当关闭usecanonicalname并启用通配符dns时,mod_ssl Apache模块2.8.9及更早版本中的跨站点脚本漏洞允许远程攻击者通过ssl端口上的https响应中的服务器名以其他网站访问者的身份执行脚本,该服务器名用 self-referencing URL,这与can-2002-0840不同。
MandrakeSoft------------MandrakeSoft已经为此发布了一个安全公告(MDKSA-2002:072)以及相应补丁:MDKSA-2002:072:mod_ssl链接:http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-072.php补丁下载:Updated Packages:Linux-Mandrake 7.2:ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/mod_ssl-2.8.5-3.2mdk.i586.rpmftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/SRPMS/mod_ssl-2.8.5-3.2mdk.src.rpmMandrake Linux 8.0:ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/mod_ssl-2.8.5-3.2mdk.i586.rpmftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/SRPMS/mod_ssl-2.8.5-3.2mdk.src.rpmMandrake Linux 8.0/ppc:ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/mod_ssl-2.8.5-3.2mdk.ppc.rpmftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/SRPMS/mod_ssl-2.8.5-3.2mdk.src.rpmMandrake Linux 8.1:ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/mod_ssl-2.8.5-3.2mdk.i586.rpmftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/SRPMS/mod_ssl-2.8.5-3.2mdk.src.rpmMandrake Linux 8.1/ia64:ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/mod_ssl-2.8.5-3.2mdk.ia64.rpmftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/SRPMS/mod_ssl-2.8.5-3.2mdk.src.rpmMandrake Linux 8.2:ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/mod_ssl-2.8.7-3.2mdk.i586.rpmftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/SRPMS/mod_ssl-2.8.7-3.2mdk.src.rpmMandrake Linux 8.2/ppc:ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/mod_ssl-2.8.7-3.2mdk.ppc.rpmftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/SRPMS/mod_ssl-2.8.7-3.2mdk.src.rpmMandrake Linux 9.0:ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/mod_ssl-2.8.10-5.1mdk.i586.rpmftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/mod_ssl-2.8.10-5.1mdk.src.rpmSingle Network Firewall 7.2:ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/snf7.2/RPMS/mod_ssl-2.8.4-5.2mdk.i586.rpmftp://download.sourceforge.net/pub/mirrors/mandrake/updates/snf7.2/SRPMS/mod_ssl-2.8.4-5.2mdk.src.rpm上述升级软件还可以在下列地址中的任意一个镜像ftp服务器上下载:http://www.mandrakesecure.net/en/ftp.phpDebian------Debian已经为此发布了一个安全公告(DSA-181-1)以及相应补丁:DSA-181-1:New mod_ssl packages fix cross site scripting链接:http://www.debian.org/security/2002/dsa-181补丁下载:Source archives:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4.dscSize/MD5 checksum: 705 db7c60ce194c218b07b79968585a3065http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4.diff.gzSize/MD5 checksum: 20194 4c9fd112ca2a50ccbb21f76917012b88http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9.orig.tar.gzSize/MD5 checksum: 695247 cb0f2e07065438396f0d5df403dd2c16Architecture independent components:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl-doc_2.4.10-1.3.9-1potato4_all.debSize/MD5 checksum: 278090 12bc6e09fb5ec76f4b37ed5c295470ebAlpha architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_alpha.debSize/MD5 checksum: 211734 c4d690aed7c335ceeb204dd913e36a39ARM architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_arm.debSize/MD5 checksum: 203106 5847b3d90d092dfa6e806a6d9ee8fe90Intel IA-32 architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_i386.debSize/MD5 checksum: 199266 6c89113c7cf5d0e82c436fe967c7b2f3Motorola 680x0 architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_m68k.debSize/MD5 checksum: 203612 0631d1e03e921c5a10ff2f4f6e0093f8PowerPC architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_powerpc.debSize/MD5 checksum: 201282 98666b5d76aa20e5a5e1b5ee331a9b71Sun Sparc architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_sparc.debSize/MD5 checksum: 202150 9f9df58c9cf85683d65ddd92f2c8551eDebian GNU/Linux 3.0 alias woody--------------------------------Source archives:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1.dscSize/MD5 checksum: 678 8326399384a276295ed312f3314f8b2ahttp://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1.diff.gzSize/MD5 checksum: 21672 3c6e87aad1113d19c04e2824e7fc6345http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9.orig.tar.gzSize/MD5 checksum: 752613 aad438a4eaeeee29ae74483f7afe9db0Architecture independent components:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl-doc_2.8.9-2.1_all.debSize/MD5 checksum: 287898 7c5f6a20d23ec97bd7d0f8ec5bd14172Alpha architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_alpha.debSize/MD5 checksum: 247800 0e6312d4ce0a5acd4f0291aff658f8eeARM architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_arm.debSize/MD5 checksum: 240094 9bf9083652950cc47033d4774de9737fIntel IA-32 architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_i386.debSize/MD5 checksum: 238156 9756a3701103f8779c65455c968898c3Intel IA-64 architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_ia64.debSize/MD5 checksum: 268682 b00a8b74ecda50dea58ab8ab199f8f33HP Precision architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_hppa.debSize/MD5 checksum: 248092 102048ee2fa63c33d8076fc3a44b8305Motorola 680x0 architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_m68k.debSize/MD5 checksum: 240990 4a8853fadd213fca4057dee5897f3225Big endian MIPS architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_mips.debSize/MD5 checksum: 236080 53a779235110dff18ecaf8806ac8b3f8Little endian MIPS architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_mipsel.debSize/MD5 checksum: 236018 3e1ed4ecc89de7cd2acdf21138ddf8edPowerPC architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_powerpc.debSize/MD5 checksum: 241870 e6fd0818db87cd255ce49109a334f01cIBM S/390 architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_s390.debSize/MD5 checksum: 241976 15ce16daec984b8414e544b67e970920Sun Sparc architecture:http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_sparc.debSize/MD5 checksum: 244152 b5fc2de1d7552c528262989c5983b63f补丁安装方法:1. 手工安装补丁包:首先,使用下面的命令来下载补丁软件:# wget url (url是补丁下载链接地址然后,使用下面的命令来安装补丁:# dpkg -i file.deb (file是相应的补丁名2. 使用apt-get自动安装补丁包:首先,使用下面的命令更新内部数据库:# apt-get update然后,使用下面的命令安装更新软件包:# apt-get upgradeOpenPKG-------目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:OpenPKG OpenPKG Current:OpenPKG Upgrade apache-1.3.27-20021023.src.rpmftp://ftp.openpkg.org/current/SRC/apache-1.3.27-20021023.src.rpmOpenPKG OpenPKG 1.0:OpenPKG Upgrade apache-1.3.22-1.0.6.src.rpmftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.6.src.rpmOpenPKG OpenPKG 1.1:OpenPKG Upgrade apache-1.3.26-1.1.2.src.rpmftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.2.src.rpm