-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2005-81
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
Original release date: 09 Aug 2005
Last revised: 09 Aug 2005
Package: apache, httpd
Summary: Two vulnerabilities discovered in apache
More information:
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the Internet.
- A vulnerability in the way mod_ssl handles CRLs
could allow remote attackers to cause a denial of service.
- Apache, when acting as an HTTP proxy, allows remote attackers to poison the web cache,
bypass web application firewall protection, and conduct XSS attacks via an HTTP request.
Impact:
These vulnerabilities allow remote attackers to cause a denial of service.
Affected Products:
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux Multimedia
- Turbolinux Personal
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server]
# turbopkg
or
# zabom -u httpd httpd-debug httpd-devel httpd-manual mod_bwshare mod_ssl
[Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home,
Turbolinux Multimedia, Turbolinux Personal]
# turbopkg
or
# zabom -u httpd
[other]
# turbopkg
or
# zabom update apache apache-devel apache-manual mod_ssl
---------------------------------------------
<Turbolinux Appliance Server 1.0 Hosting Edition>
Source Packages
Size: MD5
apache-1.3.27-31.src.rpm
3109373 f3c422c3fd5937e982b055a56b8dfb7f
Binary Packages
Size: MD5
apache-1.3.27-31.i586.rpm
502063 9c3237f154eecbbcf843bfab043510d1
apache-devel-1.3.27-31.i586.rpm
94811 7f2ab013abbf2b4f8b897edfe847e877
mod_ssl-2.8.14-31.i586.rpm
182059 8136bef9d07bdef3794733003bd5bbb4
<Turbolinux Appliance Server 1.0 Workgroup Edition>
Source Packages
Size: MD5
apache-1.3.27-31.src.rpm
3109373 6f1b86ceef3c22a2aaf78ff5a0f268b2
Binary Packages
Size: MD5
apache-1.3.27-31.i586.rpm
502238 cdc276e4b1b03f0737154a11bc59aca0
apache-devel-1.3.27-31.i586.rpm
94998 d6c336e8d1c20ffda272cdc9bf618288
mod_ssl-2.8.14-31.i586.rpm
182145 c2cdd31b9d6a2a9124e5716250b1bf1b
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/httpd-2.0.51-13.src.rpm
6845674 e0e80d62e9f6b1bb0d7f24c0d264b324
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/httpd-2.0.51-13.i586.rpm
1032364 73cd9f215eb7801e46ff8a613cb39c84
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/httpd-debug-2.0.51-13.i586.rpm
3240709 09c4172f27daa0cd2c8c7e41c84ca3c5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/httpd-devel-2.0.51-13.i586.rpm
223780 574b59c43c30b3e0dfd909add88d8e60
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/httpd-manual-2.0.51-13.i586.rpm
1132138 7b681e4dedd57a8799c561f791000c78
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/mod_bwshare-2.0.51-13.i586.rpm
39858 21761ba8dd243c6b3a7eb2645d08b628
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/mod_ssl-2.0.51-13.i586.rpm
87816 78f8dea6f221c5b11b8e6f3028ebc68a
<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/httpd-2.0.48-16.src.rpm
6317174 155e20c604e5fc909a5949ab1ec1d699
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/httpd-2.0.48-16.i586.rpm
892515 b753dd90453872d154ed3c6389c1aa0f
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/apache-1.3.27-31.src.rpm
3109373 0dd83ad7d7074c99f16d2daffe916608
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/apache-1.3.27-31.i586.rpm
503183 0433a84107748e43b2ff841a8728a8a1
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/apache-devel-1.3.27-31.i586.rpm
94954 5441d2a424dd163eff80a5debdb42be4
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/apache-manual-1.3.27-31.i586.rpm
850909 383037e0cfe8d07f7463b6930d7a1fce
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/mod_ssl-2.8.14-31.i586.rpm
182224 1976847793c1c706dc3749153b2f73bf
<Turbolinux 8 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/apache-1.3.27-31.src.rpm
3109373 0e9125ba1ee25bb38cf47eaea08b5f19
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/apache-1.3.27-31.i586.rpm
503125 e644eff23a0c14062066825f441a5bc1
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/apache-devel-1.3.27-31.i586.rpm
95144 e4e230ee2642ac7bada171568a00ed31
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/apache-manual-1.3.27-31.i586.rpm
851104 6596aef1907079a1f7b867dc5d61c4ef
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/mod_ssl-2.8.14-31.i586.rpm
182128 5961459b0ae85a25f9204fdd5e62f20c
<Turbolinux 7 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/apache-1.3.27-31.src.rpm
3109373 ac3fd7f0b4e448afc6a3b31c9286c166
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/apache-1.3.27-31.i586.rpm
489948 3c357f8396a98919c5f1cb58df49a40e
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/apache-devel-1.3.27-31.i586.rpm
95166 d3e927c21f0092000bad1d3598cdb3e2
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/apache-manual-1.3.27-31.i586.rpm
851896 fe50d563c61f31759f61ae99ece5e4c1
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/mod_ssl-2.8.14-31.i586.rpm
179785 a3935782ffad1be2f624bca280651299
<Turbolinux 7 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/apache-1.3.27-31.src.rpm
3109373 abb5e45b253f4c089d1bfb17f60c7986
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/apache-1.3.27-31.i586.rpm
489706 afc3cc31649c14b74c4591e742733003
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/apache-devel-1.3.27-31.i586.rpm
95164 88d57c6d8d07cab36b1d8710ea19cd70
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/apache-manual-1.3.27-31.i586.rpm
851886 5f3add0220a52daad36658de93eafeee
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/mod_ssl-2.8.14-31.i586.rpm
180083 5ff5110a64069eb39c4a28235ac4e626
References:
CVE
[CAN-2005-1268]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268
[CAN-2005-2088]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088
--------------------------------------------------------------------------
Revision History
09 Aug 2005 Initial release
--------------------------------------------------------------------------
Copyright(C) 2005 Turbolinux, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFC+GizK0LzjOqIJMwRAtpgAJ9pjPIIP9KjKCN1umFnA0mh4t142wCfeQnP
nYCVuG8YQUIUm01GXChT1DU=
=UZ0q
-----END PGP SIGNATURE-----