OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: OpenPKG (openpkgopenpkg.org)
Date: Wed Jun 19 2002 - 11:02:21 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________

    OpenPKG Security Advisory The OpenPKG Project
    http://www.openpkg.org/security.html http://www.openpkg.org
    openpkg-securityopenpkg.org openpkgopenpkg.org
    OpenPKG-SA-2002.004 19-Jun-2002
    ________________________________________________________________________

    Package: apache
    Vulnerability: remote DoS / exploit
    OpenPKG Specific: no

    Affected Releases: OpenPKG 1.0
    Affected Packages: <= apache-1.3.22-1.0.1
    Corrected Packages: >= apache-1.3.22-1.0.2
    Dependent Packages: -

    Description:
      According to a Security Bulletin from the Apache Software Foundation
      [5] and a corresponding CERT Security Advisory [6], there is a
      remotely exploitable vulnerability in the way that the Apache web
      server handles data encoded in chunks. This bug can be triggered
      remotely by sending a carefully crafted invalid request. This
      functionality is enabled by default.

      Please check whether you are affected by running "<prefix>/bin/rpm -qa
      apache". If you have the "apache" package installed and its version
      is affected (see above), we recommend that you immediately upgrade it
      (see Solution).

    Solution:
      Select the updated source RPM appropriate for your OpenPKG release
      [4], fetch it from the OpenPKG FTP service [3] or a mirror
      location, verify its integrity [1], build a corresponding binary RPM
      from it and update your OpenPKG installation by applying the binary
      RPM [2]. For the latest OpenPKG 1.0 release, perform the following
      operations to permanently fix the security problem (for other releases
      adjust accordingly).

      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd release/1.0/UPD
      ftp> get apache-1.3.22-1.0.2.src.rpm
      ftp> bye
      $ <prefix>/bin/rpm --checksig apache-1.3.22-1.0.2.src.rpm
      $ <prefix>/bin/rpm --rebuild apache-1.3.22-1.0.2.src.rpm
      $ su -
      # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.22-1.0.2.*.rpm
      # <prefix>/etc/rc apache stop start
    ________________________________________________________________________

    References:
      [1] http://www.openpkg.org/security.html#signature
      [2] http://www.openpkg.org/tutorial.html#regular-source
      [3] ftp://ftp.openpkg.org/release/1.0/UPD/
      [4] ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.2.src.rpm
      [5] http://httpd.apache.org/info/security_bulletin_20020617.txt
      [6] http://www.cert.org/advisories/CA-2002-17.html
    ________________________________________________________________________

    For security reasons, this advisory was digitally signed with
    the OpenPGP public key "OpenPKG <openpkgopenpkg.org>" (ID 63C4CB9F)
    of the OpenPKG project which you can find under the official URL
    http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
    check the integrity of this advisory, verify its digital signature by
    using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
    the command "gpg --verify --keyserver keyserver.pgp.com".
    ________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Comment: OpenPKG <openpkgopenpkg.org>

    iEYEARECAAYFAj0QqR8ACgkQgHWT4GPEy5/43wCfW/ZSOmr2Fnha/7Uhj2+/Bgv0
    rcQAn2/8Lyl0Bd5hJKuQbPT8e5Dnp6vb
    =fFlQ
    -----END PGP SIGNATURE-----