--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2002-38
http://www/turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
Mod_ssl
Capture of the httpd server authority by unauthorized user.
Release date : 2002-07-03
Solution: package : mod_ssl-2.8.10-2
Problem
There is a possibility of unauthorized user making use of the.htaccess file, and capturing authority of the httpd server.
There is a possibility of memory leak occurring with CA certification processing.
Solution:
Please verify version and execute the command below.
# rpm -qa | grep package name
When problem corresponds, please download the update package. Do the update by the using the command below.
Furthermore, please execute the package number which corresponds to your version number. Without starting a new paragraph, please enter the "\ " Bunchu sign.
Execution example
---------------------------------------------------------------------
# rpm -Fvh Package-1.0.0-1.i586.rpm \
Package-doc-1.0.0-1.i586.rpm \
Package-devel-1.0.0-1.i586.rpm
The case where rpm command is executed, please enter as follows on the command line.
# rpm -Fvh package-1.0.0-1.i586.rpm package-doc-1.0.0-1.i586.rpm package-devel-1.0.0-1.i586.rpm
---------------------------------------------------------------------
< Turbolinux 8 Workstation >
# rpm -Fvh apache-1.3.26-2.i586.rpm \
apache-devel-1.3.26-2.i586.rpm \
apache-manual-1.3.26-2.i586.rpm \
Auth_ldap-1.6.0-2.i586.rpm \
mod_bandwidth-2.0.3-3.i586.rpm \
mod_dav-1.0.3-1.i586.rpm \
mod_perl-1.26-3.i586.rpm \
mod_python-2.7.6-4.i586.rpm \
mod_ruby-0.9.7-3.i586.rpm \
mod_ssl-2.8.10-2.i586.rpm \
mod_throttle-312-3.i586.rpm \
php-4.1.2-6.i586.rpm \
php-gd-4.1.2-6.i586.rpm \
php-imap-4.1.2-6.i586.rpm \
php-ldap-4.1.2-6.i586.rpm \
php-manual-4.1.2-6.i586.rpm \
php-ming-4.1.2-6.i586.rpm \
php-mysql-4.1.2-6.i586.rpm \
php-pgsql-4.1.2-6.i586.rpm
< Turbolinux 7 Server >
# rpm -Fvh apache-1.3.26-2.i586.rpm \
apache-devel-1.3.26-2.i586.rpm \
apache-manual-1.3.26-2.i586.rpm \
Auth_ldap-1.6.0-2.i586.rpm \
mod_bandwidth-2.0.3-3.i586.rpm \
mod_dav-1.0.3-1.i586.rpm \
mod_perl-1.26-3.i586.rpm \
mod_ruby-0.9.7-3.i586.rpm \
mod_ssl-2.8.10-2.i586.rpm \
mod_throttle-312-3.i586.rpm \
php-4.1.2-7.i586.rpm \
php-imap-4.1.2-7.i586.rpm \
php-ldap-4.1.2-7.i586.rpm \
php-manual-4.1.2-7.i586.rpm \
php-mysql-4.1.2-7.i586.rpm \
php-pgsql-4.1.2-7.i586.rpm
< Turbolinux 7 Workstation >
# rpm -Fvh apache-1.3.26-2.i586.rpm \
apache-devel-1.3.26-2.i586.rpm \
apache-manual-1.3.26-2.i586.rpm \
Auth_ldap-1.6.0-2.i586.rpm \
mod_bandwidth-2.0.3-3.i586.rpm \
mod_ruby-0.9.7-3.i586.rpm \
mod_ssl-2.8.10-2.i586.rpm \
mod_throttle-312-3.i586.rpm \
php-4.1.2-7.i586.rpm \
php-imap-4.1.2-7.i586.rpm \
php-ldap-4.1.2-7.i586.rpm \
php-manual-4.1.2-7.i586.rpm \
php-mysql-4.1.2-7.i586.rpm \
php-pgsql-4.1.2-7.i586.rpm
< Turbolinux Server 6.5 >
# rpm -Uvh Cyrus-sasl-1.5.24-15.i386.rpm \
Cyrus-sasl-devel-1.5.24-15.i386.rpm
# rpm -Fvh apache-1.3.26-2.i386.rpm \
apache-devel-1.3.26-2.i386.rpm \
apache-manual-1.3.26-2.i386.rpm \
mod_ssl-2.8.10-2.i386.rpm \
openssl-0.9.6b-1.i386.rpm \
openssl-devel-0.9.6b-1.i386.rpm \
php-3.0.18-10jaJP.i386.rpm \
php-imap-3.0.18-10jaJP.i386.rpm \
php-ldap-3.0.18-10jaJP.i386.rpm \
php-manual-3.0.18-10jaJP.i386.rpm \
php-mysql-3.0.18-10jaJP.i386.rpm \
php-pgsql-3.0.18-10jaJP.i386.rpm
< Turbolinux Advanced Server 6 >
< Turbolinux Server 6.1 >
# rpm -Fvh apache-1.3.23-7.i386.rpm \
apache-devel-1.3.23-7.i386.rpm \
apache-manual-1.3.23-7.i386.rpm \
mod_ssl-2.8.7-7.i386.rpm \
openssl-0.9.6b-1.i386.rpm
< Turbolinux Workstation 6.0 >
* The mod_ssl is not recorded.
* If using the RSA SSL of note TurboLinux Server Japanese edition 6.1 recording, with the environment which constructs the Secure Web Server, please do not update the mod_ssl package.
Package updates:
http://www.turbolinux.co.jp/update/