From: weird
Subject: Re: [Slackit.org] [slackware-security] apache, mod_ssl, php (SSA:2004-299-01)
Date: Wed, 27 Oct 2004 11:21:52 +0200
You pig..... reply on staff please.. not here
weird
On Tue, 2004-10-26 at 20:46 +0200, shiva wrote:
> Is the moment approaching when, once again, not a damn thing will
> work? ;P
> DO NOT UPGRADE THE PACKAGES on avalon. Everything has to be compiled by
> hand; I'll take care of it as soon as possible.
>
> Regards
>
> shiva
>
> On Tue, 26-10-2004 at 10:57 +0200, address@hidden wrote:
> > [slackware-security] apache, mod_ssl, php (SSA:2004-299-01)
> >
> > New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1,
> > 10.0, and -current to fix security issues. Apache has been upgraded to
> > version 1.3.32 which fixes a heap-based buffer overflow in mod_proxy.
> > mod_ssl was upgraded from version mod_ssl-2.8.19-1.3.31 to version
> > 2.8.21-1.3.32 which corrects a flaw allowing a client to use a cipher
> > which the server does not consider secure enough.
> >
> > A new PHP package (php-4.3.9) is also available for all of these platforms.
> >
> > More details about these issues may be found in the Common
> > Vulnerabilities and Exposures (CVE) database:
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
> >
> >
> > Here are the details from the Slackware 10.0 ChangeLog:
> > +--------------------------+
> > patches/packages/apache-1.3.32-i486-1.tgz: Upgraded to apache-1.3.32.
> > This addresses a heap-based buffer overflow in mod_proxy by rejecting
> > responses from a remote server with a negative Content-Length. The flaw
> > could crash the Apache child process, or possibly allow code to be
> > executed as the Apache user (but only if mod_proxy is actually in use on
> > the server).
> > For more details, see:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
> > (* Security fix *)
> > patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz:
> > Upgraded to mod_ssl-2.8.21-1.3.32.
> > Don't allow clients to bypass cipher requirements, possibly negotiating
> > a connection that the server does not consider secure enough.
> > For more details, see:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
> > (* Security fix *)
> > patches/packages/php-4.3.9-i486-1.tgz: Upgraded to php-4.3.9.
> > +--------------------------+
> >
> >
> > Where to find the new packages:
> > +-----------------------------+
> >
> > Updated packages for Slackware 8.1:
> > ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.32-i386-1.tgz
> > ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.21_1.3.32-i386-1.tgz
> > ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.9-i386-1.tgz
> >
> > Updated packages for Slackware 9.0:
> > ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.32-i386-1.tgz
> > ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.21_1.3.32-i386-1.tgz
> > ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.9-i386-1.tgz
> >
> > Updated packages for Slackware 9.1:
> > ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.32-i486-1.tgz
> > ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz
> > ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.9-i486-1.tgz
> >
> > Updated packages for Slackware 10.0:
> > ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/apache-1.3.32-i486-1.tgz
> > ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz
> > ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/php-4.3.9-i486-1.tgz
> >
> > Updated packages for Slackware -current:
> > ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.32-i486-1.tgz
> > ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.21_1.3.32-i486-1.tgz
> > ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.9-i486-1.tgz
> >
> >
> > MD5 signatures:
> > +-------------+
> >
> >
> >
> > Installation instructions:
> > +------------------------+
> >
> > First, stop apache:
> >
> > # apachectl stop
> >
> > Next, upgrade the Apache package as root:
> >
> > # upgradepkg apache-1.3.32-i486-1.tgz
> >
> > For mod_ssl users, IMPORTANT: Backup any keys/certificates you wish to
> > save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl:
> >
> > # upgradepkg mod_ssl-2.8.21_1.3.32-i486-1.tgz
> >
> > If necessary, restore any mod_ssl config files.
> >
> > If your site uses PHP, you may wish to upgrade to the new package
> > containing the latest version of PHP4. It wasn't clear to me if
> > the biggest bugfix (a GPC input handling flaw) was really a security
> > issue, but figured upgrading PHP for all supported versions of
> > Slackware couldn't hurt. To upgrade PHP:
> >
> > # upgradepkg php-4.3.9-i486-1.tgz
> >
> > Finally, restart apache:
> >
> > # apachectl start
> >
> > Or, if you're running a secure server with mod_ssl:
> >
> > # apachectl startssl
> >
> >
> >
> > +-----+
> >
> > Slackware Linux Security Team
> > address@hidden
> > Slackware Packages and Security Alerts are always signed
> > with this GPG key:
> > http://slackware.com/gpg-key
> >
> >
> > _______________________________________________
> > Slackit.org mailing list - http://www.slackit.org
> > address@hidden
> > http://lists.nongnu.org/mailman/listinfo/slackit-ml
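Added example (not part of the original messages and not Apache's source code): the quoted ChangeLog says the mod_proxy fix rejects responses with a negative Content-Length. The C code below shows, in general terms, why a negative length is dangerous when it reaches a copy size, and a strict parser that refuses it. All function names, the 8192-byte limit and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* General bug class (illustrative, not Apache's code): a signed length is
 * clamped with a signed comparison, then converted to size_t for the copy.
 * A negative value passes the clamp and becomes a huge unsigned size. */
size_t unsafe_copy_len(long declared, long bufsize)
{
    long n = declared < bufsize ? declared : bufsize;  /* -1 < 8192 */
    return (size_t)n;                                  /* -1 -> SIZE_MAX */
}

/* Strict Content-Length parser: digits only, no sign, no trailing junk,
 * no overflow, and never larger than max_body.
 * Returns 0 and stores the length in *out, or -1 to reject the response. */
int parse_content_length(const char *value, size_t max_body, size_t *out)
{
    const char *p = value;
    char *end;
    unsigned long long n;

    while (*p == ' ' || *p == '\t')
        p++;
    if (!isdigit((unsigned char)*p))   /* rejects "-1", "+5" and "" */
        return -1;
    errno = 0;
    n = strtoull(p, &end, 10);
    if (errno == ERANGE)               /* value does not fit at all */
        return -1;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')                  /* e.g. "10abc" or "10, 20" */
        return -1;
    if (n > max_body)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Copy a body into a fixed buffer only after the declared length has been
 * validated against both the buffer size and the bytes actually received. */
int copy_body(char *dst, size_t dst_size, const char *src, size_t src_len,
              const char *cl_value, size_t *copied)
{
    size_t declared;

    if (parse_content_length(cl_value, dst_size, &declared) != 0)
        return -1;
    if (declared > src_len)
        return -1;
    memcpy(dst, src, declared);
    *copied = declared;
    return 0;
}
```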