Slackware alert SSA:2004-154-01 (mod_ssl)
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] mod_ssl (SSA:2004-154-01)
Date: Wed, 2 Jun 2004 12:24:39 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  mod_ssl (SSA:2004-154-01)

New mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, and -current
to fix a security issue.  The packages were upgraded to mod_ssl-2.8.18-1.3.31
fixing a buffer overflow that may allow remote attackers to execute arbitrary
code via a client certificate with a long subject DN, if mod_ssl is
configured to trust the issuing CA.  Web sites running mod_ssl should upgrade
to the new set of apache and mod_ssl packages.

There are new PHP packages as well to fix a Slackware-specific local
denial-of-service issue (an additional Slackware advisory SSA:2004-154-02
has been issued for PHP).

More details about the mod_ssl issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488


Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Wed Jun  2 11:28:17 PDT 2004
patches/packages/mod_ssl-2.8.18_1.3.31-i486-1.tgz:  Upgraded to
  mod_ssl-2.8.18-1.3.31.  This fixes a buffer overflow that may allow
  remote attackers to execute arbitrary code via a client certificate with
  a long subject DN, if mod_ssl is configured to trust the issuing CA:
  *) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation
     if the Subject-DN in the client certificate exceeds 6KB in length.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
  (* Security fix *)
  Other changes:  Make the sample keys .new so as not to overwrite existing
  server keys.  (However, any existing mod_ssl package will have these
  listed as non-config files, and will still remove and replace these upon
  upgrade.  You'll have to save your config files one more time... sorry)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated packages for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.18_1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.6-i386-1.tgz

Updated packages for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.18_1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.6-i386-1.tgz

Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.18_1.3.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.6-i486-1.tgz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.31-i486-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.18_1.3.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.6-i486-4.tgz


MD5 signatures:
+-------------+

Slackware 8.1 packages:
5746a612882fb1ba946305e34fc8dd45  apache-1.3.31-i386-1.tgz
d4930240294413471df9128dcd1e71ee  mod_ssl-2.8.18_1.3.31-i386-1.tgz
cee32e839211a37b0081615b4112b87f  php-4.3.6-i386-1.tgz

Slackware 9.0 packages:
6366a8951a42536c99d9f926bd7ed4c9  apache-1.3.31-i386-1.tgz
dff6235ef0f46b4ab77aefa989e1b3f7  mod_ssl-2.8.18_1.3.31-i386-1.tgz
eaa0c69981f0aa8cc6b2d4ef0269481c  php-4.3.6-i386-1.tgz

Slackware 9.1 packages:
5fbeac17051bcf7e41446d7b7a7a82be  apache-1.3.31-i486-1.tgz
6a96640c9beb79dde305ddb22e36509e  mod_ssl-2.8.18_1.3.31-i486-1.tgz
007c48e42d292819b6cdc66e2e8334e0  php-4.3.6-i486-1.tgz

Slackware -current packages:
5d69e97123241842eafc701c8bd6af88  apache-1.3.31-i486-2.tgz
020e5253fdd9f48ed163ad331e7b05fc  mod_ssl-2.8.18_1.3.31-i486-1.tgz
07bcba5e37538f16941141c43006cec1  php-4.3.6-i486-4.tgz


Installation instructions:
+------------------------+

First, stop apache:
# apachectl stop

IMPORTANT:  Backup any keys/certificates you wish to save for mod_ssl
(in /etc/apache/ssl.*)

Next, upgrade these packages as root:
# upgradepkg apache-1.3.31-i486-1.tgz
# upgradepkg mod_ssl-2.8.18_1.3.31-i486-1.tgz
# upgradepkg php-4.3.6-i486-1.tgz

If necessary, restore any mod_ssl config files.

Finally, restart apache:
# apachectl start

Or, if you're running a secure server with mod_ssl:
# apachectl startssl


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAviEaakRjwEAQIjMRAs1WAJwPiakCA6g8+4bxqqO8cVxZUxEIbwCfR8NY
aCmXEhGPnblNoJ7BJIB6cGA=
=sHzy
-----END PGP SIGNATURE-----
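The advisory lists MD5 sums for each package but the installation steps do not include checking them. The script below is an added example, not part of the Slackware advisory, that ties the two together for the Slackware 9.1 packages: it verifies each downloaded .tgz against the sums printed above and only then runs the stop / backup / upgradepkg sequence the advisory gives. It assumes the three Slackware 9.1 files were fetched into the current directory, that md5sum(1) is available, and that it runs as root; the function names (verify_md5, verify_list, run_upgrade) and the backup directory under /root are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Slackware advisory): check the advisory's MD5
# sums for the Slackware 9.1 packages, then run the advisory's upgrade steps.
# Assumptions: the .tgz files are in the current directory, md5sum(1) exists,
# and the script runs as root on Slackware 9.1.

# MD5 sums copied from the "Slackware 9.1 packages" section of the advisory.
SLACK91_MD5='
5fbeac17051bcf7e41446d7b7a7a82be apache-1.3.31-i486-1.tgz
6a96640c9beb79dde305ddb22e36509e mod_ssl-2.8.18_1.3.31-i486-1.tgz
007c48e42d292819b6cdc66e2e8334e0 php-4.3.6-i486-1.tgz
'

# md5_of FILE -> prints the hex MD5 digest of FILE (first field of md5sum output).
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_md5 FILE EXPECTED -> exit status 0 when FILE's digest equals EXPECTED,
# 1 when it differs or FILE cannot be read.
verify_md5() {
    [ -r "$1" ] || return 1
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_list LIST -> LIST holds "digest filename" lines; checks every file and
# returns 1 at the first mismatch (blank lines are skipped).
verify_list() {
    printf '%s\n' "$1" | while read -r sum name; do
        [ -n "$name" ] || continue
        verify_md5 "$name" "$sum" || { echo "MISMATCH $name" >&2; exit 1; }
        echo "OK       $name"
    done
}

# run_upgrade -> the advisory's procedure for Slackware 9.1, gated on the sums.
# Apache is deliberately not restarted here: the advisory says to restore any
# mod_ssl config files first, then run "apachectl start" or "apachectl startssl".
run_upgrade() {
    verify_list "$SLACK91_MD5" || {
        echo "refusing to upgrade: checksum mismatch" >&2
        return 1
    }
    apachectl stop
    # Keep a copy of the mod_ssl key/certificate directories the advisory
    # tells you to back up (path under /root is this example's choice).
    backup="/root/apache-ssl-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" && cp -a /etc/apache/ssl.* "$backup"/
    upgradepkg apache-1.3.31-i486-1.tgz
    upgradepkg mod_ssl-2.8.18_1.3.31-i486-1.tgz
    upgradepkg php-4.3.6-i486-1.tgz
    echo "done; mod_ssl keys/certs saved under $backup"
    echo "restore any config files, then run: apachectl start (or startssl)"
}

# Only perform the upgrade when explicitly asked (./upgrade.sh --run);
# otherwise the script just defines the functions above.
if [ "${1:-}" = "--run" ]; then
    run_upgrade
fi
```

The sums are worth checking only because they come from the PGP-signed advisory text: they confirm that what landed on disk is the file the announcement describes, which catches a truncated or altered download, but an MD5 sum is not a signature over the package itself, so the advisory's PGP signature (key at http://slackware.com/gpg-key) remains the trust anchor.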