Slackware: 'apache' Remote DoS vulnerability
Posted by LinuxSecurity.com Team   
Slackware Slackware has updated apache to fix the recent chunked encoding vulnerability.

Date: Wed, 19 Jun 2002 21:18:39 -0700 (PDT)
From: Slackware Security Team 
To: slackware-security@slackware.com
Subject: [slackware-security] new apache/mod_ssl packages available

New Apache packages for Slackware are available to fix a security issue.

From the Apache site:

"While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows.  Investigation by the
Apache Software Foundation showed that this issue has a wider scope, which
on some platforms results in a denial of service vulnerability, while on
some other platforms presents a potential a remote exploit vulnerability."

The complete text of the Apache announcement may be found here:
  http://httpd.apache.org/info/security_bulletin_20020617.txt

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0392 to this issue:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392


SOLUTION
--------

We recommend that sites providing external Apache access upgrade to the fixed
Apache package as soon as possible.  If you are using mod_ssl, you will also
require an updated mod_ssl package.  Updated packages have been prepared for
Slackware 8.0 and 8.1.


WHERE TO FIND THE NEW PACKAGES:
-------------------------------
Updated Apache package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/apache.tgz

Updated Apache package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/apache-1.3.26-i386-1.tgz

Updated mod_ssl package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/mod_ssl.tgz

Updated mod_ssl package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/mod_ssl-2.8.9_1.3.26-i386-1.tgz


MD5 SIGNATURE:
--------------

Here are the md5sums for the packages:

Slackware 8.0:
69de43846c84209bc274ff5c1af554d6  apache.tgz
ca09ade9fbcd66b2e6e2aa13906140d2  mod_ssl.tgz

Slackware 8.1:
d92ba4c9a8b4afd589e274f394fa0e3c  apache-1.3.26-i386-1.tgz
1ac6cd008bb22db99accacc8648efbf6  mod_ssl-2.8.9_1.3.26-i386-1.tgz


INSTALLATION INSTRUCTIONS:
--------------------------

First, stop apache:

   # apachectl stop

Next, upgrade the package(s):

   # upgradepkg apache-1.3.26-i386-1.tgz
   # upgradepkg mod_ssl-2.8.9_1.3.26-i386-1.tgz

Then, restart apache:

   # apachectl start


Remember, it's also a good idea to backup configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com