Debian has issued an advisory on July 19, 2011:
http://www.debian.org/security/2011/dsa-2279

Cauldron is not affected as this code is no longer present.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated apache-mod_authnz_external package fixes security vulnerability:

SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field (CVE-2011-2688).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2688
http://www.debian.org/security/2011/dsa-2279
========================

Updated packages in core/updates_testing:
========================
apache-mod_authnz_external-3.2.5-3.1.mga1
apache-mod_authnz_external-3.2.5-5.2.mga2

from SRPMS:
apache-mod_authnz_external-3.2.5-3.1.mga1.src.rpm
apache-mod_authnz_external-3.2.5-5.2.mga2.src.rpm
Whiteboard: (none) => MGA1TOO
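For readers of this report, an added example (not code from mod_authnz_external or from the Mageia patch) of the general fix for this class of bug: an external authenticator that binds the user field as a query parameter instead of building the SQL string from it. It assumes the module's pipe method (user name and password on two stdin lines, exit status 0 to accept); sqlite3 stands in for MySQL, and the table layout, function names and sample account are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3
import sys


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the table never holds clear-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (sqlite3 stands in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    salt = b"constructed-salt"
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, _hash("correct horse", salt)))
    return db


def authenticate(db: sqlite3.Connection, user: str, password: str) -> bool:
    # The user field is bound as a parameter, never spliced into the SQL
    # text, so quote characters in it cannot change the statement.
    row = db.execute("SELECT salt, pwhash FROM users WHERE name = ?",
                     (user,)).fetchone()
    if row is None:
        return False
    salt, pwhash = row
    # Constant-time comparison of the derived hash with the stored one.
    return hmac.compare_digest(_hash(password, salt), pwhash)


def main() -> int:
    # Assumed pipe-method convention: user on line 1, password on line 2.
    user = sys.stdin.readline().rstrip("\n")
    password = sys.stdin.readline().rstrip("\n")
    # Exit status 0 accepts the login, anything else rejects it.
    return 0 if authenticate(make_db(), user, password) else 1


if __name__ == "__main__":
    sys.exit(main())
```

A regression check for an update like this one can feed the authenticator a user name containing a quote character and confirm that it is rejected as an unknown user rather than altering the query.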
CCing dmorgan as the maintainer and guillomovitch since David said you are using this package. See my question at the end of this comment please :)

Just testing that the module loads. If you have a better testing procedure I can follow, don't hesitate to give it.

In the version in Mageia 1 updates_testing as well as in release, I have to remove the <IfDefine HAVE_AUTHNZ_EXTERNAL> part from the module config file, otherwise httpd -M doesn't show the module loaded. After removing it httpd -M shows it loaded.

I'm considering testing OK regarding regressions.

(non blocking) Question: why do I have to remove that part from the config file? What is the proper way to do it?
CC: (none) => dmorganec, stormi
Whiteboard: MGA1TOO => MGA1TOO has_procedure MGA1-32-OK
Really CCing guillomovitch, see previous comment.
CC: (none) => guillomovitch
In Mageia 2 the module loads correctly without any config file change (in Mageia 1 it doesn't). Testing complete on Mageia 2 x86_64.
Whiteboard: MGA1TOO has_procedure MGA1-32-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK
Testing complete Mageia 2 i586. Update validated. See comment #0 for packages and advisory.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK => MGA1TOO has_procedure MGA1-32-OK MGA2-64-OK MGA1-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0231
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED