Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2005.0182 -- Debian Security Advisory DSA 689-1 New mod_python packages fix information leak 24 February 2005 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: libapache-mod-python Publisher: Debian Operating System: Debian GNU/Linux 3.0 Linux variants UNIX variants Windows Impact: Read-only Data Access Access: Remote/Unauthenticated CVE Names: CAN-2005-0088 Ref: ESB-2005.0135 Original Bulletin: http://www.debian.org/security/2005/dsa-689 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 689-1 security@debian.org http://www.debian.org/security/ Martin Schulze February 23rd, 2005 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : libapache-mod-python Vulnerability : missing input sanisiting Problem-Type : remote Debian-specific: no CVE ID : CAN-2005-0088 Graham Dumpleton discovered a flaw which can affect anyone using the publisher handle of the Apache Software Foundation's mod_python. The publisher handle lets you publish objects inside modules to make them callable via URL. The flaw allows a carefully crafted URL to obtain extra information that should not be visible (information leak). For the stable distribution (woody) this problem has been fixed in version 2.7.8-0.0woody5. For the unstable distribution (sid) this problem has been fixed in version 2.7.10-4 of libapache-mod-python and in version 3.1.3-3 of libapache2-mod-python. We recommend that you upgrade your libapache-mod-python package. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5.dsc Size/MD5 checksum: 715 b0716ef2fca40600c41d77c45bcc4167 http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5.diff.gz Size/MD5 checksum: 8261 69110f0e179d5b6f93542233ca6014c4 http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8.orig.tar.gz Size/MD5 checksum: 176639 4d5bee8317bfb45a3bb09f02b435e917 Alpha architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_alpha.deb Size/MD5 checksum: 120410 64e141ce045b242ce8372b0a2b4be1d7 ARM architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_arm.deb Size/MD5 checksum: 118242 d5738e2ae1a50394ad6964c6fc698652 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_i386.deb Size/MD5 checksum: 117626 acc4d8975aff9f0df543ba7015781ac3 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_ia64.deb Size/MD5 checksum: 131522 d7ad903ce69e71242e62ad37b7faa91a HP Precision architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_hppa.deb Size/MD5 checksum: 120182 6bce263b5cb8b4f4812c56483aa50e37 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_m68k.deb Size/MD5 checksum: 118688 3bf883aeee5ad3918b8dc303269f4475 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_mips.deb Size/MD5 checksum: 117644 5221344e02f32234c1e889d6d66f6f5d Little endian MIPS architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_mipsel.deb Size/MD5 checksum: 117386 e3acec959d1bfbdfcc10a6faff7c83cf PowerPC architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_powerpc.deb Size/MD5 checksum: 118564 574476da068dc51a89d434506059483b IBM S/390 architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_s390.deb Size/MD5 checksum: 119368 a5bf1d308b8fd847af7c22a657316834 Sun Sparc architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_sparc.deb Size/MD5 checksum: 118498 841af8c2e626a24c182cee27d7e71a24 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFCHIWkW5ql+IAeqTIRAg8uAKCuJruouCw8j3HDLRBQBJOB9w+snACdE1ir vCtwa1Lz/XU9O54Ck7L7ScU= =dSOn - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQh0cWih9+71yA2DNAQJ4IgP8CPwFDHuTO+VvFSHrJ4SYglJoN9Bj5Y4j nctuUxfogG3W2XPeKQ064jxGQ1q/EITaJgFhNAq0M+1oldk2zNlJeL30e5O/vGGx GWsYvNHmqyJCokUnZ5rOhf+sqiC9Nz4MkHOBFT6+wiJPJbRPNaHs44Eb244sIUej tLh6ifRgn+Y= =Jqm4 -----END PGP SIGNATURE-----