Yellow Dog Security Advisory: YDU-20030127-4

yellowdog-updates@lists.terrasoftsolutions.com
Mon, 27 Jan 2003 01:14:19 -0700 (MST)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	webalizer
Issue Date:	January 27, 2003
Priority:	medium	
Advisory ID: 	YDU-20030127-4


1. 	Topic:

	Updated webalizer packages are available.


2. 	Problem:

	"The Webalizer is a Web server log file analysis program which produces
	detailed usage reports in HTML format.

	A buffer overflow in Webalizer versions prior to 2.01-10, when configured
	to use reverse DNS lookups, may allow remote attackers to execute arbitrary
	code by connecting to the monitored Web server from an IP address that
	resolves to a long hostname.

	[Yellow Dog Linux 2.3] shipped with Webalizer 2.01-9 which is vulnerable to this
	issue.

	Users of webalizer on [Yellow Dog Linux 2.3] are advised to upgrade to these
	errata packages which contain Webalizer version 2.01-09 with backported
	security and bug fix patches."
	(from Red Hat Advisory)


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install webalizer

   	b) Updating manually...
	Download the updates below and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
			ppc/webalizer-2.01_09-1.72.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
c15f69de408b21dbb01075c449e7d2a7  ppc/webalizer-2.01_09-1.72.ppc.rpm
a82cdaf10888b523bf6a84be4e174970  SRPMS/webalizer-2.01_09-1.72.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
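
One way to script this check before running rpm -Fvh, as an added example that is not part of the original advisory: it reads a checksum table in the layout shown above and compares each listed file found in a download directory. The function name verify_advisory_md5 and saving the table to a file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded packages against
# an advisory checksum table before installing them.
#
# verify_advisory_md5 TABLE DIR   (hypothetical helper name)
#   TABLE: file with lines of "<32-hex md5>  <path/to/package.rpm>"
#   DIR:   directory holding the downloaded files (matched by basename)
# Returns 0 only if at least one listed file was found and all found files match.
verify_advisory_md5() {
    table=$1; dir=$2
    checked=0; bad=0
    while read -r sum path _rest || [ -n "$sum" ]; do
        # Skip the header, the ruler line and blanks: keep 32-hex-digit sums only.
        case $sum in
            *[!0-9a-fA-F]*|'') continue ;;
        esac
        [ "${#sum}" -eq 32 ] || continue
        [ -n "$path" ] || continue
        name=${path##*/}
        file=$dir/$name
        if [ ! -f "$file" ]; then
            echo "SKIP  $name (not downloaded)"
            continue
        fi
        want=$(printf '%s' "$sum" | tr 'A-F' 'a-f')
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$actual" = "$want" ]; then
            echo "OK    $name"
        else
            echo "FAIL  $name: expected $want, got $actual"
            bad=$((bad + 1))
        fi
    done < "$table"
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Stand-alone use, with the table above saved to a file:
#   sh verify.sh checksums.txt . && rpm -Fvh webalizer-2.01_09-1.72.ppc.rpm
if [ "$#" -eq 2 ]; then
    verify_advisory_md5 "$1" "$2"
fi
```

A match shows only that the file equals what the table lists; it does not authenticate the table itself.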


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml