| Description: | Summary:
The remote host is missing an update for the 'apache' package(s) announced via the SSA:2004-299-01 advisory.
Vulnerability Insight:
New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1,
10.0, and -current to fix security issues. Apache has been upgraded to
version 1.3.32 which fixes a heap-based buffer overflow in mod_proxy.
mod_ssl was upgraded from version mod_ssl-2.8.19-1.3.31 to version
2.8.21-1.3.32 which corrects a flaw allowing a client to use a cipher
which the server does not consider secure enough.
A new PHP package (php-4.3.9) is also available for all of these platforms.
More details about these issues may be found in the Common
Vulnerabilities and Exposures (CVE) database:
[links moved to references]
Here are the details from the Slackware 10.0 ChangeLog:
+--------------------------+
patches/packages/apache-1.3.32-i486-1.tgz: Upgraded to apache-1.3.32.
This addresses a heap-based buffer overflow in mod_proxy by rejecting
responses from a remote server with a negative Content-Length. The
flaw could crash the Apache child process, or possibly allow code to
be executed as the Apache user (but only if mod_proxy is actually in
use on the server).
For more details, see:
[link moved to references]
(* Security fix *)
patches/packages/mod_ssl-2.8.21_1.3.32-i486-1.tgz:
Upgraded to mod_ssl-2.8.21-1.3.32.
Don't allow clients to bypass cipher requirements, possibly negotiating
a connection that the server does not consider secure enough.
For more details, see:
[link moved to references]
(* Security fix *)
patches/packages/php-4.3.9-i486-1.tgz: Upgraded to php-4.3.9.
+--------------------------+
Affected Software/OS:
'apache' package(s) on Slackware 8.1, Slackware 9.0, Slackware 9.1, Slackware 10.0, Slackware current.
Solution:
Please install the updated package(s).
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
