Debian: 'libapache-mod-ssl' Buffer overflow / DoS

    Date: 02 Jul 2002
    Category: Debian
    Posted By: LinuxSecurity Advisories
    Recently, a problem has been found in the handling of .htaccess files, allowing arbitrary code execution as the web server user (regardless of ExecCGI / suexec settings), DoS attacks (killing off apache children), and allowing someone to take control of apache child processes - all through specially crafted .htaccess files.
    
    ------------------------------------------------------------------------
    Debian Security Advisory DSA-135-1
    http://www.debian.org/security/ Robert van der Meulen
    July  2, 2002
    ------------------------------------------------------------------------
    
    
    Package        : libapache-mod-ssl
    Problem type   : buffer overflow / DoS
    Debian-specific: no
    
    The libapache-mod-ssl package provides SSL capability to the apache
    webserver.
    Recently, a problem has been found in the handling of .htaccess files,
    allowing arbitrary code execution as the web server user (regardless of
    ExecCGI / suexec settings), DoS attacks (killing off apache children), and
    allowing someone to take control of apache child processes - all through
    specially crafted .htaccess files.
    More information about this vulnerability can be found at
     
    http://online.securityfocus.com/bid/5084
    
    This has been fixed in the libapache-mod-ssl_2.4.10-1.3.9-1potato2 package
    (for potato), and the libapache-mod-ssl_2.8.9-2 package (for woody).
    We recommend you upgrade as soon as possible.
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    Debian GNU/Linux 2.2 alias potato
    ---------------------------------
    
      Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
      Packages for m68k are not available at this moment.
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2.dsc
    MD5 checksum:	5b2cb207ba8214f52ffbc28836dd8dc4
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2.diff.gz
    MD5 checksum:	29eef2b3307f00d92eb425ac669dabec
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9.orig.tar.gz
    MD5 checksum:	cb0f2e07065438396f0d5df403dd2c16
    
      Architecture independent packages:
    
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl-doc_2.4.10-1.3.9-1potato2_all.deb
    MD5 checksum:	ebd8154f614e646b3a12980c8db606b6
    
      alpha architecture (DEC Alpha)
    
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_alpha.deb
    MD5 checksum:	a3d73598e692b9c0bb945a52a00a363c
    
      arm architecture (ARM)
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_arm.deb
    MD5 checksum:	11e1085504430cacadd0255a0743b80a
    
      i386 architecture (Intel ia32)
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_i386.deb
    MD5 checksum:	a1fd7d6a7ef3506ee0f94e56735d3d08
    
      powerpc architecture (PowerPC)
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_powerpc.deb
    MD5 checksum:	0f01742c2a77f2728baea4e1e9ad7ff0
    
      sparc architecture (Sun SPARC/UltraSPARC)
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato2_sparc.deb
    MD5 checksum:	4982a209adc93acbf50a650a3569d217
    
      These packages will be moved into the stable distribution on its next
      revision.
    
    Debian GNU/Linux 3.0 alias woody
    --------------------------------
    
      Woody will be released for alpha, arm, hppa, i386, ia64, m68k, mips,
      mipsel, powerpc, s390 and sparc.
      Packages for ia64 and hppa are not available for the moment.
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.dsc
    MD5 checksum:	7cce5c97bd3cf35c8782d54a25138165
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.diff.gz
    MD5 checksum:	fc9f20e6d3bece6f0d3bad067c61d56a
    
      Architecture independent packages:
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl-doc_2.8.9-2_all.deb
    MD5 checksum:	541257e99c523141625f5fc43fb3dec4
    
      alpha architecture (DEC Alpha)
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_alpha.deb
    MD5 checksum:	712e406d8be713047f3e46bbf58269a5
    
      arm architecture (ARM)
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_arm.deb
    MD5 checksum:	8ce3d4d45f45423a6c6b7d795c319d33
    
      i386 architecture (Intel ia32)
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_i386.deb
    MD5 checksum:	06733dc49c228230e5713f34eae7f8b0
    
      m68k architecture
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_m68k.deb
    MD5 checksum: 	e5a8518aac6d08bb5e9cc50195d336e3
    
      mips architecture
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_mips.deb
    MD5 checksum:	dde883d6ee72f3b29fc324d9cb497670
    
      mipsel architecture
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_mipsel.deb
    MD5 checksum:	a80756857248358c7973a5b0fb9372e2
    
      powerpc architecture (PowerPC)
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_powerpc.deb
    MD5 checksum:	715876a54ddddf1e17e4c2ec9d2f5eea
    
      s390 architecture (S390)
         http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2_s390.deb
    MD5 checksum:	1a31f564ceba0ca82d9892d023caffd0
    
    --
    ----------------------------------------------------------------------------
    apt-get: deb  http://security.debian.org/ stable/updates main
    dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main