-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  apache+mod_ssl  (SSA:2004-305-01)

New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
and -current to fix a security issue.  Apache has been upgraded to
version 1.3.33 which fixes a buffer overflow which may allow local
users to execute arbitrary code as the apache user.

The mod_ssl package has also been upgraded to version 2.8.22_1.3.33.

More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940


Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
patches/packages/apache-1.3.33-i486-1.tgz:  Upgraded to apache-1.3.33.
  This fixes one new security issue (the first issue, CAN-2004-0492, was fixed
  in apache-1.3.33).  The second bug fixed in 1.3.3 (CAN-2004-0940) allows a
  local user who can create SSI documents to become "nobody".  The amount of
  mischief they could cause as nobody seems low at first glance, but it might
  allow them to use kill or killall as nobody to try to create a DoS.
  Mention PHP's mhash dependency in httpd.conf (thanks to Jakub Jankowski).
  (* Security fix *)
patches/packages/mod_ssl-2.8.22_1.3.33-i486-1.tgz:  Upgraded to
  mod_ssl-2.8.22_1.3.33.
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated packages for Slackware 8.1:

Updated packages for Slackware 9.0:

Updated packages for Slackware 9.1:

Updated packages for Slackware 10.0:

Updated packages for Slackware -current:


MD5 signatures:
+-------------+

Slackware 8.1 packages:
53a9c132945eb4335aacfcb21d5996e0  apache-1.3.33-i386-1.tgz
b0a95e205d3e88597aa9f1241ca7354f  mod_ssl-2.8.22_1.3.33-i386-1.tgz

Slackware 9.0 packages:
429df7fa01205e5c12d3728f4987609f  apache-1.3.33-i386-1.tgz
af8345a9edf17dbd4e141b46d908990a  mod_ssl-2.8.22_1.3.33-i386-1.tgz

Slackware 9.1 packages:
adb43447a8abcb7a6100343585d762db  apache-1.3.33-i486-1.tgz
00c1338c5c6db89960eb53ac4495ba41  mod_ssl-2.8.22_1.3.33-i486-1.tgz

Slackware 10.0 packages:
22db37b8d3e7a32b75a274520e11e272  apache-1.3.33-i486-1.tgz
1968e2361039e07f69658665dafcf56a  mod_ssl-2.8.22_1.3.33-i486-1.tgz

Slackware -current packages:
c450863cad0ed3771fea628d506b8caf  apache-1.3.33-i486-1.tgz
44fdebabf6130cd2fc4e048f5d619683  mod_ssl-2.8.22_1.3.33-i486-1.tgz


Installation instructions:
+------------------------+

First, stop apache:

# apachectl stop

Next, upgrade the Apache package as root:

# upgradepkg apache-1.3.33-i486-1.tgz

For mod_ssl users, IMPORTANT:  Backup any keys/certificates you wish
to save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl:

# upgradepkg mod_ssl-2.8.22_1.3.33-i486-1.tgz

If necessary, restore any mod_ssl config files.

Finally, restart apache:

# apachectl start

Or, if you're running a secure server with mod_ssl:

# apachectl startssl



+-----+

Slackware: 2004-305-01: apache+mod_ssl Security Update

November 1, 2004
New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue

Summary

Here are the details from the Slackware 10.0 ChangeLog: patches/packages/apache-1.3.33-i486-1.tgz: Upgraded to apache-1.3.33. This fixes one new security issue (the first issue, CAN-2004-0492, was fixed in apache-1.3.33). The second bug fixed in 1.3.3 (CAN-2004-0940) allows a local user who can create SSI documents to become "nobody". The amount of mischief they could cause as nobody seems low at first glance, but it might allow them to use kill or killall as nobody to try to create a DoS. Mention PHP's mhash dependency in httpd.conf (thanks to Jakub Jankowski). (* Security fix *) patches/packages/mod_ssl-2.8.22_1.3.33-i486-1.tgz: Upgraded to mod_ssl-2.8.22_1.3.33.

Where Find New Packages

Updated packages for Slackware 8.1:
Updated packages for Slackware 9.0:
Updated packages for Slackware 9.1:
Updated packages for Slackware 10.0:
Updated packages for Slackware -current:

MD5 Signatures

Slackware 8.1 packages: 53a9c132945eb4335aacfcb21d5996e0 apache-1.3.33-i386-1.tgz b0a95e205d3e88597aa9f1241ca7354f mod_ssl-2.8.22_1.3.33-i386-1.tgz
Slackware 9.0 packages: 429df7fa01205e5c12d3728f4987609f apache-1.3.33-i386-1.tgz af8345a9edf17dbd4e141b46d908990a mod_ssl-2.8.22_1.3.33-i386-1.tgz
Slackware 9.1 packages: adb43447a8abcb7a6100343585d762db apache-1.3.33-i486-1.tgz 00c1338c5c6db89960eb53ac4495ba41 mod_ssl-2.8.22_1.3.33-i486-1.tgz
Slackware 10.0 packages: 22db37b8d3e7a32b75a274520e11e272 apache-1.3.33-i486-1.tgz 1968e2361039e07f69658665dafcf56a mod_ssl-2.8.22_1.3.33-i486-1.tgz
Slackware -current packages: c450863cad0ed3771fea628d506b8caf apache-1.3.33-i486-1.tgz 44fdebabf6130cd2fc4e048f5d619683 mod_ssl-2.8.22_1.3.33-i486-1.tgz

Severity
[slackware-security] apache+mod_ssl (SSA:2004-305-01)
New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user.
The mod_ssl package has also been upgraded to version 2.8.22_1.3.33.
More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940

Installation Instructions

Installation instructions: First, stop apache: # apachectl stop Next, upgrade the Apache package as root: # upgradepkg apache-1.3.33-i486-1.tgz For mod_ssl users, IMPORTANT: Backup any keys/certificates you wish to save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl: # upgradepkg mod_ssl-2.8.22_1.3.33-i486-1.tgz If necessary, restore any mod_ssl config files. Finally, restart apache: # apachectl start Or, if you're running a secure server with mod_ssl: # apachectl startssl

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved