--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2002-15
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
mod_ssl
Buffer overflow command
Release date : 2002-03-15
Target package : mod_ssl-2.8.7-3
Problem
In an apache+mod_ssl environment where the server issues certificates,
there is a vulnerability that allows attackers to gain access to the server.
Solution:
Check the installed version with the command below.
If you are using a version earlier than mod_ssl-2.8.7-3, update it.
# rpm -qa | grep mod_ssl
Download the update package that corresponds to your version number.
Execution example
---------------------------------------------------------------------
# rpm -Fvh package-1.0.0-1.i586.rpm \
package-doc-1.0.0-1.i586.rpm \
package-devel-1.0.0-1.i586.rpm
When executing the rpm command, enter it as a single command line, as follows:
# rpm -Fvh package-1.0.0-1.i586.rpm package-doc-1.0.0-1.i586.rpm package-devel-1.0.0-1.i586.rpm
---------------------------------------------------------------------
< Turbolinux 7 Server >
< Turbolinux 7 Workstation >
# rpm -Fvh mod_ssl-2.8.7-3.i586.rpm \
apache-1.3.23-3.i586.rpm \
apache-devel-1.3.23-3.i586.rpm \
apache-manual-1.3.23-3.i586.rpm
< Turbolinux Server 6.5 >
< Turbolinux Advanced Server 6 >
# rpm -Fvh mod_ssl-2.8.7-3.i386.rpm \
apache-1.3.23-3.i386.rpm \
apache-devel-1.3.23-3.i386.rpm \
apache-manual-1.3.23-3.i386.rpm \
openssl-0.9.6b-1.i386.rpm \
openssl-devel-0.9.6b-1.i386.rpm
< Turbolinux Server 6.1 >
< Turbolinux Workstation 6.0 >
# rpm -Uvh rpm-3.0.6-15.i386.rpm \
popt-1.5-15.i386.rpm
# rpm -Fvh apache-1.3.23-3.i386.rpm \
apache-devel-1.3.23-3.i386.rpm \
apache-manual-1.3.23-3.i386.rpm \
openssl-0.9.6b-1.i386.rpm \
openssl-devel-0.9.6b-1.i386.rpm
# rpm -ivh mod_ssl-2.8.7-3.i386.rpm
* Note: When the Secure Web Server (https) uses OpenSSL, the mod_ssl package must be updated at the same time.
Furthermore, if you are using the RSA SSL included with the Turbolinux Server 6.1 Japanese edition, do not update the mod_ssl package.
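The version check from the Solution section, as an added example that is not part of the original advisory: it reads lines in `rpm -qa` format and flags packages older than the versions named in the update commands. The function names and the sample package list are constructed for illustration, and GNU `sort -V` is assumed as an approximation of rpm's own version ordering.

```bash
#!/usr/bin/env bash
# Added example: flag packages older than the fixed versions in this advisory.

# Fixed version-release per package, taken from the update commands above.
fixed_version() {
    case "$1" in
        mod_ssl)                           echo "2.8.7-3" ;;
        apache|apache-devel|apache-manual) echo "1.3.23-3" ;;
        openssl|openssl-devel)             echo "0.9.6b-1" ;;
        *)                                 return 1 ;;
    esac
}

# Return 0 if $1 sorts strictly before $2 in GNU version order (sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort -V | head -n 1)" = "$1" ]
}

# Return 0 if version-release $1 is older than $2. Version is compared first,
# release only on a tie. Assumption: sort -V approximates rpm's own ordering.
is_older() {
    local v1=${1%-*} r1=${1##*-} v2=${2%-*} r2=${2##*-}
    if [ "$v1" != "$v2" ]; then ver_lt "$v1" "$v2"; else ver_lt "$r1" "$r2"; fi
}

# Read name-version-release lines (rpm -qa format) on stdin and print one
# status line for each package the advisory covers; others are skipped.
check_packages() {
    local nvr name vr fixed
    while IFS= read -r nvr; do
        name=${nvr%-*-*}          # strip "-version-release"
        vr=${nvr#"$name"-}
        fixed=$(fixed_version "$name") || continue
        if is_older "$vr" "$fixed"; then
            echo "UPDATE $name $vr -> $fixed"
        else
            echo "OK $name $vr"
        fi
    done
}

# Constructed sample of rpm -qa output; on a real host: rpm -qa | check_packages
sample_rpm_qa() {
    printf '%s\n' mod_ssl-2.8.5-2 apache-1.3.23-3 apache-devel-1.3.20-1 \
        openssl-0.9.6-5 popt-1.5-15
}

sample_rpm_qa | check_packages
```

An UPDATE line for mod_ssl still has to be weighed against the note above about RSA SSL on Turbolinux Server 6.1, which this check cannot detect.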
Package updates:
http://www.turbolinux.co.jp/update/