[25908] in bugtraq
[slackware-security] new apache/mod_ssl packages available
daemon@ATHENA.MIT.EDU (Dave Ahmad)
Fri Jun 21 17:28:34 2002
Date: Fri, 21 Jun 2002 14:57:54 -0600 (MDT)
From: Dave Ahmad <da@securityfocus.com>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.43.0206211457230.7738-100000@mail.securityfocus.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
---------- Forwarded message ----------
Date: Wed, 19 Jun 2002 21:18:39 -0700 (PDT)
From: Slackware Security Team <security@bob.slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] new apache/mod_ssl packages available
New Apache packages for Slackware are available to fix a security issue.
From the Apache site:
"While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows. Investigation by the
Apache Software Foundation showed that this issue has a wider scope, which
on some platforms results in a denial of service vulnerability, while on
some other platforms presents a potential remote exploit vulnerability."
The complete text of the Apache announcement may be found here:
http://httpd.apache.org/info/security_bulletin_20020617.txt
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0392 to this issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
SOLUTION
--------
We recommend that sites providing external Apache access upgrade to the fixed
Apache package as soon as possible. If you are using mod_ssl, you will also
require an updated mod_ssl package. Updated packages have been prepared for
Slackware 8.0 and 8.1.
WHERE TO FIND THE NEW PACKAGES:
-------------------------------
Updated Apache package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/apache.tgz
Updated Apache package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/apache-1.3.26-i386-1.tgz
Updated mod_ssl package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/mod_ssl.tgz
Updated mod_ssl package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/mod_ssl-2.8.9_1.3.26-i386-1.tgz
MD5 SIGNATURE:
--------------
Here are the md5sums for the packages:
Slackware 8.0:
69de43846c84209bc274ff5c1af554d6 apache.tgz
ca09ade9fbcd66b2e6e2aa13906140d2 mod_ssl.tgz
Slackware 8.1:
d92ba4c9a8b4afd589e274f394fa0e3c apache-1.3.26-i386-1.tgz
1ac6cd008bb22db99accacc8648efbf6 mod_ssl-2.8.9_1.3.26-i386-1.tgz
INSTALLATION INSTRUCTIONS:
--------------------------
First, stop apache:
# apachectl stop
Next, upgrade the package(s):
# upgradepkg apache-1.3.26-i386-1.tgz
# upgradepkg mod_ssl-2.8.9_1.3.26-i386-1.tgz
Then, restart apache:
# apachectl start
Remember, it's also a good idea to back up configuration files before
upgrading packages.
- Slackware Linux Security Team
http://www.slackware.com
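The installation steps above, gated on the published md5sums, as an added example that is not part of the Slackware advisory. The function names and the MANIFEST_81 variable are assumptions of this example; the sums and file names are the Slackware 8.1 values listed above.

```shell
#!/bin/sh
# Added example: verify the advisory's md5sums before running upgradepkg.
# Function and variable names are this example's own (assumptions).

# Slackware 8.1 sums as published in the advisory, one "<md5>  <file>" per line.
MANIFEST_81='d92ba4c9a8b4afd589e274f394fa0e3c  apache-1.3.26-i386-1.tgz
1ac6cd008bb22db99accacc8648efbf6  mod_ssl-2.8.9_1.3.26-i386-1.tgz'

# check_pkg FILE EXPECTED_MD5
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
check_pkg() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(md5sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        echo "MD5 MISMATCH: $1 (got $actual, want $2)" >&2
        return 1
    fi
    echo "ok: $1"
}

# check_manifest DIR MANIFEST
# Checks every listed file under DIR; returns 0 only if all of them verify.
check_manifest() {
    dir=$1
    rc=0
    while read -r sum name; do
        [ -n "$sum" ] || continue
        check_pkg "$dir/$name" "$sum" || rc=1
    done <<EOF
$2
EOF
    return $rc
}

# upgrade_verified DIR
# Runs the advisory's stop/upgrade/start sequence only after both packages
# verify, and stops at the first step that fails.
upgrade_verified() {
    check_manifest "$1" "$MANIFEST_81" || {
        echo "verification failed, nothing upgraded" >&2
        return 1
    }
    apachectl stop &&
        upgradepkg "$1/apache-1.3.26-i386-1.tgz" &&
        upgradepkg "$1/mod_ssl-2.8.9_1.3.26-i386-1.tgz" &&
        apachectl start
}
```

Run `upgrade_verified /path/to/downloads` as root; for Slackware 8.0, substitute the 8.0 sums and file names from the advisory.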