
Security Advisories (MDKSA-2004:046-1): apache-mod_perl



Mandrakesoft Security Advisories MDKSA-2004:046-1 : apache-mod_perl

 

apache-mod_perl packages are now available

May 20th, 2004

 

Four security vulnerabilities were fixed with the 1.3.31 release of Apache. All of these issues have been backported and applied to the provided packages. Thanks to Ralf Engelschall of OpenPKG for providing the patches.

 

Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences from its error logs. This could make it easier for attackers to insert those sequences into the terminal emulators of administrators viewing the error logs, where those emulators contain vulnerabilities related to escape sequence handling (CAN-2003-0020).

 

mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the nonce of a client response by using an AuthNonce secret. Apache now verifies the nonce returned in the client response to check whether it was issued by itself, by means of an "AuthDigestRealmSeed" secret exposed as an MD5 checksum (CAN-2003-0987).

 

mod_access in Apache 1.3 prior to 1.3.30, when running on big-endian 64-bit platforms, did not properly parse Allow/Deny rules using IP addresses without a netmask. This could allow a remote attacker to bypass intended access restrictions (CAN-2003-0993).

 

Apache 1.3 prior to 1.3.30, when using multiple listening sockets on certain platforms, allows a remote attacker to cause a DoS by blocking new connections via a short-lived connection on a rarely-accessed listening socket (CAN-2004-0174). While this particular vulnerability does not affect Linux, we felt it prudent to include the fix.

 

Update:

 

Due to the changes in mod_digest.so, mod_perl needed to be rebuilt against the patched Apache packages in order for httpd-perl to properly load the module. The appropriate mod_perl packages have been rebuilt and are now available.

 

 

The released versions of Mandrake GNU/Linux affected are:

  • 9.1
  • 9.2
  • 10.0
  • CS2.1

Full information about this advisory, including the updated packages, is available at:

www.mandrakesoft.com/security/advisories?name=MDKSA-2004:046-1

 

Other references:

http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0020

http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0987

http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0993

http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2004-0174

 

Posted automatically by aru (mdksec2mub v0.0.9)
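
A sketch of the kind of check described for CAN-2003-0987, added here as an example and not code from Apache or from the advisory: the server derives each nonce from a secret seed, so it can later tell whether a nonce in a client response is one it issued. The nonce layout, the function names, the realm, the seed value and the 300-second lifetime are assumptions for illustration, not mod_digest's actual format.

```python
import hashlib
import hmac

REALM = "example-realm"                       # constructed sample value
SEED = b"constructed-seed-not-a-real-secret"  # stands in for the server-side secret
MAX_AGE = 300                                 # assumed nonce lifetime in seconds


def _tag(ts_hex: str, realm: str, seed: bytes) -> bytes:
    """Hex MD5 over issue time, realm and the secret seed (assumed layout)."""
    data = ts_hex.encode() + b":" + realm.encode() + b":" + seed
    return hashlib.md5(data).hexdigest().encode()


def issue_nonce(now: int, realm: str = REALM, seed: bytes = SEED) -> str:
    """Nonce = 8 hex digits of issue time + 32 hex digits of tag."""
    ts_hex = format(now & 0xFFFFFFFF, "08x")
    return ts_hex + _tag(ts_hex, realm, seed).decode()


def verify_nonce(nonce: str, now: int, realm: str = REALM, seed: bytes = SEED) -> str:
    """Classify a client-supplied nonce as ok, malformed, forged or stale."""
    if len(nonce) != 40:
        return "malformed"
    ts_hex, tag = nonce[:8], nonce[8:]
    # Check the tag first: only a nonce built with our seed passes, so the
    # timestamp is trusted (and known to be well-formed hex) after this point.
    if not hmac.compare_digest(tag.encode(), _tag(ts_hex, realm, seed)):
        return "forged"
    issued = int(ts_hex, 16)
    if issued > now or now - issued > MAX_AGE:
        return "stale"
    return "ok"


if __name__ == "__main__":
    t0 = 1085011200  # constructed issue time
    n = issue_nonce(t0)
    print(verify_nonce(n, t0 + 10))                 # nonce issued by this server
    print(verify_nonce(n[:8] + "0" * 32, t0 + 10))  # tag not derived from the seed
    print(verify_nonce(n, t0 + 3600))               # issued by us, but too old
```

A server that skips the tag comparison accepts any well-formed nonce, which is the gap the advisory describes; the tag ties acceptance to knowledge of the seed.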
