Apache Software Foundation Affected

Updated:  February 02, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Apache Software Foundation has released versions 1.3.29 and 2.0.48 of the Apache httpd server in response to this issue. These patched versions of the software are available at: Because this software is commonly repackaged by third-party vendors, users are encouraged to review the Systems Affected section of VU#434566 first to determine whether their vendor has produced an update for their systems. Users who compile the Apache httpd software from source code are encouraged to upgrade to one of the patched versions listed above (or newer). Users are also encouraged to verify the PGP signatures on the software distribution before compiling and installing it on their systems.

Conectiva Affected

Updated:  February 02, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CONECTIVA LINUX SECURITY ANNOUNCEMENT PACKAGE : apache SUMMARY : Fix for some vulnerabilities DATE : 2003-11-05 19:18:00 ID : CLA-2003:775 RELEVANT RELEASES : 7.0, 8, 9 DESCRIPTION Apache[1] is the most popular webserver in use today. New versions of the Apache web server have been made available[2][3] with the following security fixes: 1. Buffer overflow in mod_alias and mod_rewrite (CAN-2003-0542) [4] A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 captures is configured. Users who can create or modify configuration files (httpd.conf or .htaccess, for example) could trigger this. This vulnerability affects Apache 1.3.x and Apache 2.0.x. 2. mod_cgid mishandling of CGI redirect paths (CAN-2003-0789) [5] mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. The packages provided with Conectiva Linux 9 are not vulnerable to this issue because they are not compiled with that MPM, but the fix has been included because new packages for Conectiva Linux 9 were already being built for the suexec problem (see below). In addition to the above security fixes, "suexec" has been correctly built in the Conectiva Linux 9 packages, fixing[6] the problem where CGI scripts could not be run from the user's home directory. SOLUTION It is recommended that all Apache users upgrade their packages. IMPORTANT: it is necessary to manually restart the httpd server after upgrading the packages. In order to do this, execute the following as root: service httpd stop (wait a few seconds and check with "pidof httpd" if there are any httpd processes running. On a busy webserver this could take a little longer) service httpd start REFERENCES 1. http://apache.httpd.org/ 2. http://www.apache.org/dist/httpd/Announcement2.html 3. http://www.apache.org/dist/httpd/Announcement.html 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789 6. http://bugzilla.conectiva.com.br/show_bug.cgi?id=8754 (pt_BR only) UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/apache-1.3.28-1U70_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.28-1U70_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.28-1U70_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.28-1U70_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/SRPMS/apache-1.3.28-1U80_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-1.3.28-1U80_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-devel-1.3.28-1U80_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-doc-1.3.28-1U80_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_5cl.src.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_auth_ldap-2.0.45-28790U90_5cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_dav-2.0.45-28790U90_5cl.i386.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en Copyright (c) 2003 Conectiva Inc. http://www.conectiva.com subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE/qWk/42jd0JmAcZARAkF2AJsGfA3n7v7l8f4A8ik+Ao6uqB9NYACfZnQ4 qf3SjmMxGkqRYyXuBBragEE= =zsxK -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Gentoo Linux Affected

Updated:  February 02, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 GENTOO LINUX SECURITY ANNOUNCEMENT 200310-03 PACKAGE : net-www/apache SUMMARY : buffer overflow DATE : Tue Oct 28 16:43:46 UTC 2003 EXPLOIT : local VERSIONS AFFECTED : =apache-1.3.29 CVE : CAN-2003-0542 (under review at time of GLSA) Quote from : This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.29 addresses and fixes 1 potential security issue: o CAN-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. We consider Apache 1.3.29 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family. SOLUTION It is recommended that all Gentoo Linux users who are running net-misc/apache 1.x upgrade: emerge sync emerge -pv apache emerge '>=net-www/apache-1.3.29' emerge clean /etc/init.d/apache restart // end -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (Darwin) iD8DBQE/vGZWnt0v0zAqOHYRAnnUAKCf7j5ZciPl2A/lfT2G6re9L0ZjugCfQGYk RyV+5R/BFsdAzsMYZp9dT8A= =ym4e -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Guardian Digital Inc. Affected

Updated:  February 02, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Guardian Digital, Inc. has released Guardian Digital Security Advisory ESA-20031105-030 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

Hewlett-Packard Company Affected

Updated:  March 08, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 **REVISED 01** Source: HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0311-301 Originally issued: 18 November 2003 Last revised: 19 November 2003 SSRT3663 Apache HTTP Server mod_cgid, mod_alias, mod_rewrite NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact. The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. PROBLEM: 1. mod_cgid mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. More details are available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0789 2. A buffer overflow could occur in mod_alias and mod_rewrite when a regular expression with more than 9 captures is configured. More details are available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542 IMPACT: Potential Denial of Service or execute arbitrary code. PLATFORM: HP9000 Servers running HP-UX release B.11.00, B.11.11, B.11.20, B.11.22, and B.11.23 with versions of the following products are affected, and represented as: product-name, version (product-tag/bundle-tag) product-name, version (product-tag/bundle-tag) - hp apache-based web server, 2.0.43.04 or earlier (HPApache/B9416AA) This product includes Apache 2.0.43. - hp-ux apache-based web server, v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache) This product includes Apache 2.0.47. - hp apache-based web server (with IPv6 support), 2.0.43.04 or earlier (HPApache/B9416BA) This product includes Apache 2.0.43. - hp-ux apache-based web server(with IPv6 support), v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache) This product includes Apache 2.0.47. SOLUTION: For HP-UX releases B.11.00, B.11.11, B.11.20, B.11.22 and B.11.23 download new HP Apache product from http://www.software.hp.com/: For HPApache/B9416AA, HPApache/B9416BA and hpuxwsAPACHE/hpuxwsApache download the following: - hp-ux apache-based web server (with IPv4) v.1.0.10.01 or later (hpuxwsAPACHE/hpuxwsApache) This product includes Apache 2.0.48. http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/ cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE - hp-ux apache-based web server(with IPv6 support), v.1.0.10.01 or later (hpuxwsAPACHE/hpuxwsApache) This product includes Apache 2.0.48. http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/ cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE MANUAL ACTIONS: Yes - Non-Update Install the product containing the fix. For customers with HPApache/B9416AA HPApache/B9416BA installed, the fix requires migration to hpuxwsAPACHE/hpuxwsApache and removing the affected products from the system. AVAILABILITY: Complete product bundles are available now on CHANGE SUMMARY: Rev. 01 Corrected typo in version number **REVISED 01** A. Background The Common Vulnerabilities and Exposures project has identified potential vulnerabilities in the Apache HTTP Server (CAN-2003-0789, and CAN-2003-0542). It affects the following HP product numbers/versions on HP-UX releases B.11.00, B.11.11, B.11.20, B.11.22, and B.11.23: - hp apache-based web server, 2.0.43.04 or earlier (HPApache/B9416AA) - hp-ux apache-based web server, v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache) - hp apache-based web server, 2.0.43.04 (with IPv6 support) or earlier (HPApache/B9416BA) - hp-ux apache-based web server (with IPv6 support), v.1.0.09.01 or earlier (hpuxwsAPACHE/hpuxwsApache) AFFECTED VERSIONS The following is a list of affected filesets or patches and fix information. To determine if a system has an affected version, search the output of "swlist -a revision -l fileset" for an affected fileset or patch, then determine if a fixed revision or applicable patch is installed. HP-UX B.11.00 HP-UX B.11.11 HP-UX B.11.20 HP-UX B.11.22 HP-UX B.11.23 HPApache.APACHE2 hpuxwsAPACHE.APACHE2 --->> fix: install hp-ux apache-based web server, v.1.0.10.01 or later. END AFFECTED VERSIONS B. Recommended solution The Apache Software Foundation has released Apache 2.0.48 as the best known version that fixes the problems identified in the above mentioned issues. For customers using HPApache/B9416AA HPApache/B9416BA and hpuxwsAPACHE/hpuxwsApache, HP has incorporated Apache 2.0.48 in the following product: - hp-ux apache-based web server v.1.0.10.01 or later http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/ displayProductInfo.pl?productNumber=HPUXWSSUITE Check for Apache Installation To determine if the Apache web server from HP is installed on your system, use Software Distributor's swlist command. All three versions products may co-exist on a single system. For example, the results of the command swlist -l product | grep -i apache HPApache 2.0.39.01.02 HP Apache-based Web Server hpuxwsAPACHE A.1.0.09.01 HP-UX Apache-based Web Server Stop Apache Before updating, make sure to stop any previous Apache binary. Otherwise, the previous binary will continue running, preventing the new one from starting, although the installation would be successful. After determining which Apache is installed, stop Apache with the following commands: for HPApache: /opt/hpapache2/bin/apachectl stop for hpuxwsAPACHE: /opt/hpws/apache/bin/apachectl stop Download and Install Apache - Download Apache from Software Depot using the previously mentioned links. - Verify successful download by comparing the cksum with the value specified on the installation web page. - Use SD to swinstall the depot. - For customers with HPApache/B9416BA installed, migrate to hpuxwsAPACHE/hpuxwsApache and remove the affected products from the system. Installation of this new version of HP Apache over an existing HP Apache installation is supported, while installation over a non-HP Apache is NOT supported. Removing Apache Installation If you rather remove Apache from your system than install a newer version to resolve the security problem, use both Software Distributor's "swremove" command and also "rm -rf" the home location as specified in the rc.config.d file "HOME" variables. To find the files containing HOME variables in the /etc/rc.config.d directory: %ls /etc/rc.config.d | grep apache hpapache2conf hpws_apacheconf C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following: Use your browser to get to the HP IT Resource Center page at: http://itrc.hp.com Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login, in order to gain access to many areas of the ITRC. Remember to save the User ID assigned to you, and your password. In the left most frame select "Maintenance and Support". Under the "Notifications" section (near the bottom of the page), select "Support Information Digests". To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page. or To -review- bulletins already released, select the link (in the middle column) for the appropriate digest. NOTE: Using your itrc account security bulletins can be found here: http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin To -gain access- to the Security Patch Matrix, select the link for "The Security Bulletins Archive". (near the bottom of the page) Once in the archive the third link is to the current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. Security Patch Check completely automates the process of reviewing the patch matrix for 11.XX systems. Please note that installing the patches listed in the Security Patch Matrix will completely implement a security bulletin _only_ if the MANUAL ACTIONS field specifies "No." The Security Patch Check tool can verify that a security bulletin has been implemented on HP-UX 11.XX systems providing that the fix is completely implemented in a patch with no manual actions required. The Security Patch Check tool cannot verify fixes implemented via a product upgrade. For information on the Security Patch Check tool, see: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/ displayProductInfo.pl?productNumber=B6834AA The security patch matrix is also available via anonymous ftp: ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/ On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive". The PGP key used to sign this bulletin is available from several PGP Public Key servers. The key identification information is: 2D2A7D59 HP Security Response Team (Security Bulletin signing only) Fingerprint = 6002 6019 BFC1 BC62 F079 862E E01F 3AFC 2D2A 7D59 If you have problems locating the key please write to security-alert@hp.com. Please note that this key is for signing bulletins only and is not the key returned by sending 'get key' to security-alert@hp.com. D. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. (c) Copyright 2003 Hewlett-Packard Company Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of HP products referenced herein are trademarks and/or service marks of Hewlett-Packard Company. Other product and company names mentioned herein may be trademarks and/or service marks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBP7wcI+AfOvwtKn1ZEQLrYACg57hw7CsQg63mHb936Iv7mb4ZB1cAoNi5 S6ApYHc0R0qvXKQTDOvx0K2X =Iijo -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Affected

Updated:  February 02, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has published MandrakeSoft Security Advisory MDKSA-2003:103 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

OpenPKG Affected

Updated:  February 02, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The OpenPKG development team has release OpenPKG Security Advisory OpenPKG-SA-2003.046 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

Red Hat Inc. Affected

Updated:  February 02, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat, Inc. has published the following Red Hat Security Advisories in response to this issue: RHSA-2003:320 RHSA-2003:360 RHSA-2003:405 RHSA-2004:015 Users are encouraged to review the information provided in these advisories and apply the patches they refer to.

SCO Affected

Updated:  March 08, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The SCO Group has published SCO Security Advisory CSSA-2003-SCO.28 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

SGI Affected

Updated:  February 02, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has published SGI Advanced Linux Environment security update #7 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.

Slackware Affected

Updated:  February 02, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] apache security update (SSA:2003-308-01) Apache httpd is a hypertext transfer protocol server, and is used by over two thirds of the Internet's web sites. Upgraded Apache packages are available for Slackware 8.1, 9.0, 9.1, and -current. These fix local vulnerabilities that could allow users who can create or edit Apache config files to gain additional privileges. Sites running Apache should upgrade to the new packages. In addition, new mod_ssl packages have been prepared for all platforms, and new PHP packages have been prepared for Slackware 8.1, 9.0, and - -current (9.1 already uses PHP 4.3.3). In -current, these packages also move the Apache module directory from /usr/libexec to /usr/libexec/apache. Links for all of these related packages are provided below. More details about the Apache issue may be found in the Common Vulnerabilities and Exposures (CVE) database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542 Here are the details from the Slackware 9.1 ChangeLog: Mon Nov 3 20:06:29 PST 2003 patches/packages/apache-1.3.29-i486-1.tgz: Upgraded to apache-1.3.29. This fixes the following local security issue: o CAN-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. This vulnerability requires the attacker to create or modify certain Apache configuration files, and is not a remote hole. However, it could possibly be used to gain additional privileges if access to the Apache administrator account can be gained through some other means. All sites running Apache should upgrade. (* Security fix *) WHERE TO FIND THE NEW PACKAGES: Updated packages for Slackware 8.1: ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.29-i386-1.tgz ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.16_1.3.29-i386-1.tgz ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.3-i386-1.tgz Updated packages for Slackware 9.0: ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/apache-1.3.29-i386-1.tgz ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/mod_ssl-2.8.16_1.3.29-i386-1.tgz ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.3-i386-1.tgz Updated packages for Slackware 9.1: ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/apache-1.3.29-i486-1.tgz ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/mod_ssl-2.8.16_1.3.29-i486-1.tgz Updated packages for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/apache-1.3.29-i486-1.tgz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/mod_ssl-2.8.16_1.3.29-i486-1.tgz ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-4.3.3-i486-3.tgz MD5 SIGNATURES: Slackware 8.1 packages: 1a8190a214c052f0707bd5a6b005a7cd apache-1.3.29-i386-1.tgz eb74afbc99295c01d418b576e92e83bb mod_ssl-2.8.16_1.3.29-i386-1.tgz b41a44c3ce2a3a09873b5d0930faf4c1 php-4.3.3-i386-1.tgz Slackware 9.0 packages: bb34ae622245f57bdca747ac5d8f73cf apache-1.3.29-i386-1.tgz c84af5778a5667a06a60a274f2fe1edb mod_ssl-2.8.16_1.3.29-i386-1.tgz 7660e36f2cfb30cc339734369cca7719 php-4.3.3-i386-1.tgz Slackware 9.1 packages: 9b494bb3f03cb4a4cb8c28f4fcc76666 apache-1.3.29-i486-1.tgz 938412e01daf55fee37293a5790d907f mod_ssl-2.8.16_1.3.29-i486-1.tgz Slackware -current packages: 091c22d398c51fee820dd0d0b7d514e3 apache-1.3.29-i486-1.tgz cd260439c9f1373329ba2224ace0451d mod_ssl-2.8.16_1.3.29-i486-1.tgz cc90540cc07e840e5a0513ffbb308102 php-4.3.3-i486-3.tgz INSTALLATION INSTRUCTIONS: First, stop apache: # apachectl stop Next, upgrade these packages as root: # upgradepkg apache-1.3.29-i486-1.tgz # upgradepkg mod_ssl-2.8.16_1.3.29-i486-1.tgz # upgradepkg php-4.3.3-i486-3.tgz Finally, restart apache: # apachectl start Or, if you're running a secure server with mod_ssl: # apachectl startssl Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com | HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: | | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | unsubscribe slackware-security | | You will get a confirmation message back. Follow the instructions to | | complete the unsubscription. Do not reply to this message to | | unsubscribe! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/qEKrakRjwEAQIjMRArvcAKCMB2tJJVmHitflS/Rc0yG9kksiPACeP0Dd 7HXUeO3O/cg1yufkh2Zvrqg= =YQdI -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc. Affected

Updated:  March 08, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Microsystems, Inc. has published Sun Security Alert #57496 in response to this issue. Users are encouraged to review this alert and apply the patches it refers to.

Trustix Affected

Updated:  February 02, 2004

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Trustix development team has published Trustix Secure Linux Security Advisory #2003-0041 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

View all 13 vendors View less vendors