-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

              ESB-2002.324 -- Debian Security Advisory DSA-135-1
                  Buffer Overflow / DoS in libapache-mod-ssl
                                3 July 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                libapache-mod-ssl
Vendor:                 Debian
Operating System:       Debian GNU/Linux 2.2
Platform:               Alpha
                        ARM
                        i386
                        IA-64
                        Motorola 680x0
                        PowerPC
                        SPARC
Impact:                 Execute Arbitrary Code/Commands
                        Denial of Service
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-135-1                     security@debian.org
http://www.debian.org/security/                     Robert van der Meulen
July 2, 2002
- - ------------------------------------------------------------------------

Package        : libapache-mod-ssl
Problem type   : buffer overflow / DoS
Debian-specific: no

The libapache-mod-ssl package provides SSL capability to the apache
webserver. Recently, a problem has been found in the handling of
.htaccess files, allowing arbitrary code execution as the web server
user (regardless of ExecCGI / suexec settings), DoS attacks (killing off
apache children), and allowing someone to take control of apache child
processes - all through specially crafted .htaccess files.

More information about this vulnerability can be found at
http://online.securityfocus.com/bid/5084

This has been fixed in the libapache-mod-ssl_2.4.10-1.3.9-1potato2
package (for potato), and the libapache-mod-ssl_2.8.9-2 package (for
woody).

We recommend you upgrade as soon as possible.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
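Added example, not part of the Debian advisory or the AusCERT bulletin: a small Python module that re-implements dpkg's version ordering so an administrator can decide, on any host, whether a reported libapache-mod-ssl version predates the fixed potato and woody versions named above. The fixed version strings are taken from this advisory; reading the installed version with `dpkg-query -W -f='${Version}' libapache-mod-ssl` is an assumed step, and the function names are the example's own.

```python
# Fixed versions named in DSA-135-1, keyed by Debian release name.
FIXED = {"potato": "2.4.10-1.3.9-1potato2", "woody": "2.8.9-2"}

def _order(c):
    # dpkg's per-character weight: '~' < digit or end of string < letters < other
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's ordering of one upstream-version or revision string (<0, 0, >0)
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit prefixes compare character by character by weight
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit runs compare numerically: drop leading zeros, longer run wins
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v):
    # [epoch:]upstream[-revision]: epoch before the first ':', revision after the last '-'
    epoch, sep, rest = v.partition(":")
    epoch, rest = (int(epoch), rest) if sep else (0, v)
    up, sep, rev = rest.rpartition("-")
    return (epoch, up, rev) if sep else (epoch, rest, "")

def compare_versions(x, y):
    """<0, 0 or >0, as `dpkg --compare-versions x lt|eq|gt y` would decide."""
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    return (ex - ey) or _verrevcmp(ux, uy) or _verrevcmp(rx, ry)

def needs_upgrade(installed, release):
    """True when the installed libapache-mod-ssl predates the fix for `release`."""
    return compare_versions(installed, FIXED[release]) < 0
```

A backported or pre-release build such as 2.8.9-2~pre1 sorts below 2.8.9-2, so it is still reported as needing the upgrade.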
Debian GNU/Linux 2.2 alias potato
- - ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
  Packages for m68k are not available at this moment.

  Source archives:

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2.dsc
      MD5 checksum: 5b2cb207ba8214f52ffbc28836dd8dc4
    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2.diff.gz
      MD5 checksum: 29eef2b3307f00d92eb425ac669dabec
    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9.orig.tar.gz
      MD5 checksum: cb0f2e07065438396f0d5df403dd2c16

  Architecture independent packages:

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl-doc_2.4.10-1.3.9-1potato2_all.deb
      MD5 checksum: ebd8154f614e646b3a12980c8db606b6

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_alpha.deb
      MD5 checksum: a3d73598e692b9c0bb945a52a00a363c

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_arm.deb
      MD5 checksum: 11e1085504430cacadd0255a0743b80a

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_i386.deb
      MD5 checksum: a1fd7d6a7ef3506ee0f94e56735d3d08

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_powerpc.deb
      MD5 checksum: 0f01742c2a77f2728baea4e1e9ad7ff0

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_sparc.deb
      MD5 checksum: 4982a209adc93acbf50a650a3569d217

  These packages will be moved into the stable distribution on its next
  revision.
Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Woody will be released for alpha, arm, hppa, i386, ia64, m68k, mips,
  mipsel, powerpc, s390 and sparc. Packages for ia64 and hppa are not
  available for the moment.

  Source archives:

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.dsc
      MD5 checksum: 7cce5c97bd3cf35c8782d54a25138165
    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.diff.gz
      MD5 checksum: fc9f20e6d3bece6f0d3bad067c61d56a

  Architecture independent packages:

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl-doc_2.8.9-2_all.deb
      MD5 checksum: 541257e99c523141625f5fc43fb3dec4

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_alpha.deb
      MD5 checksum: 712e406d8be713047f3e46bbf58269a5

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_arm.deb
      MD5 checksum: 8ce3d4d45f45423a6c6b7d795c319d33

  i386 architecture (intel ia32)

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_i386.deb
      MD5 checksum: 06733dc49c228230e5713f34eae7f8b0

  m68k architecture

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_m68k.deb
      MD5 checksum: e5a8518aac6d08bb5e9cc50195d336e3

  mips architecture

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_mips.deb
      MD5 checksum: dde883d6ee72f3b29fc324d9cb497670

  mipsel architecture

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_mipsel.deb
      MD5 checksum: a80756857248358c7973a5b0fb9372e2

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_powerpc.deb
      MD5 checksum: 715876a54ddddf1e17e4c2ec9d2f5eea

  s390 architecture (S390)
    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_s390.deb
      MD5 checksum: 1a31f564ceba0ca82d9892d023caffd0

- - -- 
- - ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9IZiKFLJHZigagQ4RAsfeAJ4ko09I2jr/7Y0R8T1rW90llJnm5wCeL5Lg
NQ6UxAmRGA788LB0wuuYi98=
=TwJP
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to use any or all of this
information is the responsibility of each user or organisation, and
should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPSLXayh9+71yA2DNAQG3hAQAlBE34MWqoFXHUp7r5VVZvhQ1HbznhyQ1
3u2CcKkTWL8/Ixlqm6x4Ot/iu2cJ5oDC9cbpCQdBXib3WwVAYQqCYL/YtAQBuowR
A/6ZFmG/cDGiX//cqMWkc6rzZfpcN2ktJzx5e+QQG/BwERovv3zbZTPYeGTGVvX3
frLVRPBAFTg=
=nS92
-----END PGP SIGNATURE-----