5790858 2000-11-27 14:51 -0500 /287 lines/ <bugzilla@redhat.com>
Sent by: mail@mail.nation.liu.se
Imported: 2000-11-28 19:13 by Brevbäraren (which is implemented in) Python
External recipient: redhat-watch-list@redhat.com
External CC recipient: security-alert@linuxsecurity.com
External CC recipient: bugtraq@securityfocus.com
External CC recipient: linux-security@redhat.com
Recipient: Root (@) Nationernas Hus <13682>
Recipient: Red Hat Announce (import) <1691>
Sent: 2000-11-28 19:13
Subject: [RHSA-2000:088-05] Updated apache, php, mod_perl, and auth_ldap packages available.
------------------------------------------------------------
From: bugzilla@redhat.com
To: redhat-watch-list@redhat.com
Cc: security-alert@linuxsecurity.com, bugtraq@securityfocus.com, linux-security@redhat.com
Message-ID: <200011271951.eARJpgu05685@porkchop.redhat.com>

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          Updated apache, php, mod_perl, and auth_ldap packages available.
Advisory ID:       RHSA-2000:088-05
Issue date:        2000-10-18
Updated on:        2000-11-27
Product:           Red Hat Linux
Keywords:          apache mod_rewrite format string virtual host
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

Updated apache, php, mod_perl, and auth_ldap packages are now available for Red Hat Linux 5.2, 6.0, 6.1, 6.2, and 7.

2000-11-27: Added packages for Red Hat Linux 7 for Alpha

2. Relevant releases/architectures:

Red Hat Linux 5.2 - i386, alpha, sparc
Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc
Red Hat Linux 6.2 - i386, alpha, sparc
Red Hat Linux 7.0 - i386, alpha

3. Problem description:

A vulnerability in the mod_rewrite module and vulnerabilities in the virtual hosting facility in versions of Apache prior to 1.3.14 may allow attackers to view files on the server which are meant to be inaccessible. Format string vulnerabilities have been found in PHP versions 3 and 4.
Because upgrading to Apache 1.3.14 creates binary incompatibilities with web server modules built against older versions of Apache, the remaining RPMs listed here must be upgraded as well.

4. Solution:

For each RPM for your particular architecture, run:

    rpm -Fvh [filename]

where filename is the name of the RPM.

Users of Red Hat Linux 6.0 and 6.1 will need to manually install the apache-manual-1.3.14-1.6.2 package by running:

    rpm -Uvh [filename]

No vendor fixes are available for any vulnerabilities which may be present in the phpfi package included with Red Hat Linux 5.2 and 6.x. Users are urged to uninstall the package by running:

    rpm -e phpfi

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

18881 - mod_rewrite bug allows access despite deny/allow filters
18965 - PHP remote format string vulnerabilities
19203 - New mysql packages breaks php with apache

6. RPMs required:

Red Hat Linux 5.2:

alpha:
ftp://updates.redhat.com/5.2/alpha/apache-1.3.14-2.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/apache-devel-1.3.14-2.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/mod_perl-1.19-2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-3.0.17-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-manual-3.0.17-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-pgsql-3.0.17-1.5.x.alpha.rpm

sparc:
ftp://updates.redhat.com/5.2/sparc/apache-1.3.14-2.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/apache-devel-1.3.14-2.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/mod_perl-1.19-2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-3.0.17-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-manual-3.0.17-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-pgsql-3.0.17-1.5.x.sparc.rpm

i386:
ftp://updates.redhat.com/5.2/i386/apache-1.3.14-2.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/apache-devel-1.3.14-2.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/mod_perl-1.19-2.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-3.0.17-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-manual-3.0.17-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-pgsql-3.0.17-1.5.x.i386.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/apache-1.3.14-2.5.x.src.rpm
ftp://updates.redhat.com/5.2/SRPMS/mod_perl-1.19-2.src.rpm
ftp://updates.redhat.com/5.2/SRPMS/php-3.0.17-1.5.x.src.rpm

Red Hat Linux 6.2:

alpha:
ftp://updates.redhat.com/6.2/alpha/apache-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/apache-devel-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/apache-manual-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/auth_ldap-1.4.0-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/mod_perl-1.23-3.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/apache-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/apache-devel-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/apache-manual-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/auth_ldap-1.4.0-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/mod_perl-1.23-3.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/apache-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/apache-devel-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/apache-manual-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/auth_ldap-1.4.0-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/mod_perl-1.23-3.i386.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/apache-1.3.14-2.6.2.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/auth_ldap-1.4.0-3.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/mod_perl-1.23-3.src.rpm

Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/apache-1.3.14-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/apache-devel-1.3.14-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/apache-manual-1.3.14-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/mod_ssl-2.7.1-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/mod_php-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-imap-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-ldap-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-manual-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-mysql-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-pgsql-4.0.3pl1-1.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/i386/apache-1.3.14-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/apache-devel-1.3.14-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/apache-manual-1.3.14-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/mod_ssl-2.7.1-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/mod_php-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-imap-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-ldap-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-manual-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-mysql-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-pgsql-4.0.3pl1-1.i386.rpm

sources:
ftp://updates.redhat.com/7.0/SRPMS/apache-1.3.14-3.src.rpm
ftp://updates.redhat.com/7.0/SRPMS/php-4.0.3pl1-1.src.rpm

7. Verification:
These packages are GPG signed by Red Hat, Inc. for security. Our key is available at:

    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

    rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg <filename>

8. References:

http://www.securityfocus.com/vdb/bottom.html?vid=1728
http://www.securityfocus.com/vdb/bottom.html?vid=1786

Copyright(c) 2000 Red Hat, Inc.
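As an added example that is not part of the advisory or of Red Hat's tooling, the audit below applies sections 4 and 6 to a host: it parses the advisory's package filenames, orders versions the way rpm does (digit and alpha runs, so "4.0.3pl1" and "2.5.x" compare correctly), and reports which of the installed packages `rpm -Fvh` should freshen and that `phpfi` should be erased. Only the 7.0 i386 filenames are copied in, and the installed-package list is a constructed sample.

```python
import re

# Fixed packages for Red Hat Linux 7.0 i386, filenames copied from section 6 of
# RHSA-2000:088-05; the other releases and architectures follow the same pattern.
FIXED_RPMS = ["apache-1.3.14-3.i386.rpm", "mod_ssl-2.7.1-3.i386.rpm", "php-4.0.3pl1-1.i386.rpm"]

# Constructed sample of `rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output from a hypothetical, not yet patched 7.0 host.
INSTALLED = ["apache-1.3.12-2", "mod_ssl-2.6.6-1", "php-4.0.1pl2-9", "phpfi-2.0.1-5"]

def split_nvr(s):
    """'apache-devel-1.3.14-2.5.x.i386.rpm' -> ('apache-devel', '1.3.14', '2.5.x')."""
    s = re.sub(r"\.(i386|alpha|sparc|src)\.rpm$", "", s)
    name, version, release = s.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """rpm-style ordering of two version (or release) strings: -1, 0 or 1.
    Strings are cut into digit and alpha runs (separators ignored); digit runs compare
    as integers, a digit run beats an alpha run, and leftover runs make a string newer.
    rpm's tilde/caret rules are omitted since no version in this advisory uses them."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_update(installed_nvr, fixed_rpm):
    """True when the installed version-release is older than the advisory's."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(fixed_rpm)
    if n1 != n2:
        raise ValueError("package names differ: %s vs %s" % (n1, n2))
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) < 0

def audit(installed=INSTALLED, fixed_rpms=FIXED_RPMS, obsolete=("phpfi",)):
    """Return (RPMs to freshen with `rpm -Fvh`, packages to erase with `rpm -e`)
    per section 4; like -F itself, only packages already installed are considered."""
    fixed = {split_nvr(f)[0]: f for f in fixed_rpms}
    freshen, erase = [], []
    for nvr in installed:
        name = split_nvr(nvr)[0]
        if name in obsolete:
            erase.append(name)
        elif name in fixed and needs_update(nvr, fixed[name]):
            freshen.append(fixed[name])
    return freshen, erase
```

Run `audit()` with the real `rpm -qa` output of a host to get the freshen list for that host; the files still go through `rpm --checksig` from section 7 before `rpm -Fvh`.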