OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   23-Oct-2002 14:24:15
  Branch: HEAD                             Handle: 2002102313241400

  Added files:
    openpkg-web/security    OpenPKG-SA-2002.010-apache.txt
  Modified files:
    openpkg-web             security.txt security.wml

  Log:
    add SA for Apache/mod_ssl

  Summary:
    Revision    Changes     Path
    1.6         +1  -0      openpkg-web/security.txt
    1.22        +1  -0      openpkg-web/security.wml
    1.1         +73 -0      openpkg-web/security/OpenPKG-SA-2002.010-apache.txt
  ____________________________________________________________________________

  Index: openpkg-web/security.txt
  ============================================================
  $ cvs diff -u -r1.5 -r1.6 security.txt
  --- openpkg-web/security.txt  4 Oct 2002 19:47:18 -0000       1.5
  +++ openpkg-web/security.txt  23 Oct 2002 12:24:14 -0000      1.6
  @@ -1,3 +1,4 @@
  +23-Oct-2002: Security Advisory: S<OpenPKG-SA-2002.010-apache>
   04-Oct-2002: Security Advisory: S<OpenPKG-SA-2002.009-apache>
   30-Jul-2002: Security Advisory: S<OpenPKG-SA-2002.008-openssl>
   30-Jul-2002: Security Advisory: S<OpenPKG-SA-2002.007-mm>
  Index: openpkg-web/security.wml
  ============================================================
  $ cvs diff -u -r1.21 -r1.22 security.wml
  --- openpkg-web/security.wml  4 Oct 2002 19:47:18 -0000       1.21
  +++ openpkg-web/security.wml  23 Oct 2002 12:24:14 -0000      1.22
  @@ -70,6 +70,7 @@
      <a href="security/OpenPKG-SA-%0-%1.txt">TXT</a>)<br>
   </define-tag>
   <box bdspace=10 bgcolor="#e5e0d5">
  +  <sa 2002.010 apache>
     <sa 2002.009 apache>
     <sa 2002.008 openssl>
     <sa 2002.007 mm>
  Index: openpkg-web/security/OpenPKG-SA-2002.010-apache.txt
  ============================================================
  $ cvs update -p -r1.1 OpenPKG-SA-2002.010-apache.txt
  ________________________________________________________________________
  
  OpenPKG Security Advisory                            The OpenPKG Project
  http://www.openpkg.org/security.html              http://www.openpkg.org
  [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  OpenPKG-SA-2002.010                                          23-Oct-2002
  ________________________________________________________________________
  
  Package:             apache
  Vulnerability:       cross site scripting
  OpenPKG Specific:    no
  
  Affected Releases:   Affected Packages:        Corrected Packages:
  OpenPKG 1.0          <= apache-1.3.22-1.0.5    >= apache-1.3.22-1.0.6
  OpenPKG 1.1          <= apache-1.3.26-1.1.1    >= apache-1.3.26-1.1.2
  OpenPKG CURRENT      <= apache-1.3.27-20021009 >= apache-1.3.27-20021023
  
  Description:
    Joe Orton <[EMAIL PROTECTED]> discovered a cross site scripting (XSS)
    bug [3] in mod_ssl [1], the SSL/TLS component for the Apache webserver
    [2]. Like the other recent Apache XSS bugs, it only affects servers
    that combine "UseCanonicalName off" (_not_ the default in the OpenPKG
    Apache package) with a wildcard A record for the server in the DNS.
    Although this combination is even less common on HTTPS servers than
    on plain HTTP servers, it could nevertheless allow remote attackers to
    execute client-side script code in the browsers of other visitors of
    the web site via the HTTP "Host" header.
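
    The following shell script is an added illustration for this advisory
    and is not mod_ssl, Apache or OpenPKG code. It models the documented
    UseCanonicalName rule behind the precondition above (On: the ServerName
    is used for self-referential URLs; Off: the client-supplied Host header
    is used) and shows why a link written into an error page from an
    unescaped Host header turns into script, while HTML escaping or the
    default "On" setting stops it. The ServerName value and the attacker
    Host header are constructed for the demonstration.

```sh
#!/bin/sh
# Added illustration for OpenPKG-SA-2002.010; NOT mod_ssl or Apache code.
# Models how UseCanonicalName picks the host name for self-referential
# URLs and what happens when that name is pasted into HTML unescaped.

SERVER_NAME="www.example.org"   # assumed ServerName directive value

# self_host MODE HOST_HEADER -> host name used for self-referential URLs
# (documented Apache rule: On uses ServerName, Off uses the Host header)
self_host() {
    case "$1" in
        [Oo]n)  printf '%s' "$SERVER_NAME" ;;
        [Oo]ff) printf '%s' "$2" ;;
        *)      echo "self_host: bad UseCanonicalName value '$1'" >&2; return 1 ;;
    esac
}

# html_escape STRING -> STRING with &, <, >, " replaced by entities
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# error_page MODE HOST_HEADER ESCAPE(yes|no)
# Builds the "use https://<host>/ instead" link the way a naive error
# page would; ESCAPE=yes is the hardened variant.
error_page() {
    host=$(self_host "$1" "$2") || return 1
    if [ "$3" = yes ]; then
        host=$(html_escape "$host")
    fi
    printf '<a href="https://%s/">https://%s/</a>\n' "$host" "$host"
}

# contains_script PAGE -> 0 when the injected <script> tag survived verbatim
contains_script() {
    case "$1" in
        *'<script>'*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed attacker-controlled Host header. With a wildcard A record
# such a name still resolves to the server, so the request is answered.
EVIL_HOST='www.example.org"><script>alert(1)</script><a href="'

# Stand-alone demonstration of the three cases
for mode in on off; do
    echo "UseCanonicalName $mode, unescaped: $(error_page "$mode" "$EVIL_HOST" no)"
done
echo "UseCanonicalName off, escaped:   $(error_page off "$EVIL_HOST" yes)"
```

    With "on" the attacker string never reaches the page, which is why the
    OpenPKG default is not affected; with "off" only the escaping variant
    neutralises it.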
  
    Please check whether you are affected by running "<prefix>/bin/rpm -q
    apache". If you have an affected version of the "apache" package (see
    above), upgrade it according to the solution below. Remember to also
    rebuild and reinstall any dependent OpenPKG packages. [4]
  
  Solution:
    Select the updated source RPM appropriate for your OpenPKG release
    [5][6][7], fetch it from the OpenPKG FTP service or a mirror location,
    verify its integrity [8], build a corresponding binary RPM from it
    and update your OpenPKG installation by finally installing the binary
    RPM [4]. For the latest OpenPKG 1.1 release, perform the following
    operations to permanently fix the security problem (for other releases
    adjust accordingly).
  
    $ ftp ftp.openpkg.org
    ftp> bin
    ftp> cd release/1.1/UPD
    ftp> get apache-1.3.26-1.1.2.src.rpm
    ftp> bye
    $ <prefix>/bin/rpm --checksig apache-1.3.26-1.1.2.src.rpm
    $ <prefix>/bin/rpm --rebuild apache-1.3.26-1.1.2.src.rpm
    $ su -
    # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.26-1.1.2.*.rpm
    # <prefix>/etc/rc apache stop start
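
    The following shell helper is an added example and is not part of the
    advisory or of OpenPKG. It turns the "<prefix>/bin/rpm -q apache"
    check above into a script: it classifies the installed package against
    the "Affected Packages" table, and optionally greps a configuration
    file for the "UseCanonicalName off" precondition. The version table is
    taken from this advisory; the httpd.conf path in the usage comment is
    an assumption.

```sh
#!/bin/sh
# Added helper for OpenPKG-SA-2002.010; not part of the advisory or OpenPKG.
# Usage: sh check.sh "$(<prefix>/bin/rpm -q apache)" [httpd.conf]
# (the location of httpd.conf under <prefix>/etc is an assumption)

# First corrected release per upstream version, from the advisory table.
# Format: <upstream-version> <first-fixed-release>
FIXED_TABLE='1.3.22 1.0.6
1.3.26 1.1.2
1.3.27 20021023'

# rel_lt A B -> 0 when dotted release A sorts before B (numeric per field)
rel_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa < yb) exit 0
            if (xa > yb) exit 1
        }
        exit 1
    }'
}

# apache_affected NAME-VERSION-RELEASE (as printed by "rpm -q apache")
# prints "affected", "fixed" or "unknown" and returns 0, 1 or 2
apache_affected() {
    pkg=$1
    case "$pkg" in
        apache-*) ;;
        *) echo unknown; return 2 ;;
    esac
    rel=${pkg##*-}                      # e.g. 1.1.1
    ver=${pkg#apache-}; ver=${ver%-*}   # e.g. 1.3.26
    fixed=$(printf '%s\n' "$FIXED_TABLE" | awk -v v="$ver" '$1 == v { print $2 }')
    if [ -z "$fixed" ]; then
        echo unknown; return 2
    fi
    if rel_lt "$rel" "$fixed"; then
        echo affected; return 0
    fi
    echo fixed; return 1
}

# canonical_name_off < httpd.conf -> 0 if an uncommented
# "UseCanonicalName off" directive (any case) is present
canonical_name_off() {
    grep -iq '^[[:space:]]*UseCanonicalName[[:space:]][[:space:]]*off[[:space:]]*$'
}

if [ $# -ge 1 ]; then
    printf 'package %s: %s\n' "$1" "$(apache_affected "$1")"
    if [ $# -ge 2 ]; then
        if canonical_name_off < "$2"; then
            echo "config $2: UseCanonicalName off (XSS precondition present)"
        else
            echo "config $2: UseCanonicalName not off (precondition absent)"
        fi
    fi
fi
```

    A package reported as "affected" should be upgraded regardless of the
    configuration result; the configuration check only tells you whether
    the hole is currently reachable on that host.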
  ________________________________________________________________________
  
  References:
    [1]  http://www.modssl.org/
    [2]  http://httpd.apache.org/
    [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
    [4]  http://www.openpkg.org/tutorial.html#regular-source
    [5]  ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.6.src.rpm
    [6]  ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.2.src.rpm
    [7]  ftp://ftp.openpkg.org/current/SRC/apache-1.3.27-20021023.src.rpm
    [8]  http://www.openpkg.org/security.html#signature
  ________________________________________________________________________
  
  For security reasons, this advisory was digitally signed with
  the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F)
  of the OpenPKG project which you can find under the official URL
  http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
  check the integrity of this advisory, verify its digital signature by
  using GnuPG (http://www.gnupg.org/). For example, pipe this message to
  the command "gpg --verify --keyserver keyserver.pgp.com".
  ________________________________________________________________________
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]