--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2002-73
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Four security problems in Apache

Release date    : 2002-11-19
Updated package : apache-1.3.27-7

Problem description

 * A buffer overflow is possible in the Apache HTTP server benchmarking tool.
 * A vulnerability in the shared memory scoreboard may allow a
   denial-of-service (DoS) attack.
 * A cross-site scripting problem exists.
 * A vulnerability in the mod_php module may allow reuse of file descriptors.

Solution:

 Use the turbopkg command to update automatically. Only the packages that
 need updating are updated.

 Use the following command to verify the version currently installed.

 # rpm -qa | grep <package name>

 When automatic update is used, all packages that are currently installed
 are subject to update. If you want to choose which packages to update,
 select the packages and use the rpm command.

 Execution example
 ---------------------------------------------------------------------
 1. Change to the super user
    $ su -
 2. Enter the super user password
    Password:
 3. Start turbopkg
    # turbopkg
 4. Menu selection
    "Update"
    "FTP server"
    "Update site"
    Select any site
 5. Return to the general user
    # exit
 ---------------------------------------------------------------------

 < Turbolinux 8 Server >

 apache-1.3.27-7.i586.rpm
 apache-devel-1.3.27-7.i586.rpm
 apache-manual-1.3.27-7.i586.rpm
 auth_ldap-1.6.0-3.i586.rpm
 mod_bandwidth-2.0.3-6.i586.rpm
 mod_dav-1.0.3-3.i586.rpm
 mod_jk-1.3-1.0-7.i586.rpm
 mod_perl-1.26-4.i586.rpm
 mod_python-2.7.8-3.i586.rpm
 mod_ruby-0.9.7-5.i586.rpm
 mod_ssl-2.8.12-7.i586.rpm
 mod_throttle-312-4.i586.rpm
 php-4.2.3-4.i586.rpm
 php-gd-4.2.3-4.i586.rpm
 php-imap-4.2.3-4.i586.rpm
 php-ldap-4.2.3-4.i586.rpm
 php-manual-4.2.3-4.i586.rpm
 php-ming-4.2.3-4.i586.rpm
 php-mysql-4.2.3-4.i586.rpm
 php-pgsql-4.2.3-4.i586.rpm

 < Turbolinux 8 Workstation >

 apache-1.3.27-7.i586.rpm
 apache-devel-1.3.27-7.i586.rpm
 apache-manual-1.3.27-7.i586.rpm
 auth_ldap-1.6.0-3.i586.rpm
 mod_bandwidth-2.0.3-6.i586.rpm
 mod_dav-1.0.3-3.i586.rpm
 mod_perl-1.26-4.i586.rpm
 mod_python-2.7.8-3.i586.rpm
 mod_ruby-0.9.7-5.i586.rpm
 mod_ssl-2.8.12-7.i586.rpm
 mod_throttle-312-4.i586.rpm
 php-4.1.2-12.i586.rpm
 php-gd-4.1.2-12.i586.rpm
 php-imap-4.1.2-12.i586.rpm
 php-ldap-4.1.2-12.i586.rpm
 php-manual-4.1.2-12.i586.rpm
 php-ming-4.1.2-12.i586.rpm
 php-mysql-4.1.2-12.i586.rpm
 php-pgsql-4.1.2-12.i586.rpm

 < Turbolinux 7 Server >

 apache-1.3.27-7.i586.rpm
 apache-devel-1.3.27-7.i586.rpm
 apache-manual-1.3.27-7.i586.rpm
 auth_ldap-1.6.0-3.i586.rpm
 mod_bandwidth-2.0.3-6.i586.rpm
 mod_dav-1.0.3-3.i586.rpm
 mod_perl-1.26-4.i586.rpm
 mod_ruby-0.9.7-5.i586.rpm
 mod_ssl-2.8.12-7.i586.rpm
 mod_throttle-312-4.i586.rpm
 php-4.1.2-12.7.i586.rpm
 php-imap-4.1.2-12.7.i586.rpm
 php-ldap-4.1.2-12.7.i586.rpm
 php-manual-4.1.2-12.7.i586.rpm
 php-mysql-4.1.2-12.7.i586.rpm
 php-pgsql-4.1.2-12.7.i586.rpm
 postgresql-7.2.2-1.i586.rpm
 postgresql-contrib-7.2.2-1.i586.rpm
 postgresql-devel-7.2.2-1.i586.rpm
 postgresql-docs-7.2.2-1.i586.rpm
 postgresql-jdbc-7.2.2-1.i586.rpm
 postgresql-libs-7.2.2-1.i586.rpm
 postgresql-odbc-7.2.2-1.i586.rpm
 postgresql-perl-7.2.2-1.i586.rpm
 postgresql-python-7.2.2-1.i586.rpm
 postgresql-server-7.2.2-1.i586.rpm
 postgresql-tcl-7.2.2-1.i586.rpm
 postgresql-test-7.2.2-1.i586.rpm
 postgresql-tk-7.2.2-1.i586.rpm
 ruby-postgres-0.6.4-3.i586.rpm

 * Note that this update raises the version of postgresql.

 < Turbolinux 7 Workstation >

 apache-1.3.27-7.i586.rpm
 apache-devel-1.3.27-7.i586.rpm
 apache-manual-1.3.27-7.i586.rpm
 auth_ldap-1.6.0-3.i586.rpm
 mod_bandwidth-2.0.3-6.i586.rpm
 mod_ruby-0.9.7-5.i586.rpm
 mod_ssl-2.8.12-7.i586.rpm
 mod_throttle-312-4.i586.rpm
 php-4.1.2-12.7.i586.rpm
 php-imap-4.1.2-12.7.i586.rpm
 php-ldap-4.1.2-12.7.i586.rpm
 php-manual-4.1.2-12.7.i586.rpm
 php-mysql-4.1.2-12.7.i586.rpm
 php-pgsql-4.1.2-12.7.i586.rpm

 < Turbolinux Server 6.5 >
 < Turbolinux Advanced Server 6 >

 apache-1.3.27-7.i386.rpm
 apache-devel-1.3.27-7.i386.rpm
 apache-manual-1.3.27-7.i386.rpm
 mod_ssl-2.8.12-7.i386.rpm
 php-3.0.18-15jaJP.i386.rpm
 php-imap-3.0.18-15jaJP.i386.rpm
 php-ldap-3.0.18-15jaJP.i386.rpm
 php-manual-3.0.18-15jaJP.i386.rpm
 php-mysql-3.0.18-15jaJP.i386.rpm
 php-pgsql-3.0.18-15jaJP.i386.rpm

 < Turbolinux Server 6.1 >

 apache-1.3.27-7.i386.rpm
 apache-devel-1.3.27-7.i386.rpm
 apache-manual-1.3.27-7.i386.rpm
 mod_ssl-2.8.12-7.i386.rpm
 php-3.0.18-15jaJP.i386.rpm
 php-ldap-3.0.18-15jaJP.i386.rpm
 php-manual-3.0.18-15jaJP.i386.rpm
 php-mysql-3.0.18-15jaJP.i386.rpm
 php-pgsql-3.0.18-15jaJP.i386.rpm

 < Turbolinux Workstation 6.0 >

 apache-1.3.27-7.i386.rpm
 apache-devel-1.3.27-7.i386.rpm
 apache-manual-1.3.27-7.i386.rpm

 * Following maintenance of our FTP site, an update of turbopkg is
   necessary. For details, see the following URL.
   http://www.turbolinux.co.jp/download/zabom.html

Package updates:
 http://www.turbolinux.co.jp/update/
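
The version check from the Solution section (rpm -qa | grep), carried through as an added example that is not part of the advisory: it compares `rpm -qa` output against a subset of the builds listed for Turbolinux 8 Server. It assumes input lines in name-version-release form without an architecture suffix, and the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Fixed builds taken from the advisory's Turbolinux 8 Server list (subset).
FIXED="apache-1.3.27-7
apache-devel-1.3.27-7
mod_ssl-2.8.12-7
mod_perl-1.26-4
php-4.2.3-4"

# Split name-version-release on its last two hyphens, so package names that
# themselves contain hyphens (apache-devel) are handled.
nvr_name() { r=${1%-*}; printf '%s\n' "${r%-*}"; }
nvr_evr()  { r=${1%-*}; printf '%s-%s\n' "${r##*-}" "${1##*-}"; }

# True when version-release $1 sorts strictly before $2.
# Assumption: sort -V (GNU coreutils) is used as an approximation of rpm's
# own version comparison; it is adequate for plain numeric versions.
older_than() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads name-version-release lines on stdin and prints one line for each
# installed package that is older than the build named in the advisory.
check_installed() {
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        name=$(nvr_name "$pkg"); have=$(nvr_evr "$pkg")
        for f in $FIXED; do
            if [ "$(nvr_name "$f")" = "$name" ]; then
                want=$(nvr_evr "$f")
                if older_than "$have" "$want"; then
                    printf '%s: installed %s, advisory %s\n' \
                        "$name" "$have" "$want"
                fi
            fi
        done
    done
}

# Constructed sample of `rpm -qa` output (not taken from the advisory).
SAMPLE="apache-1.3.26-3
apache-devel-1.3.27-7
mod_ssl-2.8.10-1
php-4.2.3-4
glibc-2.2.5-8"

# On a real host: rpm -qa | check_installed
printf '%s\n' "$SAMPLE" | check_installed
```

Packages that are not installed, or not in the FIXED list, produce no output; an empty result means no listed package is older than the advisory build.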