[PLDSA 23-1] New apache-mod_ssl packages fix cross site scripting

Krzysiek Taraszka dzimi at pld.org.pl
Sun Feb 9 12:49:17 CET 2003


--------------------------------------------------------------------------
PLD Security Advisory PLDSA 23-1                        security at pld.org.pl
http://www.pld.org.pl/security/                          PLD Security Team
03 February 2003                        http://www.pld.org.pl/security/faq
--------------------------------------------------------------------------

Package        : prior to apache-mod_ssl-2.8.11_1.3.27-1
Vulnerability  : cross site scripting
Problem-Type   : remote
PLD-specific   : no
CVE references : CAN-2002-1157

A cross-site scripting vulnerability in mod_ssl was discovered by Joe
Orton. It only affects servers that combine wildcard DNS with
"UseCanonicalName off".
With that directive turned off, Apache uses the hostname:port supplied
by the client whenever it constructs a self-referencing URL, so
client-controlled text ends up in the page the server generates; this is
where the problem comes into play. With the directive turned on, Apache
forms the canonical name from ServerName and Port instead and the
client-supplied value is never used.
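As an added illustration (not code from the advisory, Apache or mod_ssl), the following Python models the two UseCanonicalName modes described above and shows why the client-supplied Host value needs the same escaping as any other untrusted input; the ServerName, Port and "document has moved" markup are assumed.

```python
"""Model of Apache's server-name choice for self-referencing URLs.

Added illustration, not code from Apache or mod_ssl.  Assumed config:
ServerName www.example.org, Port 443, UseCanonicalName on or off.
"""
import re
from dataclasses import dataclass
from html import escape


@dataclass
class ServerConfig:
    server_name: str = "www.example.org"  # assumed ServerName
    port: int = 443                        # assumed Port
    use_canonical_name: bool = True


# RFC 1123 host labels, dot separated, optional :port; nothing else.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*(:\d{1,5})?$"
)


def canonical_name(cfg, host_header):
    """host[:port] Apache uses when it builds a self-referencing URL.

    UseCanonicalName on: ServerName and Port, whatever the client sent.
    UseCanonicalName off: the client's Host header, verbatim (the
    condition the advisory describes).
    """
    if cfg.use_canonical_name or host_header is None:
        return cfg.server_name if cfg.port == 443 else f"{cfg.server_name}:{cfg.port}"
    return host_header


def self_referencing_url(cfg, host_header, path):
    return f"https://{canonical_name(cfg, host_header)}{path}"


def moved_page_unsafe(url):
    """'Document has moved' body with the URL inserted raw: the defect class."""
    return f'<html><body>The document has moved <a href="{url}">here</a>.</body></html>'


def moved_page_safe(url):
    """Same page with the URL HTML-escaped, so markup in Host stays inert."""
    return f'<html><body>The document has moved <a href="{escape(url, quote=True)}">here</a>.</body></html>'


def host_header_is_plausible(host_header):
    """Defensive filter: accept only a syntactically valid host[:port]."""
    return host_header is not None and _HOST_RE.match(host_header) is not None
```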

The above problems have been fixed in version 2.8.12_1.3.27-1 for the
current stable distribution (ra).

We recommend that you upgrade your apache-mod_ssl packages.

wget -c url
        will fetch the file for you
rpm -Uhv file(s)*.rpm
        will upgrade the referenced file(s).

If you are using the "poldek" package manager, use the lines given below
to upgrade the packages:

poldek --update
        will update the internal database
poldek --upgrade 'apache-mod_ssl*'
        will install corrected packages

If you are using the "apt" package manager, use the lines given below
to upgrade the packages:

apt-get update
        will update the internal database
apt-get upgrade 'apache-mod_ssl*'
        will install corrected packages

PLD Linux 1.0 alias ra
----------------------

  Source archives:

ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/apache-mod_ssl-2.8.12_1.3.27-1.src.rpm
       MD5 checksum: ee4adecfd8a4cb75952fab0072d515f8

  I386 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/apache-mod_ssl-2.8.12_1.3.27-1.i386.rpm
       MD5 checksum: 6d103e0598bff9e9559c9ae24230c0ae

ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/apache-mod_sxnet-2.8.12_1.3.27-1.i386.rpm
       MD5 checksum: 84d7baa30e718294ec29770d98176b67


  I586 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/apache-mod_ssl-2.8.12_1.3.27-1.i586.rpm
       MD5 checksum: 0cf9460bf3d8655a09de2b05e4abd8fd

ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/apache-mod_sxnet-2.8.12_1.3.27-1.i586.rpm
       MD5 checksum: 9085e4886988bfea61eb2b472c5f119f


  I686 Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/apache-mod_ssl-2.8.12_1.3.27-1.i686.rpm
       MD5 checksum: 6d4adab2bbdd2e435cf7ee8714004c3b

ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/apache-mod_sxnet-2.8.12_1.3.27-1.i686.rpm
       MD5 checksum: 8fa6cf8da19cd2e96101340fa3377282


  PowerPC Architecture components:

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/apache-mod_ssl-2.8.12_1.3.27-1.ppc.rpm
       MD5 checksum: 757773d2dc7688ba960ad12b1cee6c20

ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/apache-mod_sxnet-2.8.12_1.3.27-1.ppc.rpm
       MD5 checksum: 022281cd0b8eda61494b552a0791b393


--------------------------------------------------------------------------------
If you are using poldek, add the line for your architecture to poldek.conf.
If you are using apt-get, add the line for your architecture to sources.list.

For i386 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek:         source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get:        rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security
