-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.010                                          23-Oct-2002
________________________________________________________________________

Package:             apache
Vulnerability:       cross site scripting
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG 1.0          <= apache-1.3.22-1.0.5      >= apache-1.3.22-1.0.6
OpenPKG 1.1          <= apache-1.3.26-1.1.1      >= apache-1.3.26-1.1.2
OpenPKG CURRENT      <= apache-1.3.27-20021009   >= apache-1.3.27-20021023

Description:
  Joe Orton <jorton@redhat.com> discovered a cross site scripting (XSS)
  bug [3] in mod_ssl [1], the SSL/TLS component for the Apache webserver
  [2]. Like the other recent Apache XSS bugs, this only affects servers
  using a combination of "UseCanonicalName off" (_not_ the default in the
  OpenPKG package of Apache) and a wildcard A record for the server in
  the DNS. Although this combination is even less common for HTTPS
  servers than for plain HTTP servers, it could nevertheless allow remote
  attackers to execute client-side script code as other web page visitors
  via the HTTP "Host" header.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  apache". If you have an affected version of the "apache" package (see
  above), upgrade it according to the solution below. Remember to also
  rebuild and reinstall any dependent OpenPKG packages. [4]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6][7], fetch it from the OpenPKG FTP service or a mirror location,
  verify its integrity [8], build a corresponding binary RPM from it and
  update your OpenPKG installation by finally installing the binary RPM
  [4].
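  The "am I affected" check described above, as an added Python example
  (not part of this advisory or of OpenPKG's own tooling): it compares the
  name-version-release string printed by "rpm -q apache" against the
  corrected packages in the table and inspects httpd.conf for the
  "UseCanonicalName off" precondition. It assumes all-numeric
  version/release segments and a simple last-directive-wins reading of the
  configuration file; the sample configuration is constructed.

```python
import re

# Corrected package versions from OpenPKG-SA-2002.010, keyed by OpenPKG release.
CORRECTED = {
    "1.0": "apache-1.3.22-1.0.6",
    "1.1": "apache-1.3.26-1.1.2",
    "CURRENT": "apache-1.3.27-20021023",
}

# Constructed sample httpd.conf (assumption: directives read top-down, last one wins).
SAMPLE_CONF = """\
# UseCanonicalName off   <- commented out, must be ignored
UseCanonicalName Off
"""

NVR_RE = re.compile(r"^(?P<name>[A-Za-z][\w+.-]*?)-(?P<ver>\d[\w.]*)-(?P<rel>\d[\w.]*)$")


def parse_nvr(nvr):
    """Split 'apache-1.3.26-1.1.1' (as printed by rpm -q) into (name, version, release)."""
    m = NVR_RE.match(nvr.strip())
    if not m:
        raise ValueError(f"not a name-version-release string: {nvr!r}")
    return m.group("name"), m.group("ver"), m.group("rel")


def _key(version, release):
    # Numeric-segment ordering; enough for the all-numeric versions in this advisory.
    num = lambda s: [int(t) for t in re.findall(r"\d+", s)]
    return (num(version), num(release))


def is_affected(installed_nvr, openpkg_release):
    """True if the installed apache package is older than the corrected one for this release."""
    name, ver, rel = parse_nvr(installed_nvr)
    cname, cver, crel = parse_nvr(CORRECTED[openpkg_release])
    if name != cname:
        raise ValueError(f"expected package {cname!r}, got {name!r}")
    return _key(ver, rel) < _key(cver, crel)


def canonical_name_off(conf_text):
    """True if the effective UseCanonicalName setting is 'off', the precondition for this XSS."""
    state = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.match(r"UseCanonicalName\s+(\S+)", line, re.IGNORECASE)
        if m:
            state = m.group(1).lower()
    return state == "off"


def assess(installed_nvr, openpkg_release, conf_text):
    """'exposed' = old package and risky setting; 'update' = old package only; else 'ok'."""
    if not is_affected(installed_nvr, openpkg_release):
        return "ok"
    return "exposed" if canonical_name_off(conf_text) else "update"
```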
  For the latest OpenPKG 1.1 release, perform the following operations to
  permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.1/UPD
  ftp> get apache-1.3.26-1.1.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig apache-1.3.26-1.1.2.src.rpm
  $ <prefix>/bin/rpm --rebuild apache-1.3.26-1.1.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.26-1.1.2.*.rpm
  # <prefix>/etc/rc apache stop start
________________________________________________________________________

References:
  [1] http://www.modssl.org/
  [2] http://httpd.apache.org/
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.6.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.2.src.rpm
  [7] ftp://ftp.openpkg.org/current/SRC/apache-1.3.27-20021023.src.rpm
  [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj22lVEACgkQgHWT4GPEy595bwCg2zHHb8+/azQ7ojk/LBOzprf4
o9IAmgO4UPUntvqTd0dnlDEfKG6a3LeT
=KgyW
-----END PGP SIGNATURE-----