news 28 Posted December 24, 2016 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] httpd (SSA:2016-358-01) New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/httpd-2.4.25-i586-1_slack14.2.txz: Upgraded. This update fixes the following security issues: * CVE-2016-8740: mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames. * CVE-2016-5387: core: Mitigate [f]cgi "httpoxy" issues. * CVE-2016-2161: mod_auth_digest: Prevent segfaults during client entry allocation when the shared memory space is exhausted. * CVE-2016-0736: mod_session_crypto: Authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack. * CVE-2016-8743: Enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.25-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.25-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.25-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.25-x86_64-1_slack14.1.txz Updated package for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/httpd-2.4.25-i586-1_slack14.2.txz Updated package for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/httpd-2.4.25-x86_64-1_slack14.2.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.25-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.25-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.0 package: 186e15ba143536daa3314076002c7821 httpd-2.4.25-i486-1_slack14.0.txz Slackware x86_64 14.0 package: f9eb3bf2a68a9bc8637a8d53a26ab6dd httpd-2.4.25-x86_64-1_slack14.0.txz Slackware 14.1 package: e416a15941f2c8c0eaebbd63e69164ff httpd-2.4.25-i486-1_slack14.1.txz Slackware x86_64 14.1 package: f1b4ccd7391b58bf9f78648c8c3c86b4 httpd-2.4.25-x86_64-1_slack14.1.txz Slackware 14.2 package: 18e672179bd4136eea419fbcdf1d587b httpd-2.4.25-i586-1_slack14.2.txz Slackware x86_64 14.2 package: 250aa6c0782aefd28539e3c3f2ddde95 httpd-2.4.25-x86_64-1_slack14.2.txz Slackware -current package: 732e51e650d3287f4f415a0536c9c8fe n/httpd-2.4.25-i586-1.txz Slackware x86_64 -current package: ab4f1612c10531fce830aa1f562a9dd5 n/httpd-2.4.25-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg httpd-2.4.25-i586-1_slack14.2.txz Then, restart Apache httpd: # /etc/rc.d/rc.httpd stop # /etc/rc.d/rc.httpd start +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security ( -at -) slackware.com +------------------------------------------------------------------------+ Share this post Link to post
