From:	 secure@conectiva.com.br
To:	 conectiva-updates@papaleguas.conectiva.com.br,
	 linuxlist@securityportal.com, lwn@lwn.net, bugtraq@securityfocus.com,
	 security-alerts@linuxsecurity.com
Subject: [CLA-2001:421] Conectiva Linux Security Announcement - mod_auth_mysql
Date:	 Thu, 6 Sep 2001 14:22:33 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : mod_auth_mysql
SUMMARY   : Remote vulnerability in the mod_auth_mysql authentication module
DATE      : 2001-09-06 14:18:00
ID        : CLA-2001:421
RELEVANT
RELEASES  : 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
 "mod_auth_mysql" is an authentication module for apache which
 authenticates users against a MySQL database.
 RUS-CERT[3] discovered a vulnerability[1][2] in several Apache
 authentication modules which use SQL databases to retrieve user
 information. This vulnerability allows a remote attacker to change
 the query that the module sends to the SQL server and potentially
 circumvent the authentication process.
 The mysql_query() function, used by this module, does not allow
 multiple commands do be sent to the server, that is, the ";"
 character is not allowed. This restricts this vulnerability somewhat,
 since the attacker can no longer issue other commands besides the
 SELECT one the module is already doing, but he/she can still mangle
 this query and this should not be underestimated.
 Additionally, this update also fixes a problem with this package
 which wasn't linked against the MySQL libraries in previous releases.


SOLUTION
 All mod_auth_mysql users should upgrade.
 
 IMPORTANT: it is necessary to restart the apache server after
 applying the update.


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/mod_auth_mysql-1.11-1U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_auth_mysql-1.11-1U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/mod_auth_mysql-1.11-1U42_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_auth_mysql-1.11-1U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/mod_auth_mysql-1.11-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_auth_mysql-1.11-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/mod_auth_mysql-1.11-1U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_auth_mysql-1.11-1U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/mod_auth_mysql-1.11-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/mod_auth_mysql-1.11-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mod_auth_mysql-1.11-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mod_auth_mysql-1.11-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/mod_auth_mysql-1.11-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mod_auth_mysql-1.11-1U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/mod_auth_mysql-1.11-1U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mod_auth_mysql-1.11-1U50_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7l7DY42jd0JmAcZARAqfFAKDD8J5w+TNnRej5UvZsKCkW81mvGACaAjIh
NZG+Ynxoq8IOqEGOdzmkBrQ=
=JraI
-----END PGP SIGNATURE-----