[cobalt-security] Seems that SUN woke up :-)
- Subject: [cobalt-security] Seems that SUN woke up :-)
- From: Jan Wildeboer <jan.wildeboer@xxxxxx>
- Date: Tue, 25 Jun 2002 14:33:32 +0200
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
From the web-based forum:
The information contained in this Security Bulletin is provided "AS
IS." Sun makes no warranties of any kind whatsoever with respect to the
information contained in this Security Bulletin. ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF
NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT
ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL,
INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY
THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE
INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF SUN
MICROSYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
If any of the above provisions are held to be in violation of applicable
law, void, or unenforceable in any jurisdiction, then such provisions
are waived to the extent necessary for this disclaimer to be otherwise
enforceable in such jurisdiction.
-------------------
Sun Cobalt is aware of a vulnerability in the Apache webserver installed
on SunCobalt products. This vulnerability could be used to issue a
Denial of Service against an affected machine. Some reports have been
made that some non-Sun Cobalt versions of Apache can allow a remote
shell exploit.
Please see http://www.cert.org/advisories/CA-2002-17.html for more details.
Sun Cobalt is currently testing PKG format files for all products
which should be available on 6/28/2002. When available these packages
will be installable via the user interface or through BlueLinq on
products supporting the BlueLinq interface.
Until a PKG format update is available for your product, you can install
the experimental RPM files on your system. These files are the same
files that would be installed if you wait for the PKG format files and
will not interfere with the PKG files when they are released. These
files fix the underlying security vulnerability that could allow a
denial-of-service attack or possibly a remote shell exploit in the
Apache server.
The RPM files are available at the following URL:
ftp://ftp-eng.cobalt.com/pub/unsupported/
Each product has a directory. In the product directory you will find an
RPMS directory. For example the RaQ4 product files are as follows:
ftp://ftp-eng.cobalt.com/pub/unsupported/raq4/apache-1.3.20-RaQ4_1C1experimental.i386.rpm
ftp://ftp-eng.cobalt.com/pub/unsupported/raq4/apache-admsrv-1.3.20-RaQ4_1C1experimental.i386.rpm
ftp://ftp-eng.cobalt.com/pub/unsupported/raq4/apache-devel-1.3.20-RaQ4_1C1experimental.i386.rpm
ftp://ftp-eng.cobalt.com/pub/unsupported/raq4/apache-mod_perl-1.3.20-RaQ4_1C1experimental.i386.rpm
ftp://ftp-eng.cobalt.com/pub/unsupported/raq4/apache-openssl-1.3.20-RaQ4_1C1experimental.i386.rpm
RPM files are currently available for the RaQ 4, RaQ 550, RaQ XTR, and
Qube 3. Versions of the RPM files will be made available in these
directories as they become available. Note that for some products there
are only four files.
RPM files can be installed with the following command:
rpm -Uvh rpmfile
Where rpmfile is the name of the Apache server file you are installing.
Please monitor the SunCobalt KnowledgeBase at
http://cobalt-knowledge.sun.com and the download site at
http://www.cobalt.com/support/downloads/ for any updated information.
---------------
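
Added example, not part of the bulletin or of Sun Cobalt's tooling: a post-install check that lists any installed apache package still at a release other than the fixed one, which catches an upgrade where only some of the RPM files were applied. The release string is copied from the RaQ4 file names above; the function names, the sample package list and the older release strings in it are constructed for illustration.

```shell
#!/bin/sh
# Added example; not part of the Sun Cobalt bulletin.
# Version-release string copied from the RaQ4 file names in the bulletin.
# Assumption: other products use their own string, so FIXED can be overridden.
FIXED="${FIXED:-1.3.20-RaQ4_1C1experimental}"

# Reads "NAME VERSION-RELEASE" lines on stdin, prints every apache package
# whose version-release differs from $FIXED, and returns 1 if any were found.
stale_apache_packages() {
    stale=0
    while read -r name verrel; do
        case "$name" in
            apache|apache-*)
                if [ "$verrel" != "$FIXED" ]; then
                    printf '%s %s\n' "$name" "$verrel"
                    stale=1
                fi
                ;;
        esac
    done
    return "$stale"
}

# Constructed sample: a half-finished upgrade where two packages were missed.
sample_partial_upgrade() {
    cat <<EOF
apache 1.3.20-RaQ4_1C1experimental
apache-admsrv 1.3.20-RaQ4_1C1experimental
apache-mod_perl 1.3.20-RaQ4_1C1
apache-openssl 1.3.20-RaQ4_1C1
openssl 0.9.6b-1
EOF
}

# On a live system, feed the function from the RPM database instead:
#   rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' | stale_apache_packages
sample_partial_upgrade | stale_apache_packages \
    || echo "the apache packages listed above still need rpm -Uvh"
```

Products that ship only four files pass the check as long as every apache package that is installed carries the fixed release.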