LBA-Linux Security Advisory
Subject: Updated httpd package for LBA-Linux R1
Advisory ID: LBASA-2004:34
Date: Wednesday, September 15, 2004
Product: LBA-Linux R1
Problem description:
CAN-2004-0748
mod_ssl in Apache 2.0.50 and earlier allows remote attackers to
cause a denial of service (CPU consumption) by aborting an SSL
connection in a way that causes an Apache child process to enter an
infinite loop.
CAN-2004-0751
The char_buffer_read function in the mod_ssl module for Apache 2.x,
when using reverse proxying to an SSL server, allows remote
attackers to cause a denial of service (segmentation fault).
Updated packages:
LBA-Linux R1:
i386:
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/httpd-2.0.48-16.lba.9.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/httpd-devel-2.0.48-16.lba.9.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/httpd-manual-2.0.48-16.lba.9.i386.rpm
ftp://ftp.sot.com/lba-linux_r1/apt/RPMS.updates/mod_ssl-2.0.48-16.lba.9.i386.rpm
Upgrading your system:
To apply this security update to your LBA-Linux system, run the
Updater tool from the LBA-Linux root desktop:
- Log in to your LBA-Linux desktop as the root user.
- Click on the penguin icon at the lower left of the display, and
select the menu item SYSTEM TOOLS>UPDATER.
- Click on the item named httpd to highlight it.
- Click on the PACKAGE menu in the menu bar, and select the
UPGRADE action.
- Confirm the upgrade by clicking the APPLY button in Updater’s
main toolbar.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751
Copyright(c) 2001-2004 SOT