Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: apache
Date: Tue, 12 Nov 2002 15:34:52
Message-Id: 20021112142331.C3ED333930@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200211-003
- - --------------------------------------------------------------------

PACKAGE : apache
SUMMARY : Cross-Site Scripting Vulnerability
DATE    : 2002-11-12 14:11 UTC
EXPLOIT : local

- - --------------------------------------------------------------------

A vulnerability exists in the SSI error pages of Apache 2.0 that
involves incorrect filtering of server signature data.
The vulnerability could enable an attacker to hijack web sessions,
allowing a range of potential compromises on the targeted host.

Read the full advisory at
http://online.securityfocus.com/archive/1/293791

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/apache-2.0.42 and earlier update their systems as follows:

emerge rsync
emerge apache
emerge clean

- - --------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE90Q7hfT7nyhUpoZMRArM0AJ4htFFr3gBDW5tga3p02/CAleoK/wCeK8gc
VMxVJ4+E8XG9wCy81Y1TwOA=
=wYi6
-----END PGP SIGNATURE-----