Yellow Dog Linux Security Announcement: YDU-20020626-1
Dan Burcaw
yellowdog-updates@lists.terrasoftsolutions.com
26 Jun 2002 14:09:20 -0600
(note: not all mirrors have this update yet, and the ones that do are
extremely congested. They are temporarily available for manual download
at: ftp://ftp.terraplex.com/updates)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: apache
Issue Date: June 26, 2002
Priority: high
Advisory ID: YDU-20020626-1
1. Topic:
Updated apache packages are available.
2. Problem:
"Versions of the Apache Web server up to and including 1.3.24 contain a bug
in the routines which deal with requests encoded using "chunked" encoding.
A carefully crafted invalid request can cause an Apache child process to
call the memcpy() function in a way that will write past the end of its
buffer, corrupting the stack.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0392 to this issue.
We have backported the security fix from the official Apache 1.3.26
release. This should help minimize the impact of upgrading to our errata
packages.
All users of Apache should update to these errata packages to correct this
security issue."
(from Red Hat Advisory)
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:

    apt-get update
    apt-get install apache

b) Updating manually...
Download the updates below for your version of Yellow Dog Linux
and then run the following rpm command.
(Please use a mirror site)

    rpm -Fvh [filenames]

Yellow Dog Linux 2.3
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
ppc/apache-1.3.22-6.2.3a.ppc.rpm
ppc/apache-devel-1.3.22-6.2.3a.ppc.rpm
ppc/apache-manual-1.3.22-6.2.3a.ppc.rpm
Yellow Dog Linux 2.2
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
ppc/apache-1.3.22-6.2.2a.ppc.rpm
ppc/apache-devel-1.3.22-6.2.2a.ppc.rpm
ppc/apache-manual-1.3.22-6.2.2a.ppc.rpm
4. Verification
MD5 checksum                     Package
-------------------------------- ----------------------------
[Yellow Dog Linux 2.3]
1d78dc187a6eb53d065313317ebd1f78 SRPMS/apache-1.3.22-6.2.3a.src.rpm
203816970f4b91b24f2b2f0f261b4fbf ppc/apache-1.3.22-6.2.3a.ppc.rpm
24ccb581b5f4f6541ac643520c4ab05d ppc/apache-devel-1.3.22-6.2.3a.ppc.rpm
82006094165512139bd01a40ab78c4a4 ppc/apache-manual-1.3.22-6.2.3a.ppc.rpm
[Yellow Dog Linux 2.2]
39c453c3daec443b983d86c78405a976 SRPMS/apache-1.3.22-6.2.2a.src.rpm
d76a68755fafe67af0bb277eb6a5d396 ppc/apache-1.3.22-6.2.2a.ppc.rpm
84b7fb98be044c557f7b2cd70ec59c8e ppc/apache-devel-1.3.22-6.2.2a.ppc.rpm
1c7fc06d2770d4f915ed2b0a5783fd07 ppc/apache-manual-1.3.22-6.2.2a.ppc.rpm
If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
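
The following is an added example, not part of the original advisory: a POSIX shell function that reads the checksum table above (saved to a text file) and compares each listed MD5 sum with the packages in a download directory. rpm --checksig --nogpg checks the digest stored inside the package itself, so comparing against the published list is a separate check. The function name verify_table, the file names in the usage comment and the status words are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded RPMs against
# the MD5 table in section 4, saved as plain text.
# Entry format: "<32 hex digits> <dir>/<package file>"; header, rule and
# "[Yellow Dog Linux 2.3]" lines are skipped.
#
# verify_table TABLE_FILE DOWNLOAD_DIR   (hypothetical function name)
# Returns 0 if every package found matches, 1 on any mismatch,
# 2 if no listed package was found in DOWNLOAD_DIR.
verify_table() {
    table=$1
    dir=$2
    ok=0
    bad=0
    while read -r sum path rest; do
        # Accept only lines whose first field is exactly 32 hex digits.
        case $sum in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        [ "${#sum}" -eq 32 ] || continue
        [ -n "$path" ] || continue
        name=${path##*/}              # strip the "ppc/" or "SRPMS/" prefix
        file=$dir/$name
        if [ ! -f "$file" ]; then
            echo "MISSING  $name"
            continue
        fi
        expected=$(echo "$sum" | tr 'A-F' 'a-f')
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
            ok=$((ok + 1))
        else
            echo "MISMATCH $name (expected $expected, got $actual)"
            bad=$((bad + 1))
        fi
    done < "$table"
    [ "$bad" -eq 0 ] || return 1
    [ "$ok" -gt 0 ] || return 2
    return 0
}

# Usage: sh verify.sh ydu-md5.txt /path/to/downloads   (constructed names)
if [ "$#" -eq 2 ]; then
    verify_table "$1" "$2"
fi
```

Packages for the other Yellow Dog Linux release are reported as MISSING and do not count as a failure.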
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_2.2/apt-get.shtml