d1c1031cec43d0afa52fed99e snf7.2/RPMS/naat-frontend-www-en-0.5-3.1mdk.noarch.rpm
ab6dec4f468a93a38fb0c81bf9eb208d snf7.2/RPMS/naat-frontend-www-fr-0.5-3.1mdk.noarch.rpm
f1d1d954ae5545b4550501b2b22ee873 snf7.2/RPMS/php-4.0.4pl1-4.1mdk.i586.rpm
85b1e593713fb86f2096a37bcd3f85fc snf7.2/RPMS/php-gd-4.0.4pl1-4.1mdk.i586.rpm
0451e537cfcd896a95b06e0e3d6cf21c snf7.2/SRPMS/apache-1.3.20-4.1mdk.src.rpm
4c670aee57138e5443d3e76c0edac334 snf7.2/SRPMS/httpd-naat-0.5-4.1mdk.src.rpm
546c1784c586b928cea91e4a09812209 snf7.2/SRPMS/mm-1.1.3-8.2mdk.src.rpm
e745c54745b99a202c96b53353df0905 snf7.2/SRPMS/mod_auth_external-2.1.2-6.1mdk.src.rpm
b6060dc3f17b54ee85f5da89291a95ad snf7.2/SRPMS/mod_ssl-2.8.4-4.1mdk.src.rpm
17ec81b1e003bb9192af6196db144adb snf7.2/SRPMS/mod_sxnet-1.2.4-4.1mdk.src.rpm
135e9367bd2bc6f759ee929ccbdc0480 snf7.2/SRPMS/naat-frontend-www-0.5-3.1mdk.src.rpm
4de1678409f813c99ab6e5711c585956 snf7.2/SRPMS/php-4.0.4pl1-4.1mdk.src.rpm
________________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________
To upgrade automatically, use MandrakeUpdate.
If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".
You can download the updates directly from one of the mirror sites
listed at:
http://www.linux-mandrake.com/en/ftp.php3.
Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for
Mandrake Linux 8.0, look for it in "updates/8.0/RPMS/". Updated source
RPMs are available as well, but you generally do not need to download
them.
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other security advisories for Mandrake Linux at:
http://www.linux-mandrake.com/en/security/
If you want to report vulnerabilities, please contact
security@linux-mandrake.com
________________________________________________________________________
Mandrake Linux has two security-related mailing list services that
anyone can subscribe to:
security-announce@linux-mandrake.com
Mandrake Linux's security announcements mailing list. Only
announcements are sent to this list and it is read-only.
security-discuss@linux-mandrake.com
Mandrake Linux's security discussion mailing list. This list is open
to anyone to discuss Mandrake Linux security specifically and Linux
security in general.
To subscribe to either list, send a message to
sympa@linux-mandrake.com
with "subscribe [listname]" in the body of the message.
To remove yourself from either list, send a message to
sympa@linux-mandrake.com
with "unsubscribe [listname]" in the body of the message.
To get more information on either list, send a message to
sympa@linux-mandrake.com
with "info [listname]" in the body of the message.
Optionally, you can use the web interface to subscribe to or unsubscribe
from either list:
http://www.linux-mandrake.com/en/flists.php3#security
________________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security@linux-mandrake.com>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPa5AQ0EOWnn
7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77
9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV
Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s
+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX
Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl
3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi
RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX
lA==
=0ahQ
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8BWLbmqjQ0CJFipgRAoiDAJ40AUu2PiYu91ltsNYvy/C7V0c7NgCgqnxg
i1+ox0DWqdF3IyopD+2KExU=
=yqBi
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Sun Dec 02 2001 - 20:55:10 PST