8631408 2002-06-21 14:57 -0600  /109 lines/ Dave Ahmad <da@securityfocus.com>
Sent by: joel@lysator.liu.se
Imported: 2002-06-21 23:27 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22781>
Subject: [slackware-security] new apache/mod_ssl packages available
------------------------------------------------------------
From: Dave Ahmad <da@securityfocus.com>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.43.0206211457230.7738-100000@mail.securityfocus.com>

---------- Forwarded message ----------
Date: Wed, 19 Jun 2002 21:18:39 -0700 (PDT)
From: Slackware Security Team <security@bob.slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] new apache/mod_ssl packages available

New Apache packages for Slackware are available to fix a security issue.
From the Apache site:

  "While testing for Oracle vulnerabilities, Mark Litchfield discovered a
  denial of service attack for Apache on Windows. Investigation by the
  Apache Software Foundation showed that this issue has a wider scope,
  which on some platforms results in a denial of service vulnerability,
  while on some other platforms presents a potential a remote exploit
  vulnerability."

The complete text of the Apache announcement may be found here:

  http://httpd.apache.org/info/security_bulletin_20020617.txt

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0392 to this issue:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392

SOLUTION
--------

We recommend that sites providing external Apache access upgrade to the
fixed Apache package as soon as possible. If you are using mod_ssl, you
will also require an updated mod_ssl package. Updated packages have been
prepared for Slackware 8.0 and 8.1.

WHERE TO FIND THE NEW PACKAGES:
-------------------------------

Updated Apache package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/apache.tgz

Updated Apache package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/apache-1.3.26-i386-1.tgz

Updated mod_ssl package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/mod_ssl.tgz

Updated mod_ssl package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/mod_ssl-2.8.9_1.3.26-i386-1.tgz

MD5 SIGNATURE:
--------------

Here are the md5sums for the packages:

Slackware 8.0:
69de43846c84209bc274ff5c1af554d6  apache.tgz
ca09ade9fbcd66b2e6e2aa13906140d2  mod_ssl.tgz

Slackware 8.1:
d92ba4c9a8b4afd589e274f394fa0e3c  apache-1.3.26-i386-1.tgz
1ac6cd008bb22db99accacc8648efbf6  mod_ssl-2.8.9_1.3.26-i386-1.tgz

INSTALLATION INSTRUCTIONS:
--------------------------

First, stop apache:

   # apachectl stop

Next, upgrade the package(s):

   # upgradepkg apache-1.3.26-i386-1.tgz
   # upgradepkg mod_ssl-2.8.9_1.3.26-i386-1.tgz

Then, restart apache:

   # apachectl start

Remember, it's also a good idea to back up configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com

(8631408) /Dave Ahmad <da@securityfocus.com>/(Rewrapped)
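
The advisory publishes md5sums, but its installation steps go straight to upgradepkg. The following is an added example, not part of the Slackware advisory, that gates those steps on the checksums listed for Slackware 8.1. The download directory in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: gate the advisory's upgrade steps on its published md5sums.

# Slackware 8.1 hashes and file names, copied from the advisory,
# in md5sum's "hash  filename" layout.
SLACK81_MANIFEST='d92ba4c9a8b4afd589e274f394fa0e3c  apache-1.3.26-i386-1.tgz
1ac6cd008bb22db99accacc8648efbf6  mod_ssl-2.8.9_1.3.26-i386-1.tgz'

# verify_packages DIR MANIFEST
# Returns 0 only if every file named in MANIFEST exists in DIR and matches.
verify_packages() {
    dir=$1
    status=0
    while read -r want name; do
        [ -n "$want" ] || continue          # skip blank lines
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            status=1
            continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)" >&2
            status=1
        fi
    done <<EOF
$2
EOF
    return "$status"
}

# upgrade_if_verified DIR MANIFEST
# Runs the advisory's stop / upgradepkg / start sequence only after every
# package verifies; otherwise returns 1 without touching the running server.
upgrade_if_verified() {
    verify_packages "$1" "$2" || { echo "refusing to upgrade" >&2; return 1; }
    apachectl stop
    while read -r want name; do
        # </dev/null keeps upgradepkg from consuming the manifest on stdin
        [ -n "$want" ] && upgradepkg "$1/$name" </dev/null
    done <<EOF
$2
EOF
    apachectl start
}

# Usage (run as root; /root/patches is a hypothetical download directory):
#   upgrade_if_verified /root/patches "$SLACK81_MANIFEST"
```

A matching MD5 shows the file is the one the advisory describes, so the check is only as trustworthy as the copy of the advisory the hashes were taken from.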