Re: [SECURITY] [DSA 187-1] New Apache packages fix several vulnerabilities
Anyone know how to see if UseCannocialName is on or off by default? I am using Apache 1.3.26. Thanks, Roger On Mon, 2002-11-04 at 10:26, Martin Schulze wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > - -- > Debian Security Advisory DSA 187-1 [EMAIL PROTECTED] > http://www.debian.org/security/ Martin Schulze > November 4th, 2002 http://www.debian.org/security/faq > - -- > > Package: apache > Vulnerability : several > Problem-Type : remote, local > Debian-specific: no > CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 > CAN-2002-1233 > BugTraq ID : 5847 5884 5887 > > According to David Wagner, iDEFENSE and the Apache HTTP Server > Project, several remotely exploitable vulnerabilities have been found > in the Apache package, a commonly used webserver. These > vulnerabilities could allow an attacker to enact a denial of service > against a server or execute a cross scripting attack. The Common > Vulnerabilities and Exposures (CVE) project identified the following > vulnerabilities: > > 1. CAN-2002-0839: A vulnerability exists on platforms using System V >shared memory based scoreboards. This vulnerability allows an >attacker who can execute under the Apache UID to exploit the Apache >shared memory scoreboard format and send a signal to any process as >root or cause a local denial of service attack. > > 2. CAN-2002-0840: Apache is susceptible to a cross site scripting >vulnerability in the default 404 page of any web server hosted on a >domain that allows wildcard DNS lookups. > > 3. CAN-2002-0843: There were some possible overflows in the utility >ApacheBench (ab) which could be exploited by a malicious server. > > 4. CAN-2002-1233: A race condition in the htpasswd and htdigest >program enables a malicious local user to read or even modify the >contents of a password file or easily create and overwrite files as >the user running the htpasswd (or htdigest respectively) program. > > 5. CAN-2001-0131: htpasswd and htdigest in Apache 2.0a9, 1.3.14, and >others allows local users to overwrite arbitrary files via a >symlink attack. > >This is the same vulnerability as CAN-2002-1233, which was fixed in >potato already but got lost later and was never applied upstream. > > 5. NO-CAN: Several buffer overflows have been found in the ApacheBench >(ab) utility that could be exploited by a remote server returning >very long strings. > > These problems have been fixed in version 1.3.26-0woody3 for the > current stable distribution (woody) and in 1.3.9-14.3 for the old > stable distribution (potato). Corrected packages for the unstable > distribution (sid) are expected soon. > > We recommend that you upgrade your Apache package immediately. > > wget url > will fetch the file for you > dpkg -i file.deb > will install the referenced file. > > If you are using the apt-get package manager, use the line for > sources.list as given below: > > apt-get update > will update the internal database > apt-get upgrade > will install corrected packages > > You may use an automated update by adding the resources from the > footer to the proper configuration. > > > Debian GNU/Linux 2.2 alias potato > - - > > Source archives: > > > http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3.diff.gz > Size/MD5 checksum: 345741 5f88eecddfe95c8366888bb71e0917ce > > http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3.dsc > Size/MD5 checksum: 666 d69af430768983c68a2d881c4c9ee236 > > http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9.orig.tar.gz > Size/MD5 checksum: 1691969 6758fe8b931be0b634b6737d9debf703 > > Architecture independent components: > > > http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.9-14.3_all.deb > Size/MD5 checksum: 544588 95611594e54cb8bf69b5ffa47598a17d > > Alpha architecture: > > > http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_alpha.deb > Size/MD5 checksum: 409920 178a31efa994c54161515d7e5dceb32a > > http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.9-14.3_alpha.deb > Size/MD5 checksum: 809564 102b7a7ed3be7752ff80f209c755ca8e > > http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.9-14.3_alpha.deb > Size/MD5 checksum: 754386 39db60aedbba0afaa45015149e6cabd6 > > ARM architecture: > > > http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_arm.deb > Size/MD5 checksum: 366248 3cba61971237b64017d19ed554d89d99 > > http://security.debian.org/pool/up
Re: [SECURITY] [DSA 187-1] New Apache packages fix severalvulnerabilities
Anyone know how to see if UseCannocialName is on or off by default? I am using Apache 1.3.26. Thanks, Roger On Mon, 2002-11-04 at 10:26, Martin Schulze wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > - -- > Debian Security Advisory DSA 187-1 [EMAIL PROTECTED] > http://www.debian.org/security/ Martin Schulze > November 4th, 2002 http://www.debian.org/security/faq > - -- > > Package: apache > Vulnerability : several > Problem-Type : remote, local > Debian-specific: no > CVE Id : CAN-2002-0839 CAN-2002-0840 CAN-2002-0843 CAN-2001-0131 >CAN-2002-1233 > BugTraq ID : 5847 5884 5887 > > According to David Wagner, iDEFENSE and the Apache HTTP Server > Project, several remotely exploitable vulnerabilities have been found > in the Apache package, a commonly used webserver. These > vulnerabilities could allow an attacker to enact a denial of service > against a server or execute a cross scripting attack. The Common > Vulnerabilities and Exposures (CVE) project identified the following > vulnerabilities: > > 1. CAN-2002-0839: A vulnerability exists on platforms using System V >shared memory based scoreboards. This vulnerability allows an >attacker who can execute under the Apache UID to exploit the Apache >shared memory scoreboard format and send a signal to any process as >root or cause a local denial of service attack. > > 2. CAN-2002-0840: Apache is susceptible to a cross site scripting >vulnerability in the default 404 page of any web server hosted on a >domain that allows wildcard DNS lookups. > > 3. CAN-2002-0843: There were some possible overflows in the utility >ApacheBench (ab) which could be exploited by a malicious server. > > 4. CAN-2002-1233: A race condition in the htpasswd and htdigest >program enables a malicious local user to read or even modify the >contents of a password file or easily create and overwrite files as >the user running the htpasswd (or htdigest respectively) program. > > 5. CAN-2001-0131: htpasswd and htdigest in Apache 2.0a9, 1.3.14, and >others allows local users to overwrite arbitrary files via a >symlink attack. > >This is the same vulnerability as CAN-2002-1233, which was fixed in >potato already but got lost later and was never applied upstream. > > 5. NO-CAN: Several buffer overflows have been found in the ApacheBench >(ab) utility that could be exploited by a remote server returning >very long strings. > > These problems have been fixed in version 1.3.26-0woody3 for the > current stable distribution (woody) and in 1.3.9-14.3 for the old > stable distribution (potato). Corrected packages for the unstable > distribution (sid) are expected soon. > > We recommend that you upgrade your Apache package immediately. > > wget url > will fetch the file for you > dpkg -i file.deb > will install the referenced file. > > If you are using the apt-get package manager, use the line for > sources.list as given below: > > apt-get update > will update the internal database > apt-get upgrade > will install corrected packages > > You may use an automated update by adding the resources from the > footer to the proper configuration. > > > Debian GNU/Linux 2.2 alias potato > - - > > Source archives: > > http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3.diff.gz > Size/MD5 checksum: 345741 5f88eecddfe95c8366888bb71e0917ce > http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3.dsc > Size/MD5 checksum: 666 d69af430768983c68a2d881c4c9ee236 > http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9.orig.tar.gz > Size/MD5 checksum: 1691969 6758fe8b931be0b634b6737d9debf703 > > Architecture independent components: > > >http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.9-14.3_all.deb > Size/MD5 checksum: 544588 95611594e54cb8bf69b5ffa47598a17d > > Alpha architecture: > > http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_alpha.deb > Size/MD5 checksum: 409920 178a31efa994c54161515d7e5dceb32a > >http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.9-14.3_alpha.deb > Size/MD5 checksum: 809564 102b7a7ed3be7752ff80f209c755ca8e > >http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.9-14.3_alpha.deb > Size/MD5 checksum: 754386 39db60aedbba0afaa45015149e6cabd6 > > ARM architecture: > > http://security.debian.org/pool/updates/main/a/apache/apache_1.3.9-14.3_arm.deb > Size/MD5 checksum: 366248 3cba61971237b64017d19ed554d89d99 > >http://security.debian.org/pool/updates/main/a/apache/
Bind 4 & 8 issues
It is my understanding all of these vulnerabilities exist in the *stock* version of Bind 8.3.3-REL from ISC. Have any of these issues been addressed in the current version? CAN-2002-1219 BIND SIG Cached RR Overflow Vulnerability CAN-2002-1220 BIND OPT DoS CAN-2002-1221 BIND SIG Expiry Time DoS Good luck to all, Roger Ward Programmer, National Net Inc.
Bind 4 & 8 issues
It is my understanding all of these vulnerabilities exist in the *stock* version of Bind 8.3.3-REL from ISC. Have any of these issues been addressed in the current version? CAN-2002-1219 BIND SIG Cached RR Overflow Vulnerability CAN-2002-1220 BIND OPT DoS CAN-2002-1221 BIND SIG Expiry Time DoS Good luck to all, Roger Ward Programmer, National Net Inc.
Re: Debian (Unstable) problem with SSH and PAM
What? You're a coder? A sysadmin? Why do you need help setting up an ISP on your MODEM, setting up postfix, and also with package version control? All things debian provides easily, through dpkg, the debian-policy, and its inclusion of documentation in the base distribution. Please don't flood this mailing list with useless crap blasting us for reasons far above your head. And don't try to appear like a experienced sysadmin giving out your advice like it is god-given word. Some people find your nature offensive, while others doing a little bit of research find your personality quite amusing :) DO support whichever distribution you like best, but DON'T claim to be a sysadmin unless you are. Some of us get paid for it and actually are. -Roger - [From the gentoo-USER list] > > Hugo <[EMAIL PROTECTED]> writes: > > > > > anybody knows where i can find a doc talking about postfix and his > > > configuration? > > > > > > Tanks in advance... DiOz [EMAIL PROTECTED] Sun, 25 Aug 2002 16:49:41 + writes: Yea that is a *must* have to Gentoo... i hope this is already done... or it is in the way :) Have a nice day --- From: "Hugo" <[EMAIL PROTECTED]> To: Sent: Monday, August 19, 2002 5:36 AM Subject: [gentoo-user] other off topic > Hi > > I was searching by how to make an little isp (thought my unused modem) > but i cant find nothing about... > > Is there a portage to do this? or some info about? > > Tanks in advance -- On Sun, 2002-08-25 at 21:57, Tim Head wrote: > Hi > > maybe i am a bit stupid or not reading the screen but is there a realy > easy,obvious way of fidning out which version of a package is installed? > or is it possible to get emerge to tell you from wich version it is > updating xyz if i do emerge --update world/system/single package . for a > few packages (webserver et al) you know the version and for a few things > you can find out by searching for the package but for some things (libs > are a thing if idn very difficult to keep track of) this search/remember > thing is to much for my small brain. if not here where should i put this > sort of "Want-to-have" feature? > > tim > or perhaps there is already what i'm looking for but i can't find it > -- > There are only 10 types of people in the world: > Those who understand binary, and those who don't On 04 Oct 2002 00:37:52 + _El_ArKiTeKt0_DeL_FuTuR0_ <[EMAIL PROTECTED]> wrote: > Yea... you are getting nice... LaMer... i am a system administrador and > a coder... so...shut up. > > On Thu, 2002-10-03 at 18:24, Ian Greenhoe wrote: > > > > ROTFLMAO > > > > When I want an insecure OS, I might take your advice. > > > > BTW, any time that *I* compile a program, *I* have to deal with any of > > the problems of compiling that program. That's the nice thing about > > Debian: I know that there is an active community out there discovering > > and reporting bugs (as I have done a few times), and an active community > > out there fixing them. Not only that, but there is also an active > > community helping to support people who want to use it. > > > > So, please do one of the following: > > > > 1) Be nice > > > > 2) If Debian sucks* in your opinion, don't complain obnoxiously > > -- DO SOMETHING ABOUT IT > > > > 3) Go away > > > > * Debian is the /least/ sucky OS, IMNSHO. > > > > -Ian > > > > PS. Speaking as a developer and a sysadmin. > > > > > > Thus spake _ArKiTeKt0_: > > >A tip: > > > > > >Put debian's cd in trashcan and buy windows xp x or you can do > > >other thing... more bether... > > > > > >Download linux Gentoo. and learn how to do the things GOOD, not like > > >redhat, debian, or mandrake... > > > > > >Have a nice day > > > > > > > > > > > > -- > Here is a tip for those... > Who always are calling lamer to all... >Only because you have linux... > But. If you still being kind of windows user... > then dont callme lamer.. > Just because you are one.. > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] >
Re: Debian (Unstable) problem with SSH and PAM
What? You're a coder? A sysadmin? Why do you need help setting up an ISP on your MODEM, setting up postfix, and also with package version control? All things debian provides easily, through dpkg, the debian-policy, and its inclusion of documentation in the base distribution. Please don't flood this mailing list with useless crap blasting us for reasons far above your head. And don't try to appear like a experienced sysadmin giving out your advice like it is god-given word. Some people find your nature offensive, while others doing a little bit of research find your personality quite amusing :) DO support whichever distribution you like best, but DON'T claim to be a sysadmin unless you are. Some of us get paid for it and actually are. -Roger - [From the gentoo-USER list] > > Hugo <[EMAIL PROTECTED]> writes: > > > > > anybody knows where i can find a doc talking about postfix and his > > > configuration? > > > > > > Tanks in advance... DiOz [EMAIL PROTECTED] Sun, 25 Aug 2002 16:49:41 + writes: Yea that is a *must* have to Gentoo... i hope this is already done... or it is in the way :) Have a nice day --- From: "Hugo" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, August 19, 2002 5:36 AM Subject: [gentoo-user] other off topic > Hi > > I was searching by how to make an little isp (thought my unused modem) > but i cant find nothing about... > > Is there a portage to do this? or some info about? > > Tanks in advance -- On Sun, 2002-08-25 at 21:57, Tim Head wrote: > Hi > > maybe i am a bit stupid or not reading the screen but is there a realy > easy,obvious way of fidning out which version of a package is installed? > or is it possible to get emerge to tell you from wich version it is > updating xyz if i do emerge --update world/system/single package . for a > few packages (webserver et al) you know the version and for a few things > you can find out by searching for the package but for some things (libs > are a thing if idn very difficult to keep track of) this search/remember > thing is to much for my small brain. if not here where should i put this > sort of "Want-to-have" feature? > > tim > or perhaps there is already what i'm looking for but i can't find it > -- > There are only 10 types of people in the world: > Those who understand binary, and those who don't On 04 Oct 2002 00:37:52 + _El_ArKiTeKt0_DeL_FuTuR0_ <[EMAIL PROTECTED]> wrote: > Yea... you are getting nice... LaMer... i am a system administrador and > a coder... so...shut up. > > On Thu, 2002-10-03 at 18:24, Ian Greenhoe wrote: > > > > ROTFLMAO > > > > When I want an insecure OS, I might take your advice. > > > > BTW, any time that *I* compile a program, *I* have to deal with any of > > the problems of compiling that program. That's the nice thing about > > Debian: I know that there is an active community out there discovering > > and reporting bugs (as I have done a few times), and an active community > > out there fixing them. Not only that, but there is also an active > > community helping to support people who want to use it. > > > > So, please do one of the following: > > > > 1) Be nice > > > > 2) If Debian sucks* in your opinion, don't complain obnoxiously > > -- DO SOMETHING ABOUT IT > > > > 3) Go away > > > > * Debian is the /least/ sucky OS, IMNSHO. > > > > -Ian > > > > PS. Speaking as a developer and a sysadmin. > > > > > > Thus spake _ArKiTeKt0_: > > >A tip: > > > > > >Put debian's cd in trashcan and buy windows xp x or you can do > > >other thing... more bether... > > > > > >Download linux Gentoo. and learn how to do the things GOOD, not like > > >redhat, debian, or mandrake... > > > > > >Have a nice day > > > > > > > > > > > > -- > Here is a tip for those... > Who always are calling lamer to all... >Only because you have linux... > But. If you still being kind of windows user... > then dont callme lamer.. > Just because you are one.. > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: http://www.securiteam.com/unixfocus/5QP020K350.html
Which bug? this url does not work -Roger On Thu, 8 Aug 2002 15:19:34 -0400 (EDT) Mike Dresser <[EMAIL PROTECTED]> wrote: > Did the above mentioned hole ever get fixed in potato bitchx? > > Seems that it should have been, but the exploit is well over a year old, > and I see nothing in the changelog. > > Mike > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > pgpSWxnBaQ5MO.pgp Description: PGP signature
