Red Hat Product Errata RHSA-2009:0259 - Security Advisory

Issued:: 2009-02-11
Updated:: 2009-02-11

RHSA-2009:0259 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: mod_auth_mysql security update

Type/Severity

Security Advisory: Moderate

Topic

An updated mod_auth_mysql package to correct a security issue is now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

The mod_auth_mysql package includes an extension module for the Apache HTTP
Server which can be used to implement web user authentication against a
MySQL database.

A flaw was found in the way mod_auth_mysql escaped certain
multibyte-encoded strings. If mod_auth_mysql was configured to use a
multibyte character set that allowed a backslash '\' as part of the
character encodings, a remote attacker could inject arbitrary SQL commands
into a login request. (CVE-2008-2384)

Note: This flaw only affected non-default installations where
AuthMySQLCharacterSet is configured to use one of the affected multibyte
character sets. Installations that did not use the AuthMySQLCharacterSet
configuration option were not vulnerable to this flaw.

All mod_auth_mysql users are advised to upgrade to the updated package,
which contains a backported patch to resolve this issue. After installing
the update, the httpd daemon must be restarted for the fix to take effect.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

Red Hat Enterprise Linux Server 5 x86_64
Red Hat Enterprise Linux Server 5 ia64
Red Hat Enterprise Linux Server 5 i386
Red Hat Enterprise Linux Server - Extended Update Support 5.3 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 5.3 ia64
Red Hat Enterprise Linux Server - Extended Update Support 5.3 i386
Red Hat Enterprise Linux Server - AUS 5.3 x86_64
Red Hat Enterprise Linux Server - AUS 5.3 ia64
Red Hat Enterprise Linux Server - AUS 5.3 i386
Red Hat Enterprise Linux Workstation 5 x86_64
Red Hat Enterprise Linux Workstation 5 i386
Red Hat Enterprise Linux for IBM z Systems 5 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.3 s390x
Red Hat Enterprise Linux for Power, big endian 5 ppc
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.3 ppc
Red Hat Enterprise Linux Server from RHUI 5 x86_64
Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

BZ - 480238 - CVE-2008-2384 mod_auth_mysql: character encoding SQL injection flaw

CVEs

CVE-2008-2384

References

http://www.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
mod_auth_mysql-3.0.0-3.2.el5_3.src.rpm	SHA-256: 7eaf39cd18a2285a08dd02c21c7c642f10d74a78c729dbce8a4e15fe4e53277e
x86_64
mod_auth_mysql-3.0.0-3.2.el5_3.x86_64.rpm	SHA-256: 887e36ec415a89b09c6b02a78e0d73d839be878f1e069224d2225f96f66bd54f
ia64
mod_auth_mysql-3.0.0-3.2.el5_3.ia64.rpm	SHA-256: 2a07d327b9ebd282485d57079dbbac8b25d1e8a48ffbd1a08d8f9dbae2ac82f8
i386
mod_auth_mysql-3.0.0-3.2.el5_3.i386.rpm	SHA-256: 177cc4ee5413ce1b37e59d8630c93a14379156cfab48cff7c67aed7dab3b711e

Red Hat Enterprise Linux Workstation 5

SRPM
mod_auth_mysql-3.0.0-3.2.el5_3.src.rpm	SHA-256: 7eaf39cd18a2285a08dd02c21c7c642f10d74a78c729dbce8a4e15fe4e53277e
x86_64
mod_auth_mysql-3.0.0-3.2.el5_3.x86_64.rpm	SHA-256: 887e36ec415a89b09c6b02a78e0d73d839be878f1e069224d2225f96f66bd54f
i386
mod_auth_mysql-3.0.0-3.2.el5_3.i386.rpm	SHA-256: 177cc4ee5413ce1b37e59d8630c93a14379156cfab48cff7c67aed7dab3b711e

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
mod_auth_mysql-3.0.0-3.2.el5_3.src.rpm	SHA-256: 7eaf39cd18a2285a08dd02c21c7c642f10d74a78c729dbce8a4e15fe4e53277e
s390x
mod_auth_mysql-3.0.0-3.2.el5_3.s390x.rpm	SHA-256: 184314d255eaa7b95a9e52be27c6adcd0e22a8ee359b1ce3ada353302a30bf56

Red Hat Enterprise Linux for Power, big endian 5

SRPM
mod_auth_mysql-3.0.0-3.2.el5_3.src.rpm	SHA-256: 7eaf39cd18a2285a08dd02c21c7c642f10d74a78c729dbce8a4e15fe4e53277e
ppc
mod_auth_mysql-3.0.0-3.2.el5_3.ppc.rpm	SHA-256: 4d536fcc88bab30b5d083e78f360376ba0cffff59984c8d72eb168a4a2bed4fb

Red Hat Enterprise Linux Server from RHUI 5

SRPM
mod_auth_mysql-3.0.0-3.2.el5_3.src.rpm	SHA-256: 7eaf39cd18a2285a08dd02c21c7c642f10d74a78c729dbce8a4e15fe4e53277e
x86_64
mod_auth_mysql-3.0.0-3.2.el5_3.x86_64.rpm	SHA-256: 887e36ec415a89b09c6b02a78e0d73d839be878f1e069224d2225f96f66bd54f
i386
mod_auth_mysql-3.0.0-3.2.el5_3.i386.rpm	SHA-256: 177cc4ee5413ce1b37e59d8630c93a14379156cfab48cff7c67aed7dab3b711e

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories