Gentoo Archives: gentoo-user-es

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-user-es] [gentoo-announce] GLSA: mod_ssl
Date: Sat, 26 Oct 2002 19:39:20
Message-Id: 20021027003803.8923E3368D@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200210-009
- - --------------------------------------------------------------------

PACKAGE : mod_ssl
SUMMARY : cross site scripting
DATE    : 2002-10-27 00:40 UTC
EXPLOIT : remote

- - --------------------------------------------------------------------

Cross-site scripting vulnerability in the mod_ssl Apache module 2.8.9
and earlier, when UseCanonicalName is off and wildcard DNS is enabled,
allows remote attackers to execute script as other web site visitors,
via the server name in an HTTPS response on the SSL port, which is used
in a self-referencing URL.

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/mod_ssl-2.8.11 and earlier update their systems as follows:

emerge rsync
emerge mod_ssl
emerge clean

- - --------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9uzVqfT7nyhUpoZMRAt2JAKC3lguQrRSwDKcDdtUL4042aHwWKACdHblk
UEB8oAlG58KkmP0LXt2YJ1I=
=E/JR
-----END PGP SIGNATURE-----
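
The announcement above describes a server name being reflected into a self-referencing URL in an HTML response. The following is an added illustration of that bug class and its fix; it is not mod_ssl's code and not part of the original announcement, and the function names, the markup and the sample host name are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* HTML-escape src into dst; returns 0, or -1 if dst is too small. */
static int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0, n;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        n = rep ? strlen(rep) : 1;
        if (o + n >= dstlen) return -1;
        if (rep) memcpy(dst + o, rep, n); else dst[o] = *src;
        o += n;
    }
    dst[o] = '\0';
    return 0;
}

/* Before: the client-influenced server name goes into the markup verbatim. */
int hint_unescaped(const char *name, unsigned port, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "<a href=\"https://%s:%u/\">https://%s:%u/</a>",
                     name, port, name, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* After: same markup, but the name is HTML-escaped first. */
int hint_escaped(const char *name, unsigned port, char *out, size_t outlen)
{
    char safe[512];
    if (html_escape(name, safe, sizeof safe) != 0) return -1;
    return hint_unescaped(safe, port, out, outlen);
}

int main(void)
{
    const char *name = "a<b>.example.test";  /* constructed input */
    char page[1024];
    if (hint_unescaped(name, 443, page, sizeof page) == 0) printf("before: %s\n", page);
    if (hint_escaped(name, 443, page, sizeof page) == 0)   printf("after:  %s\n", page);
    return 0;
}
```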