-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org openpkg-securityat_private openpkgat_private OpenPKG-SA-2002.004 19-Jun-2002 ________________________________________________________________________ Package: apache Vulnerability: remote DoS / exploit OpenPKG Specific: no Affected Releases: OpenPKG 1.0 Affected Packages: <= apache-1.3.22-1.0.1 Corrected Packages: >= apache-1.3.22-1.0.2 Dependent Packages: - Description: According to a Security Bulletin from the Apache Software Foundation [5] and a corresponding CERT Security Advisory [6], there is a remotely exploitable vulnerability in the way that the Apache web server handles data encoded in chunks. This bug can be triggered remotely by sending a carefully crafted invalid request. This functionality is enabled by default. Please check whether you are affected by running "<prefix>/bin/rpm -qa apache". If you have the "apache" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution). Solution: Select the updated source RPM appropriate for your OpenPKG release [4], fetch it from the OpenPKG FTP service [3] or a mirror location, verify its integrity [1], build a corresponding binary RPM from it and update your OpenPKG installation by applying the binary RPM [2]. For the latest OpenPKG 1.0 release, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). $ ftp ftp.openpkg.org ftp> bin ftp> cd release/1.0/UPD ftp> get apache-1.3.22-1.0.2.src.rpm ftp> bye $ <prefix>/bin/rpm --checksig apache-1.3.22-1.0.2.src.rpm $ <prefix>/bin/rpm --rebuild apache-1.3.22-1.0.2.src.rpm $ su - # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.22-1.0.2.*.rpm # <prefix>/etc/rc apache stop start ________________________________________________________________________ References: [1] http://www.openpkg.org/security.html#signature [2] http://www.openpkg.org/tutorial.html#regular-source [3] ftp://ftp.openpkg.org/release/1.0/UPD/ [4] ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.2.src.rpm [5] http://httpd.apache.org/info/security_bulletin_20020617.txt [6] http://www.cert.org/advisories/CA-2002-17.html ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <openpkgat_private>" (ID 63C4CB9F) of the OpenPKG project which you can find under the official URL http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To check the integrity of this advisory, verify its digital signature by using GnuPG (http://www.gnupg.org/). For instance, pipe this message to the command "gpg --verify --keyserver keyserver.pgp.com". ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG <openpkgat_private> iEYEARECAAYFAj0QqR8ACgkQgHWT4GPEy5/43wCfW/ZSOmr2Fnha/7Uhj2+/Bgv0 rcQAn2/8Lyl0Bd5hJKuQbPT8e5Dnp6vb =fFlQ -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 15:24:48 PDT