From: Dave Ahmad (dasecurityfocus.com)
Date: Fri Jun 21 2002 - 15:57:54 CDT

    ---------- Forwarded message ----------
    Date: Wed, 19 Jun 2002 21:18:39 -0700 (PDT)
    From: Slackware Security Team <securitybob.slackware.com>
    To: slackware-securityslackware.com
    Subject: [slackware-security] new apache/mod_ssl packages available

    New Apache packages for Slackware are available to fix a security issue.

    From the Apache site:

    "While testing for Oracle vulnerabilities, Mark Litchfield discovered a
    denial of service attack for Apache on Windows. Investigation by the
    Apache Software Foundation showed that this issue has a wider scope, which
    on some platforms results in a denial of service vulnerability, while on
    some other platforms presents a potential remote exploit vulnerability."

    The complete text of the Apache announcement may be found here:
      http://httpd.apache.org/info/security_bulletin_20020617.txt

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2002-0392 to this issue:
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392

    SOLUTION
    --------

    We recommend that sites providing external Apache access upgrade to the fixed
    Apache package as soon as possible. If you are using mod_ssl, you will also
    require an updated mod_ssl package. Updated packages have been prepared for
    Slackware 8.0 and 8.1.

    WHERE TO FIND THE NEW PACKAGES:
    -------------------------------
    Updated Apache package for Slackware 8.0:
    ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/apache.tgz

    Updated Apache package for Slackware 8.1:
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/apache-1.3.26-i386-1.tgz

    Updated mod_ssl package for Slackware 8.0:
    ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/mod_ssl.tgz

    Updated mod_ssl package for Slackware 8.1:
    ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/mod_ssl-2.8.9_1.3.26-i386-1.tgz

    MD5 SIGNATURE:
    --------------

    Here are the md5sums for the packages:

    Slackware 8.0:
    69de43846c84209bc274ff5c1af554d6 apache.tgz
    ca09ade9fbcd66b2e6e2aa13906140d2 mod_ssl.tgz

    Slackware 8.1:
    d92ba4c9a8b4afd589e274f394fa0e3c apache-1.3.26-i386-1.tgz
    1ac6cd008bb22db99accacc8648efbf6 mod_ssl-2.8.9_1.3.26-i386-1.tgz

    INSTALLATION INSTRUCTIONS:
    --------------------------

    First, stop apache:

       # apachectl stop

    Next, upgrade the package(s):

       # upgradepkg apache-1.3.26-i386-1.tgz
       # upgradepkg mod_ssl-2.8.9_1.3.26-i386-1.tgz

    Then, restart apache:

       # apachectl start

    Remember, it's also a good idea to back up configuration files before
    upgrading packages.

    - Slackware Linux Security Team
      http://www.slackware.com

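The advisory lists md5sums and an upgrade sequence but leaves the check itself to the reader. The script below is an added example, not part of the advisory or of Slackware's tooling: it refuses to run the stop / upgradepkg / start steps unless every downloaded package matches the listed sum. The function names and the RUN dry-run switch are hypothetical, and md5sum is assumed to be installed.

```shell
#!/bin/sh
# Added example (not part of the advisory): gate the upgrade on the md5sums.
# Slackware 8.1 checksums, copied from the advisory text above.
ADVISORY_SUMS_81='d92ba4c9a8b4afd589e274f394fa0e3c apache-1.3.26-i386-1.tgz
1ac6cd008bb22db99accacc8648efbf6 mod_ssl-2.8.9_1.3.26-i386-1.tgz'

# Assumption: RUN is a hypothetical dry-run switch. By default commands are
# only echoed; call with RUN= (empty) as root to execute them for real.
RUN=${RUN-echo}

# verify_packages DIR MANIFEST
# Returns 0 only if every file named in MANIFEST exists in DIR and its MD5
# matches; a missing file or a single mismatch fails the whole set.
verify_packages() {
    rc=0
    while read -r want name; do
        [ -n "$want" ] || continue              # skip blank lines
        case $name in
            ''|*/*) echo "REJECT: bad file name '$name'" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$1/$name" ]; then
            echo "MISSING: $name" >&2; rc=1; continue
        fi
        got=$(md5sum < "$1/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK: $name"
        else
            echo "MISMATCH: $name (got $got, advisory says $want)" >&2; rc=1
        fi
    done <<EOF
$2
EOF
    return "$rc"
}

# upgrade_if_verified DIR MANIFEST
# The advisory's stop / upgradepkg / start sequence, run only after every
# package has verified, so a corrupt download never stops the running server.
upgrade_if_verified() {
    verify_packages "$1" "$2" || { echo "Refusing to upgrade" >&2; return 1; }
    $RUN apachectl stop
    while read -r want name; do
        [ -n "$want" ] || continue
        $RUN upgradepkg "$1/$name" </dev/null || return 1
    done <<EOF
$2
EOF
    $RUN apachectl start
}
```

Source the file and call `upgrade_if_verified . "$ADVISORY_SUMS_81"` from the download directory to see the commands it would run.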