Slackware: apache+mod_ssl security issue fix
Posted by LinuxSecurity.com Team

New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33, which fixes a buffer overflow that may allow local users to execute arbitrary code as the apache user.

[slackware-security]  apache+mod_ssl  (SSA:2004-305-01)

New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
and -current to fix a security issue.  Apache has been upgraded to
version 1.3.33, which fixes a buffer overflow that may allow local
users to execute arbitrary code as the apache user.

The mod_ssl package has also been upgraded to version 2.8.22_1.3.33.

More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940


Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
patches/packages/apache-1.3.33-i486-1.tgz:  Upgraded to apache-1.3.33.
  This fixes one new security issue (the first issue, CAN-2004-0492, was fixed
  in apache-1.3.33).  The second bug fixed in 1.3.33 (CAN-2004-0940) allows a
  local user who can create SSI documents to become "nobody".  The amount of
  mischief they could cause as nobody seems low at first glance, but it might
  allow them to use kill or killall as nobody to try to create a DoS.
  Mention PHP's mhash dependency in httpd.conf (thanks to Jakub Jankowski).
  (* Security fix *)
patches/packages/mod_ssl-2.8.22_1.3.33-i486-1.tgz:  Upgraded to
  mod_ssl-2.8.22_1.3.33.
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated packages for Slackware 8.1: 
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.33-i386-1.tgz 
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.22_1.3.33-i386-1.tgz

Updated packages for Slackware 9.0: 
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.33-i386-1.tgz 
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.22_1.3.33-i386-1.tgz

Updated packages for Slackware 9.1: 
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.33-i486-1.tgz 
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.22_1.3.33-i486-1.tgz

Updated packages for Slackware 10.0: 
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/apache-1.3.33-i486-1.tgz 
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mod_ssl-2.8.22_1.3.33-i486-1.tgz

Updated packages for Slackware -current: 
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.33-i486-1.tgz 
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.22_1.3.33-i486-1.tgz


MD5 signatures:
+-------------+

Installation instructions:
+------------------------+

First, stop apache:

# apachectl stop

Next, upgrade the Apache package as root:

# upgradepkg apache-1.3.33-i486-1.tgz

For mod_ssl users, IMPORTANT:  Back up any keys/certificates you wish
to save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl:

# upgradepkg mod_ssl-2.8.22_1.3.33-i486-1.tgz

If necessary, restore any mod_ssl config files.

Finally, restart apache:

# apachectl start

Or, if you're running a secure server with mod_ssl:

# apachectl startssl
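The upgrade steps above combined into one script, as an added example that is not part of the Slackware advisory. It assumes the Slackware 10.0/-current package names (the i486 builds; 8.1 and 9.0 ship i386 builds), that the packages are already downloaded into the current directory, and that the two MD5 values are filled in from the advisory's signature list; verify_md5, backup_ssl_dirs and upgrade are helper names chosen here.

```sh
#!/bin/sh
# Added example, not from the Slackware advisory: runs the advisory's upgrade
# steps with two checks in front of them, an MD5 check of each package and a
# backup of the mod_ssl key/certificate directories (/etc/apache/ssl.*).
# Assumed: Slackware 10.0/-current package names (i486 builds), the packages
# already downloaded into the current directory, and the two MD5 values
# filled in from the advisory's list (placeholders below).
set -eu

APACHE_PKG="apache-1.3.33-i486-1.tgz"
MODSSL_PKG="mod_ssl-2.8.22_1.3.33-i486-1.tgz"
APACHE_MD5="<md5 of apache package from advisory>"   # placeholder
MODSSL_MD5="<md5 of mod_ssl package from advisory>"  # placeholder

# verify_md5 FILE EXPECTED: succeeds only if FILE's MD5 equals EXPECTED.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# backup_ssl_dirs CONFDIR DEST: copies every CONFDIR/ssl.* directory
# (keys, certs, CRLs) into DEST so they can be restored after upgradepkg.
backup_ssl_dirs() {
    mkdir -p "$2"
    for d in "$1"/ssl.*; do
        [ -d "$d" ] || continue
        cp -a "$d" "$2"/
    done
}

upgrade() {
    for spec in "$APACHE_PKG:$APACHE_MD5" "$MODSSL_PKG:$MODSSL_MD5"; do
        pkg=${spec%%:*}; sum=${spec#*:}
        verify_md5 "$pkg" "$sum" || { echo "MD5 mismatch: $pkg" >&2; exit 1; }
    done
    backup="/root/modssl-backup-$(date +%Y%m%d%H%M%S)"
    backup_ssl_dirs /etc/apache "$backup"
    echo "mod_ssl keys/certs backed up to $backup"
    apachectl stop
    upgradepkg "$APACHE_PKG"
    upgradepkg "$MODSSL_PKG"
    # Restore anything upgradepkg replaced from $backup, then start the
    # secure server (use 'apachectl start' if mod_ssl is not in use).
    apachectl startssl
}

# Only run the upgrade when invoked as: sh upgrade-apache.sh upgrade
case "${1:-}" in upgrade) upgrade ;; esac
```

Without the `upgrade` argument the script only defines the functions, so verify_md5 and backup_ssl_dirs can be sourced and tried on their own before touching a live server.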



+-----+

Slackware Linux Security Team
security@slackware.com
Slackware Packages and Security Alerts are always signed
with this GPG key: 
http://slackware.com/gpg-key
