===================================================================== CERT-Renater Note d'Information No. 2005/VULN119 _____________________________________________________________________ DATE : 24/02/2005 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running mod_python. ====================================================================== - -------------------------------------------------------------------------- Debian Security Advisory DSA 689-1 security@debian.org http://www.debian.org/security/ Martin Schulze February 23rd, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : libapache-mod-python Vulnerability : missing input sanisiting Problem-Type : remote Debian-specific: no CVE ID : CAN-2005-0088 Graham Dumpleton discovered a flaw which can affect anyone using the publisher handle of the Apache Software Foundation's mod_python. The publisher handle lets you publish objects inside modules to make them callable via URL. The flaw allows a carefully crafted URL to obtain extra information that should not be visible (information leak). For the stable distribution (woody) this problem has been fixed in version 2.7.8-0.0woody5. For the unstable distribution (sid) this problem has been fixed in version 2.7.10-4 of libapache-mod-python and in version 3.1.3-3 of libapache2-mod-python. We recommend that you upgrade your libapache-mod-python package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5.dsc Size/MD5 checksum: 715 b0716ef2fca40600c41d77c45bcc4167 http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5.diff.gz Size/MD5 checksum: 8261 69110f0e179d5b6f93542233ca6014c4 http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8.orig.tar.gz Size/MD5 checksum: 176639 4d5bee8317bfb45a3bb09f02b435e917 Alpha architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_alpha.deb Size/MD5 checksum: 120410 64e141ce045b242ce8372b0a2b4be1d7 ARM architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_arm.deb Size/MD5 checksum: 118242 d5738e2ae1a50394ad6964c6fc698652 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_i386.deb Size/MD5 checksum: 117626 acc4d8975aff9f0df543ba7015781ac3 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_ia64.deb Size/MD5 checksum: 131522 d7ad903ce69e71242e62ad37b7faa91a HP Precision architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_hppa.deb Size/MD5 checksum: 120182 6bce263b5cb8b4f4812c56483aa50e37 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_m68k.deb Size/MD5 checksum: 118688 3bf883aeee5ad3918b8dc303269f4475 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_mips.deb Size/MD5 checksum: 117644 5221344e02f32234c1e889d6d66f6f5d Little endian MIPS architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_mipsel.deb Size/MD5 checksum: 117386 e3acec959d1bfbdfcc10a6faff7c83cf PowerPC architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_powerpc.deb Size/MD5 checksum: 118564 574476da068dc51a89d434506059483b IBM S/390 architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_s390.deb Size/MD5 checksum: 119368 a5bf1d308b8fd847af7c22a657316834 Sun Sparc architecture: http://security.debian.org/pool/updates/main/liba/libapache-mod-python/libapache-mod-python_2.7.8-0.0woody5_sparc.deb Size/MD5 checksum: 118498 841af8c2e626a24c182cee27d7e71a24 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================