slackit-ml
From: shiva
Subject: Re: [Slackit.org] [slackware-security] apache, mod_ssl, php (SSA:2004-299-01)
Date: Tue, 26 Oct 2004 20:46:37 +0200

Is the moment approaching when, once again, not a damn thing will work? ;P
DO NOT UPGRADE THE PACKAGES on avalon. Everything has to be compiled by hand; I'll
take care of it as soon as possible.

Regards

shiva

On Tue, 26-10-2004 at 10:57 +0200, address@hidden wrote:
> [slackware-security]  apache, mod_ssl, php  (SSA:2004-299-01)
> 
> New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1,
> 10.0, and -current to fix security issues.  Apache has been upgraded to
> version 1.3.32 which fixes a heap-based buffer overflow in mod_proxy.
> mod_ssl was upgraded from version mod_ssl-2.8.19-1.3.31 to version
> 2.8.21-1.3.32 which corrects a flaw allowing a client to use a cipher
> which the server does not consider secure enough.
> 
> A new PHP package (php-4.3.9) is also available for all of these platforms.
> 
> More details about these issues may be found in the Common
> Vulnerabilities and Exposures (CVE) database:
> 
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
> 
> 
> Here are the details from the Slackware 10.0 ChangeLog:
> +--------------------------+
> patches/packages/apache-1.3.32-i486-1.tgz:  Upgraded to apache-1.3.32.
>   This addresses a heap-based buffer overflow in mod_proxy by rejecting
> responses from a remote server with a negative Content-Length.  The flaw
> could crash the Apache child process, or possibly allow code to be
> executed as the Apache user (but only if mod_proxy is actually in use on
> the server).
>   For more details, see:
>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
>   (* Security fix *)
> patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz:
>   Upgraded to mod_ssl-2.8.21-1.3.32.
>   Don't allow clients to bypass cipher requirements, possibly negotiating
> a connection that the server does not consider secure enough.
>   For more details, see:
>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
>   (* Security fix *)
> patches/packages/php-4.3.9-i486-1.tgz:  Upgraded to php-4.3.9.
> +--------------------------+
> 
> 
> Where to find the new packages:
> +-----------------------------+
> 
> Updated packages for Slackware 8.1:
> ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.32-i386-1.tgz
> ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.21_1.3.32-i386-1.tgz
> ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.9-i386-1.tgz
> 
> Updated packages for Slackware 9.0:
> ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.32-i386-1.tgz
> ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.21_1.3.32-i386-1.tgz
> ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.9-i386-1.tgz
> 
> Updated packages for Slackware 9.1:
> ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.32-i486-1.tgz
> ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz
> ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.9-i486-1.tgz
> 
> Updated packages for Slackware 10.0:
> ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/apache-1.3.32-i486-1.tgz
> ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz
> ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/php-4.3.9-i486-1.tgz
> 
> Updated packages for Slackware -current:
> ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.32-i486-1.tgz
> ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.21_1.3.32-i486-1.tgz
> ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.9-i486-1.tgz
> 
> 
> MD5 signatures:
> +-------------+
> 
> 
> Installation instructions:
> +------------------------+
> 
> First, stop apache:
> 
> # apachectl stop
> 
> Next, upgrade the Apache package as root:
> 
> # upgradepkg apache-1.3.32-i486-1.tgz
> 
> For mod_ssl users, IMPORTANT:  Backup any keys/certificates you wish to
> save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl:
> 
> # upgradepkg mod_ssl-2.8.21_1.3.32-i486-1.tgz
> 
> If necessary, restore any mod_ssl config files.
> 
> If your site uses PHP, you may wish to upgrade to the new package
> containing the latest version of PHP4.  It wasn't clear to me if
> the biggest bugfix (a GPC input handling flaw) was really a security
> issue, but figured upgrading PHP for all supported versions of
> Slackware couldn't hurt.  To upgrade PHP:
> 
> # upgradepkg php-4.3.9-i486-1.tgz
> 
> Finally, restart apache:
> 
> # apachectl start
> 
> Or, if you're running a secure server with mod_ssl:
> 
> # apachectl startssl
> 
> 
> 
> +-----+
> 
> Slackware Linux Security Team
> address@hidden
> Slackware Packages and Security Alerts are always signed
> with this GPG key:
> http://slackware.com/gpg-key
> 
> 
> _______________________________________________
> Slackit.org mailing list - http://www.slackit.org
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/slackit-ml
-- 
====================[Linux-ON]====================
Francesco Mormile
Network Engineer ~ System Administrator
Office: Via Pellas, 32 50141 - Firenze
Phone: +39-055-454665
Mobile: +39-328-2229138
E-mail: address@hidden
http://www.linux-on.it
==================================================
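The installation steps from the quoted advisory, carried out as a POSIX shell script that first checks every package against the MD5 given in the advisory and snapshots the /etc/apache/ssl.* directories before mod_ssl is replaced. This is an added example, not code from the Slackware security team or from the list; the directory arguments and the `PKG:HASH` argument format are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): apply SSA:2004-299-01 in the order the
# advisory gives (apache, mod_ssl, php), refusing to touch the system if any
# package's md5sum differs from the hash published in the advisory.

# verify_md5 FILE EXPECTED_HASH -> 0 if md5sum(FILE) equals EXPECTED_HASH, else 1.
# A missing or truncated download yields a different (or empty) digest and fails.
verify_md5() {
    actual=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# backup_ssl_config APACHE_ETC DEST_DIR -> archives every APACHE_ETC/ssl.* directory
# (keys, certs, CSRs) into DEST_DIR/ssl-backup-<epoch>.tar and prints that path.
# The advisory says to save these before upgrading mod_ssl; restore from the
# tarball afterwards if the upgrade replaced anything.
backup_ssl_config() {
    mkdir -p "$2" || return 1
    dest=$(cd "$2" && pwd) || return 1
    tarball="$dest/ssl-backup-$(date +%s).tar"
    (cd "$1" && tar cf "$tarball" ssl.*) || return 1
    echo "$tarball"
}

# upgrade_pkgs APACHE_ETC BACKUP_DIR PKG:HASH [PKG:HASH ...]
# All checksums are verified before apache is stopped, so a bad download never
# leaves the server down. Packages are installed in the order given.
upgrade_pkgs() {
    etc_dir=$1; backup_dir=$2; shift 2
    for spec in "$@"; do
        verify_md5 "${spec%%:*}" "${spec##*:}" ||
            { echo "MD5 mismatch, aborting: ${spec%%:*}" >&2; return 1; }
    done
    apachectl stop
    backup_ssl_config "$etc_dir" "$backup_dir" >/dev/null || return 1
    for spec in "$@"; do
        upgradepkg "${spec%%:*}" || return 1
    done
    apachectl startssl   # plain "apachectl start" if mod_ssl is not in use
}

# Example invocation (hashes are placeholders; take them from the advisory):
# upgrade_pkgs /etc/apache /root/ssl-backups \
#   apache-1.3.32-i486-1.tgz:<md5 from advisory> \
#   mod_ssl-2.8.21_1.3.32-i486-1.tgz:<md5 from advisory> \
#   php-4.3.9-i486-1.tgz:<md5 from advisory>
```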