CVSS2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
EPSS Percentile | 98.2% |
The Slackware Linux Project: Slackware Security Advisories
From the Apache site:

"While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows. Investigation by the
Apache Software Foundation showed that this issue has a wider scope, which
on some platforms results in a denial of service vulnerability, while on
some other platforms presents a potential remote exploit vulnerability."
The complete text of the Apache announcement may be found here:
http://httpd.apache.org/info/security_bulletin_20020617.txt

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0392 to this issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392

We recommend that sites providing external Apache access upgrade to the fixed
Apache package as soon as possible. If you are using mod_ssl, you will also
require an updated mod_ssl package. Updated packages have been prepared for
Slackware 8.0 and 8.1.

Updated Apache package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/apache.tgz

Updated Apache package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/apache-1.3.26-i386-1.tgz

Updated mod_ssl package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/mod_ssl.tgz

Updated mod_ssl package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/mod_ssl-2.8.9_1.3.26-i386-1.tgz

Here are the md5sums for the packages:

Slackware 8.0:
69de43846c84209bc274ff5c1af554d6 apache.tgz
ca09ade9fbcd66b2e6e2aa13906140d2 mod_ssl.tgz

Slackware 8.1:
d92ba4c9a8b4afd589e274f394fa0e3c apache-1.3.26-i386-1.tgz
1ac6cd008bb22db99accacc8648efbf6 mod_ssl-2.8.9_1.3.26-i386-1.tgz

First, stop apache:
> apachectl stop

Next, upgrade the package(s):
> upgradepkg apache-1.3.26-i386-1.tgz
> upgradepkg mod_ssl-2.8.9_1.3.26-i386-1.tgz

Then, restart apache:
> apachectl start

Remember, it's also a good idea to backup configuration files before
upgrading packages.

http://www.slackware.com
From [email protected] Wed Jun 26 13:45:49 2002
Received: (from daemon@localhost)
by bob.slackware.com (8.11.6/8.11.6) id g5QKjn631503
for slackware-security-outgoing; Wed, 26 Jun 2002 13:45:49 -0700
Received: from localhost (security@localhost)
by bob.slackware.com (8.11.6/8.11.6) with ESMTP id g5QKjmB31500
for <[email protected]>; Wed, 26 Jun 2002 13:45:48 -0700
Date: Wed, 26 Jun 2002 13:45:48 -0700 (PDT)
From: Slackware Security Team <[email protected]>
To: [email protected]
Subject: [slackware-security] New OpenSSH packages available
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: [email protected]
Precedence: bulk
Reply-To: Slackware Security Team <[email protected]>
Status: RO
New OpenSSH 3.4p1 packages providing privilege separation for improved
security are available for Slackware 7.1, 8.0, and 8.1. Here are the
details from the Slackware 8.1 ChangeLog:

Wed Jun 26 12:03:06 PDT 2002
patches/packages/openssh-3.4p1-i386-1.tgz: Upgraded to openssh-3.4p1.
This version enables privilege separation by default. The
README.privsep file says this about it:

Privilege separation, or privsep, is a method in OpenSSH by which
operations that require root privilege are performed by a separate
privileged monitor process. Its purpose is to prevent privilege
escalation by containing corruption to an unprivileged process. More
information is available at:
http://www.citi.umich.edu/u/provos/ssh/privsep.html

Note that ISS has released an advisory on OpenSSH (OpenSSH Remote
Challenge Vulnerability). Slackware is not affected by this issue, as
we have never included AUTH_BSD, S/KEY, or PAM. Unless at least one of
these options is compiled into sshd, it is not vulnerable. Further note
that none of these options are turned on in a default build from source
code, so if you have built sshd yourself you should not be vulnerable
unless you've enabled one of these options.

Regardless, the security provided by privsep is unquestionably better.
This time we (Slackware) were lucky, but next time we might not be.
Therefore we recommend that all sites running the OpenSSH daemon (sshd,
enabled by default in Slackware 8.1) upgrade to this new openssh
package. After upgrading the package, restart the daemon like this:
/etc/rc.d/rc.sshd restart

The text of the ISS Advisory may be found here:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584

Updated OpenSSH package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.4p1-i386-1.tgz

Updated OpenSSH package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/openssh.tgz

Updated OpenSSH package for Slackware 7.1:
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/openssh.tgz

Here are the md5sums for the packages:

Slackware 8.1:
bfd503d88144c62906deef4a1280f583 openssh-3.4p1-i386-1.tgz

Slackware 8.0:
a88c387e5261dd9ac90b113e85d054ed openssh.tgz

Slackware 7.1:
416b8e06b181ab01a975958a893688b3 openssh.tgz

First upgrade the OpenSSH package:
> upgradepkg openssh-3.4p1-i386-1.tgz

Then, check the /etc/ssh/ directory where the new config files will be
installed as ssh_config.new and sshd_config.new. Most sites will want
to move these on top of the existing config files:
> mv ssh_config.new ssh_config
> mv sshd_config.new sshd_config

Finally, restart the sshd daemon:
> . /etc/rc.d/rc.sshd restart
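Both advisories above publish md5sums for their packages and then tell the reader to run upgradepkg, but neither shows the checksum check that should sit between the two steps. The following POSIX shell helper is an added example and is not part of either Slackware advisory: it reads checksum lines in the advisory's own "<md5sum> <filename>" layout (skipping the "Slackware 8.1:" headings), verifies whichever listed files have actually been downloaded, and only calls upgradepkg after a file's sum matches. The function names, the DRY_RUN variable and the demo file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Slackware advisories: verify downloaded packages
# against the advisory's md5sum listing before calling upgradepkg.
# Function names, the DRY_RUN variable and the demo file are constructed here.

# md5 of one file; works with GNU coreutils (md5sum) or BSD/macOS (md5 -q).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 EXPECTED FILE: exit status 0 only when FILE exists and matches.
verify_md5() {
    [ -f "$2" ] && [ "$(file_md5 "$2")" = "$1" ]
}

# check_listing DIR < listing: reads advisory lines of the form
#   <md5sum> <filename>
# and checks each named file under DIR. Lines whose first word is not a
# 32-character hex string (headings such as "Slackware 8.1:") are skipped.
# A listed file that was not downloaded is reported as MISSING but is not
# an error, since advisories list packages for several releases; a present
# file with the wrong sum is FAILED and makes the function return 1.
check_listing() {
    dir="$1"
    status=0
    while read -r sum name; do
        case "$sum" in *[!0-9a-f]*|"") continue ;; esac
        [ "${#sum}" -eq 32 ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"
        elif verify_md5 "$sum" "$dir/$name"; then
            echo "OK $name"
        else
            echo "FAILED $name" >&2
            status=1
        fi
    done
    return "$status"
}

# safe_upgrade EXPECTED FILE: run upgradepkg only after the sum matches.
# With DRY_RUN=1 the upgradepkg command is echoed instead of executed.
safe_upgrade() {
    if ! verify_md5 "$1" "$2"; then
        echo "checksum mismatch or missing file: $2, refusing to upgrade" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: upgradepkg $2"
    else
        upgradepkg "$2"
    fi
}

# Demonstration on a constructed file, not a real Slackware package.
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/demo-pkg.tgz"   # md5 b1946ac92492d2347c6235b4d2611184
    printf 'Slackware 8.1:\nb1946ac92492d2347c6235b4d2611184 demo-pkg.tgz\n' \
        | check_listing "$tmp"
    DRY_RUN=1
    safe_upgrade b1946ac92492d2347c6235b4d2611184 "$tmp/demo-pkg.tgz"
    unset DRY_RUN
    rm -rf "$tmp"
}
demo
```

In real use you would paste the advisory's md5sum block into check_listing's stdin from the directory the packages were downloaded into, and call safe_upgrade once per package with the sum from the advisory; a mismatch or a truncated download stops the upgrade instead of installing a corrupted or substituted package.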
OS | OS version | Architecture | Package | Affected versions | Fixed package filename |
---|---|---|---|---|---|
Slackware | 8.1 | i386 | apache | < 1.3.26 | apache-1.3.26-i386-1.tgz |
Slackware | 8.1 | i386 | mod_ssl | < 2.8.9_1.3.26 | mod_ssl-2.8.9_1.3.26-i386-1.tgz |