Yellow Dog Linux Security Announcement: YDU-20020626-1

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
26 Jun 2002 14:09:20 -0600


(note: not all mirrors have this update yet, and the ones that do are
extremely congested. They are temporarily available for manual download
at: ftp://ftp.terraplex.com/updates)


Yellow Dog Linux Security Announcement
--------------------------------------
Package:	apache
Issue Date:	June 26, 2002
Priority:	high
Advisory ID:	YDU-20020626-1


1. 	Topic:

	Updated apache packages are available.


2. 	Problem:


	"Versions of the Apache Web server up to and including 1.3.24 contain a bug
	in the routines which deal with requests encoded using "chunked" encoding.
	A carefully crafted invalid request can cause an Apache child process to
	call the memcpy() function in a way that will write past the end of its
	buffer, corrupting the stack.

	The Common Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2002-0392 to this issue.

	We have backported the security fix from the official Apache 1.3.26
	release. This should help minimize the impact of upgrading to our errata
	packages.

	All users of Apache should update to these errata packages to correct this
	security issue."
	(from Red Hat Advisory)


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install apache

   	b) Updating manually...
	Download the updates below for your version of Yellow Dog Linux
	and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]

		Yellow Dog Linux 2.3
		  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
			ppc/apache-1.3.22-6.2.3a.ppc.rpm
			ppc/apache-devel-1.3.22-6.2.3a.ppc.rpm
			ppc/apache-manual-1.3.22-6.2.3a.ppc.rpm

		Yellow Dog Linux 2.2
		  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
			ppc/apache-1.3.22-6.2.2a.ppc.rpm
			ppc/apache-devel-1.3.22-6.2.2a.ppc.rpm
			ppc/apache-manual-1.3.22-6.2.2a.ppc.rpm


4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
[Yellow Dog Linux 2.3]
1d78dc187a6eb53d065313317ebd1f78  SRPMS/apache-1.3.22-6.2.3a.src.rpm
203816970f4b91b24f2b2f0f261b4fbf  ppc/apache-1.3.22-6.2.3a.ppc.rpm
24ccb581b5f4f6541ac643520c4ab05d  ppc/apache-devel-1.3.22-6.2.3a.ppc.rpm
82006094165512139bd01a40ab78c4a4  ppc/apache-manual-1.3.22-6.2.3a.ppc.rpm

[Yellow Dog Linux 2.2]
39c453c3daec443b983d86c78405a976  SRPMS/apache-1.3.22-6.2.2a.src.rpm
d76a68755fafe67af0bb277eb6a5d396  ppc/apache-1.3.22-6.2.2a.ppc.rpm
84b7fb98be044c557f7b2cd70ec59c8e  ppc/apache-devel-1.3.22-6.2.2a.ppc.rpm
1c7fc06d2770d4f915ed2b0a5783fd07  ppc/apache-manual-1.3.22-6.2.2a.ppc.rpm


If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command:

		rpm --checksig --nogpg filename

Note that --nogpg skips the GPG signature check, so this command verifies only the
digests carried inside the package, not who built it. To check the downloaded file
itself against the table above, compare its md5sum output with the listed value.
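As an added example, not part of this advisory: a small POSIX shell script that checks downloaded packages against the MD5 list from section 4 with md5sum(1) and only then runs the rpm -Fvh command from section 3. It assumes the files were saved in the same ppc/ and SRPMS/ layout as the mirror, and that md5sum and rpm are available.

```shell
#!/bin/sh
# Verify downloaded YDL update packages against the advisory's MD5 list
# before freshening them with rpm -Fvh. Added example, not Terra Soft's code.

# The YDL 2.3 checksums from section 4 of the advisory, in md5sum -c format
# (two spaces between digest and path). Write this to a file to use it.
YDL23_MD5_LIST='1d78dc187a6eb53d065313317ebd1f78  SRPMS/apache-1.3.22-6.2.3a.src.rpm
203816970f4b91b24f2b2f0f261b4fbf  ppc/apache-1.3.22-6.2.3a.ppc.rpm
24ccb581b5f4f6541ac643520c4ab05d  ppc/apache-devel-1.3.22-6.2.3a.ppc.rpm
82006094165512139bd01a40ab78c4a4  ppc/apache-manual-1.3.22-6.2.3a.ppc.rpm'

# verify_md5_list LISTFILE DIR
# Every entry in LISTFILE must exist under DIR and match its digest.
# An empty list is rejected: a missing or truncated list must not "pass".
# Returns 0 only when every entry verifies; md5sum reports any FAILED line.
verify_md5_list() {
    listfile=$1
    dir=$2
    [ -s "$listfile" ] || { echo "empty checksum list: $listfile" >&2; return 1; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # Paths in the list are relative to the download directory, so check from there.
    ( cd "$dir" && md5sum -c --quiet ) < "$listfile"
}

# apply_update LISTFILE DIR [dry-run]
# Refuses to install anything unless the whole list verifies. With a third
# argument of "dry-run" it prints the rpm command instead of running it.
apply_update() {
    listfile=$1
    dir=$2
    mode=${3:-install}
    if ! verify_md5_list "$listfile" "$dir"; then
        echo "checksum verification failed; refusing to install" >&2
        return 1
    fi
    # Only the binary packages are installed; -F (freshen) upgrades just the
    # packages already present on the system, as the advisory's command does.
    set -- "$dir"/ppc/*.ppc.rpm
    if [ "$mode" = dry-run ]; then
        echo rpm -Fvh "$@"
    else
        rpm -Fvh "$@"
    fi
}
```

Usage: `printf '%s\n' "$YDL23_MD5_LIST" > ydl23.md5 && apply_update ydl23.md5 /path/to/downloads`.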


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and
package enhancement announcements will be posted. See
http://lists.yellowdoglinux.com/ for more information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_2.2/apt-get.shtml