Yellow Dog Linux Security Announcement
--------------------------------------

Package:        webalizer
Issue Date:     January 27, 2003
Priority:       medium
Advisory ID:    YDU-20030127-4


1.  Topic:

    Updated webalizer packages are available.


2.  Problem:

    "The Webalizer is a Web server log file analysis program which
    produces detailed usage reports in HTML format.

    A buffer overflow in Webalizer versions prior to 2.01-10, when
    configured to use reverse DNS lookups, may allow remote attackers to
    execute arbitrary code by connecting to the monitored Web server from
    an IP address that resolves to a long hostname.

    [Yellow Dog Linux 2.3] shipped with Webalizer 2.01-9 which is
    vulnerable to this issue.

    Users of webalizer on [Yellow Dog Linux 2.3] are advised to upgrade
    to these errata packages which contain Webalizer version 2.01-09 with
    backported security and bug fix patches."
    (from Red Hat Advisory)


3.  Solution:

    a) Updating via apt...
    We suggest that you use the apt-get program to keep your system
    up-to-date. The following command(s) will retrieve and install the
    fixed version of this update onto your system:

        apt-get update
        apt-get install webalizer

    b) Updating manually...
    Download the updates below and then run the following rpm command.
    (Please use a mirror site)

        rpm -Fvh [filenames]

    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
    ppc/webalizer-2.01_09-1.72.ppc.rpm


4.  Verification

    MD5 checksum                      Package
    --------------------------------  ----------------------------
    c15f69de408b21dbb01075c449e7d2a7  ppc/webalizer-2.01_09-1.72.ppc.rpm
    a82cdaf10888b523bf6a84be4e174970  SRPMS/webalizer-2.01_09-1.72.src.rpm

    If you wish to verify that each package has not been corrupted or
    tampered with, examine the md5sum with the following command:

        rpm --checksig --nogpg filename


5.  Misc.

    Terra Soft has set up a moderated mailing list where these security,
    bugfix, and package enhancement announcements will be posted. See
    http://lists.terrasoftsolutions.com/ for more information.

For information regarding the usage of apt-get, see: http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
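
The bug class named in section 2, shown as an added illustration that is not Webalizer's source and not part of this advisory: a reverse-DNS result copied into a fixed-size field must be checked against the size of that field. HOST_MAX, struct host_rec and both function names are hypothetical, and the sample hostnames and address are constructed.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* hypothetical size of the per-host record field */

struct host_rec {
    char name[HOST_MAX];
    unsigned long hits;
};

/* Vulnerable pattern: the resolved name arrives from the network, so its
 * length is not under the program's control. strcpy writes past name[]
 * whenever the name is longer than HOST_MAX - 1 bytes. */
void store_hostname_unsafe(struct host_rec *r, const char *resolved)
{
    strcpy(r->name, resolved);
}

/* Hardened pattern: compare the length with the destination first and
 * fall back to the numeric address when the name is empty or too long.
 * Returns 1 if the hostname was stored, 0 if the fallback was used. */
int store_hostname(struct host_rec *r, const char *resolved, const char *ip)
{
    size_t n = strlen(resolved);

    if (n > 0 && n < sizeof r->name) {
        memcpy(r->name, resolved, n + 1);      /* n + 1 copies the NUL too */
        return 1;
    }
    snprintf(r->name, sizeof r->name, "%s", ip); /* always NUL-terminated */
    return 0;
}

int main(void)
{
    struct host_rec r = { "", 0 };
    char long_name[300];                       /* constructed over-long name */

    memset(long_name, 'a', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    if (store_hostname(&r, "client.example.org", "192.0.2.10"))
        printf("stored hostname: %s\n", r.name);
    if (!store_hostname(&r, long_name, "192.0.2.10"))
        printf("name too long, stored address: %s\n", r.name);
    return 0;
}
```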