Updated apache-mod_perl packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: apache-mod_perl
Advisory ID: MDKSA-2004:046-1
Date: May 20th, 2004
Original Advisory Date: May 17th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
Four security vulnerabilities were fixed with the 1.3.31 release of Apache. All of these issues have been backported and applied to the provided packages. Thanks to Ralf Engelschall of OpenPKG for providing the patches.
Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences from its error logs. This could make it easier for attackers to insert those sequences into the terminal emulators of administrators viewing the error logs that contain vulnerabilities related to escape sequence handling (CAN-2003-0020).
mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the nonce of a client response by using an AuthNonce secret. Apache now verifies the nonce returned in the client response to check whether it was issued by itself by means of a "AuthDigestRealmSeed" secret exposed as an MD5 checksum (CAN-2003-0987).
mod_acces in Apache 1.3 prior to 1.3.30, when running on big-endian 64-bit platforms, did not properly parse Allow/Deny rules using IP addresses without a netmask. This could allow a remote attacker to bypass intended access restrictions (CAN-2003-0993).
Apache 1.3 prior to 1.3.30, when using multiple listening sockets on certain platforms, allows a remote attacker to cause a DoS by blocking new connections via a short-lived connection on a rarely-accessed listening socket (CAN-2004-0174). While this particular vulnerability does not affect Linux, we felt it prudent to include the fix.
Update:
Due to the changes in mod_digest.so, mod_perl needed to be rebuilt against the patched Apache packages in order for httpd-perl to properly load the module. The appropriate mod_perl packages have been rebuilt and are now available.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
63acd52155d098a1f7f366f9022e22d2 10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.i586.rpm
965ea6d33ad296e8ebf2e3ff493510a7 10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.i586.rpm
d9677587622c98969032258d28fab962 10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.i586.rpm
5fc0a04b29dc963a8198ba43231b5062 10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.i586.rpm
705caa117fd889d8f47b8672a63f7b0a 10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
8684baaf82445ae2aa10c688241f7d22 amd64/10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.amd64.rpm
d8ed6249524aa168bd2de1175b60ab0e amd64/10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.amd64.rpm
7cd33d82e9143c229f6f7545c73a89ce amd64/10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.amd64.rpm
33c10b3b423dc9496c785437f1f46e13 amd64/10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.amd64.rpm
705caa117fd889d8f47b8672a63f7b0a amd64/10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm
Corporate Server 2.1:
eccb615f3e80136147a846a7827ee086 corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.i586.rpm
417f2e3022591b2c32fb3da2eea493f6 corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.i586.rpm
06f9ba2f38c157eea76f16d54da3520e corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.i586.rpm
5f27ce00d7d11bd201873840f5ee1337 corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.i586.rpm
2d5741904c5a87b53eaef9351dfbe16d corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm
Corporate Server 2.1/x86_64:
ccfaf2869f3b93b58bb82985522d6a6a x86_64/corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.x86_64.rpm
ec45dfb7d782e164c3eb200a417839db x86_64/corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
dede6137003aa366b8f57007f0769c50 x86_64/corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
2cab584c8d30778cdeb54521b3fe9537 x86_64/corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
2d5741904c5a87b53eaef9351dfbe16d x86_64/corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm
Mandrakelinux 9.1:
3e12f0d068d6e7979edc6c70a9e57fc0 9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.i586.rpm
7d893f2d67c0b0146cc9b7307ebb4d8a 9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.i586.rpm
920082a37fb424a9df9e0f942393a0b2 9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.i586.rpm
69172f9d1315939c6e4d05c3395ce212 9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.i586.rpm
043f2c9c57767318b7dd3c33fa90899f 9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm
Mandrakelinux 9.1/PPC:
1c9a84b031aab153bc8dea7610b0eedc ppc/9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.ppc.rpm
ca8aa7f53e5b6dd6ba852b3e12fe9ea8 ppc/9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.ppc.rpm
844ca50fb72aad0225e99c9268577f2a ppc/9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.ppc.rpm
eaa68e38912c3be140f6379d59296c08 ppc/9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.ppc.rpm
043f2c9c57767318b7dd3c33fa90899f ppc/9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm
Mandrakelinux 9.2:
1d88e2ef611d80ba3f0c9602e81f77d9 9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.i586.rpm
7ccb9d87d744755f57536684fef6d820 9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.i586.rpm
c7167fb4d1e1416e7f8ffef7979a3906 9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.i586.rpm
2b2004d1e4514d720a80f7ecec22b1d2 9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.i586.rpm
4bf5804d6155bf7d06705e5c4e46cf3e 9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
fe4885d9af3da5107101fbfac0a7f25f amd64/9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.amd64.rpm
b15da8abc8d7914528b90c612b6a558b amd64/9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.amd64.rpm
cd878dc7e721615e9b0ffdb8a8849f93 amd64/9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.amd64.rpm
75109c17f579d2d108a4258ef1e12ba4 amd64/9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.amd64.rpm
4bf5804d6155bf7d06705e5c4e46cf3e amd64/9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesoft.com/security/advisories
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: apache-mod_perl
Advisory ID: MDKSA-2004:046-1
Date: May 20th, 2004
Original Advisory Date: May 17th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
Four security vulnerabilities were fixed with the 1.3.31 release of Apache. All of these issues have been backported and applied to the provided packages. Thanks to Ralf Engelschall of OpenPKG for providing the patches.
Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences from its error logs. This could make it easier for attackers to insert those sequences into the terminal emulators of administrators viewing the error logs that contain vulnerabilities related to escape sequence handling (CAN-2003-0020).
mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the nonce of a client response by using an AuthNonce secret. Apache now verifies the nonce returned in the client response to check whether it was issued by itself by means of a "AuthDigestRealmSeed" secret exposed as an MD5 checksum (CAN-2003-0987).
mod_acces in Apache 1.3 prior to 1.3.30, when running on big-endian 64-bit platforms, did not properly parse Allow/Deny rules using IP addresses without a netmask. This could allow a remote attacker to bypass intended access restrictions (CAN-2003-0993).
Apache 1.3 prior to 1.3.30, when using multiple listening sockets on certain platforms, allows a remote attacker to cause a DoS by blocking new connections via a short-lived connection on a rarely-accessed listening socket (CAN-2004-0174). While this particular vulnerability does not affect Linux, we felt it prudent to include the fix.
Update:
Due to the changes in mod_digest.so, mod_perl needed to be rebuilt against the patched Apache packages in order for httpd-perl to properly load the module. The appropriate mod_perl packages have been rebuilt and are now available.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
63acd52155d098a1f7f366f9022e22d2 10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.i586.rpm
965ea6d33ad296e8ebf2e3ff493510a7 10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.i586.rpm
d9677587622c98969032258d28fab962 10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.i586.rpm
5fc0a04b29dc963a8198ba43231b5062 10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.i586.rpm
705caa117fd889d8f47b8672a63f7b0a 10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
8684baaf82445ae2aa10c688241f7d22 amd64/10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.amd64.rpm
d8ed6249524aa168bd2de1175b60ab0e amd64/10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.amd64.rpm
7cd33d82e9143c229f6f7545c73a89ce amd64/10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.amd64.rpm
33c10b3b423dc9496c785437f1f46e13 amd64/10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.amd64.rpm
705caa117fd889d8f47b8672a63f7b0a amd64/10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm
Corporate Server 2.1:
eccb615f3e80136147a846a7827ee086 corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.i586.rpm
417f2e3022591b2c32fb3da2eea493f6 corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.i586.rpm
06f9ba2f38c157eea76f16d54da3520e corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.i586.rpm
5f27ce00d7d11bd201873840f5ee1337 corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.i586.rpm
2d5741904c5a87b53eaef9351dfbe16d corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm
Corporate Server 2.1/x86_64:
ccfaf2869f3b93b58bb82985522d6a6a x86_64/corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.x86_64.rpm
ec45dfb7d782e164c3eb200a417839db x86_64/corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
dede6137003aa366b8f57007f0769c50 x86_64/corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
2cab584c8d30778cdeb54521b3fe9537 x86_64/corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
2d5741904c5a87b53eaef9351dfbe16d x86_64/corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm
Mandrakelinux 9.1:
3e12f0d068d6e7979edc6c70a9e57fc0 9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.i586.rpm
7d893f2d67c0b0146cc9b7307ebb4d8a 9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.i586.rpm
920082a37fb424a9df9e0f942393a0b2 9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.i586.rpm
69172f9d1315939c6e4d05c3395ce212 9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.i586.rpm
043f2c9c57767318b7dd3c33fa90899f 9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm
Mandrakelinux 9.1/PPC:
1c9a84b031aab153bc8dea7610b0eedc ppc/9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.ppc.rpm
ca8aa7f53e5b6dd6ba852b3e12fe9ea8 ppc/9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.ppc.rpm
844ca50fb72aad0225e99c9268577f2a ppc/9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.ppc.rpm
eaa68e38912c3be140f6379d59296c08 ppc/9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.ppc.rpm
043f2c9c57767318b7dd3c33fa90899f ppc/9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm
Mandrakelinux 9.2:
1d88e2ef611d80ba3f0c9602e81f77d9 9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.i586.rpm
7ccb9d87d744755f57536684fef6d820 9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.i586.rpm
c7167fb4d1e1416e7f8ffef7979a3906 9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.i586.rpm
2b2004d1e4514d720a80f7ecec22b1d2 9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.i586.rpm
4bf5804d6155bf7d06705e5c4e46cf3e 9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
fe4885d9af3da5107101fbfac0a7f25f amd64/9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.amd64.rpm
b15da8abc8d7914528b90c612b6a558b amd64/9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.amd64.rpm
cd878dc7e721615e9b0ffdb8a8849f93 amd64/9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.amd64.rpm
75109c17f579d2d108a4258ef1e12ba4 amd64/9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.amd64.rpm
4bf5804d6155bf7d06705e5c4e46cf3e amd64/9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesoft.com/security/advisories
If you want to report vulnerabilities, please contact
security_linux-mandrake.com