New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1,
10.0, and -current to fix security issues. Apache has been upgraded to
version 1.3.32, which fixes a heap-based buffer overflow in mod_proxy.
mod_ssl was upgraded from version mod_ssl-2.8.19-1.3.31 to version
2.8.21-1.3.32, which corrects a flaw that allowed a client to negotiate
a cipher the server does not consider secure enough.
A new PHP package (php-4.3.9) is also available for all of these platforms.
More details about these issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:
Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
patches/packages/apache-1.3.32-i486-1.tgz: Upgraded to apache-1.3.32.
This addresses a heap-based buffer overflow in mod_proxy by rejecting
responses from a remote server with a negative Content-Length. The
flaw could crash the Apache child process, or possibly allow code to
be executed as the Apache user (but only if mod_proxy is actually in
use on the server).
For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
(* Security fix *)
patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz:
Upgraded to mod_ssl-2.8.21-1.3.32.
Don't allow clients to bypass cipher requirements, possibly negotiating
a connection that the server does not consider secure enough.
For more details, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
(* Security fix *)
patches/packages/php-4.3.9-i486-1.tgz: Upgraded to php-4.3.9.
+--------------------------+
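The mod_proxy fix above comes down to refusing an origin response whose Content-Length is negative before that value is ever used to size a buffer. As an added illustration (not Apache's or Slackware's code), here is a strict parser for the header value that a proxy can apply: it accepts only an unsigned decimal string and rejects a leading sign, non-numeric text, trailing junk, and values that overflow a long. The function names are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Parse a Content-Length header value the way a proxy should before
 * trusting it. Returns the length (>= 0) on success, or -1 when the
 * value is empty, signed, non-numeric, has trailing junk, or does not
 * fit in a long. Hypothetical helper, not Apache's own code. */
long parse_content_length(const char *value)
{
    const char *p = value;
    char *end;
    long n;

    if (value == NULL)
        return -1;
    while (*p == ' ' || *p == '\t')
        p++;
    /* Only an unsigned digit string is acceptable: strtol() would
     * happily accept a leading '-' or '+', so reject those up front.
     * This is exactly the negative-length case the fix refuses. */
    if (!isdigit((unsigned char)*p))
        return -1;
    errno = 0;
    n = strtol(p, &end, 10);
    if (errno == ERANGE || n < 0)
        return -1;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;
    return n;
}

/* Decide whether a proxied origin response may be relayed: no header
 * at all is fine (read until the connection closes), but a header that
 * does not parse to a non-negative length is refused outright. */
int accept_proxied_response(const char *content_length_header)
{
    if (content_length_header == NULL)
        return 1;
    return parse_content_length(content_length_header) >= 0;
}
```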
For mod_ssl users, IMPORTANT: Backup any keys/certificates you wish
to save for mod_ssl (in /etc/apache/ssl.*), then upgrade mod_ssl:
# upgradepkg mod_ssl-2.8.21_1.3.32-i486-1.tgz
If necessary, restore any mod_ssl config files.
If your site uses PHP, you may wish to upgrade to the new package
containing the latest version of PHP4. It wasn't clear to me if
the biggest bugfix (a GPC input handling flaw) was really a security
issue, but I figured upgrading PHP for all supported versions of
Slackware couldn't hurt. To upgrade PHP:
# upgradepkg php-4.3.9-i486-1.tgz
Finally, restart apache:
# apachectl start
Or, if you're running a secure server with mod_ssl: