-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  Apache httpd (SSA:2006-129-01)

New Apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,
10.2, and -current to fix security issues.

More details about the issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352

In addition, new mod_ssl packages for Apache 1.3.35 are available for
all of these versions of Slackware, and new versions of PHP are
available for Slackware -current.  These additional packages do not
fix security issues, but may be required on your system depending on
your Apache setup.

One more note about this round of updates:  the packages have been given
build versions that indicate which version of Slackware they are meant
to patch, such as -1_slack8.1, or -1_slack9.0, etc.  This should help to
avoid some of the issues with automatic upgrade tools by providing a
unique package name when the same fix is deployed across multiple
Slackware versions.  Only patches applied to -current will have the
simple build number, such as -1.


Here are the details from the Slackware 10.2 ChangeLog:
+--------------------------+
patches/packages/apache-1.3.35-i486-1_slack10.2.tgz:
  Upgraded to apache-1.3.35.
  From the official announcement:
    Of particular note is that 1.3.35 addresses and fixes 1 potential
    security issue: CVE-2005-3352 (cve.mitre.org)
       mod_imap: Escape untrusted referer header before outputting in HTML
       to avoid potential cross-site scripting.  Change also made to
       ap_escape_html so we escape quotes.  Reported by JPCERT
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352
  (* Security fix *)
patches/packages/mod_ssl-2.8.26_1.3.35-i486-1_slack10.2.tgz:
  Upgraded to mod_ssl-2.8.26-1.3.35.
  This is an updated version designed for Apache 1.3.35.
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated package for Slackware 8.1:

Updated package for Slackware 9.0:

Updated package for Slackware 9.1:

Updated package for Slackware 10.0:

Updated package for Slackware 10.1:

Updated package for Slackware 10.2:

Updated package for Slackware -current:


MD5 signatures:
+-------------+

Slackware 8.1 packages:
208bbe94a46f8d05e15f1ccdb38f9a91  apache-1.3.35-i386-1_slack8.1.tgz
9172a6d347df033d024a7ba786c47bfe  mod_ssl-2.8.26_1.3.35-i386-1_slack8.1.tgz

Slackware 9.0 packages:
0482ca192a7b94c254421c717634e628  apache-1.3.35-i386-1_slack9.0.tgz
913763c2e12d6d2a101ce4a539f060f3  mod_ssl-2.8.26_1.3.35-i386-1_slack9.0.tgz

Slackware 9.1 packages:
d96044932ab33623425c328862a3750f  apache-1.3.35-i486-1_slack9.1.tgz
ae58ab559c60a475330514dca689d735  mod_ssl-2.8.26_1.3.35-i486-1_slack9.1.tgz

Slackware 10.0 packages:
2beb7c88f4f28adbe61e13d79889a27e  apache-1.3.35-i486-1_slack10.0.tgz
403f1297bcc9cff0df3f9afcb16d69b6  mod_ssl-2.8.26_1.3.35-i486-1_slack10.0.tgz

Slackware 10.1 packages:
4a0b68ddf002a300e536e584c3eb2923  apache-1.3.35-i486-1_slack10.1.tgz
f24d6776f221cc61f2b0b98cd1fc1ae9  mod_ssl-2.8.26_1.3.35-i486-1_slack10.1.tgz

Slackware 10.2 packages:
bbaed7e942e5f1c7380b3def44d54d74  apache-1.3.35-i486-1_slack10.2.tgz
e70a300f5c4333ae1d31e8d852b89dc3  mod_ssl-2.8.26_1.3.35-i486-1_slack10.2.tgz

Slackware -current packages:
b662f564f048ace17eaafc7e50bed7b2  apache-1.3.35-i486-1.tgz
c7d403fc891e210d1f1a71c559939cd5  mod_ssl-2.8.26_1.3.35-i486-1.tgz
fb78ce30aece8d8718ed722be319dd2b  php-4.4.2-i486-4.tgz


Installation instructions:
+------------------------+

First, stop apache:

# apachectl stop

Then, upgrade the apache package:

# upgradepkg apache-1.3.35-i486-1_slack10.2.tgz

If you use mod_ssl, you'll also need to upgrade that package.  The
upgrade should save the important config files for mod_ssl,
nevertheless it's a good idea to backup any keys/certificates you wish
to save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl:

# upgradepkg mod_ssl-2.8.26_1.3.35-i486-1_slack10.2.tgz

If necessary, restore any mod_ssl config files.

If you are using PHP on Slackware -current, upgrade the PHP package.

Finally, restart apache:

# apachectl start

Or, if you use mod_ssl:

# apachectl startssl


+-----+

Slackware: 2006-129-01: Apache httpd Security Update

May 9, 2006
New Apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues

Summary

Here are the details from the Slackware 10.2 ChangeLog: patches/packages/apache-1.3.35-i486-1_slack10.2.tgz: Upgraded to apache-1.3.35. From the official announcement: Of particular note is that 1.3.35 addresses and fixes 1 potential security issue: CVE-2005-3352 (cve.mitre.org) mod_imap: Escape untrusted referer header before outputting in HTML to avoid potential cross-site scripting. Change also made to ap_escape_html so we escape quotes. Reported by JPCERT For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352 (* Security fix *) patches/packages/mod_ssl-2.8.26_1.3.35-i486-1_slack10.2.tgz: Upgraded to mod_ssl-2.8.26-1.3.35. This is an updated version designed for Apache 1.3.35.

Where Find New Packages

Updated package for Slackware 8.1:
Updated package for Slackware 9.0:
Updated package for Slackware 9.1:
Updated package for Slackware 10.0:
Updated package for Slackware 10.1:
Updated package for Slackware 10.2:
Updated package for Slackware -current:

MD5 Signatures

Slackware 8.1 packages: 208bbe94a46f8d05e15f1ccdb38f9a91 apache-1.3.35-i386-1_slack8.1.tgz 9172a6d347df033d024a7ba786c47bfe mod_ssl-2.8.26_1.3.35-i386-1_slack8.1.tgz
Slackware 9.0 packages: 0482ca192a7b94c254421c717634e628 apache-1.3.35-i386-1_slack9.0.tgz 913763c2e12d6d2a101ce4a539f060f3 mod_ssl-2.8.26_1.3.35-i386-1_slack9.0.tgz
Slackware 9.1 packages: d96044932ab33623425c328862a3750f apache-1.3.35-i486-1_slack9.1.tgz ae58ab559c60a475330514dca689d735 mod_ssl-2.8.26_1.3.35-i486-1_slack9.1.tgz
Slackware 10.0 packages: 2beb7c88f4f28adbe61e13d79889a27e apache-1.3.35-i486-1_slack10.0.tgz 403f1297bcc9cff0df3f9afcb16d69b6 mod_ssl-2.8.26_1.3.35-i486-1_slack10.0.tgz
Slackware 10.1 packages: 4a0b68ddf002a300e536e584c3eb2923 apache-1.3.35-i486-1_slack10.1.tgz f24d6776f221cc61f2b0b98cd1fc1ae9 mod_ssl-2.8.26_1.3.35-i486-1_slack10.1.tgz
Slackware 10.2 packages: bbaed7e942e5f1c7380b3def44d54d74 apache-1.3.35-i486-1_slack10.2.tgz e70a300f5c4333ae1d31e8d852b89dc3 mod_ssl-2.8.26_1.3.35-i486-1_slack10.2.tgz
Slackware -current packages: b662f564f048ace17eaafc7e50bed7b2 apache-1.3.35-i486-1.tgz c7d403fc891e210d1f1a71c559939cd5 mod_ssl-2.8.26_1.3.35-i486-1.tgz fb78ce30aece8d8718ed722be319dd2b php-4.4.2-i486-4.tgz

Severity
[slackware-security] Apache httpd (SSA:2006-129-01)
New Apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues.
More details about the issues may be found in the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352
In addition, new mod_ssl packages for Apache 1.3.35 are available for all of these versions of Slackware, and new versions of PHP are available for Slackware -current. These additional packages do not fix security issues, but may be required on your system depending on your Apache setup.
One more note about this round of updates: the packages have been given build versions that indicate which version of Slackware they are meant to patch, such as -1_slack8.1, or -1_slack9.0, etc. This should help to avoid some of the issues with automatic upgrade tools by providing a unique package name when the same fix is deployed across multiple Slackware versions. Only patches applied to -current will have the simple build number, such as -1.

Installation Instructions

Installation instructions: First, stop apache: # apachectl stop Then, upgrade the apache package: # upgradepkg apache-1.3.35-i486-1_slack10.2.tgz If you use mod_ssl, you'll also need to upgrade that package. The upgrade should save the important config files for mod_ssl, nevertheless it's a good idea to backup any keys/certificates you wish to save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl: # upgradepkg mod_ssl-2.8.26_1.3.35-i486-1_slack10.2.tgz If necessary, restore any mod_ssl config files. If you are using PHP on Slackware -current, upgrade the PHP package. Finally, restart apache: # apachectl start Or, if you use mod_ssl: # apachectl startssl

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved