|
|
|
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] Apache httpd (SSA:2006-209-01)
Date: Fri, 28 Jul 2006 17:21:45 -0700 (PDT) |
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] Apache httpd (SSA:2006-209-01)
New Apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,
10.2, and -current to fix a security issue with mod_rewrite.
More details about the issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
In addition, new mod_ssl packages for Apache 1.3.37 are available for
all of these versions of Slackware. This additional package does not
fix a security issue, but may be required on your system depending on
your Apache setup.
Here are the details from the Slackware 10.2 ChangeLog:
+--------------------------+
patches/packages/apache-1.3.37-i486-1_slack10.2.tgz:
Upgraded to apache-1.3.37.
From the announcement on httpd.apache.org:
This version of Apache is security fix release only. An off-by-one flaw
exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3
since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
The Slackware Security Team feels that the vast majority of installations
will not be configured in a vulnerable way but still suggests upgrading to
the new apache and mod_ssl packages for maximum security.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
And see Apache's announcement here:
http://www.apache.org/dist/httpd/Announcement1.3.html
(* Security fix *)
patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.2.tgz:
Upgraded to mod_ssl-2.8.28-1.3.37.
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated packages for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.37-i386-1_slack8.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.28_1.3.37-i386-1_slack8.1.tgz
Updated packages for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.37-i386-1_slack9.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.28_1.3.37-i386-1_slack9.0.tgz
Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.37-i486-1_slack9.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack9.1.tgz
Updated packages for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/apache-1.3.37-i486-1_slack10.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.0.tgz
Updated packages for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/apache-1.3.37-i486-1_slack10.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.1.tgz
Updated packages for Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/apache-1.3.37-i486-1_slack10.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/mod_ssl-2.8.28_1.3.37-i486-1_slack10.2.tgz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.37-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.28_1.3.37-i486-1.tgz
MD5 signatures:
+-------------+
Slackware 8.1 packages:
55d47a6b97a9d7a22c7a763516efcea8 apache-1.3.37-i386-1_slack8.1.tgz
1368c7ae40208b163f3206f3e22048ff mod_ssl-2.8.28_1.3.37-i386-1_slack8.1.tgz
Slackware 9.0 packages:
99ce9375d240afd31b9106adec400815 apache-1.3.37-i386-1_slack9.0.tgz
5a61caaf9f4165212907e6a296356c43 mod_ssl-2.8.28_1.3.37-i386-1_slack9.0.tgz
Slackware 9.1 packages:
25a4d00152a314a0725d911042e96401 apache-1.3.37-i486-1_slack9.1.tgz
7cc5b41158adf19a069897add2700afa mod_ssl-2.8.28_1.3.37-i486-1_slack9.1.tgz
Slackware 10.0 packages:
84542fd4e9b31a5607810ccf4a37a103 apache-1.3.37-i486-1_slack10.0.tgz
dc47b69b0609f94a68196d07c42d563f mod_ssl-2.8.28_1.3.37-i486-1_slack10.0.tgz
Slackware 10.1 packages:
d442b2fa446eb41592ad2b0b8f9bf836 apache-1.3.37-i486-1_slack10.1.tgz
fc5dc2154b3d906a91745761a9511276 mod_ssl-2.8.28_1.3.37-i486-1_slack10.1.tgz
Slackware 10.2 packages:
289a0160cce32539318b6155e112905d apache-1.3.37-i486-1_slack10.2.tgz
f115fb6e615f2688e182a7696b63f76e mod_ssl-2.8.28_1.3.37-i486-1_slack10.2.tgz
Slackware -current packages:
8031dea830403ed012b6cf12795dd219 apache-1.3.37-i486-1.tgz
fb24b42306a8731b1fcce93c90f99ded mod_ssl-2.8.28_1.3.37-i486-1.tgz
Installation instructions:
+------------------------+
First, stop apache:
# apachectl stop
Then, upgrade the apache package:
# upgradepkg apache-1.3.37-i486-1_slack10.2.tgz mod_ssl-2.8.28_1.3.37-i486-1_slack10.2.tgz
Finally, restart apache:
# apachectl start
Or, if you use mod_ssl:
# apachectl startssl
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
iD8DBQFEypX4akRjwEAQIjMRAsGoAKCKEIXGmmj8mVMXaH34Dn5lTqvqtQCcCJx5
jk39xxMkaGiJ/nmima9WMMs=
=GZk2
-----END PGP SIGNATURE-----
|
|
|
