Linux Advisory Watch - July 5th 2002

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  July  5th, 2002                          Volume 3, Number 27a |
+----------------------------------------------------------------+
 
  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com
 
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for openssh, apache, mod_ssl, and
squid. The vendors include Conectiva, Debian, EnGarde, Mandrake, SuSE, and
Trustix.

*# Developing with open standards? Demanding High Performance? #* 

Catch the Oracle9i JDeveloper wave now and check out how built-in
profilers and CodeCoach make your Java code tighter and faster than ever
before. Download your FREE copy of Oracle9i JDeveloper Today.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=oracle1

  
 * Guardian Digital offers new Secure Linux server OS *
Setting up a secure server isn't necessarily for the faint of heart.  To
make it easier for IT administrators, Guardian Digital Inc. has released
EnGarde Secure Linux Version 1.2, offering a secure server operating
system for mail, Web and other servers without the hassle of an intricate
customization.
 
http://www.linuxsecurity.com/articles/vendors_products_article-5153.html
 
 
Find technical and managerial positions available worldwide.  Visit the
LinuxSecurity.com Career Center: http://careers.linuxsecurity.com


+---------------------------------+
|  openssh                        | ----------------------------//
+---------------------------------+  

A couple of bugs have been discovered in several versions of OpenSSH,
including version 3.1p1, which is shipped with TSL.  As later versions of
OpenSSH introduce rather large changes in functionality and our public
testing revealed a few issues not yet solved, we chose to apply the
patches supplied by the OpenSSH project rather than upgrade to the latest
version.

 EnGarde: 
 ftp://ftp.engardelinux.org/pub/engarde/stable/updates/ 
  
 i386/openssh-3.4p1-1.0.22.i386.rpm 
 MD5 Sum: 8eb4a1d6c34f6754e5857eecd82fd5cb 
 i386/openssh-clients-3.4p1-1.0.22.i386.rpm 
 MD5 Sum: 9110b0b12a6345959da021b75f3eb1d9 

 i386/openssh-server-3.4p1-1.0.22.i386.rpm 
 MD5 Sum: 7790b373ca78f2870b2d55f1bda6735e 

 EnGarde Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2177.html 
  
 Trustix: 
 http://www.trustix.net/pub/Trustix/updates/ 

 ./1.5/RPMS/openssh-server-3.1.0p1-4tr.i586.rpm 
 2a75912515a7751b06ee767f6691a3b7 

 ./1.5/RPMS/openssh-clients-3.1.0p1-4tr.i586.rpm 
 b3a08640bf14499d41ce77eb18bfdc17 

 ./1.5/RPMS/openssh-3.1.0p1-4tr.i586.rpm 
 f39806e0d245e16c8b5e7cb26720d68c 

 Trustix Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2174.html 

 Conectiva: 
 ftp://atualizacoes.conectiva.com.br/8/RPMS/
 openssh-3.4p1-1U8_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/8/RPMS/
 openssh-askpass-3.4p1-1U8_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/8/RPMS/
 openssh-askpass-gnome-3.4p1-1U8_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/8/RPMS/
 openssh-clients-3.4p1-1U8_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/8/RPMS/
 openssh-server-3.4p1-1U8_1cl.i386.rpm 

 Conectiva Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2176.html 
  

 Mandrake: 
 PLEASE SEE VENDOR ADVISORY FOR UPDATE 

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2184.html
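A check worth running on the packages listed above, added here as an example that is not part of the newsletter: compute the MD5 sum of each downloaded RPM and compare it with the published "MD5 Sum:" value before installing. It assumes md5sum (or openssl as a fallback) is on the path; the sample file and its sum below are constructed for the demo.

```shell
# Added example, not from the newsletter: check a downloaded update package
# against the MD5 sum published in the vendor listing before installing it.
# Assumes md5sum (coreutils) is available; falls back to openssl otherwise.

# Print only the lowercase hex MD5 digest of a file.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: returns 0 when the digest matches, 1 otherwise.
# Case-insensitive, since vendors publish sums in either case.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING  $file" >&2
        return 1
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (expected $expected, got $actual)" >&2
    return 1
}

# verify_manifest MANIFEST: each line is "<md5>  <file>", one RPM name from
# the listing paired with its MD5 Sum. Non-zero if any entry fails, so an
# install script can stop before running rpm -U.
verify_manifest() {
    rc=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        verify_md5 "$path" "$sum" || rc=1
    done < "$1"
    return $rc
}

# Constructed demo: a stand-in "package" whose MD5 sum is known in advance.
tmp=$(mktemp)
printf 'hello\n' > "$tmp"
verify_md5 "$tmp" b1946ac92492d2347c6235b4d2611184
verify_md5 "$tmp" 00000000000000000000000000000000 || echo "(rejected, as it should be)"
rm -f "$tmp"
```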


  

+---------------------------------+
|  apache                         | ----------------------------//
+---------------------------------+  

The mod_ssl team have upgraded their code due to an off-by-one buffer
overflow bug in the compatibility functionality (mapping of old directives
to new ones).  We don't have any indication that this issue is in any way
exploitable, but since the upstream vendor has released a new version, we
want to upgrade the package.

 Trustix: 
 http://www.trustix.net/pub/Trustix/updates/ 
 ./1.5/RPMS/apache-devel-1.3.26-2tr.i586.rpm 
 706a30c5c6790f7543a68b374be84e42 

 ./1.5/RPMS/apache-1.3.26-2tr.i586.rpm 
 9530d767981081c524e0f30dc58cc9aa 

 Trustix Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2175.html 

 Conectiva: 
 ftp://atualizacoes.conectiva.com.br/8/RPMS/
 apache-1.3.26-1U8_2cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/8/RPMS/
 apache-devel-1.3.26-1U8_2cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/8/RPMS/
 apache-doc-1.3.26-1U8_2cl.i386.rpm 

 Conectiva Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2183.html


  

+---------------------------------+
|  mod_ssl                        | ----------------------------//
+---------------------------------+  

Frank Denis (j@pureftpd.org) discovered an off-by-one error in mod_ssl's
handling of older configuration directives (the rewrite_command hook). As
such, a malicious user, using a specially-crafted .htaccess file, may be
able to DoS the child (Apache) processes or execute arbitrary commands as
the web user.

 EnGarde: 
 ftp://ftp.engardelinux.org/pub/engarde/stable/updates/ 
  
 i386/apache-1.3.26-1.0.31.i386.rpm 
 MD5 Sum: f0f56d536c6133c25291cc11dec602a9 
  
 EnGarde Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2178.html 
  
 Debian: i386 architecture (Intel ia32) 
 http://security.debian.org/pool/updates/main/liba/ 
 libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_i386.deb 
 MD5 checksum: a1fd7d6a7ef3506ee0f94e56735d3d08 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2179.html 
  

 SuSE i386 Intel Platform: SuSE-8.0 
 ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/ 
 openssh-3.4p1-4.i386.patch.rpm 
 94c4a554b59902816347a090cd0f6868 
  
 SuSE Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/suse_advisory-2182.html


  

+---------------------------------+
|  squid                          | ----------------------------//
+---------------------------------+  

squid-2.4.STABLE7 has been released to address a number of security issues
in Squid and related software. All users of the Squid HTTP Proxy are
strongly encouraged to upgrade.

 squid Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2185.html

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2189.html

 Red Hat Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-2186.html



------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
