WEBppliance for Linux 3.1.12 (LS)
Ensim today announces a maintenance release that resolves key issues.
You can upgrade to WEBppliance for Linux 3.1.12 (LS) from WEBppliance for Linux 3.1.11 (LS).
IMPORTANT: This patch can be installed on WEBppliance 3.1.11 for Linux ONLY. This upgrade could take several hours depending on the number of domains. It is recommended that you schedule the upgrade at a time of relatively low activity and inform the Resellers and the Site Administrators about the domain downtime.
This patch fixes the security vulnerabilities mentioned below:
MySQL buffer overflow vulnerability
In this bug, a Password field with a value longer than 16 characters can cause a buffer overflow. An attacker with the ability to modify the user table may be able to exploit this buffer overflow to execute arbitrary code as the MySQL user.
For more details on this please refer to http://rhn.redhat.com/errata/RHSA-2003-281.html
Perl Safe.pm vulnerability
When Safe.pm versions 2.0.7 and earlier are used with Perl 5.8.0 and earlier, it is possible for an attacker to break out of safe compartments within Safe::reval and Safe::rdo by using a redefined @_ variable.
For more details on this please refer to http://rhn.redhat.com/errata/RHSA-2003-256.html
Several minor bugs in Apache and mod_ssl.
A bug in the optional renegotiation code in mod_ssl can cause cipher suite restrictions to be ignored. For more details on this please refer to http://rhn.redhat.com/errata/RHSA-2003-301.html
Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to inject such sequences into terminal emulators that have escape-sequence related vulnerabilities. For more details on this please refer to http://rhn.redhat.com/errata/RHSA-2003-083.html
The successful exploitation of a bug present in the prescan() function of unpatched Sendmail versions prior to 8.12.10 can lead to heap and stack structure overflows. Although no exploit currently exists, this issue is locally exploitable and may also be remotely exploitable. For more details on this please refer to http://rhn.redhat.com/errata/RHSA-2003-283.html
X-Force Research at ISS has discovered a remotely exploitable bug in ProFTPD's handling of ASCII translations that an attacker can exploit, by downloading a carefully crafted file, to gain a root shell.
In addition to these, the quota compatibility bug has also been resolved in this release. For details on this bug, refer to Knowledge Base Article 732.
Download Location: http://download.swsoft.com/ensim/download/webppliance/linux/patches/3.1.12/
To install the patch, please follow the instructions below:
- Download the file LS-3.1.12-7.tar.gz from the download location mentioned above.
- Uncompress the file:
tar -xvzf LS-3.1.12-7.tar.gz
- Change the current directory to the directory where you have uncompressed the file.
- Run the following command:
# sh ./patch-install-3.1.12-7.sh
The install script verifies the current installation of WEBppliance to ensure that it complies with the patch requirements and then upgrades the required RPMs (requires root access).
The install script will restart the Apache, MySQL, and ProFTPD services automatically.
Also, refer to the Errata page for new additional fixes for this release.