SSA-2002-0731201128

<html>
<head><title>
The Slackware Linux Project: Slackware Security Advisories</title>
</head><body alink=“#000000” background=“/grfx/shared/background.jpg” bgcolor=“#fefefe” link=“#000000” text=“#000000” vlink=“#000000”>
<center>
<table border=“0” width=“85%”>
<tr>
<td colspan=“3”>
<table width=“95%”>
<tr>
<td align=“center” valign=“bottom” width=“55%”>
<table width=“80%”><tr><td>
<table width=“100%”>
<tr><td>
<center><b>
Slackware Security Advisories </b></center>
</td></tr></table>
</td></tr></table> </td>
<td align=“right” valign=“bottom”>
<table><tr><td>
<table><tr><td>
<a href=“/index.html”><img alt=“Slackware Logo” src=“/grfx/shared/slackware_traditional_website_logo.png” /></a> </td></tr></table>
</td></tr></table>
</td>
</tr>
<tr>
<td colspan=“2”><br /></td>
</tr>
</table>
</td>
</tr>
<tr valign=“top”>
<td width=“10%”>
<table width=“100%”><tr><td>
<table width=“100%”>
<tr><td>
<font size=“-1”><b>
<a href=“/index.php”>News</a></b><p>
</p></font>
</td></tr></table>
</td></tr></table><table width=“100%”><tr><td>
<table width=“100%”>
<tr><td>
<font size=“-1”><b>
<a href=“/security/”>Security Advisories</a></b></font>
</td></tr></table>
</td></tr></table><table width=“100%”><tr><td>
<table width=“100%”>
<tr><td>
<font size=“-1”><b>
</b><p><a href=“/faq/”>FAQ</a></p><p><a href=“/book/”>Book</a></p><p><a href=“/info/”>General Info</a></p><p><a href=“/getslack/”>Get Slack</a></p><p><a href=“/install/”>Install Help</a></p><p><a href=“/config/”>Configuration</a></p><p><a href=“/packages/”>Packages</a></p><p><a href=“/changelog/”>ChangeLogs</a></p><p><a href=“/~msimons/slackware/grfx/”>Propaganda</a></p><p><a href=“/ports/”>Ports</a></p><p><a href=“/links/”>Other Sites</a></p><p><a href=“/support/”>Support</a></p><p><a href=“/contact/”>Contact</a></p><p><a href=“/lists/”>Mailing Lists</a></p><p><a href=“/about/”>About</a></p></font>
</td></tr></table>
</td></tr></table><p> </p></td>
<td>   </td>
<td>
<table width=“100%”><tr><td>
<table width=“100%”>
<tr><td>
<b>From:</b> Slackware Security Team <[email protected]><br />
<b>To:</b> [email protected]<br />
<b><b>Subject:</b> [slackware-security] Security updates for Slackware 8.1<br /></b>
<b>Date:</b> Wed, 31 Jul 2002 13:11:28 -0700 (PDT)</td></tr></table>
</td></tr></table><table width=“100%”><tr><td>
<table width=“100%”>
<tr><td>
<font size=“-0”><pre>
Several security updates are now available for Slackware 8.1, including
updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php.

Here are the details from the Slackware 8.1 ChangeLog:

Tue Jul 30 19:45:52 PDT 2002
patches/packages/apache-1.3.26-i386-2.tgz: Upgraded the included libmm
to version 1.2.1. Versions of libmm earlier than 1.2.0 contain a tmp file
vulnerability which may allow the local Apache user to gain privileges via
temporary files or symlinks. For details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0658
This was also recompiled using EAPI patch from mod_ssl-2.8.10_1.3.26.
(* Security fix )
patches/packages/glibc-2.2.5-i386-3.tgz: Patched to fix a buffer overflow
in glibc’s DNS resolver functions that look up network addresses.
Another workaround for this problem is to edit /etc/nsswtich.conf changing:
networks: files dns
to:
networks: files
( Security fix )
patches/packages/glibc-solibs-2.2.5-i386-3.tgz: Patched to fix a buffer
overflow in glibc’s DNS resolver functions that look up network addresses.
( Security fix )
patches/packages/mod_ssl-2.8.10_1.3.26-i386-1.tgz: This update fixes an
off-by-one error in earlier versions of mod_ssl that may allow local users to
execute code as the Apache user. For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653
( Security fix )
patches/packages/openssh-3.4p1-i386-2.tgz: Recompiled against openssl-0.9.6e.
This update also contains a fix to the installation script to ensure that the
sshd privsep user is correctly created.
patches/packages/openssl-0.9.6e-i386-1.tgz: Upgraded to openssl-0.9.6e, which
fixes 4 potentially remotely exploitable bugs. For details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
( Security fix )
patches/packages/openssl-solibs-0.9.6e-i386-1.tgz: Upgraded to openssl-0.9.6e,
which fixes 4 potentially remotely exploitable bugs. For details, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
( Security fix )
patches/packages/php-4.2.2-i386-1.tgz: Upgraded to php-4.2.2. Earlier versions
of PHP 4.2.x contain a security vulnerability, which although not currently
considered exploitable on the x86 architecture is probably still a good to
patch. For details, see: http://www.cert.org/advisories/CA-2002-21.html
( Security fix *)

WHERE TO FIND THE NEW PACKAGES:

ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/apache-1.3.26-i386-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/glibc-2.2.5-i386-3.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/glibc-solibs-2.2.5-i386-3.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/mod_ssl-2.8.10_1.3.26-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssh-3.4p1-i386-2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssl-0.9.6e-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssl-solibs-0.9.6e-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.2.2-i386-1.tgz

MD5 SIGNATURES:

Here are the md5sums for the packages:
9af3e989fb581fbb29cf6b2d91b1a921 apache-1.3.26-i386-2.tgz
d159bf51306def68f9d28ef5bed06e52 glibc-2.2.5-i386-3.tgz
0b5414fbecbb7aace3593cdfeecba907 glibc-solibs-2.2.5-i386-3.tgz
aaa5a61ff4600d415cf583dab9fbd0a0 mod_ssl-2.8.10_1.3.26-i386-1.tgz
ea0ee4aac4b28ab3f8ed2190e7b3a7d8 openssh-3.4p1-i386-2.tgz
88f32f01ce855d4363bc71899404e2db openssl-0.9.6e-i386-1.tgz
c20073efd9e3847bfa28da9d614e1dcd openssl-solibs-0.9.6e-i386-1.tgz
032bc53692b721ecec80d69944112ea1 php-4.2.2-i386-1.tgz

INSTALLATION INSTRUCTIONS:

Upgrade existing packages using the upgradepkg command:

 > upgradepkg apache-1.3.26-i386-2.tgz glibc-2.2.5-i386-3.tgz \
 glibc-solibs-2.2.5-i386-3.tgz mod_ssl-2.8.10_1.3.26-i386-1.tgz \
 openssh-3.4p1-i386-2.tgz openssl-0.9.6e-i386-1.tgz \
 openssl-solibs-0.9.6e-i386-1.tgz php-4.2.2-i386-1.tgz

If the packages have not been previously installed, either use the
installpkg command, or the --install-new option with upgradepkg.

Finally, if your site runs Apache it will need to be restarted:

 > apachectl restart