New mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, and -current
to fix a security issue. The packages were upgraded to mod_ssl-2.8.18-1.3.31
fixing a buffer overflow that may allow remote attackers to execute arbitrary
code via a client certificate with a long subject DN, if mod_ssl is
configured to trust the issuing CA. Web sites running mod_ssl should upgrade
to the new set of apache and mod_ssl packages. There are new PHP packages as
well to fix a Slackware-specific local denial-of-service issue (an additional
Slackware advisory SSA:2004-154-02 has been issued for PHP).
More details about the mod_ssl issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
Here are the details from the Slackware 9.1 ChangeLog:
Wed Jun 2 11:28:17 PDT 2004
patches/packages/mod_ssl-2.8.18_1.3.31-i486-1.tgz: Upgraded to
mod_ssl-2.8.18-1.3.31. This fixes a buffer overflow that may allow remote
attackers to execute arbitrary code via a client certificate with a long
subject DN, if mod_ssl is configured to trust the issuing CA:
  *) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation
     if the Subject-DN in the client certificate exceeds 6KB in length.
For more details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
(* Security fix *)
Other changes: Make the sample keys .new so as not to overwrite existing
server keys. However, any existing mod_ssl package will have these listed
as non-config files, and will still remove and replace these upon upgrade.
You'll have to save your config files one more time... sorry).
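The overflow is only reachable when two things are true in the Apache configuration: "SSLOptions +FakeBasicAuth" is enabled, and client certificates are verified against a CA the server trusts (SSLVerifyClient require/optional with an SSLCACertificateFile or SSLCACertificatePath), since FakeBasicAuth only acts on a verified client certificate. The script below is an added triage check written for this page, not part of the Slackware advisory or of mod_ssl; the sample httpd.conf it writes is constructed for the demo, and the check is deliberately file-global (it does not model <Location> or <VirtualHost> scoping), so it over-reports rather than misses a vulnerable host.

```sh
#!/bin/sh
# Added example (not from the Slackware advisory): does this Apache 1.3 /
# mod_ssl 2.8 configuration meet both preconditions of the FakeBasicAuth
# Subject-DN overflow?  Scoping of directives is not modelled (assumption:
# a global match is good enough for a conservative "go patch it" answer).

# Print directives with comments, leading and trailing whitespace removed.
conf_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# 0 if some SSLOptions line turns FakeBasicAuth on ("+FakeBasicAuth" or a
# bare "FakeBasicAuth"); "-FakeBasicAuth" does not count.
has_fakebasicauth() {
    conf_lines "$1" | grep -i '^SSLOptions' | grep -Eiq '[[:space:]]\+?FakeBasicAuth'
}

# 0 if client certificates are verified against a configured CA store.
# "optional_no_ca" is intentionally excluded: the CA is not trusted there.
trusts_client_ca() {
    conf_lines "$1" | grep -Eiq '^SSLVerifyClient[[:space:]]+(require|optional)$' &&
    conf_lines "$1" | grep -Eiq '^SSLCACertificate(File|Path)[[:space:]]'
}

# Print one word describing the exposure; exit 0 only when both hold.
fakebasicauth_exposed() {
    if has_fakebasicauth "$1" && trusts_client_ca "$1"; then
        echo "exposed"; return 0
    elif has_fakebasicauth "$1"; then
        echo "fakebasicauth-without-ca-verify"; return 1
    else
        echo "not-exposed"; return 1
    fi
}

# Constructed sample configuration for the demo (not any real server's file).
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache/ssl.key/server.key
    SSLCACertificateFile  /etc/apache/ssl.crt/ca-bundle.crt   # trusted issuing CA
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLOptions +FakeBasicAuth +StrictRequire
        AuthType Basic
        AuthName "Client cert area"
        AuthUserFile /etc/apache/httpd.passwd
        require valid-user
    </Location>
</VirtualHost>
EOF
}

# Usage: sh check-fakebasicauth.sh /etc/apache/httpd.conf
if [ "$#" -gt 0 ]; then
    fakebasicauth_exposed "$1"
fi
```

A host that reports "exposed" and still runs a mod_ssl package older than 2.8.18_1.3.31 should be patched first; the other two answers only mean the overflow is not reachable through this particular setting, not that the old package is safe to keep.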
Where to find the new packages:
Updated packages for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.18_1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.6-i386-1.tgz
Updated packages for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.18_1.3.31-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.6-i386-1.tgz
Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.18_1.3.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.6-i486-1.tgz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.31-i486-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.18_1.3.31-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.6-i486-4.tgz
MD5 signatures:
Slackware 8.1 packages:
5746a612882fb1ba946305e34fc8dd45 apache-1.3.31-i386-1.tgz
d4930240294413471df9128dcd1e71ee mod_ssl-2.8.18_1.3.31-i386-1.tgz
cee32e839211a37b0081615b4112b87f php-4.3.6-i386-1.tgz
Slackware 9.0 packages:
6366a8951a42536c99d9f926bd7ed4c9 apache-1.3.31-i386-1.tgz
dff6235ef0f46b4ab77aefa989e1b3f7 mod_ssl-2.8.18_1.3.31-i386-1.tgz
eaa0c69981f0aa8cc6b2d4ef0269481c php-4.3.6-i386-1.tgz
Slackware 9.1 packages:
5fbeac17051bcf7e41446d7b7a7a82be apache-1.3.31-i486-1.tgz
6a96640c9beb79dde305ddb22e36509e mod_ssl-2.8.18_1.3.31-i486-1.tgz
007c48e42d292819b6cdc66e2e8334e0 php-4.3.6-i486-1.tgz
Slackware -current packages:
5d69e97123241842eafc701c8bd6af88 apache-1.3.31-i486-2.tgz
020e5253fdd9f48ed163ad331e7b05fc mod_ssl-2.8.18_1.3.31-i486-1.tgz
07bcba5e37538f16941141c43006cec1 php-4.3.6-i486-4.tgz
Installation instructions:
First, stop apache:
> apachectl stop
IMPORTANT: Backup any keys/certificates you wish to save for
mod_ssl (in /etc/apache/ssl.*)
Next, upgrade these packages as root (the i486 filenames shown are the
Slackware 9.1 ones; use the i386 packages listed above on 8.1 and 9.0, and
the -current builds on -current):
> upgradepkg apache-1.3.31-i486-1.tgz
> upgradepkg mod_ssl-2.8.18_1.3.31-i486-1.tgz
> upgradepkg php-4.3.6-i486-1.tgz
If necessary, restore any mod_ssl config files.
Finally, restart apache:
> apachectl start
Or, if you're running a secure server with mod_ssl:
> apachectl startssl
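The steps above, stop, back up the keys, upgradepkg, restore, restart, are easy to get wrong under time pressure, and the advisory's MD5 values are only useful if something actually compares them before upgradepkg runs. The script below is an added example written for this page, not a Slackware tool: it carries the Slackware 9.1 MD5s from the advisory, refuses to upgrade on any mismatch, and copies /etc/apache/ssl.* aside before the package replaces the sample keys. The package and backup directory names are assumptions; on 8.1, 9.0 or -current substitute that release's filenames and hashes from the lists above.

```sh
#!/bin/sh
# Added example (not from the Slackware advisory): the advisory's upgrade
# sequence with an MD5 check before upgradepkg and a backup/restore of the
# mod_ssl key and certificate directories around it.  Run as root on the
# server; the package directory and backup directory are arguments.

# Package set and MD5s for Slackware 9.1, copied from the advisory.
PKGS="apache-1.3.31-i486-1.tgz mod_ssl-2.8.18_1.3.31-i486-1.tgz php-4.3.6-i486-1.tgz"
expected_md5() {
    case "$1" in
        apache-1.3.31-i486-1.tgz)         echo 5fbeac17051bcf7e41446d7b7a7a82be ;;
        mod_ssl-2.8.18_1.3.31-i486-1.tgz) echo 6a96640c9beb79dde305ddb22e36509e ;;
        php-4.3.6-i486-1.tgz)             echo 007c48e42d292819b6cdc66e2e8334e0 ;;
        *) return 1 ;;
    esac
}

# MD5 of a file; falls back to openssl where md5sum is not installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 -r "$1" | cut -d' ' -f1
    fi
}

# 0 if the file's MD5 equals the expected digest.
md5_matches() {
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# Check every package in $PKGS under the given directory; 1 on any problem.
verify_packages() {
    rc=0
    for p in $PKGS; do
        want=$(expected_md5 "$p") || { echo "no expected MD5 for $p" >&2; rc=1; continue; }
        if [ ! -f "$1/$p" ]; then
            echo "missing: $1/$p" >&2; rc=1
        elif md5_matches "$1/$p" "$want"; then
            echo "ok: $p"
        else
            echo "MD5 MISMATCH: $1/$p" >&2; rc=1
        fi
    done
    return $rc
}

# Copy the ssl.* directories (ssl.key, ssl.crt, ssl.csr, ssl.crl, ...) aside.
backup_ssl_dirs() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for d in "$src"/ssl.*; do
        [ -d "$d" ] || continue
        cp -pR "$d" "$dst"/
    done
}

# Put the saved directories back over whatever the new package installed.
restore_ssl_dirs() {
    bak="$1"; dst="$2"
    for d in "$bak"/ssl.*; do
        [ -d "$d" ] || continue
        cp -pR "$d" "$dst"/
    done
}

# The advisory's sequence, gated on the hash check.
upgrade_mod_ssl() {
    pkgdir="$1"; bakdir="$2"
    verify_packages "$pkgdir" || { echo "refusing to upgrade" >&2; return 1; }
    apachectl stop
    backup_ssl_dirs /etc/apache "$bakdir"
    for p in $PKGS; do
        upgradepkg "$pkgdir/$p"
    done
    restore_ssl_dirs "$bakdir" /etc/apache
    apachectl startssl
}

# Usage: sh upgrade-mod_ssl.sh /root/patches /root/ssl-backup-2004-06-02
if [ "$#" -eq 2 ]; then
    upgrade_mod_ssl "$1" "$2"
fi
```

Keep the backup directory after the upgrade: it is the only copy of the server keys if the restore step was skipped, and the "sample keys .new" change in the ChangeLog only takes effect on the next upgrade after this one.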
OS | Version | Architecture | Package | Affected versions | Fixed package |
---|---|---|---|---|---|
Slackware | 8.1 | i386 | apache | < 1.3.31 | apache-1.3.31-i386-1.tgz |
Slackware | 8.1 | i386 | mod_ssl | < 2.8.18_1.3.31 | mod_ssl-2.8.18_1.3.31-i386-1.tgz |
Slackware | 8.1 | i386 | php | < 4.3.6 | php-4.3.6-i386-1.tgz |
Slackware | 9.0 | i386 | apache | < 1.3.31 | apache-1.3.31-i386-1.tgz |
Slackware | 9.0 | i386 | mod_ssl | < 2.8.18_1.3.31 | mod_ssl-2.8.18_1.3.31-i386-1.tgz |
Slackware | 9.0 | i386 | php | < 4.3.6 | php-4.3.6-i386-1.tgz |
Slackware | 9.1 | i486 | apache | < 1.3.31 | apache-1.3.31-i486-1.tgz |
Slackware | 9.1 | i486 | mod_ssl | < 2.8.18_1.3.31 | mod_ssl-2.8.18_1.3.31-i486-1.tgz |
Slackware | 9.1 | i486 | php | < 4.3.6 | php-4.3.6-i486-1.tgz |