-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  apache, mod_ssl, php  (SSA:2004-299-01)

New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1,
10.0, and -current to fix security issues.  Apache has been upgraded to
version 1.3.32 which fixes a heap-based buffer overflow in mod_proxy.
mod_ssl was upgraded from version mod_ssl-2.8.19-1.3.31 to version
2.8.21-1.3.32 which corrects a flaw allowing a client to use a cipher
which the server does not consider secure enough.

A new PHP package (php-4.3.9) is also available for all of these platforms.

More details about these issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885


Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
patches/packages/apache-1.3.32-i486-1.tgz:  Upgraded to apache-1.3.32.
  This addresses a heap-based buffer overflow in mod_proxy by rejecting
  responses from a remote server with a negative Content-Length.  The
  flaw could crash the Apache child process, or possibly allow code to
  be executed as the Apache user (but only if mod_proxy is actually in
  use on the server).
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
  (* Security fix *)
patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz:
  Upgraded to mod_ssl-2.8.21-1.3.32.
  Don't allow clients to bypass cipher requirements, possibly negotiating
  a connection that the server does not consider secure enough.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
  (* Security fix *)
patches/packages/php-4.3.9-i486-1.tgz:  Upgraded to php-4.3.9.
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated packages for Slackware 8.1:

Updated packages for Slackware 9.0:

Updated packages for Slackware 9.1:

Updated packages for Slackware 10.0:

Updated packages for Slackware -current:


MD5 signatures:
+-------------+

Slackware 8.1 package:
0ad0c5a59af7bd002bd0e04e09465a87  apache-1.3.32-i386-1.tgz
6742f537496e71a08face2069f57cc12  mod_ssl-2.8.21_1.3.32-i386-1.tgz
c8b2bdff68c0d7af91ec21abec6cb78f  php-4.3.9-i386-1.tgz

Slackware 9.0 package:
12e87b210d253053d5d981aa72aa99b1  apache-1.3.32-i386-1.tgz
9f5473899d8dec9b0b03e433c1703a96  mod_ssl-2.8.21_1.3.32-i386-1.tgz
72e5970d64c4aedcc06f075d81ddf3a9  php-4.3.9-i386-1.tgz

Slackware 9.1 package:
ad41a73de2fce12ef3190d11ef00da23  apache-1.3.32-i486-1.tgz
4465d45ba61cd75c6462aa06887e37f5  mod_ssl-2.8.21_1.3.32-i486-1.tgz
86eee944a308e194c1c63f9a1f62114a  php-4.3.9-i486-1.tgz

Slackware 10.0 package:
40b5706eedd6aecf8af5d03eecf961f9  apache-1.3.32-i486-1.tgz
ebb1b53eae5803e1f92b226b2513f4ca  mod_ssl-2.8.21_1.3.32-i486-1.tgz
c875421237da2ce50e5e8d3bf0e5de08  php-4.3.9-i486-1.tgz

Slackware -current package:
7a2fd071f5c2c8e77b55105245c4e67a  apache-1.3.32-i486-1.tgz
9e0769c25e977a9fe580aace13fcdd9f  mod_ssl-2.8.21_1.3.32-i486-1.tgz
5a498e40aeda783241d99825f4a5bd55  php-4.3.9-i486-1.tgz


Installation instructions:
+------------------------+

First, stop apache:

# apachectl stop

Next, upgrade the Apache package as root:

# upgradepkg apache-1.3.32-i486-1.tgz

For mod_ssl users, IMPORTANT:  Backup any keys/certificates you wish
to save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl:

# upgradepkg mod_ssl-2.8.21_1.3.32-i486-1.tgz

If necessary, restore any mod_ssl config files.

If your site uses PHP, you may wish to upgrade to the new package
containing the latest version of PHP4.  It wasn't clear to me if
the biggest bugfix (a GPC input handling flaw) was really a security
issue, but figured upgrading PHP for all supported versions of
Slackware couldn't hurt.  To upgrade PHP:

# upgradepkg php-4.3.9-i486-1.tgz

Finally, restart apache:

# apachectl start

Or, if you're running a secure server with mod_ssl:

# apachectl startssl



+-----+

Slackware: 2004-299-01: apache, mod_ssl, php Security Update

October 26, 2004
New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues

Summary

Here are the details from the Slackware 10.0 ChangeLog: patches/packages/apache-1.3.32-i486-1.tgz: Upgraded to apache-1.3.32. This addresses a heap-based buffer overflow in mod_proxy by rejecting responses from a remote server with a negative Content-Length. The flaw could crash the Apache child process, or possibly allow code to be executed as the Apache user (but only if mod_proxy is actually in use on the server). For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492 (* Security fix *) patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz: Upgraded to mod_ssl-2.8.21-1.3.32. Don't allow clients to bypass cipher requirements, possibly negotiating a connection that the server does not consider secure enough. For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885 (* Security fix *) patches/packages/php-4.3.9-i486-1.tgz: Upgraded to php-4.3.9.

Where Find New Packages

Updated packages for Slackware 8.1:
Updated packages for Slackware 9.0:
Updated packages for Slackware 9.1:
Updated packages for Slackware 10.0:
Updated packages for Slackware -current:

MD5 Signatures

Slackware 8.1 package: 0ad0c5a59af7bd002bd0e04e09465a87 apache-1.3.32-i386-1.tgz 6742f537496e71a08face2069f57cc12 mod_ssl-2.8.21_1.3.32-i386-1.tgz c8b2bdff68c0d7af91ec21abec6cb78f php-4.3.9-i386-1.tgz
Slackware 9.0 package: 12e87b210d253053d5d981aa72aa99b1 apache-1.3.32-i386-1.tgz 9f5473899d8dec9b0b03e433c1703a96 mod_ssl-2.8.21_1.3.32-i386-1.tgz 72e5970d64c4aedcc06f075d81ddf3a9 php-4.3.9-i386-1.tgz
Slackware 9.1 package: ad41a73de2fce12ef3190d11ef00da23 apache-1.3.32-i486-1.tgz 4465d45ba61cd75c6462aa06887e37f5 mod_ssl-2.8.21_1.3.32-i486-1.tgz 86eee944a308e194c1c63f9a1f62114a php-4.3.9-i486-1.tgz
Slackware 10.0 package: 40b5706eedd6aecf8af5d03eecf961f9 apache-1.3.32-i486-1.tgz ebb1b53eae5803e1f92b226b2513f4ca mod_ssl-2.8.21_1.3.32-i486-1.tgz c875421237da2ce50e5e8d3bf0e5de08 php-4.3.9-i486-1.tgz
Slackware -current package: 7a2fd071f5c2c8e77b55105245c4e67a apache-1.3.32-i486-1.tgz 9e0769c25e977a9fe580aace13fcdd9f mod_ssl-2.8.21_1.3.32-i486-1.tgz 5a498e40aeda783241d99825f4a5bd55 php-4.3.9-i486-1.tgz

Severity
[slackware-security] apache, mod_ssl, php (SSA:2004-299-01)
New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues. Apache has been upgraded to version 1.3.32 which fixes a heap-based buffer overflow in mod_proxy. mod_ssl was upgraded from version mod_ssl-2.8.19-1.3.31 to version 2.8.21-1.3.32 which corrects a flaw allowing a client to use a cipher which the server does not consider secure enough.
A new PHP package (php-4.3.9) is also available for all of these platforms.
More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885

Installation Instructions

Installation instructions: First, stop apache: # apachectl stop Next, upgrade the Apache package as root: # upgradepkg apache-1.3.32-i486-1.tgz For mod_ssl users, IMPORTANT: Backup any keys/certificates you wish to save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl: # upgradepkg mod_ssl-2.8.21_1.3.32-i486-1.tgz If necessary, restore any mod_ssl config files. If your site uses PHP, you may wish to upgrade to the new package containing the latest version of PHP4. It wasn't clear to me if the biggest bugfix (a GPC input handling flaw) was really a security issue, but figured upgrading PHP for all supported versions of Slackware couldn't hurt. To upgrade PHP: # upgradepkg php-4.3.9-i486-1.tgz Finally, restart apache: # apachectl start Or, if you're running a secure server with mod_ssl: # apachectl startssl

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved