NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2001-10

From: secureconectiva.com.br
Date: Thu Oct 18 2001 - 15:58:18 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE : apache
SUMMARY : Remote vulnerabilities in Apache < 1.3.22
DATE : 2001-10-18 18:54:00
ID : CLA-2001:430
RELEVANT
RELEASES : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
Apache is a robust, commercial-grade web server.

Security problems have been found in the Apache packages shipped with
all versions of Conectiva Linux. This update fixes the following
vulnerabilities:

* A intentionally malformed Host: header could allow any file with
a .log extention to be overwritten due to a problem in the
split-logfile script. Conectiva Linux does not ship split-logfile,
but users who may have installed this script manually are thus
advised to check their systems for this vulnerability. [1]

* When Multiviews are used to negotiate the directory index, under
certain conditions a request for the URI /?M=D could return a
directory listing rather than negotiated content. [2] [3]

Additionally, this update solves a problem in mod_bandwidth shipped
with Conectiva Linux 7.0. [4]

REFERENCES

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0730
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0731
[3] http://www.securityfocus.com/bid/3009
[4] http://bugzilla.conectiva.com.br/show_bug.cgi?id=4371

SOLUTION
All affected users should upgrade their packages.

ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribepapaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribepapaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7z0Jo42jd0JmAcZARAs7eAJ9vxHsjmYoXWm78thi20zUstubztwCgwln7
FmzF3ZqxBoVtNeMT9apw3mY=
=Kc7T
-----END PGP SIGNATURE-----

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]