Tuesday, March 9, 2010

Security Update: HTTPD

Apache has just released a security update for the httpd package, and Slackware-Current has included the fix in the latest batch. It fixes three problems, which are described in the changelog.

In other news, cupsddk is now part of the main CUPS package, so a separate package is no longer needed and the cupsddk package has been removed. OpenSSH has also been upgraded to the latest version, which is a major upgrade.

Here's the latest -Current changelog:
Mon Mar 8 20:49:02 UTC 2010
ap/cupsddk-1.2.3-i486-2.txz: Removed.
The CUPS Driver Development Kit (DDK) is part of the main CUPS package now.

ap/hplip-3.10.2-i486-1.txz: Upgraded.

n/httpd-2.2.15-i486-1.txz: Upgraded.
This update addresses a few security issues.
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated renegotiations.
mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent when request headers indicate a request body is incoming; not a case of HTTP_INTERNAL_SERVER_ERROR.
mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers.
[This is the most serious flaw, but does not affect Linux systems]
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425
(* Security fix *)

n/openssh-5.4p1-i486-1.txz: Upgraded.