Login
Newsletter
Werbung
Sicherheit: Pufferüberlauf in mod_ssl
Aktuelle Meldungen Distributionen
Name: Pufferüberlauf in mod_ssl
ID: SSA:2004-154-01
Distribution: Slackware
Plattformen: Slackware -current, Slackware 8.1, Slackware 9.0, Slackware 9.1
Datum: Do, 3. Juni 2004, 13:00
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0488
Applikationen: mod_ssl

Originalnachricht

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  mod_ssl (SSA:2004-154-01)

New mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, and -current
to fix a security issue.  The packages were upgraded to mod_ssl-2.8.18-1.3.31
fixing a buffer overflow that may allow remote attackers to execute arbitrary
code via a client certificate with a long subject DN, if mod_ssl is
configured to trust the issuing CA.  Web sites running mod_ssl should upgrade
to the new set of apache and mod_ssl packages.  There are new PHP packages as
well to fix a Slackware-specific local denial-of-service issue (an additional
Slackware advisory SSA:2004-154-02 has been issued for PHP).

More details about the mod_ssl issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488

Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Wed Jun  2 11:28:17 PDT 2004
patches/packages/mod_ssl-2.8.18_1.3.31-i486-1.tgz:  Upgraded to
  mod_ssl-2.8.18-1.3.31.  This fixes a buffer overflow that may allow remote
  attackers to execute arbitrary code via a client certificate with a long
  subject DN, if mod_ssl is configured to trust the issuing CA:
    *) Fix buffer overflow in "SSLOptions +FakeBasicAuth"
 implementation
      if the Subject-DN in the client certificate exceeds 6KB in length.
  For more details, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
  (* Security fix *)
  Other changes:  Make the sample keys .new so as not to overwrite existing
  server keys.  However, any existing mod_ssl package will have these listed
  as non-config files, and will still remove and replace these upon upgrade.
  You'll have to save your config files one more time... sorry).
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated packages for Slackware 8.1:
apache-1.3.31-i386-1.tgz
mod_ssl-2.8.18_1.3.31-i386-1.tgz
php-4.3.6-i386-1.tgz

Updated packages for Slackware 9.0:
apache-1.3.31-i386-1.tgz
mod_ssl-2.8.18_1.3.31-i386-1.tgz
php-4.3.6-i386-1.tgz

Updated packages for Slackware 9.1:
apache-1.3.31-i486-1.tgz
mod_ssl-2.8.18_1.3.31-i486-1.tgz
php-4.3.6-i486-1.tgz

Updated packages for Slackware -current:
apache-1.3.31-i486-2.tgz
mod_ssl-2.8.18_1.3.31-i486-1.tgz
php-4.3.6-i486-4.tgz


MD5 signatures:
+-------------+

Slackware 8.1 packages:
5746a612882fb1ba946305e34fc8dd45  apache-1.3.31-i386-1.tgz
d4930240294413471df9128dcd1e71ee  mod_ssl-2.8.18_1.3.31-i386-1.tgz
cee32e839211a37b0081615b4112b87f  php-4.3.6-i386-1.tgz

Slackware 9.0 packages:
6366a8951a42536c99d9f926bd7ed4c9  apache-1.3.31-i386-1.tgz
dff6235ef0f46b4ab77aefa989e1b3f7  mod_ssl-2.8.18_1.3.31-i386-1.tgz
eaa0c69981f0aa8cc6b2d4ef0269481c  php-4.3.6-i386-1.tgz

Slackware 9.1 packages:
5fbeac17051bcf7e41446d7b7a7a82be  apache-1.3.31-i486-1.tgz
6a96640c9beb79dde305ddb22e36509e  mod_ssl-2.8.18_1.3.31-i486-1.tgz
007c48e42d292819b6cdc66e2e8334e0  php-4.3.6-i486-1.tgz

Slackware -current packages:
5d69e97123241842eafc701c8bd6af88  apache-1.3.31-i486-2.tgz
020e5253fdd9f48ed163ad331e7b05fc  mod_ssl-2.8.18_1.3.31-i486-1.tgz
07bcba5e37538f16941141c43006cec1  php-4.3.6-i486-4.tgz


Installation instructions:
+------------------------+

First, stop apache:

# apachectl stop

IMPORTANT:  Backup any keys/certificates you wish to save for
mod_ssl (in /etc/apache/ssl.*)

Next, upgrade these packages as root:

# upgradepkg apache-1.3.31-i486-1.tgz
# upgradepkg mod_ssl-2.8.18_1.3.31-i486-1.tgz
# upgradepkg php-4.3.6-i486-1.tgz

If necessary, restore any mod_ssl config files.

Finally, restart apache:

# apachectl start

Or, if you're running a secure server with mod_ssl:

# apachectl startssl


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAviEaakRjwEAQIjMRAs1WAJwPiakCA6g8+4bxqqO8cVxZUxEIbwCfR8NY
aCmXEhGPnblNoJ7BJIB6cGA=
=sHzy
-----END PGP SIGNATURE-----
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung