-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0047

Package name:      apache, cups, foomatic-filters, iptables, squid
Summary:           Several security holes
Date:              2004-09-16
Affected versions: Trustix Secure Linux 2.0
                   Trustix Secure Linux 2.1
                   Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------

Package description:
  apache:
  Apache is a full-featured web server that is freely available, and also
  happens to be the most widely used.

  cups:
  The Common UNIX Printing System provides a portable printing layer for
  UNIX operating systems. It has been developed by Easy Software Products
  to promote a standard printing solution for all UNIX vendors and users.

  foomatic-filters:
  Foomatic is a database-driven system for integrating free software
  printer drivers with common spoolers under Unix.

  iptables:
  The iptables utility controls the network packet filtering code in the
  Linux kernel. If you need to set up firewalls and/or IP masquerading,
  you must install this package.

  squid:
  Squid is a high-performance proxy caching server for Web clients,
  supporting FTP, gopher, and HTTP data objects.

Problem description:
  apache:
  (from http://httpd.apache.org)
  This version of Apache is principally a bug fix release. Of particular
  note is that 2.0.51 addresses five security vulnerabilities:

  - An input validation issue in IPv6 literal address parsing which can
    result in a negative length parameter being passed to memcpy.
    [CAN-2004-0786]

  - A buffer overflow in configuration file parsing could allow a local
    user to gain the privileges of a httpd child if the server can be
    forced to parse a carefully crafted .htaccess file. [CAN-2004-0747]

  - A segfault in mod_ssl which can be triggered by a malicious remote
    server, if proxying to SSL servers has been configured.
    [CAN-2004-0751]

  - A potential infinite loop in mod_ssl which could be triggered given
    particular timing of a connection abort. [CAN-2004-0748]

  - A segfault in mod_dav_fs which can be remotely triggered by an
    indirect lock refresh request. [CAN-2004-0809]

  cups:
  Alvaro Martinez Echevarria discovered a bug that made it possible to
  disable browsing in CUPS by sending an empty UDP datagram to the port
  where cupsd is running.
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0558 to this issue.

  foomatic-filters:
  (from http://www.linuxprinting.org/)
  It was possible to make foomatic-rip execute arbitrary commands as the
  user "lp" (or whatever the spooler's special user is called) on the
  print server.
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0801 to this issue.

  iptables:
  Package cleanup. Init script improvements. Not a security fix.

  squid:
  Certain malformed NTLMSSP packets could crash the NTLM helpers provided
  by Squid.
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0832 to this issue.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>

About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With
  focus on security and stability, the system is painlessly kept safe
  and up to date from day one using swup, the automated software updater.

Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically installed
  using 'swup --upgrade'.

Questions?
  Check out our mailing lists: <URI:http://www.trustix.org/support/>

Verification:
  This advisory, along with all Trustix packages, is signed with the TSL
  sign key. This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.0/> and
  <URI:http://www.trustix.org/errata/trustix-2.1/>
  or directly at
  <URI:http://www.trustix.org/errata/2004/0047/>

MD5sums of the packages:
- --------------------------------------------------------------------------
1090c2bfc503d801f152f44c5866db0f  2.0/rpms/apache-2.0.51-0.1tr.i586.rpm
894d23c0378e85615decaf58c0c14e84  2.0/rpms/apache-devel-2.0.51-0.1tr.i586.rpm
6e7dfaa9452ae178e6a330e4aa10476a  2.0/rpms/apache-manual-2.0.51-0.1tr.i586.rpm
40490ab3be0a596f061ff29f33d995bd  2.0/rpms/cups-1.1.19-7tr.i586.rpm
6f1b8f00e653573ea442479f9b50c931  2.0/rpms/cups-devel-1.1.19-7tr.i586.rpm
5a8290aadf1fb900864170634b18f1cb  2.0/rpms/cups-libs-1.1.19-7tr.i586.rpm
d741a76bf8569bee7dfc3e0dd8113733  2.0/rpms/foomatic-filters-3.0.2-0.1tr.noarch.rpm
1e43f38b4b7ff92b7e0f8d7106bef247  2.0/rpms/iptables-1.2.11-0.2tr.i586.rpm
7c063049656ec69cafd06d71a81d563f  2.0/rpms/iptables-devel-1.2.11-0.2tr.i586.rpm
b373ed51c850bcc1c1604dd7d4b2e1f0  2.0/rpms/iptables-ipv6-1.2.11-0.2tr.i586.rpm
cba8e760ce665036480e5d7c813bac72  2.0/rpms/squid-2.5.STABLE5-0.3tr.i586.rpm

4f3be16f660d885092a8e4f012ea8df3  2.1/rpms/apache-2.0.51-1tr.i586.rpm
be84ecad390814ec23059d21b3bb6efb  2.1/rpms/apache-dbm-2.0.51-1tr.i586.rpm
37217c4dfc6f5ce245531c74d2fbafa7  2.1/rpms/apache-devel-2.0.51-1tr.i586.rpm
9f439771273fd779808cb80fd91d504e  2.1/rpms/apache-manual-2.0.51-1tr.i586.rpm
bce661e1458890bbe1f537375e5d8cad  2.1/rpms/cups-1.1.20-4tr.i586.rpm
085baf96a710ef42dff9f54becd9ae09  2.1/rpms/cups-devel-1.1.20-4tr.i586.rpm
cdc1a6c61975ad5e68a43584416ecb92  2.1/rpms/cups-libs-1.1.20-4tr.i586.rpm
bb39620054926c9f564137d86bb2b891  2.1/rpms/foomatic-filters-3.0.2-1tr.noarch.rpm
f43776fe80c27908e67f778ef5a72707  2.1/rpms/iptables-1.2.11-2tr.i586.rpm
082848d429e7fad00106953fcbd24438  2.1/rpms/iptables-devel-1.2.11-2tr.i586.rpm
1211a7c8d50fe12d459a2d54bc5c597e  2.1/rpms/iptables-ipv6-1.2.11-2tr.i586.rpm
d3c965495287dce3f47fa032f7a39f82  2.1/rpms/squid-2.5.STABLE5-6tr.i586.rpm

eaaadc0f146d5f553f649366b1783d31  e-2/apache-2.0.51-1tr.i586.rpm
e7a9ec298be1456e18940ebe36ab20a4  e-2/apache-dbm-2.0.51-1tr.i586.rpm
795340a4c2852b081c9f1fcc417120e1  e-2/apache-devel-2.0.51-1tr.i586.rpm
3ab2deec91a32e43c4b81b43b288d166  e-2/apache-manual-2.0.51-1tr.i586.rpm
1139146a06519f64112a9ba96e8cd634  e-2/cups-1.1.20-4tr.i586.rpm
5e01229600db621a90450134e9f7f80a  e-2/cups-devel-1.1.20-4tr.i586.rpm
f999c4600ece4e216d07ce0892461124  e-2/cups-libs-1.1.20-4tr.i586.rpm
f35774a0165bb1d616e7e7fd5d947422  e-2/foomatic-filters-3.0.2-1tr.noarch.rpm
06df788d6b7448abcd3c7ac8e042abbe  e-2/iptables-1.2.11-2tr.i586.rpm
69e264c32a1883415f4be6fce47e0d94  e-2/iptables-devel-1.2.11-2tr.i586.rpm
34f94f1baa0b52b82261ce9cd76420eb  e-2/iptables-ipv6-1.2.11-2tr.i586.rpm
cc479e76f3edf44128ce4829d38a08cd  e-2/squid-2.5.STABLE5-6tr.i586.rpm
- --------------------------------------------------------------------------

Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBSZgqi8CEzsK9IksRAsQYAKCOWrhkdh88447kvm65kZTQ/bYYUQCeOZUI
VVQMSnaHnDV9TYbVH3JsHb0=
=TP50
-----END PGP SIGNATURE-----
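The advisory's "Verification" and "MD5sums of the packages" sections describe a manual check: compare each downloaded RPM against the published digest. The script below is an added example written for this page, not a tool shipped by Trustix. It parses a digest list in the advisory's own "<md5> <path>" format, hashes each file in a download directory, and reports every listed package as ok, mismatch or missing. The three digests embedded in it are copied from the advisory; the files that demo() writes are constructed stand-ins, so the real apache entry is reported as a mismatch, and the "hypothetical-1.0-1tr" package name is an assumption used only to show the ok path.

```python
import hashlib
import os
import tempfile

# Added example, not part of the Trustix advisory. The digests below are
# copied from the advisory's MD5 list; demo() writes constructed file
# contents that deliberately do not match them.
ADVISORY_MD5_LIST = """\
1090c2bfc503d801f152f44c5866db0f 2.0/rpms/apache-2.0.51-0.1tr.i586.rpm
40490ab3be0a596f061ff29f33d995bd 2.0/rpms/cups-1.1.19-7tr.i586.rpm
cba8e760ce665036480e5d7c813bac72 2.0/rpms/squid-2.5.STABLE5-0.3tr.i586.rpm
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_md5_list(text):
    """Parse '<md5> <path>' lines into {path: md5}; reject malformed digests."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected '<md5> <path>'" % lineno)
        digest, path = parts[0].lower(), parts[1].strip()
        if len(digest) != 32 or not set(digest) <= HEX_DIGITS:
            raise ValueError("line %d: malformed MD5 digest" % lineno)
        entries[path] = digest
    return entries


def md5_of_file(path, chunk_size=65536):
    """MD5 hex digest of a file, streamed so large RPMs need no extra memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(entries, base_dir):
    """Return {path: 'ok' | 'mismatch' | 'missing'} for every listed package.

    Every listed file is reported, so a package that was never fetched
    shows up as 'missing' instead of silently passing the check.
    """
    results = {}
    for rel_path, expected in entries.items():
        full = os.path.join(base_dir, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "missing"
        elif md5_of_file(full) == expected:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "mismatch"
    return results


def demo():
    """Run the check against constructed files in a temporary directory."""
    entries = parse_md5_list(ADVISORY_MD5_LIST)
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the apache RPM: wrong bytes -> 'mismatch'.
        apache = os.path.join(tmp, "2.0", "rpms", "apache-2.0.51-0.1tr.i586.rpm")
        os.makedirs(os.path.dirname(apache))
        with open(apache, "wb") as fh:
            fh.write(b"constructed: not the real package\n")
        # Hypothetical extra package whose digest we compute ourselves -> 'ok'.
        good_bytes = b"constructed: contents of a hypothetical package\n"
        good_rel = "2.0/rpms/hypothetical-1.0-1tr.i586.rpm"
        with open(os.path.join(tmp, good_rel), "wb") as fh:
            fh.write(good_bytes)
        entries[good_rel] = hashlib.md5(good_bytes).hexdigest()
        # The cups and squid packages are never written -> 'missing'.
        return verify_downloads(entries, tmp)


if __name__ == "__main__":
    for rel_path, status in sorted(demo().items()):
        print("%-8s %s" % (status, rel_path))
```

Against a real mirror download, replace ADVISORY_MD5_LIST with the full list from the signed advisory and point verify_downloads() at the directory holding the 2.0/, 2.1/ and e-2/ trees. Two caveats the advisory's wording implies but does not spell out: the digest list only proves the files match what the advisory says, so the advisory itself must first be checked against the TSL sign key (gpg --verify) for the list to mean anything; and MD5 is no longer collision-resistant, so treat the list as a download-integrity check that backs the PGP signature rather than as an authenticity check on its own.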