
Security

Brief items

Apache HTTP Server 2.0.47 released

Today the Apache Software Foundation and the Apache HTTP Server Project have announced the release of the Apache HTTP Server 2.0.47. This release fixes four security vulnerabilities:
  • Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [CAN-2003-0192]

  • Certain errors returned by accept() on rarely accessed ports could cause a temporary denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]

  • A denial of service occurred when the target host was IPv6 but the FTP proxy server could not create an IPv6 socket. [CAN-2003-0254]

  • The server would crash after going into an infinite loop caused by too many subsequent internal redirects and nested subrequests. [VU#379828]

The release is available for download now. We'll pass along vendor updates as we see them.


New vulnerabilities

teapop: SQL injection

Package(s): teapop    CVE #(s): CAN-2003-0515
Created: July 9, 2003    Updated: October 1, 2003
Description: teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL with the privileges of the database user as which teapop has authenticated.

CAN-2003-0515

Alerts:
Gentoo 200309-18 teapop 2003-09-30
Debian DSA-347-1 teapop 2003-07-08


semi: insecure temporary file

Package(s): semi, wemi    CVE #(s): CAN-2003-0440
Created: July 7, 2003    Updated: October 1, 2003
Description: semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker.

wemi is a fork of semi, and contains the same bug.

CAN-2003-0440

Alerts:
Gentoo 200308-02 semi 2003-08-14
Yellow Dog YDU-20030723-2 wl 2003-07-23
Red Hat RHSA-2003:234-01 semi 2003-07-23
Debian DSA-339-1 semi 2003-07-06


Resources

Linux Advisory Watch

The July 4 issue of the Linux Advisory Watch newsletter from LinuxSecurity.com is available.


Linux Security Week

The July 7 issue of the Linux Security Week newsletter from LinuxSecurity.com is available.


Events

HiverCon 2003 Announcements

Early-bird registration has opened for this year's HiverCon show, which will be held in Dublin on November 6th and 7th. Register for your ticket now and save 200 Euro!


Page editor: Rebecca Sobol
Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds