aru
Posted May 17, 2004

MandrakeSoft Security Advisory MDKSA-2004:046 : apache
May 17th, 2004

Updated apache packages fix a number of vulnerabilities

Four security vulnerabilities were fixed with the 1.3.31 release of Apache. All of these issues have been backported and applied to the provided packages. Thanks to Ralf Engelschall of OpenPKG for providing the patches.

Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences from its error logs. This could make it easier for attackers to insert those sequences into the terminal emulators of administrators viewing the error logs that contain vulnerabilities related to escape sequence handling (CAN-2003-0020).

mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the nonce of a client response by using an AuthNonce secret. Apache now verifies the nonce returned in the client response to check whether it was issued by itself by means of an "AuthDigestRealmSeed" secret exposed as an MD5 checksum (CAN-2004-0987).

mod_access in Apache 1.3 prior to 1.3.30, when running on big-endian 64-bit platforms, did not properly parse Allow/Deny rules using IP addresses without a netmask. This could allow a remote attacker to bypass intended access restrictions (CAN-2003-0993).

Apache 1.3 prior to 1.3.30, when using multiple listening sockets on certain platforms, allows a remote attacker to cause a DoS by blocking new connections via a short-lived connection on a rarely-accessed listening socket (CAN-2004-0174). While this particular vulnerability does not affect Linux, we felt it prudent to include the fix.

The released versions of Mandrake GNU/Linux affected are:

9.1
9.2
9.2/AMD64
Multi Network Firewall 8.2
Corporate Server 2.1
10.0

Full information about this advisory, including the updated packages, is available at:
www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:046

Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0987
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0993
http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2004-0174

Posted automatically by aru (mdksec2mub v0.0.8)
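
The kind of filtering the advisory describes for CAN-2003-0020, shown as an added example that is not part of the original post and is not Apache's actual patch: a log writer rewrites every byte a terminal could interpret into a printable form before the line reaches the error log. The function name `escape_log_item`, the `\xHH` output format and the sample input are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Apache's code. Copies src into dst, rewriting any
 * byte a terminal might interpret (C0 controls incl. ESC, DEL, 8-bit bytes)
 * as printable \xHH. Backslash is doubled so the output stays unambiguous.
 * Returns bytes written (without NUL), or (size_t)-1 if dst is too small. */
size_t escape_log_item(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dstlen == 0)
        return (size_t)-1;
    for (size_t i = 0; i < srclen; i++) {
        unsigned char c = (unsigned char)src[i];
        size_t need = (c == '\\') ? 2 : (c < 0x20 || c >= 0x7f) ? 4 : 1;

        if (dstlen - o <= need) {        /* always keep room for the NUL */
            dst[o] = '\0';
            return (size_t)-1;
        }
        if (need == 1) {
            dst[o++] = (char)c;
        } else if (need == 2) {
            dst[o++] = '\\';
            dst[o++] = '\\';
        } else {
            dst[o++] = '\\';
            dst[o++] = 'x';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        }
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed request path containing ESC [ 2 J (clear screen). */
    const char in[] = "File does not exist: /a\033[2J";
    char out[128];

    if (escape_log_item(out, sizeof out, in, sizeof in - 1) != (size_t)-1)
        puts(out);
    return 0;
}
```

Because newlines are escaped as well, a request cannot split one log entry into two, and the doubled backslash lets a reader tell an escaped byte from a literal `\x1b` typed by the client.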