ReadMe: WEBppliance™ 3.1.4 for Linux®
Release Date: January 22, 2003

INTRODUCTION
============
This document provides information on the security patch updates released by
WEBppliance 3.1.4 for Linux. We recommend that you print this document for
your reference. The numbers in parentheses refer to the Ensim® Problem Report.

REQUIREMENTS
============
This patch requires WEBppliance 3.1.3 for Linux to be installed on your
server. If you have any previous version installed, please upgrade it to
WEBppliance 3.1.3 before applying the patch.

PATCH SUMMARY
=============
1. Libpng buffer overflow (PR 20837)
   The libpng package contains a library of functions for creating and
   manipulating PNG (Portable Network Graphics) image format files. Earlier
   versions of libpng do not correctly calculate offsets, which leads to a
   buffer overflow and the possibility of arbitrary code execution.
   Advisory details for the security patch are available at the following URL:
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363

2. Multiple buffer overflows in PostgreSQL (PR 20900)
   Buffer overflows in PostgreSQL allow attackers to cause a denial of
   service attack and possibly execute arbitrary code via long arguments to
   certain PostgreSQL functions.
   Advisory details for the security patch are available at the following URL:
   https://rhn.redhat.com/errata/RHSA-2003-010.html

3. Multiple MySQL vulnerabilities (PR 20944)
   Multiple security vulnerabilities in MySQL can be exploited to crash the
   server or allow MySQL users to gain unauthorized privileges.
   Advisory details for the security patch are available at the following URL:
   http://security.e-matters.de/advisories/042002.html

4. Future hijacking of a virtual user (PR 18051)
   Vulnerabilities in Ensim's server management software allow remote
   authenticated users to receive email for subsequently created users on
   the hosted domain.
   Advisory details for the security patch are available at the following URL:
   http://securitytracker.com/alerts/2003/Jan/1005873.html

UPGRADING WEBPPLIANCE FOR LINUX (LS)
====================================
To upgrade WEBppliance for Linux (LS), you need to install the following rpms
and restart the WEBppliance.

1. Download the LS-3.1.4-1.tar.gz tarball

2. Untar the tarball:
   tar -xvzf LS-3.1.4-1.tar.gz

3. Change the current directory to the untarred directory:
   cd LS-3.1.4-1

4. Install the rpms using the command:
   rpm -Fvh \
       libpng-2:1.0.14-0.7x.4.i386.rpm \
       libpng-devel-2:1.0.14-0.7x.4.i386.rpm \
       postgresql-jdbc-7.1.3-4ensim4bp.2.i386.rpm \
       postgresql-odbc-7.1.3-4ensim4bp.2.i386.rpm \
       postgresql-perl-7.1.3-4ensim4bp.2.i386.rpm \
       postgresql-tcl-7.1.3-4ensim4bp.2.i386.rpm \
       postgresql-tk-7.1.3-4ensim4bp.2.i386.rpm \
       postgresql-7.1.3-4ensim4bp.2.i386.rpm \
       postgresql-libs-7.1.3-4ensim4bp.2.i386.rpm \
       postgresql-server-7.1.3-4ensim4bp.2.i386.rpm \
       postgresql-devel-7.1.3-4ensim4bp.2.i386.rpm \
       postgresql-python-7.1.3-4ensim4bp.2.i386.rpm \
       webppliance-version-3.1.4-1.i386.rpm \
       webppliance-users-3.1.4-1.i386.rpm \
       mysql-3.23.54a-3.72.i386.rpm \
       mysql-devel-3.23.54a-3.72.i386.rpm \
       mysql-server-3.23.54a-3.72.i386.rpm \
       ensim-appliance-l-3.1.4-1.i386.rpm

5. Restart WEBppliance using the following command:
   /sbin/service webppliance restart
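
A post-upgrade check, as an added example that is not part of the original ReadMe: rpm -F (freshen) upgrades only packages that are already installed, so this script compares a list of installed packages against the versions in the rpm file names from step 4. The function name check_patch_level, the input format and the sample data are assumptions.

```shell
# Input (assumed format): one "name version-release" pair per line, e.g. from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# Expected versions, taken from the rpm file names listed in step 4.
EXPECTED='libpng 1.0.14-0.7x.4
libpng-devel 1.0.14-0.7x.4
postgresql-jdbc 7.1.3-4ensim4bp.2
postgresql-odbc 7.1.3-4ensim4bp.2
postgresql-perl 7.1.3-4ensim4bp.2
postgresql-tcl 7.1.3-4ensim4bp.2
postgresql-tk 7.1.3-4ensim4bp.2
postgresql 7.1.3-4ensim4bp.2
postgresql-libs 7.1.3-4ensim4bp.2
postgresql-server 7.1.3-4ensim4bp.2
postgresql-devel 7.1.3-4ensim4bp.2
postgresql-python 7.1.3-4ensim4bp.2
webppliance-version 3.1.4-1
webppliance-users 3.1.4-1
mysql 3.23.54a-3.72
mysql-devel 3.23.54a-3.72
mysql-server 3.23.54a-3.72
ensim-appliance-l 3.1.4-1'

# $1: installed-package list. Prints one status line per expected package and
# returns 1 if any installed package is not at the patched version.
check_patch_level() {
    installed=$1
    mismatch=0
    while read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$installed" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "SKIPPED $name (not installed, rpm -F does not add it)"
        elif [ "$have" = "$want" ]; then
            echo "OK $name $have"
        else
            echo "MISMATCH $name $have (expected $want)"
            mismatch=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$mismatch"
}

# Constructed sample: mysql-server was left at an older (made-up) version.
SAMPLE='libpng 1.0.14-0.7x.4
mysql 3.23.54a-3.72
mysql-server 3.23.41-1
postgresql 7.1.3-4ensim4bp.2
webppliance-version 3.1.4-1'
check_patch_level "$SAMPLE" || echo "patch level incomplete"
```

On a live server, pass the output of the rpm -qa query shown in the first comment instead of the sample.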