[CLA-2001:430] Conectiva Linux Security Announcement - apache

2001-10-1900:00:00

vulners.com

JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : apache
SUMMARY : Remote vulnerabilities in Apache < 1.3.22
DATE : 2001-10-18 18:54:00
ID : CLA-2001:430
RELEVANT
RELEASES : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

DESCRIPTION
Apache is a robust, commercial-grade web server.

Security problems have been found in the Apache packages shipped with
all versions of Conectiva Linux. This update fixes the following
vulnerabilities:

A intentionally malformed Host: header could allow any file with
a .log extention to be overwritten due to a problem in the
split-logfile script. Conectiva Linux does not ship split-logfile,
but users who may have installed this script manually are thus
advised to check their systems for this vulnerability. [1]
When Multiviews are used to negotiate the directory index, under
certain conditions a request for the URI /?M=D could return a
directory listing rather than negotiated content. [2] [3]

Additionally, this update solves a problem in mod_bandwidth shipped
with Conectiva Linux 7.0. [4]

REFERENCES

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0730
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0731
[3] http://www.securityfocus.com/bid/3009
[4] http://bugzilla.conectiva.com.br/show_bug.cgi?id=4371

SOLUTION
All affected users should upgrade their packages.

ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:

add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

run: apt-get update
after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

subscribe: [email protected]
unsubscribe: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7z0Jo42jd0JmAcZARAs7eAJ9vxHsjmYoXWm78thi20zUstubztwCgwln7
FmzF3ZqxBoVtNeMT9apw3mY=
=Kc7T
-----END PGP SIGNATURE-----