=====================================================================
                                 CERT-Renater

                      Note d'Information No. 2004/VULN227
_____________________________________________________________________

DATE                      : 13/05/2004

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running apache2 version prior to 2.0.49.
                            
======================================================================

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name:           apache2
Advisory ID:            MDKSA-2004:043
Date:                   May 10th, 2004

Affected versions: 10.0, 9.1, 9.2
______________________________________________________________________

Problem Description:

A memory leak in mod_ssl in the Apache HTTP Server prior to version
2.0.49 allows a remote denial of service attack against an SSL-enabled
server.

The updated packages provide a patched mod_ssl to correct these
problems.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
532c951a2e856a199362407bbd720bea  10.0/RPMS/apache2-2.0.48-6.1.100mdk.i586.rpm
aaf7818ed49d7eea93cd8be9bafc9604  10.0/RPMS/apache2-common-2.0.48-6.1.100mdk.i586.rpm
42e8e3361a2870ae5c764bee2334d3d2  10.0/RPMS/apache2-devel-2.0.48-6.1.100mdk.i586.rpm
93974a49c89c02483887bdbd80108ab2  10.0/RPMS/apache2-manual-2.0.48-6.1.100mdk.i586.rpm
ba37cf3b1997eb9449a7b1639c495afe  10.0/RPMS/apache2-mod_cache-2.0.48-6.1.100mdk.i586.rpm
16a6141a93fb829f491daf60860f5666  10.0/RPMS/apache2-mod_dav-2.0.48-6.1.100mdk.i586.rpm
6a8d97f4e4ac74aad25483b22fad95fc  10.0/RPMS/apache2-mod_deflate-2.0.48-6.1.100mdk.i586.rpm
1827a1ecf6250cb6d31c2613ad810463  10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.1.100mdk.i586.rpm
5ef4c065e071275a9b291e483b3986e5  10.0/RPMS/apache2-mod_file_cache-2.0.48-6.1.100mdk.i586.rpm
9c863cb5101db085b9955824bd452092  10.0/RPMS/apache2-mod_ldap-2.0.48-6.1.100mdk.i586.rpm
677d50bcfd6400e2d599a0f6076b68af  10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.1.100mdk.i586.rpm
b76151c0bedac4f608617ed2af18abf4  10.0/RPMS/apache2-mod_proxy-2.0.48-6.1.100mdk.i586.rpm
e2adf66af1c6741fb2054197c2dbd6a6  10.0/RPMS/apache2-mod_ssl-2.0.48-6.1.100mdk.i586.rpm
7a27537ef71bc4d5c54625b060dbedf5  10.0/RPMS/apache2-modules-2.0.48-6.1.100mdk.i586.rpm
62e878523dc30fa0eb026b89d53c1194  10.0/RPMS/apache2-source-2.0.48-6.1.100mdk.i586.rpm
2a6c31fcaeb7bd382b2014c0e26e7aa1  10.0/RPMS/libapr0-2.0.48-6.1.100mdk.i586.rpm
10f0202c416df685f75cdf2e9e17371e  10.0/SRPMS/apache2-2.0.48-6.1.100mdk.src.rpm

Mandrakelinux 9.1:
224e5dda94a7a7dab82d79f6c46396a8  9.1/RPMS/apache2-2.0.47-1.7.91mdk.i586.rpm
22968f6ad5b25bff2642ad28021fc4af  9.1/RPMS/apache2-common-2.0.47-1.7.91mdk.i586.rpm
f1f68cdc9b7b7d0c54147dc3bf6640fa  9.1/RPMS/apache2-devel-2.0.47-1.7.91mdk.i586.rpm
0be71b125b03073f6488f36169559c47  9.1/RPMS/apache2-manual-2.0.47-1.7.91mdk.i586.rpm
1ce19c65a7934dfb5fa62ed2115351eb  9.1/RPMS/apache2-mod_dav-2.0.47-1.7.91mdk.i586.rpm
7887a7082207cce69fcc2ced053a4044  9.1/RPMS/apache2-mod_ldap-2.0.47-1.7.91mdk.i586.rpm
4e719e3ec078fe05b6b58916baf311eb  9.1/RPMS/apache2-mod_ssl-2.0.47-1.7.91mdk.i586.rpm
1908bcc959a702a9d7265dc3116a6ead  9.1/RPMS/apache2-modules-2.0.47-1.7.91mdk.i586.rpm
5817db5654c325471219ec4b3c98ccf4  9.1/RPMS/apache2-source-2.0.47-1.7.91mdk.i586.rpm
fcbc8d2e20e477aa0b63bb6a7e67c55b  9.1/RPMS/libapr0-2.0.47-1.7.91mdk.i586.rpm
3a63938eae592a0437fb76f64c7efd60  9.1/SRPMS/apache2-2.0.47-1.7.91mdk.src.rpm

Mandrakelinux 9.1/PPC:
b55c0dfd5a5d90ebc2e536c90d20ccf1  ppc/9.1/RPMS/apache2-2.0.47-1.7.91mdk.ppc.rpm
49400d29d0f7589bbd26f0ae3c4c689d  ppc/9.1/RPMS/apache2-common-2.0.47-1.7.91mdk.ppc.rpm
b07803b544d4e001976229d21fbc531e  ppc/9.1/RPMS/apache2-devel-2.0.47-1.7.91mdk.ppc.rpm
1fb08c4e5db906dc378b2f1c4899ea33  ppc/9.1/RPMS/apache2-manual-2.0.47-1.7.91mdk.ppc.rpm
fda663af745d7ad64279e9572dae211e  ppc/9.1/RPMS/apache2-mod_dav-2.0.47-1.7.91mdk.ppc.rpm
d4de598464a6428923de3043ffa0c2a6  ppc/9.1/RPMS/apache2-mod_ldap-2.0.47-1.7.91mdk.ppc.rpm
2105ce6164a02e459bb3eeeb07f3c8dd  ppc/9.1/RPMS/apache2-mod_ssl-2.0.47-1.7.91mdk.ppc.rpm
65b7f816e1931d238675d24b8395c610  ppc/9.1/RPMS/apache2-modules-2.0.47-1.7.91mdk.ppc.rpm
b1857e8f6b90546a8f0e1640e5af378d  ppc/9.1/RPMS/apache2-source-2.0.47-1.7.91mdk.ppc.rpm
68860abfbb9e7ebd1454feebf2b261dd  ppc/9.1/RPMS/libapr0-2.0.47-1.7.91mdk.ppc.rpm
3a63938eae592a0437fb76f64c7efd60  ppc/9.1/SRPMS/apache2-2.0.47-1.7.91mdk.src.rpm

Mandrakelinux 9.2:
789a99411d67d1ce4ea4476739fe8f05  9.2/RPMS/apache2-2.0.47-6.4.92mdk.i586.rpm
4a69dbc249db52654ce08c458bb12590  9.2/RPMS/apache2-common-2.0.47-6.4.92mdk.i586.rpm
e637e85cf0e7d26a3db224ca275873d4  9.2/RPMS/apache2-devel-2.0.47-6.4.92mdk.i586.rpm
aeba5b682e253a78068a7ee65de2f66c  9.2/RPMS/apache2-manual-2.0.47-6.4.92mdk.i586.rpm
81d435af697858141a8fabc90b33ae26  9.2/RPMS/apache2-mod_cache-2.0.47-6.4.92mdk.i586.rpm
b893135ff384838c0a349ea2eac4d3de  9.2/RPMS/apache2-mod_dav-2.0.47-6.4.92mdk.i586.rpm
9a20ef3b0904bf445b3ece28b7080164  9.2/RPMS/apache2-mod_deflate-2.0.47-6.4.92mdk.i586.rpm
ddec306b01653022bc65631bf05e5fde  9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.4.92mdk.i586.rpm
ffd1676b2b7b86846634979f4b168859  9.2/RPMS/apache2-mod_file_cache-2.0.47-6.4.92mdk.i586.rpm
bac512f8f990400ad0dbef903b38448b  9.2/RPMS/apache2-mod_ldap-2.0.47-6.4.92mdk.i586.rpm
7eda96296894a887d4d7618a24dc5aec  9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.4.92mdk.i586.rpm
6a79afc9bd5f1850be2bd82d244d8ccb  9.2/RPMS/apache2-mod_proxy-2.0.47-6.4.92mdk.i586.rpm
61972ba631c361f0e3f0863a26001d20  9.2/RPMS/apache2-mod_ssl-2.0.47-6.4.92mdk.i586.rpm
d97100f8181716eeb5d2ab4d20bb8bc1  9.2/RPMS/apache2-modules-2.0.47-6.4.92mdk.i586.rpm
08905fea2a078dbb36f953c17f334dce  9.2/RPMS/apache2-source-2.0.47-6.4.92mdk.i586.rpm
93c6a24dd9f4af88157e193df63a47c6  9.2/RPMS/libapr0-2.0.47-6.4.92mdk.i586.rpm
7d51dac774f2d887b4856990dc9fd5b1  9.2/SRPMS/apache2-2.0.47-6.4.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
7348baec2a9ee27adb7d3f0b9338a88d  amd64/9.2/RPMS/apache2-2.0.47-6.4.92mdk.amd64.rpm
9397b3136c547cd44108572b95a77070  amd64/9.2/RPMS/apache2-common-2.0.47-6.4.92mdk.amd64.rpm
96fb3738db8400f305ec9dcb7d1ac6fa  amd64/9.2/RPMS/apache2-devel-2.0.47-6.4.92mdk.amd64.rpm
41e476759a14a345664c23ff41352032  amd64/9.2/RPMS/apache2-manual-2.0.47-6.4.92mdk.amd64.rpm
6e7981bb03b337e006332b3954505353  amd64/9.2/RPMS/apache2-mod_cache-2.0.47-6.4.92mdk.amd64.rpm
9ac5aa7d5d4789c405606ffb94c73c27  amd64/9.2/RPMS/apache2-mod_dav-2.0.47-6.4.92mdk.amd64.rpm
69f831614c30c05396219c1f005e2a8f  amd64/9.2/RPMS/apache2-mod_deflate-2.0.47-6.4.92mdk.amd64.rpm
732d8e9b68178cff1ff84d461782471c  amd64/9.2/RPMS/apache2-mod_disk_cache-2.0.47-6.4.92mdk.amd64.rpm
de7d183e50e3f8d1f21b3096e3b673a6  amd64/9.2/RPMS/apache2-mod_file_cache-2.0.47-6.4.92mdk.amd64.rpm
a6e91e4734ced8e5374efaa1f2ca3a4c  amd64/9.2/RPMS/apache2-mod_ldap-2.0.47-6.4.92mdk.amd64.rpm
23efa2aebf4f31a22e039f30f30c13ae  amd64/9.2/RPMS/apache2-mod_mem_cache-2.0.47-6.4.92mdk.amd64.rpm
ec40d800c099decec00a5aae69b3b703  amd64/9.2/RPMS/apache2-mod_proxy-2.0.47-6.4.92mdk.amd64.rpm
2fbf446a8c3d9bda09598415cb3c641d  amd64/9.2/RPMS/apache2-mod_ssl-2.0.47-6.4.92mdk.amd64.rpm
c6ab1265bf1ea5c2d34ac42293f5e12c  amd64/9.2/RPMS/apache2-modules-2.0.47-6.4.92mdk.amd64.rpm
b1d8ff422f5fd0dd161208018717f0e0  amd64/9.2/RPMS/apache2-source-2.0.47-6.4.92mdk.amd64.rpm
9995904303e6275524baf47b16adbe39  amd64/9.2/RPMS/lib64apr0-2.0.47-6.4.92mdk.amd64.rpm
7d51dac774f2d887b4856990dc9fd5b1  amd64/9.2/SRPMS/apache2-2.0.47-6.4.92mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

      http://www.mandrakesecure.net/en/ftp.php

All packages are signed by Mandrakesoft for security.  You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:

      gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrakelinux at:

      http://www.mandrakesecure.net/en/advisories/

Mandrakesoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

      http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>

======================================================================

        =========================================================
        Les serveurs de référence du CERT-Renater
        http://www.urec.fr/securite
        http://www.cru.fr/securite
        http://www.renater.fr 
	=========================================================
	+ CERT-RENATER		| tel : 01-53-94-20-44		+
	+ 151 bd de l'Hopital	| fax : 01-53-94-20-41		+
	+ 75013 Paris		| email: certsvp@renater.fr	+
	=========================================================