Yellow Dog Linux Security Announcement
--------------------------------------

Package:        apache
Issue Date:     June 26, 2002
Priority:       high
Advisory ID:    YDU-20020626-1

1. Topic:

   Updated apache packages are available.

2. Problem:

   "Versions of the Apache Web server up to and including 1.3.24
   contain a bug in the routines which deal with requests encoded
   using "chunked" encoding. A carefully crafted invalid request can
   cause an Apache child process to call the memcpy() function in a
   way that will write past the end of its buffer, corrupting the
   stack.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CAN-2002-0392 to this issue.

   We have backported the security fix from the official Apache 1.3.26
   release. This should help minimize the impact of upgrading to our
   errata packages.

   All users of Apache should update to these errata packages to
   correct this security issue." (from Red Hat Advisory)

3. Solution:

   a) Updating via apt...

      We suggest that you use the apt-get program to keep your system
      up-to-date. The following command(s) will retrieve and install
      the fixed version of this update onto your system:

         apt-get update
         apt-get install apache

   b) Updating manually...

      Download the updates below for your version of Yellow Dog Linux
      and then run the following rpm command.
      (Please use a mirror site)

         rpm -Fvh [filenames]

      Yellow Dog Linux 2.3
      ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
      ppc/apache-1.3.22-6.2.3a.ppc.rpm
      ppc/apache-devel-1.3.22-6.2.3a.ppc.rpm
      ppc/apache-manual-1.3.22-6.2.3a.ppc.rpm

      Yellow Dog Linux 2.2
      ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
      ppc/apache-1.3.22-6.2.2a.ppc.rpm
      ppc/apache-devel-1.3.22-6.2.2a.ppc.rpm
      ppc/apache-manual-1.3.22-6.2.2a.ppc.rpm

4. Verification

   MD5 checksum                      Package
   --------------------------------  ----------------------------
   [Yellow Dog Linux 2.3]
   1d78dc187a6eb53d065313317ebd1f78  SRPMS/apache-1.3.22-6.2.3a.src.rpm
   203816970f4b91b24f2b2f0f261b4fbf  ppc/apache-1.3.22-6.2.3a.ppc.rpm
   24ccb581b5f4f6541ac643520c4ab05d  ppc/apache-devel-1.3.22-6.2.3a.ppc.rpm
   82006094165512139bd01a40ab78c4a4  ppc/apache-manual-1.3.22-6.2.3a.ppc.rpm

   [Yellow Dog Linux 2.2]
   39c453c3daec443b983d86c78405a976  SRPMS/apache-1.3.22-6.2.2a.src.rpm
   d76a68755fafe67af0bb277eb6a5d396  ppc/apache-1.3.22-6.2.2a.ppc.rpm
   84b7fb98be044c557f7b2cd70ec59c8e  ppc/apache-devel-1.3.22-6.2.2a.ppc.rpm
   1c7fc06d2770d4f915ed2b0a5783fd07  ppc/apache-manual-1.3.22-6.2.2a.ppc.rpm

   If you wish to verify that each package has not been corrupted or
   tampered with, examine the md5sum with the following command:

      rpm --checksig --nogpg filename

5. Misc.

   Terra Soft has set up a moderated mailing list where these security,
   bugfix, and package enhancement announcements will be posted. See
   http://lists.yellowdoglinux.com/ for more information.

   For information regarding the usage of apt-get, see:
   http://www.yellowdoglinux.com/support/solutions/ydl_2.2/apt-get.shtml
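
Added example, not part of the original advisory: rpm --checksig --nogpg checks the digest stored inside each package, so the function below compares every downloaded .rpm in a directory against the checksum table from section 4 and fails on a mismatch or on a file the table does not list. It assumes md5sum and awk are installed and that the table has been saved to a text file; the function name verify_advisory_md5 is hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory). Compare downloaded RPMs with the
# "MD5 checksum / Package" table from section 4 before running rpm -Fvh.
# Assumptions: md5sum and awk are available; LIST is the table saved as text.
#
# usage: verify_advisory_md5 LIST DIR
# Returns 0 only if every *.rpm in DIR is listed and its MD5 matches.
verify_advisory_md5() {
    list=$1
    dir=$2
    status=0
    checked=0
    for file in "$dir"/*.rpm; do
        [ -f "$file" ] || continue          # unmatched glob or not a file
        name=${file##*/}
        checked=$((checked + 1))
        # Look up the published checksum by file name. Only lines whose
        # first field is exactly 32 hex digits are treated as table rows,
        # so headings, rules and "[Yellow Dog Linux x.y]" lines are skipped.
        want=$(awk -v n="$name" '
            length($1) == 32 && $1 !~ /[^0-9a-fA-F]/ {
                p = $2
                sub(/.*\//, "", p)          # drop the ppc/ or SRPMS/ prefix
                if (p == n) { print tolower($1); exit }
            }' "$list")
        have=$(md5sum < "$file" | awk '{ print $1 }')
        if [ -z "$want" ]; then
            echo "UNLISTED $name"
            status=1
        elif [ "$want" = "$have" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $want, got $have)"
            status=1
        fi
    done
    if [ "$checked" -eq 0 ]; then
        echo "no .rpm files found in $dir"
        status=1
    fi
    return "$status"
}

# Run directly as: sh verify.sh advisory-md5.txt ./downloads
if [ "$#" -eq 2 ]; then
    verify_advisory_md5 "$1" "$2"
fi
```

MD5 only detects corruption or a file that differs from the published list; it is not a substitute for checking the package signature where one is available.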