--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated mod_python package fixes a security issue Advisory ID: FLSA:152896 Issue date: 2006-04-04 Product: Red Hat Linux, Fedora Core Keywords: Bugfix, Security CVE Name: CVE-2005-0088 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: An Updated mod_python package that fixes a security issue in the publisher handler is now available. Mod_python is a module that embeds the Python language interpreter within the Apache web server, allowing handlers to be written in Python. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 3. Problem description: Graham Dumpleton discovered a flaw affecting the publisher handler of mod_python, used to make objects inside modules callable via URL. A remote user could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0088 to this issue. Users of mod_python are advised to upgrade to this updated package, which contains a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152896 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_python-2.7.8-1.7.3.3.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_python-2.7.8-1.7.3.3.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mod_python-3.0.1-4.1.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/mod_python-3.0.1-4.1.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mod_python-3.0.4-0.1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/mod_python-3.0.4-0.1.1.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- f936f1ddb29779efae651ff90a19fa17d4edb9f8 redhat/7.3/updates/i386/mod_python-2.7.8-1.7.3.3.legacy.i386.rpm d7792718f71006a00d5e932009dff9b8688330a5 redhat/7.3/updates/SRPMS/mod_python-2.7.8-1.7.3.3.legacy.src.rpm 6b1e637878a7af1f58f1127d07b7614334b71136 redhat/9/updates/i386/mod_python-3.0.1-4.1.legacy.i386.rpm 5ef5e32ac4d17f77c602d99299baab7f7c00c52d redhat/9/updates/SRPMS/mod_python-3.0.1-4.1.legacy.src.rpm d3959d23e0718b15a4a0b4fc4126b3198e7e98f8 fedora/1/updates/i386/mod_python-3.0.4-0.1.1.legacy.i386.rpm 20c04acf2eadcb2d99cf6c076a6d1ea34537ed24 fedora/1/updates/SRPMS/mod_python-3.0.4-0.1.1.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0088 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature