[SECURITY] Fedora Core 2 Test Update: httpd-2.0.51-2.5
by Joe Orton
Please add any feedback from testing these packages to:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130750
---------------------------------------------------------------------
Fedora Test Update Notification
FEDORA-2004-313
2004-09-17
---------------------------------------------------------------------
Product : Fedora Core 2
Name : httpd
Version : 2.0.51
Release : 2.5
Summary : Apache HTTP Server
Description :
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the
Internet.
---------------------------------------------------------------------
This update includes the latest stable release of Apache httpd 2.0,
including fixes for possible denial of service issues in mod_ssl and
mod_dav_fs, and a privilege elevation attack for local users.
---------------------------------------------------------------------
* Thu Sep 16 2004 Joe Orton <jorton(a)redhat.com> 2.0.51-2.5
- mod_ssl: prevent SIGHUP-triggers-SIGSEGV after upgrade from 2.0.50
- revert mod_ldap/mod_auth_ldap changes likewise
* Wed Sep 15 2004 Joe Orton <jorton(a)redhat.com> 2.0.51-2.1
- update to 2.0.51, including security fixes for:
* core: CAN-2004-0747
* mod_dav_fs: CAN-2004-0809
* mod_ssl: CAN-2004-0751, CAN-2004-0748
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/2/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command. You may
need to edit your up2date channels configuration. Within
/etc/sysconfig/rhn/sources enable the following line:
yum updates-testing http://fedora.redhat.com/updates/testing/fedora-core-2
---------------------------------------------------------------------
19 years, 8 months
[SECURITY] Fedora Core 1 Test Update: httpd-2.0.51-1.1
by Joe Orton
Please add any feedback from testing these packages to:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=132741
---------------------------------------------------------------------
Fedora Test Update Notification
FEDORA-2004-312
2004-09-17
---------------------------------------------------------------------
Product : Fedora Core 1
Name : httpd
Version : 2.0.51
Release : 1.1
Summary : Apache HTTP Server
Description :
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the
Internet.
---------------------------------------------------------------------
This update includes the latest stable release of Apache httpd 2.0,
including fixes for possible denial of service issues in mod_ssl and
mod_dav_fs, and a privilege elevation attack for local users.
---------------------------------------------------------------------
* Wed Sep 15 2004 Joe Orton <jorton(a)redhat.com> 2.0.51-1.1
- update to 2.0.51, including security fixes for:
* core: CAN-2004-0747
* mod_dav_fs: CAN-2004-0809
* mod_ssl: CAN-2004-0751, CAN-2004-0748
* Thu Jul 01 2004 Joe Orton <jorton(a)redhat.com> 2.0.50-1.0
- update to 2.0.50 (CVE CAN-2004-0488, CAN-2004-0493, #126864, #125047)
- mod_autoindex: don't truncate output on stat() failure (#126930)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/1/
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command. You may
need to edit your up2date channels configuration. Within
/etc/sysconfig/rhn/sources enable the following line:
yum updates-testing http://fedora.redhat.com/updates/testing/fedora-core-1
---------------------------------------------------------------------
19 years, 8 months
FC3 test1 install failure
by Chuck Adams
I have downloaded from
ftp://mirror.stanford.edu/
all the FC3-test1 .iso files for x86_64 and the md5sums
check correctly.
I have a Micro-Star International (MSI) K8N Neo motherboard
with NVIDIA nForce 3 Chipset and AMD Athlon 64 with
1GB of memory. Using either the PNY Technologies Verto
G-Force FX video board or Kaser S315E-32a AGP board
I get the same effect.
When I start up the install with either disc1 or the DVD disc
I get a startup screen that is black with a light to medium
blue mottled effect. This with a 17" 1280x1024 Sharp TFT
display.
The system is running FC2 2.6.2-1.521 at the present time
and memory diagnostics show no problems, so I know it is
not the hardware.
Any help appreciated.
Chuck Adams, K7QO CP-60 WPM
k7qo(a)commspeed.net
http://www.qsl.net/k7qo Ham Radio Stuff
http://www.commspeed.net/k7qo Physics Stuff
Moving to Arizona? Bring your own water, please.
19 years, 8 months
Gnome 2.8
by Paul F. Johnson
Hi,
Given 2.8 is due today, will it be today or tomorrow that we see them in
rawhide with the associated updates to the likes of Evolution etc?
TTFN
Paul
--
"If I face my God tomorrow, I can tell Him I am innocent.
I've never harmed anyone. I have cheated no one.
I have deceived no one. I have hurt no one.
Except myself. And that He will forgive me." - Hans Holzel
19 years, 8 months
dropped to shell on older installations - fsck too old
by Jim Cornette
I usually mount drives from one installation for usage in another
installation.
I noticed that if a drive was created while setting up a partition
in FC3T2, and you then boot into a pre-existing or newly created version of
an earlier installation, you will be dropped to a maintenance shell.
The error seems to point to a volume that is alright, but could not be
verified, because of too new of an installation.
Just a repeatable failure - newly installed FC3T1 and preexisting FC2
release were affected.
No data loss, but hard to catch onto why you are being dropped to a
maintenance shell.
Jim
--
How's the wife? Is she at home enjoying capitalism?
19 years, 8 months
Re: iptables SECURITY - default settings
by Wal
I am suggesting a more secure default setting-
# generated by ____
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SecLev505-INPUT - [0:0]
-I SecLev505-INPUT -p all -j DROP
-I SecLev505-INPUT -p udp -m udp -s <DNS_SERVER1> --sport 53 --dport 1025:65535 -j ACCEPT
-I SecLev505-INPUT -p udp -m udp -s <DNS_SERVER2> --sport 53 --dport 1025:65535 -j ACCEPT
-I SecLev505-INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-I SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
-I SecLev505-INPUT -i lo -s 0/0 -j ACCEPT
-I INPUT -j SecLev505-INPUT
:OUTPUT ACCEPT [0:0]
COMMIT
Alternately (with possible issue when rules actually get applied)-
# generated by ____
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SecLev505-INPUT - [0:0]
-A SecLev505-INPUT -i lo -s 0/0 -j ACCEPT
-A SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
-A SecLev505-INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A SecLev505-INPUT -p udp -m udp -s <DNS_SERVER2> --sport 53 --dport 1025:65535 -j ACCEPT
-A SecLev505-INPUT -p udp -m udp -s <DNS_SERVER1> --sport 53 --dport 1025:65535 -j ACCEPT
-A SecLev505-INPUT -p all -j DROP
-A INPUT -j SecLev505-INPUT
:OUTPUT ACCEPT [0:0]
COMMIT
How you get the rules assigned, by adding or by inserting, is personal
(artist) preference. If, however, the rules were ever added to an
active chain, there might be a period of time where undesired access
would exist until the "tighter" rule were applied. Applying the tightest
first lends itself to INSERTing other rules.
I like to start with the more secure settings and INSERT rules.
Besides, when I need to open access to a trusted system, I use-
iptables -I INPUT -s x.x.x.x -j ACCEPT
For most users, DROPing undesired hits is preferable. If you need to be
seen, I suggest INSERTing a rule before the "catch-all" DROP rule and
be more specific - like use REJECT for a 10.0.0.0/8 or for a specific
protocol.
DNS typically only uses TCP for zone transfers, which should only be
done with trusted systems. Most DNS usage is UDP based.
Most users need only the UDP access.
That part of the rules is done automagically when /etc/resolv.conf
changes.
I am running a DNS server for my internal lab, so I also use something like-
-I SecLev505-INPUT -p udp -m udp -s 192.168.8.0/24 --dport 53 -j ACCEPT
Regarding- Having a DROP policy this is redundant.
Yes, it is redundant. When implementing security, sometimes redundancy
is a good thing.
A good example of this is the access lists on Cisco routers. If you have
an access list applied to an interface, the default behavior (that is,
after going thru the list) is to drop packets. If you do not have a list,
the default is to allow all. There was a time when (due to a bug) the
access list setting did allow packets through (if no specified rules
blocked them). Having the last rule in the access list be any,any,deny
would have proven valuable.
Use of the 505 is intended to imply you can have other chains / rulesets
which are more or less secure, with other access requirements.
For those not familiar with iptables, this might help. Since I worked
with a certain firewall product, I actually had to do a double-take with
the name used.
19 years, 8 months
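An added example, not part of Wal's post: a simplified Python model of the add-versus-insert point made in the iptables message above, showing that both listings end in the same chain and what an unwanted packet sees while rules are loaded one command at a time. The resolver addresses, sample packets and the `fallthrough` verdict (standing for whatever happens to a packet no rule matches) are assumptions made for the illustration.

```python
# Added illustration (not from the post): simplified model of iptables chains.
DNS1, DNS2 = "192.0.2.53", "192.0.2.54"  # constructed stand-ins for <DNS_SERVER1>/<DNS_SERVER2>

def dns_reply_from(server):  # mirrors: -p udp -s <server> --sport 53 --dport 1025:65535
    return lambda p: (p["proto"] == "udp" and p["src"] == server
                      and p["sport"] == 53 and 1025 <= p["dport"] <= 65535)

# (name, match, target), listed top to bottom as in the -A variant of the post.
RULES = [
    ("lo", lambda p: p["iface"] == "lo", "ACCEPT"),
    ("syn", lambda p: p["proto"] == "tcp" and p.get("syn", False), "DROP"),
    ("estab", lambda p: p["proto"] == "tcp"
        and p.get("state") in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("dns2", dns_reply_from(DNS2), "ACCEPT"),
    ("dns1", dns_reply_from(DNS1), "ACCEPT"),
    ("all", lambda p: True, "DROP"),
]

def build(rules, insert):
    """Apply rules one command at a time; return the chain after each step."""
    chain, steps = [], []
    for rule in rules:
        chain.insert(0, rule) if insert else chain.append(rule)  # -I: top, -A: bottom
        steps.append(list(chain))
    return steps

def verdict(chain, pkt, fallthrough):
    """First matching rule wins; unmatched packets get the fall-through verdict."""
    for _name, match, target in chain:
        if match(pkt):
            return target
    return fallthrough

def names(chain):
    return [name for name, _match, _target in chain]

def exposure(steps, pkt, fallthrough):
    """Verdict for pkt after each step of a rule-by-rule load."""
    return [verdict(chain, pkt, fallthrough) for chain in steps]

APPEND_STEPS = build(RULES, insert=False)
INSERT_STEPS = build(list(reversed(RULES)), insert=True)  # -I variant lists rules bottom-up
# Constructed sample packets.
STRAY_UDP = {"iface": "eth0", "proto": "udp", "src": "203.0.113.9", "sport": 53, "dport": 40000}
DNS_REPLY = dict(STRAY_UDP, src=DNS1)
INBOUND_SYN = {"iface": "eth0", "proto": "tcp", "src": "203.0.113.9", "syn": True, "state": "NEW"}

if __name__ == "__main__":
    print("append:", exposure(APPEND_STEPS, STRAY_UDP, "ACCEPT"))
    print("insert:", exposure(INSERT_STEPS, STRAY_UDP, "ACCEPT"))
```

With a permissive fall-through, the appended chain lets the stray UDP packet through until the final catch-all DROP is in place, while the inserted chain drops it from the first command; with a DROP fall-through, as in the INPUT policy of the posted rulesets, neither order exposes it.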
Does gcc like glibc-2.3.3-51?
by sean darcy
I'm trying to build xine-libs on an updated test2.
glibc-2.3.3-51
gcc-3.4.1-10
I get this error:
gcc -DHAVE_CONFIG_H -I. -I. -I../../../..
-I../../../../src/input/vcd/libcdio -mtune=athlon -O3 -pipe
-fomit-frame-pointer -falign-functions=4 -falign-loops=4 -falign-jumps=4
-mpreferred-stack-boundary=2 -fexpensive-optimizations -fschedule-insns2
-fno-strict-aliasing -ffast-math -funroll-loops -finline-functions -Wall
-DNDEBUG -D_REENTRANT -D_FILE_OFFSET_BITS=64 -DXINE_COMPILE -Wpointer-arith
-Wnested-externs -Wcast-align -Wchar-subscripts -Wmissing-declarations
-Wmissing-prototypes -march=athlon-xp -m3dnow -msse -mmmx -mfpmath=sse
-ffast-math -Os -funit-at-a-time -c image/bincue.c -MT bincue.lo -MD -MP -MF
.deps/bincue.TPlo -o .libs/bincue.o
In file included from image/bincue.c:50:
/usr/include/glob.h:193: error: syntax error before "asm"
/usr/include/glob.h:197: error: syntax error before "asm"
make[6]: *** [bincue.lo] Error 1
make[6]: Leaving directory
`/usr/src/redhat/BUILD/xine-lib-1-rc6a/src/input/vcd/libcdio'
Is this a xine-lib error? It looks to me like gcc just doesn't like glob.h
from glibc.
sean
19 years, 8 months
FC3 Test 2 Support For Socket 939 Athlon 64 CPU
by Robert L Cochran
Is there a set of Fedora Core 3 installation CDs for Socket 939 Athlon
64 systems? I'm hoping to get an Athlon 64 3800+ cpu at the end of this
month. I already have the motherboard and memory. I might wait for the
90 nm chips to come out in October though -- if indeed they do, and if I
can remain patient.
Thanks
Bob Cochran
Greenbelt, Maryland, USA
19 years, 8 months
Fedora Core 2 Test Update: system-config-samba-1.2.15-0.fc2.1
by Nils Philippsen
Among some fixes this update lets the user configure the share name
instead of always using an automatically determined default. Please test
extensively. I plan to make this final by end of next week or so.
Nils
---------------------------------------------------------------------
Fedora Test Update Notification
FEDORA-2004-306
2004-09-16
---------------------------------------------------------------------
Product : Fedora Core 2
Name : system-config-samba
Version : 1.2.15
Release : 0.fc2.1
Summary : Samba server configuration tool
Description :
system-config-samba is a graphical user interface for creating,
modifying, and deleting samba shares.
---------------------------------------------------------------------
* Wed Sep 15 2004 Nils Philippsen <nphilipp(a)redhat.com> - 1.2.15-0.fc2.1
- write smbpasswd file when adding user (#132084)
* Sun Aug 15 2004 Nils Philippsen <nphilipp(a)redhat.com> - 1.2.14-1
- make share name configurable (#110804, use patch from Philip Van Hoof, fix
it up a bit)
- do some more code consolidation
* Tue Jul 20 2004 Brent Fox <bfox(a)redhat.com> - 1.2.13-1
- add 'cups option' entry (bug #128245)
* Wed Jun 23 2004 Brent Fox <bfox(a)redhat.com> - 1.2.12-1
- use popen instead of system (bug #112528)
* Tue Jun 22 2004 Brent Fox <bfox(a)redhat.com> - 1.2.11-1
- fix security and guest account defaults (bug #121745)
* Mon Jun 21 2004 Brent Fox <bfox(a)redhat.com> - 1.2.10-1
- write workgroup name explicitly (bug #126435)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/2/
04973b3fbd04f7ccf4ced81852a225d0 SRPMS/system-config-samba-1.2.15-0.fc2.1.src.rpm
8f4ca37d6d68881f5ebc753b591be578 x86_64/system-config-samba-1.2.15-0.fc2.1.noarch.rpm
8f4ca37d6d68881f5ebc753b591be578 i386/system-config-samba-1.2.15-0.fc2.1.noarch.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command. You may
need to edit your up2date channels configuration. Within
/etc/sysconfig/rhn/sources enable the following line:
yum updates-testing http://fedora.redhat.com/updates/testing/fedora-core-2
---------------------------------------------------------------------
--
Nils Philippsen / Red Hat / nphilipp(a)redhat.com
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
19 years, 8 months