Monday, August 3, 2009

Security Update: httpd

One security update on the first day of this week: httpd. It fixes so many security issues that it's definitely a must-upgrade package. There is also an updated linuxdoc-tools package, which solves the jade problem.

Here's the latest -Current changelog:
Sun Aug 2 16:25:44 CDT 2009
ap/linuxdoc-tools-0.9.56-i486-5.txz: Rebuilt. Added a symlink to isogrk4.ent that fixes the problems that we mentioned earlier.
Thanks to Niels Horn for the help!

d/git-1.6.4-i486-1.txz: Upgraded.

n/httpd-2.2.12-i486-1.txz: Upgraded.
This update fixes some security issues (from the CHANGES file):
*) SECURITY: CVE-2009-1891
Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. PR 39605.
[Joe Orton, Ruediger Pluem]
*) SECURITY: CVE-2009-1195
Prevent the "Includes" Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it.
[Jonathan Peatfield, Joe Orton, Ruediger Pluem, Jeff Trawick]
*) SECURITY: CVE-2009-1890
Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration, where a remote attacker can force a proxy process to consume CPU time indefinitely. [Nick Kew, Joe Orton]
*) SECURITY: CVE-2009-1191
mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. PR 46949 [Ruediger Pluem]
*) SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956
The bundled copy of the APR-util library has been updated, fixing three different security issues which may affect particular configurations and third-party modules.
These last three CVEs were addressed in Slackware previously with an update to new system apr and apr-util packages.
For more information, see:
(* Security fix *)

n/irssi-0.8.14-i486-1.txz: Upgraded.