FYI (Fw: [CLA-2001:427] Conectiva Linux Security Announcement - mod_auth_pgsql)

I imagine that some here are using mod_auth_pgsql, and thought that I'd
pass this along for those who aren't subscribed to Bugtraq. While this is
a Conective security announcement, it looks like all versions of
mod_auth_pgsql are vulnerable that were downloaded before the 25th or
26th.

steve

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ----------------------------------------------------------------------
----
> CONECTIVA LINUX SECURITY ANNOUNCEMENT
> - ----------------------------------------------------------------------
----
>
> PACKAGE : mod_auth_pgsql
> SUMMARY : Remote vulnerability allows an attacker to bypass
authentication
> DATE : 2001-09-28 11:26:00
> ID : CLA-2001:427
> RELEVANT
> RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1,
6.0, 7.0
>
> - ----------------------------------------------------------------------
---
>
> DESCRIPTION
> "mod_auth_mysql" is an authentication module for apache which
> authenticates users against a PostgreSQL database.
> RUS-CERT discovered a vulnerability[1][3] in several Apache
> authentication modules which use SQL databases to retrieve user
> information. This vulnerability allows a remote attacker to change
> the query that the module sends to the SQL server and circumvent the
> authentication process.
> This vulnerability is *still* present in the 0.9.6 version in a
> slightly different fashion:
>
> Username: '';; select ''bla
> Password: bla
>
> The author has been notified and released version 0.9.9 on Sep 25th
> to address this problem[2].
> Additionally, this is also a bugfix update for this package, which
> wasn't linked against the PostgreSQL libraries in our previous
> releases.
>
>
> SOLUTION
> It is recommended that all mod_auth_pgsql users upgrade the package.
> All versions released here, even being older, have patches to address
> this problem. The update for the 0.8 version also contains the
> snprintf() patches from Erik Rossen.
>
> IMPORTANT: it is necessary to restart the Apache web server after
> updating these packages.
>
>
> REFERENCES
> 1. http://cert.uni-stuttgart.de/advisories/apache_auth.php
> 2. http://www.giuseppetanzilli.it/mod_auth_pgsql/
> 3. http://www.securityfocus.com/bid/3251
>
>
> DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
>
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/mod_auth_pgsql-0.8-4U40_3cl.
src.rpm
>
ftp://atualizacoes.conectiva.com.br/4.0/i386/mod_auth_pgsql-0.8-4U40_3cl.i
386.rpm
>
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/mod_auth_pgsql-0.8-4U40_3c
l.src.rpm
>
ftp://atualizacoes.conectiva.com.br/4.0es/i386/mod_auth_pgsql-0.8-4U40_3cl
.i386.rpm
>
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/mod_auth_pgsql-0.8-4U41_3cl.
src.rpm
>
ftp://atualizacoes.conectiva.com.br/4.1/i386/mod_auth_pgsql-0.8-4U41_3cl.i
386.rpm
>
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/mod_auth_pgsql-0.8-4U42_3cl.
src.rpm
>
ftp://atualizacoes.conectiva.com.br/4.2/i386/mod_auth_pgsql-0.8-4U42_3cl.i
386.rpm
>
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/mod_auth_pgsql-0.8-4U50_3cl.
src.rpm
>
ftp://atualizacoes.conectiva.com.br/5.0/i386/mod_auth_pgsql-0.8-4U50_3cl.i
386.rpm
>
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/mod_auth_pgsql-0.8-4U51_3cl.
src.rpm
>
ftp://atualizacoes.conectiva.com.br/5.1/i386/mod_auth_pgsql-0.8-4U51_3cl.i
386.rpm
>
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/mod_auth_pgsql-0.8-4U60_3cl.
src.rpm
>
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/mod_auth_pgsql-0.8-4U60_3cl.i
386.rpm
>
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/mod_auth_pgsql-0.9.6-1U70_2c
l.src.rpm
>
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mod_auth_pgsql-0.9.6-1U70_2cl
.i386.rpm
>
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/mod_auth_p
gsql-0.8-4U50_3cl.src.rpm
>
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mod_auth_pg
sql-0.8-4U50_3cl.i386.rpm
>
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/mod_auth_pg
sql-0.8-4U50_3cl.src.rpm
>
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mod_auth_pgs
ql-0.8-4U50_3cl.i386.rpm
>
>
> ADDITIONAL INSTRUCTIONS
> Users of Conectiva Linux version 6.0 or higher may use apt to perform
> upgrades of RPM packages:
> - add the following line to /etc/apt/sources.list if it is not there
yet
> (you may also use linuxconf to do this):
>
> rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
>
> (replace 6.0 with the correct version number if you are not running
CL6.0)
>
> - run: apt-get update
> - after that, execute: apt-get upgrade
>
> Detailed instructions reagarding the use of apt and upgrade examples
> can be found at
http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en