Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Security Update: [CSSA-2003-007.0] Linux: Apache mod_dav module format string vulnerability

From: security () caldera com
Date: Mon, 17 Feb 2003 13:45:28 -0800
To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com full-disclosure () 
lists netsys com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: Apache mod_dav module format string vulnerability
Advisory number:        CSSA-2003-007.0
Issue date:             2003 February 17
Cross reference:
______________________________________________________________________________


1. Problem Description

        The Apache mod_dav module contains a format string vulnerability
        in the "ap_log_rerror()" function.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to mod_dav-1.0.2_1.3.6-3.i386.rpm
                                        prior to mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to mod_dav-1.0.2_1.3.6-3.i386.rpm
                                        prior to mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        OpenLinux 3.1 Server            prior to mod_dav-1.0.2_1.3.6-3.i386.rpm
                                        prior to mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        OpenLinux 3.1 Workstation       prior to mod_dav-1.0.2_1.3.6-3.i386.rpm
                                        prior to mod_dav-devel-1.0.2_1.3.6-3.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-007.0/RPMS

        4.2 Packages

        bcb45e6cffe4b274dd2363b6880a9164        mod_dav-1.0.2_1.3.6-3.i386.rpm
        ef8f5066aa46ee037f69550b8438a322        mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        4.3 Installation

        rpm -Fvh mod_dav-1.0.2_1.3.6-3.i386.rpm
        rpm -Fvh mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-007.0/SRPMS

        4.5 Source Packages

        d28984d21aca280a74588b98459a9e4e        mod_dav-1.0.2_1.3.6-3.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-007.0/RPMS

        5.2 Packages

        ddace8089a1a4eea49db6b86b10ad38f        mod_dav-1.0.2_1.3.6-3.i386.rpm
        83d069194ae139ea7e967fcfb6679db1        mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        5.3 Installation

        rpm -Fvh mod_dav-1.0.2_1.3.6-3.i386.rpm
        rpm -Fvh mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-007.0/SRPMS

        5.5 Source Packages

        fa28668cc98cac3ad22eee23e77c2693        mod_dav-1.0.2_1.3.6-3.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-007.0/RPMS

        6.2 Packages

        3853d37862ee61ddd9720fdf17d58bf4        mod_dav-1.0.2_1.3.6-3.i386.rpm
        739ca25c48cf6708066d94526bf2ec7d        mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        6.3 Installation

        rpm -Fvh mod_dav-1.0.2_1.3.6-3.i386.rpm
        rpm -Fvh mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-007.0/SRPMS

        6.5 Source Packages

        35f41886e5019c46aa2504f5c3338c2e        mod_dav-1.0.2_1.3.6-3.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-007.0/RPMS

        7.2 Packages

        9bce03b0080e3f088c315fd7ed0eee49        mod_dav-1.0.2_1.3.6-3.i386.rpm
        6105508bfa30dec40785269e97152836        mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        7.3 Installation

        rpm -Fvh mod_dav-1.0.2_1.3.6-3.i386.rpm
        rpm -Fvh mod_dav-devel-1.0.2_1.3.6-3.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-007.0/SRPMS

        7.5 Source Packages

        83429117c53516e8e94e1c36e25446f5        mod_dav-1.0.2_1.3.6-3.src.rpm


8. References

        Specific references for this advisory:

                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0842

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr869830, fz526205,
        erg712132.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


10. Acknowledgements

        David Litchfield discovered and investigated this vulnerability.

______________________________________________________________________________

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: