Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 08, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see http://www.apache.org/dist/httpd/Announcement2.html.
Notified: April 08, 2003 Updated: April 11, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see http://lists.apple.com/mhonarc/security-announce/msg00028.html.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: May 01, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : apache
SUMMARY : Denial of service vulnerability
DATE : 2003-04-30 14:48:00
ID : CLA-2003:632
RELEVANT RELEASES : 9

DESCRIPTION

Apache[1] is the most popular webserver in use today.

This update fixes two security vulnerabilities:

1. Denial of service (CAN-2003-0132)[3]
David Endler from iDefense reported[2] a denial of service condition that affects the apache 2.0 branch which affects all unpatched servers up to and including version 2.0.44. There is a memory leak in these apache versions which can be remotely triggered by sending large chunks of consecutive linefeed characters. Each linefeed will cause the server to allocate 80 bytes of memory. A remote attacker can keep sending these simple requests until the server's memory is exhausted.

2. File descriptor leak[5]
Christian Kratzer and Bjoern A. Zeeb identified several file descriptor leaks to child processes, such as CGI scripts, which could constitute a security threat on servers that run untrusted CGI scripts.

The Apache HTTP Server Project released[4] Apache version 2.0.45 to address these issues, and this is the version provided via this update.

SOLUTION

It is recommended that all Apache users upgrade their packages.

IMPORTANT: it is necessary to manually restart the httpd server after upgrading the packages. In order to do this, execute the following as root:

service apache stop

(wait a few seconds and check with "ps ax|grep httpd" if there are any httpd processes running. On a busy webserver this could take a little longer)

service apache start

REFERENCES

1. http://httpd.apache.org/
2. http://www.idefense.com/advisory/04.08.03.txt
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132
4. http://www.apache.org/dist/httpd/Announcement2.html
5. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17206

UPDATED PACKAGES

ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_1cl.i386.rpm

ADDITIONAL INSTRUCTIONS

The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en

Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en

Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com

subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 08, 2003
Affected
Neither the stable nor the old stable distributions are affected by this problem. Apache 2 is only part of the unstable distribution and version 2.0.45-2 has been uploaded including the fix. Any package with a version of 2.0.45-2 or higher is fixed.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Not Affected
We do not ship Apache 2.x in any of our products, so we are not vulnerable to this issue.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 10, 2003
Not Affected
Foundry Networks is currently not shipping any products with Apache 2.x. Foundry Networks is not affected by the Apache vulnerability described in CERT VU#206537.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 17, 2003
Not Affected
Fujitsu's UXP/V OS is not affected by the problem in VU#206537 because it does not support Apache.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see GLSA 200304-01.
Notified: April 08, 2003 Updated: September 18, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
**REVISED 01**
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0304-256
Originally issued: 25 April 2003
Last Revised: 03 Sept. 2003
SSRT3534 Potential Security Vulnerabilities in Apache HTTP Server (rev. 1)

NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact.

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

PROBLEM: 1. A memory leak in Apache 2.0 through 2.0.44 potentially allows remote attackers to cause a denial of service (memory consumption). More details are available at:
Notified: April 08, 2003 Updated: April 14, 2003
Not Affected
Hitachi Web Server is NOT vulnerable, because it is not based on Apache 2.x.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Not Affected
The AIX operating system does not ship with the Apache web server. The AIX operating system is not vulnerable to the issues discussed in CERT vulnerability note VU#206537. The AIX Toolbox For Linux does not ship with a vulnerable version of the Apache web server. Please note that the AIX Toolbox for Linux is shipped "as is" and is unwarranted.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: September 18, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Mandrake Linux Security Update Advisory

Package name: apache2
Advisory ID: MDKSA-2003:050
Date: April 22nd, 2003
Affected versions: 9.1

Problem Description:

A memory leak was discovered in Apache 2.0 through 2.0.44 that can allow a remote attacker to cause a significant denial of service (DoS) by sending requests containing a lot of linefeed characters to the server.

As well, Apache does not filter terminal escape sequences from its log files, which could make it easy for an attacker to insert those sequences into the error and access logs, which could possibly be viewed by certain terminal emulators with vulnerabilities related to escape sequences.

After upgrading these packages, be sure to restart the httpd server by executing:

service httpd restart

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0132

Updated Packages:

Mandrake Linux 9.1
Mandrake Linux 9.1/PPC

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

To upgrade automatically, use MandrakeUpdate. The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

rpm --checksig
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 10, 2003
Affected
Red Hat Linux 8.0 and Red Hat Linux 9 ship with a httpd package that includes Apache 2 and are therefore vulnerable to this issue. Updated httpd packages are available along with our advisory at the URL below. Users of the Red Hat Network can update their systems using the 'up2date' tool. http://rhn.redhat.com/errata/RHSA-2003-139.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: September 18, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
SGI Security Advisory

Title : Security Vulnerabilities in MediaBase Apache and PHP
Number : 20030502-01-I
Date : May 19, 2003
Reference: Kasenna Support Issue # 1095 and # 1330
Fixed in : Patches from Kasenna Support Website

--- Issue Specifics ---

It's been reported that Kasenna Mediabase has insecure versions of Apache and PHP.

SGI has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems.

These issues have been corrected with patches and in future releases of MediaBase.

--- Impact ---

MediaBase is an optional product from Kasenna, and is not installed by default on IRIX 6.5 systems.

To determine the version of IRIX you are running, execute the following command:

# /bin/uname -R

That will return a result similar to the following:

# 6.5 6.5.16f

The first number ("6.5") is the release name, the second ("6.5.16f" in this case) is the extended release name. The extended release name is the "version" we refer to throughout this document.

To see if mediabase is installed, execute the following command:

% versions -b | grep mbase
I mbase_client 06/01/2000 WebFORCE MediaBase 2.1 - Client
I mbase_players 10/06/2000 SGI MediaBase 4.0.1 - Players packaged for installation on server
I mbase_root 12/24/2000 SGI MediaBase 4.0.1 - Development ROOT Files
I mbase_server 10/06/2000 SGI MediaBase 4.0.1 - MediaBase Server Execution Environment
I mbase_server_spk1 12/24/2000 SGI MediaBase 4.0.1 - MediaBase Server Service Pack 1

To determine if the version of Apache installed as part of MediaBase is vulnerable, execute the following command:

% /usr/kasenna/apache/bin/httpd -v
Server version: Apache/1.3.14 (Unix)
Server built: Dec 20 2000 15:52:52

If the version shown (in this case 1.3.14) is lower than 1.3.27, then the system is vulnerable.

To determine if the version of PHP installed as part of MediaBase is vulnerable, execute the following commands:

%/usr/bin/elfdump -L /usr/mbase/asset_gateway/php_apache.so | grep TIMSTAMP
[46] TIMSTAMP Jan 13 14:50:39 2003

%/usr/bin/elfdump -L /usr/mbase/asset_gateway/php_mediabase.so | grep TIMSTAMP
[45] TIMSTAMP Jan 10 14:02:48 2003

If the value shown for "TIMSTAMP" is earlier than the ones shown, then the system is vulnerable.

--- Temporary Workaround ---

There is no effective workaround available for these problems if MediaBase is needed. SGI and Kasenna recommend installing the patches shown below from the Kasenna website.

--- Solution ---

Kasenna MediaBase is an optional product, the system is vulnerable if a vulnerable version of MediaBase and its associated Apache and PHP components are installed. Please run the commands shown in the "Impact" section above and install the patches if those commands show the system to be vulnerable.

Kasenna has provided patches for these vulnerabilities. Our recommendation is to install the patches provided by Kasenna.

To obtain the Kasenna MediaBase patches, go to http://support.kasenna.com/ and install the patches shown in support issue 1095 (apache) and 1033 (PHP).

--- Acknowledgments ---

SGI wishes to thank FIRST and the users of the Internet Community at large for their assistance in this matter.

--- Links ---

SGI Security Advisories can be found at: http://www.sgi.com/support/security/ and ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at: http://www.sgi.com/support/security/ and ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers: http://support.sgi.com/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at: http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on: http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at: http://support.sgi.com/

SGI patches for Windows NT or 2000 can be found at: http://support.sgi.com/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: http://support.sgi.com/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at: http://support.sgi.com/

IRIX 6.5 Software Update CDs can be obtained from: http://support.sgi.com/

The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com. Security advisories and patches are located under the URL ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors patches.sgi.com security FTP repository) lags behind and does not do a real-time update.

--- SGI Security Information/Contacts ---

If there are questions about this document, email can be sent to security-info@sgi.com.

------oOo------

SGI provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com. Security advisories and patches are located under the URL ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL: http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to security-info@sgi.com.

For assistance obtaining or working with security patches, please contact your SGI support provider.

------oOo------

SGI provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/support/security/wiretap.html) or by sending email to SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap
Notified: April 08, 2003 Updated: July 24, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 08, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: May 30, 2003
Not Affected
A response to this vulnerability is available from our web site: http://www.xerox.com/security.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 08, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.