Yellow Dog Linux Security Announcement
--------------------------------------

Package:      httpd
Issue Date:   Apr 23, 2003
Priority:     medium
Advisory ID:  YDU-20030423-9

1. Topic:

   Updated httpd packages are available.

2. Problem:

   "The Apache HTTP Web Server is a secure, efficient, and extensible
   Web server that provides HTTP services.

   A memory leak in Apache 2.0 through 2.0.44 allows remote attackers
   to cause a significant denial of service (DoS) by sending requests
   containing lots of linefeed characters.

   Apache 2.0 does not filter terminal escape sequences from its access
   logs, which could make it easier for attackers to insert those
   sequences into terminal emulators containing vulnerabilities related
   to escape sequences.

   Apache does not filter terminal escape sequences from its error
   logs, which could make it easier for attackers to insert those
   sequences into terminal emulators containing vulnerabilities related
   to escape sequences.

   All users of the Apache HTTP Web Server are advised to upgrade to
   the applicable errata packages containing back-ported fixes applied
   to Apache version 2.0.40.

   After the errata packages are installed, restart the Web service by
   running the following command:

   /sbin/service httpd restart"

   (From Red Hat Advisory)

3. Solution:

   a) Updating via apt...

   We suggest that you use the apt-get program to keep your system
   up-to-date. The following command(s) will retrieve and install the
   fixed version of this update onto your system:

      apt-get install httpd
      apt-get install httpd-devel
      apt-get install httpd-manual

   b) Updating manually...

   Download the updates below and then run the following rpm command.
   (Please use a mirror site)

      rpm -Fvh [filenames]

   Yellow Dog Linux 3.0
   ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
      ppc/httpd-2.0.40-21.1a.ppc.rpm
      ppc/httpd-devel-2.0.40-21.1a.ppc.rpm
      ppc/httpd-manual-2.0.40-21.1a.ppc.rpm

4. Verification

   MD5 checksum                      Package
   --------------------------------  ----------------------------
   [Yellow Dog Linux 3.0]
   350ae2de1214fd4ccd3a4d7b9ddf966b  SRPMS/httpd-2.0.40-21.1a.src.rpm
   e2917e6c6f8040d23beebe481dfba012  ppc/httpd-2.0.40-21.1a.ppc.rpm
   84092efa4667e4ba291d0902bde2e70f  ppc/httpd-devel-2.0.40-21.1a.ppc.rpm
   61ce157651256b7de843a0d52bc057b9  ppc/httpd-manual-2.0.40-21.1a.ppc.rpm

   If you wish to verify that each package has not been corrupted or
   tampered with, examine the md5sum with the following command:

      md5sum [filename]

5. Misc.

   Terra Soft has set up a moderated mailing list where these security,
   bugfix, and package enhancement announcements will be posted. See
   http://lists.terrasoftsolutions.com/ for more information.

   For information regarding the usage of apt-get, see:
   http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
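
The escape-sequence issue in the Problem section also applies to logs written before the update, which can still hold raw control bytes. The following is an added example, not part of the advisory or of the Apache or Yellow Dog packages: a small Python filter that flags such lines and renders every non-printable byte as \xNN so the log can be read in a terminal safely. The function names and the sample log lines are constructed for illustration.

```python
import re

# Anything outside printable ASCII (0x20-0x7e) is treated as unsafe to display.
UNSAFE = re.compile(rb"[^\x20-\x7e]")
# ESC (0x1b) and the 8-bit CSI (0x9b) both start terminal control sequences.
SEQ_START = re.compile(rb"[\x1b\x9b]")


def neutralise(line: bytes) -> str:
    """Return the line as printable ASCII, non-printable bytes shown as \\xNN."""
    # Double existing backslashes first so the escaped output is unambiguous.
    body = line.rstrip(b"\r\n").replace(b"\\", b"\\\\")
    safe = UNSAFE.sub(lambda m: b"\\x%02x" % m.group()[0], body)
    return safe.decode("ascii")


def scan(lines):
    """Return (line_number, neutralised_text) for lines carrying a sequence start."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if SEQ_START.search(line):
            hits.append((number, neutralise(line)))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    b'192.0.2.10 - - [23/Apr/2003:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043\n',
    b'192.0.2.77 - - [23/Apr/2003:10:00:05 +0000] "GET /\x1b[31mred HTTP/1.0" 404 283\n',
    b'[Wed Apr 23 10:00:09 2003] [error] [client 192.0.2.77] File does not exist: /var/www/html/a\\b\n',
]

if __name__ == "__main__":
    for number, text in scan(SAMPLE_LOG):
        print(f"line {number}: {text}")
```

Reading the log through neutralise() instead of cat or tail keeps the terminal from ever receiving the raw bytes; scan() gives the line numbers worth a closer look.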