Slackware Linux Advisory: apache, mod_ssl, php

[slackware-security] apache, mod_ssl, php (SSA:2004-299-01)

New apache and mod_ssl packages are available for Slackware 8.1,
9.0, 9.1, 10.0, and -current to fix security issues. Apache has
been upgraded to version 1.3.32 which fixes a heap-based buffer
overflow in mod_proxy. mod_ssl was upgraded from version
mod_ssl-2.8.19-1.3.31 to version 2.8.21-1.3.32 which corrects a
flaw allowing a client to use a cipher which the server does not
consider secure enough.

A new PHP package (php-4.3.9) is also available for all of these
platforms.

More details about these issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885

Here are the details from the Slackware 10.0 ChangeLog:
+————————–+
patches/packages/apache-1.3.32-i486-1.tgz: Upgraded to
apache-1.3.32. This addresses a heap-based buffer overflow in
mod_proxy by rejecting responses from a remote server with a
negative Content-Length. The flaw could crash the Apache child
process, or possibly allow code to be executed as the Apache user
(but only if mod_proxy is actually in use on the server).
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492

(* Security fix *)
patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz:
Upgraded to mod_ssl-2.8.21-1.3.32.
Don’t allow clients to bypass cipher requirements, possibly
negotiating a connection that the server does not consider secure
enough. For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885

(* Security fix *)
patches/packages/php-4.3.9-i486-1.tgz: Upgraded to php-4.3.9.
+————————–+

Where to find the new packages:

Updated packages for Slackware 8.1:

ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.32-i386-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.21_1.3.32-i386-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.9-i386-1.tgz

Updated packages for Slackware 9.0:

ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.32-i386-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.21_1.3.32-i386-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.9-i386-1.tgz

Updated packages for Slackware 9.1:

ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.32-i486-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.9-i486-1.tgz

Updated packages for Slackware 10.0:

ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/apache-1.3.32-i486-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/php-4.3.9-i486-1.tgz

Updated packages for Slackware -current:

ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.32-i486-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.21_1.3.32-i486-1.tgz

ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.9-i486-1.tgz

MD5 signatures:

Slackware 8.1 package:
0ad0c5a59af7bd002bd0e04e09465a87 apache-1.3.32-i386-1.tgz
6742f537496e71a08face2069f57cc12
mod_ssl-2.8.21_1.3.32-i386-1.tgz
c8b2bdff68c0d7af91ec21abec6cb78f php-4.3.9-i386-1.tgz

Slackware 9.0 package:
12e87b210d253053d5d981aa72aa99b1 apache-1.3.32-i386-1.tgz
9f5473899d8dec9b0b03e433c1703a96
mod_ssl-2.8.21_1.3.32-i386-1.tgz
72e5970d64c4aedcc06f075d81ddf3a9 php-4.3.9-i386-1.tgz

Slackware 9.1 package:
ad41a73de2fce12ef3190d11ef00da23 apache-1.3.32-i486-1.tgz
4465d45ba61cd75c6462aa06887e37f5
mod_ssl-2.8.21_1.3.32-i486-1.tgz
86eee944a308e194c1c63f9a1f62114a php-4.3.9-i486-1.tgz

Slackware 10.0 package:
40b5706eedd6aecf8af5d03eecf961f9 apache-1.3.32-i486-1.tgz
ebb1b53eae5803e1f92b226b2513f4ca
mod_ssl-2.8.21_1.3.32-i486-1.tgz
c875421237da2ce50e5e8d3bf0e5de08 php-4.3.9-i486-1.tgz

Slackware -current package:
7a2fd071f5c2c8e77b55105245c4e67a apache-1.3.32-i486-1.tgz
9e0769c25e977a9fe580aace13fcdd9f
mod_ssl-2.8.21_1.3.32-i486-1.tgz
5a498e40aeda783241d99825f4a5bd55 php-4.3.9-i486-1.tgz

Installation instructions:

First, stop apache:

# apachectl stop

Next, upgrade the Apache package as root:

# upgradepkg >apache-1.3.32-i486-1.tgz

For mod_ssl users, IMPORTANT: Backup any keys/certificates you
wish to save for mod_ssl (in /etc/apache/ssl.*), then upgrade
mod_ssl:

# upgradepkg mod_ssl-2.8.21_1.3.32-i486-1.tgz

If necessary, restore any mod_ssl config files.

If your site uses PHP, you may wish to upgrade to the new
package containing the latest version of PHP4. It wasn’t clear to
me if the biggest bugfix (a GPC input handling flaw) was really a
security issue, but figured upgrading PHP for all supported
versions of Slackware couldn’t hurt. To upgrade PHP:

# upgradepkg php-4.3.9-i486-1.tgz

Finally, restart apache:

# apachectl start

Or, if you’re running a secure server with mod_ssl:

# apachectl startssl

+—–+

Slackware Linux Security Team
security@slackware.com
Slackware Packages and Security Alerts are always signed with this
GPG key:
http://slackware.com/gpg-key