| Description: | Summary:
The remote host is missing an update for the 'httpd' package(s) announced via the SSA:2015-198-01 advisory.
Vulnerability Insight:
New httpd packages are available for Slackware 14.0, 14.1, and -current to
fix security issues.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.16-i486-1_slack14.1.txz: Upgraded.
This update fixes the following security issues:
* CVE-2015-0253: Fix a crash with ErrorDocument 400 pointing to a local
URL-path with the INCLUDES filter active, introduced in 2.4.11.
* CVE-2015-0228: mod_lua: A maliciously crafted websockets PING after a
script calls r:wsupgrade() can cause a child process crash.
* CVE-2015-3183: core: Fix chunk header parsing defect. Remove
apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN
filter, parse chunks in a single pass with zero copy. Limit accepted
chunk-size to 2^63-1 and be strict about chunk-ext authorized characters.
* CVE-2015-3185: Replacement of ap_some_auth_required (unusable in Apache
httpd 2.4) with new ap_some_authn_required and ap_force_authn hook.
For more information, see:
[links moved to references]
(* Security fix *)
+--------------------------+
Affected Software/OS:
'httpd' package(s) on Slackware 14.0, Slackware 14.1, Slackware current.
Solution:
Please install the updated package(s).
CVSS Score:
5.0
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
