Security Advisory Moderate: mod_auth_mysql security update

Advisory: RHSA-2010:1002-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-12-21
Last updated on: 2010-12-21
Affected Products: Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server EUS (v. 6.0.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2008-2384

Details

An updated mod_auth_mysql package that fixes one security issue is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The mod_auth_mysql package includes an extension module for the Apache HTTP
Server, which can be used to implement web user authentication against a
MySQL database.

A flaw was found in the way mod_auth_mysql escaped certain
multibyte-encoded strings. If mod_auth_mysql was configured to use a
multibyte character set that allowed a backslash ("\") as part of the
character encodings, a remote attacker could inject arbitrary SQL commands
into a login request. (CVE-2008-2384)

Note: This flaw only affected non-default installations where
AuthMySQLCharacterSet is configured to use one of the affected multibyte
character sets. Installations that did not use the AuthMySQLCharacterSet
configuration option were not vulnerable to this flaw.
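A configuration audit for the condition in the note above, as an added example that is not part of the advisory or of mod_auth_mysql. It finds active AuthMySQLCharacterSet directives and reports "flag" when the configured character set lets byte 0x5C (backslash) appear as the second byte of a multibyte character, which is the property the advisory describes and matters on hosts still running the unpatched package. The MySQL-to-Python codec mapping, the helper names and the sample configuration are assumptions made for this example; the advisory itself does not list the affected character sets.

```python
import re

# MySQL charset name -> Python codec used to probe it (mapping assumed for this example)
MYSQL_TO_CODEC = {
    "big5": "big5", "gbk": "gbk", "sjis": "shift_jis", "cp932": "cp932", "ujis": "euc_jp",
    "euckr": "euc_kr", "gb2312": "gb2312", "utf8": "utf-8", "latin1": "latin-1",
}
DIRECTIVE = re.compile(r"^\s*AuthMySQLCharacterSet\s+(\S+)", re.IGNORECASE)

# Constructed sample configuration, not taken from a real host
SAMPLE_CONF = """\
<Directory /var/www/private>
    AuthType Basic
    AuthMySQLCharacterSet gbk
</Directory>
<Directory /var/www/intranet>
    # AuthMySQLCharacterSet sjis
    AuthMySQLCharacterSet utf8
</Directory>
"""

def backslash_can_be_trail_byte(codec):
    """True if a high lead byte followed by 0x5C decodes to a single character."""
    for lead in range(0x80, 0x100):
        try:
            if len(bytes([lead, 0x5C]).decode(codec)) == 1:
                return True
        except UnicodeDecodeError:
            continue  # not a valid sequence in this encoding
    return False

def audit(conf_text):
    """Return (line_no, charset, verdict) for every active directive."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines do not match
        if not m:
            continue
        name = m.group(1).strip("\"'").lower()
        codec = MYSQL_TO_CODEC.get(name)
        if codec is None:
            verdict = "unknown charset"  # not in the mapping: review by hand
        else:
            verdict = "flag" if backslash_can_be_trail_byte(codec) else "ok"
        findings.append((no, name, verdict))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

Hosts with no AuthMySQLCharacterSet directive produce an empty result, matching the advisory's statement that such installations were not vulnerable.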

All mod_auth_mysql users are advised to upgrade to this updated package,
which contains a backported patch to correct this issue. After installing
the updated package, the httpd daemon must be restarted for the update to
take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux Server (v. 6)

SRPMS:
mod_auth_mysql-3.0.0-11.el6_0.1.src.rpm

IA-32:
mod_auth_mysql-3.0.0-11.el6_0.1.i686.rpm
mod_auth_mysql-debuginfo-3.0.0-11.el6_0.1.i686.rpm

PPC:
mod_auth_mysql-3.0.0-11.el6_0.1.ppc64.rpm
mod_auth_mysql-debuginfo-3.0.0-11.el6_0.1.ppc64.rpm

s390x:
mod_auth_mysql-3.0.0-11.el6_0.1.s390x.rpm
mod_auth_mysql-debuginfo-3.0.0-11.el6_0.1.s390x.rpm

x86_64:
mod_auth_mysql-3.0.0-11.el6_0.1.x86_64.rpm
mod_auth_mysql-debuginfo-3.0.0-11.el6_0.1.x86_64.rpm
 
Red Hat Enterprise Linux Server EUS (v. 6.0.z)

SRPMS:
mod_auth_mysql-3.0.0-11.el6_0.1.src.rpm

IA-32:
mod_auth_mysql-3.0.0-11.el6_0.1.i686.rpm
mod_auth_mysql-debuginfo-3.0.0-11.el6_0.1.i686.rpm

PPC:
mod_auth_mysql-3.0.0-11.el6_0.1.ppc64.rpm
mod_auth_mysql-debuginfo-3.0.0-11.el6_0.1.ppc64.rpm

s390x:
mod_auth_mysql-3.0.0-11.el6_0.1.s390x.rpm
mod_auth_mysql-debuginfo-3.0.0-11.el6_0.1.s390x.rpm

x86_64:
mod_auth_mysql-3.0.0-11.el6_0.1.x86_64.rpm
mod_auth_mysql-debuginfo-3.0.0-11.el6_0.1.x86_64.rpm
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
mod_auth_mysql-3.0.0-11.el6_0.1.src.rpm

IA-32:
mod_auth_mysql-3.0.0-11.el6_0.1.i686.rpm
mod_auth_mysql-debuginfo-3.0.0-11.el6_0.1.i686.rpm

x86_64:
mod_auth_mysql-3.0.0-11.el6_0.1.x86_64.rpm
mod_auth_mysql-debuginfo-3.0.0-11.el6_0.1.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

480238 - CVE-2008-2384 mod_auth_mysql: character encoding SQL injection flaw


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/