Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


Slackware Linux Advisories: mod_ssl, PHP

Jun 03, 2004, 02:29 (0 Talkback[s])

[slackware-security] mod_ssl (SSA:2004-154-01)

New mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue. The packages were upgraded to mod_ssl-2.8.18-1.3.31 fixing a buffer overflow that may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN, if mod_ssl is configured to trust the issuing CA. Web sites running mod_ssl should upgrade to the new set of apache and mod_ssl packages. There are new PHP packages as well to fix a Slackware-specific local denial-of-service issue (an additional Slackware advisory SSA:2004-154-02 has been issued for PHP).

More details about the mod_ssl issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Wed Jun 2 11:28:17 PDT 2004
patches/packages/mod_ssl-2.8.18_1.3.31-i486-1.tgz: Upgraded to mod_ssl-2.8.18-1.3.31. This fixes a buffer overflow that may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN, if mod_ssl is configured to trust the issuing CA:
*) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation if the Subject-DN in the client certificate exceeds 6KB in length. For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
(* Security fix *)
Other changes: Make the sample keys .new so as not to overwrite existing server keys. However, any existing mod_ssl package will have these listed as non-config files, and will still remove and replace these upon upgrade. You'll have to save your config files one more time... sorry).
+--------------------------+

Where to find the new packages:

Updated packages for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.18_1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.6-i386-1.tgz

Updated packages for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.18_1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.6-i386-1.tgz

Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.18_1.3.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.6-i486-1.tgz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.31-i486-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.18_1.3.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.6-i486-4.tgz

MD5 signatures:

Slackware 8.1 packages:
5746a612882fb1ba946305e34fc8dd45 apache-1.3.31-i386-1.tgz
d4930240294413471df9128dcd1e71ee mod_ssl-2.8.18_1.3.31-i386-1.tgz
cee32e839211a37b0081615b4112b87f php-4.3.6-i386-1.tgz

Slackware 9.0 packages:
6366a8951a42536c99d9f926bd7ed4c9 apache-1.3.31-i386-1.tgz
dff6235ef0f46b4ab77aefa989e1b3f7 mod_ssl-2.8.18_1.3.31-i386-1.tgz
eaa0c69981f0aa8cc6b2d4ef0269481c php-4.3.6-i386-1.tgz

Slackware 9.1 packages:
5fbeac17051bcf7e41446d7b7a7a82be apache-1.3.31-i486-1.tgz
6a96640c9beb79dde305ddb22e36509e mod_ssl-2.8.18_1.3.31-i486-1.tgz
007c48e42d292819b6cdc66e2e8334e0 php-4.3.6-i486-1.tgz

Slackware -current packages:
5d69e97123241842eafc701c8bd6af88 apache-1.3.31-i486-2.tgz
020e5253fdd9f48ed163ad331e7b05fc mod_ssl-2.8.18_1.3.31-i486-1.tgz
07bcba5e37538f16941141c43006cec1 php-4.3.6-i486-4.tgz

Installation instructions:

First, stop apache:

# apachectl stop

IMPORTANT: Backup any keys/certificates you wish to save for mod_ssl (in /etc/apache/ssl.*)

Next, upgrade these packages as root:

# upgradepkg apache-1.3.31-i486-1.tgz
# upgradepkg mod_ssl-2.8.18_1.3.31-i486-1.tgz
# upgradepkg php-4.3.6-i486-1.tgz

If necessary, restore any mod_ssl config files.

Finally, restart apache:

# apachectl start

Or, if you're running a secure server with mod_ssl:

# apachectl startssl

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

[slackware-security] PHP local security issue (SSA:2004-154-02)

New PHP packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue. These fix a problem in previous Slackware php packages where linking PHP against a static library in an insecure path (under /tmp) could allow a local attacker to place shared libraries at this location causing PHP to crash, or to execute arbitrary code as the PHP user (which is by default, "nobody").

Thanks to Bryce Nichols for researching and reporting this issue.

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Wed Jun 2 11:28:17 PDT 2004
patches/packages/php-4.3.6-i486-1.tgz: Upgraded to php-4.3.6. This is compiled with c-client.a in /usr/local/lib/c-client/ to fix a problem in previous php packages where linking against the library in a path under /tmp caused an ELF rpath to this location to be built into the PHP binaries. A local attacker could (by placing shared libraries in this location) either crash PHP or cause arbitrary code to be executed as the PHP user (typically "nobody"). Thanks to Bryce Nichols for discovering this issue and bringing it to my attention.
(* Security fix *)
+--------------------------+

Where to find the new packages:

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.6-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.6-i386-1.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.6-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/php-4.3.6-i486-4.tgz

MD5 signatures:

Slackware 8.1 package:
cee32e839211a37b0081615b4112b87f php-4.3.6-i386-1.tgz

Slackware 9.0 package:
eaa0c69981f0aa8cc6b2d4ef0269481c php-4.3.6-i386-1.tgz

Slackware 9.1 package:
007c48e42d292819b6cdc66e2e8334e0 php-4.3.6-i486-1.tgz

Slackware -current package:
07bcba5e37538f16941141c43006cec1 php-4.3.6-i486-4.tgz

Installation instructions:

First, stop apache:

# apachectl stop

Next, upgrade the PHP package as root:

# upgradepkg php-4.3.6-i486-1.tgz

Finally, restart apache:

# apachectl start

Or, if you're running a secure server with mod_ssl:

# apachectl startssl

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com