ID

VAR-201108-0132

CVE

CVE-2011-3192

TITLE

Apache HTTPD 1.3/2.x Range header DoS vulnerability

DESCRIPTION

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086. Both the 'Range' header and the 'Range-Request' header are vulnerable. The attack tool causes a significant increase in CPU and memory usage on the server. Apache HTTPD The server has a service disruption (DoS) Vulnerabilities exist. Apache HTTPD The server Range Header and Request-Range There is a problem with header processing, and service operation is interrupted. (DoS) Vulnerabilities exist. Attacks using this vulnerability have been observed. Also, "Apache Killer" The attack tool called is released. Apache The advisory states that: "Background and the 2007 report There are two aspects to this vulnerability. One is new, is Apache specific; and resolved with this server side fix. The other issue is fundamentally a protocol design issue dating back to 2007: http://seclists.org/bugtraq/2007/Jan/83 The contemporary interpretation of the HTTP protocol (currently) requires a server to return multiple (overlapping) ranges; in the order requested. This means that one can request a very large range (e.g. from byte 0- to the end) 100's of times in a single request. Being able to do so is an issue for (probably all) webservers and currently subject of an IETF discussion to change the protocol: http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311 This advisory details a problem with how Apache httpd and its so called internal 'bucket brigades' deal with serving such "valid" request. The problem is that currently such requests internally explode into 100's of large fetches, all of which are kept in memory in an inefficient way. This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy."Service disruption by a remote third party (DoS) There is a possibility of being attacked. ========================================================================== Ubuntu Security Notice USN-1199-1 September 01, 2011 apache2 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS Summary: A remote attacker could send crafted input to Apache and cause it to crash. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.04: apache2.2-bin 2.2.17-1ubuntu1.2 Ubuntu 10.10: apache2.2-bin 2.2.16-1ubuntu3.3 Ubuntu 10.04 LTS: apache2.2-bin 2.2.14-5ubuntu8.6 Ubuntu 8.04 LTS: apache2-mpm-event 2.2.8-1ubuntu0.21 apache2-mpm-perchild 2.2.8-1ubuntu0.21 apache2-mpm-prefork 2.2.8-1ubuntu0.21 apache2-mpm-worker 2.2.8-1ubuntu0.21 In general, a standard system update will make all the necessary changes. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Hitachi Web Server ByteRange Filter Denial of Service Vulnerability SECUNIA ADVISORY ID: SA45865 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45865/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45865 RELEASE DATE: 2011-09-05 DISCUSS ADVISORY: http://secunia.com/advisories/45865/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45865/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45865 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Hitachi has acknowledged a vulnerability in Hitachi Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service). ORIGINAL ADVISORY: Hitachi (Japanese): http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS11-019/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker might obtain sensitive information, gain privileges, send requests to unintended servers behind proxies, bypass certain security restrictions, obtain the values of HTTPOnly cookies, or cause a Denial of Service in various ways. A local attacker could gain escalated privileges. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache HTTP Server users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.22-r1" References ========== [ 1 ] CVE-2010-0408 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0408 [ 2 ] CVE-2010-0434 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434 [ 3 ] CVE-2010-1452 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1452 [ 4 ] CVE-2010-2791 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2791 [ 5 ] CVE-2011-3192 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3192 [ 6 ] CVE-2011-3348 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3348 [ 7 ] CVE-2011-3368 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368 [ 8 ] CVE-2011-3607 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3607 [ 9 ] CVE-2011-4317 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4317 [ 10 ] CVE-2012-0021 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0021 [ 11 ] CVE-2012-0031 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0031 [ 12 ] CVE-2012-0053 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0053 [ 13 ] CVE-2012-0883 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0883 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201206-25.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Packages for 2009.0 are provided as of the Extended Maintenance Program. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFOY4ZemqjQ0CJFipgRAqbCAJ9v2n0eNDDc2DYK3WqOifUDtsN+JACgkx4s 4pin0XPWifvtN+m/Z38bY+U= =IhYU -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c02997184 Version: 2 HPSBUX02702 SSRT100606 rev.2 - HP-UX Apache Web Server, Remote Denial of Service (DoS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2011-09-08 Last Updated: 2011-09-08 ------------------------------------------------------------------------------ Potential Security Impact: Remote Denial of Service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP-UX Apache Web Server. References: CVE-2011-3192, CVE-2011-0419 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.17 containing Apache v2.2.15.07 or earlier HP-UX B.11.11 running HP-UX Apache Web Server Suite v2.33 containing Apache v2.0.64.01 or earlier BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2011-3192 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2011-0419 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION This bulletin will be revised when additional information becomes available. HP has provided the following software update to resolve these vulnerabilities. The update is available for download from the following location ftp://srt10606:P2xg=AD5@ftp.usa.hp.com or https://ftp.usa.hp.com/hprc/home with username srt10606 and password P2xg=AD5 HP-UX Web Server Suite (WSS) v.3.18 containing Apache v2.2.15.08 HP-UX 11i Release / Apache Depot name B.11.23 (32-bit) / Apache-CVE-2011-3192-Fix-IA-PA-32.depot B.11.23 (64-bit) / Apache-CVE-2011-3192-Fix-IA-PA-64.depot B.11.31 (32-bit) / Apache-CVE-2011-3192-Fix-IA-PA-32.depot B.11.31 (64-bit) / Apache-CVE-2011-3192-Fix-IA-PA-64.depot HP-UX Web Server Suite (WSS) v.2.33 containing Apache v2.0.64.01 and earlier HP-UX 11i Release / Apache Depot name B.11.11 / Use work around suggested below B.11.23 (32 & 64-bit) / No longer supported. Upgrade to WSS v 3.18 B.11.31 (32 & 64-bit) / No longer supported. Upgrade to WSS v 3.18 Alternatives to Installing the Preliminary Patch The Apache Software Foundation has documented work arounds. For customers not wanting to install the preliminary patch, the following are recommended. Note: that no patch is available for Apache 2.0.64.01. 2) Limit the size of the request field to a few hundred bytes. 3) Use mod_headers to completely disallow the use of Range headers. Please refer to the Apache advisory for details. http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3c20110826103531.998348F82@minotaur.apache.org%3e MANUAL ACTIONS: Yes - Update Install HP-UX Web Server Suite v3.18 or subsequent. PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX Web Server Suite v3.18 HP-UX B.11.23 HP-UX B.11.31 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 action: install revision B.2.2.15.08 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 8 September 2011 Initial release Version:2 (rev.2) - 8 September 2011 Updated affectivity, recommendations, typos Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2011 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk5pPZoACgkQ4B86/C0qfVn5nwCg/w2MOkbP7d5Xp4fAyX4zAOdp aWQAoJoKZs8qDHYIVa41KgH1ANkNQI3C =MTc6 -----END PGP SIGNATURE----- . For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Summary: Updated httpd and httpd22 packages that fix one security issue are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. (CVE-2011-3192) All users of JBoss Enterprise Web Server 1.0.2 should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, Red Hat Enterprise Linux 4 users must restart the httpd22 service, and Red Hat Enterprise Linux 5 and 6 users must restart the httpd service, for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 732928 - CVE-2011-3192 httpd: multiple ranges DoS 6. Package List: JBoss Enterprise Web Server 1.0 for RHEL 4 AS: Source: httpd22-2.2.17-16.ep5.el4.src.rpm i386: httpd22-2.2.17-16.ep5.el4.i386.rpm httpd22-apr-2.2.17-16.ep5.el4.i386.rpm httpd22-apr-devel-2.2.17-16.ep5.el4.i386.rpm httpd22-apr-util-2.2.17-16.ep5.el4.i386.rpm httpd22-apr-util-devel-2.2.17-16.ep5.el4.i386.rpm httpd22-debuginfo-2.2.17-16.ep5.el4.i386.rpm httpd22-devel-2.2.17-16.ep5.el4.i386.rpm httpd22-manual-2.2.17-16.ep5.el4.i386.rpm mod_ssl22-2.2.17-16.ep5.el4.i386.rpm x86_64: httpd22-2.2.17-16.ep5.el4.x86_64.rpm httpd22-apr-2.2.17-16.ep5.el4.x86_64.rpm httpd22-apr-devel-2.2.17-16.ep5.el4.x86_64.rpm httpd22-apr-util-2.2.17-16.ep5.el4.x86_64.rpm httpd22-apr-util-devel-2.2.17-16.ep5.el4.x86_64.rpm httpd22-debuginfo-2.2.17-16.ep5.el4.x86_64.rpm httpd22-devel-2.2.17-16.ep5.el4.x86_64.rpm httpd22-manual-2.2.17-16.ep5.el4.x86_64.rpm mod_ssl22-2.2.17-16.ep5.el4.x86_64.rpm JBoss Enterprise Web Server 1.0 for RHEL 4 ES: Source: httpd22-2.2.17-16.ep5.el4.src.rpm i386: httpd22-2.2.17-16.ep5.el4.i386.rpm httpd22-apr-2.2.17-16.ep5.el4.i386.rpm httpd22-apr-devel-2.2.17-16.ep5.el4.i386.rpm httpd22-apr-util-2.2.17-16.ep5.el4.i386.rpm httpd22-apr-util-devel-2.2.17-16.ep5.el4.i386.rpm httpd22-debuginfo-2.2.17-16.ep5.el4.i386.rpm httpd22-devel-2.2.17-16.ep5.el4.i386.rpm httpd22-manual-2.2.17-16.ep5.el4.i386.rpm mod_ssl22-2.2.17-16.ep5.el4.i386.rpm x86_64: httpd22-2.2.17-16.ep5.el4.x86_64.rpm httpd22-apr-2.2.17-16.ep5.el4.x86_64.rpm httpd22-apr-devel-2.2.17-16.ep5.el4.x86_64.rpm httpd22-apr-util-2.2.17-16.ep5.el4.x86_64.rpm httpd22-apr-util-devel-2.2.17-16.ep5.el4.x86_64.rpm httpd22-debuginfo-2.2.17-16.ep5.el4.x86_64.rpm httpd22-devel-2.2.17-16.ep5.el4.x86_64.rpm httpd22-manual-2.2.17-16.ep5.el4.x86_64.rpm mod_ssl22-2.2.17-16.ep5.el4.x86_64.rpm JBoss Enterprise Web Server 1.0 for RHEL 5 Server: Source: httpd-2.2.17-14.1.ep5.el5.src.rpm i386: httpd-2.2.17-14.1.ep5.el5.i386.rpm httpd-debuginfo-2.2.17-14.1.ep5.el5.i386.rpm httpd-devel-2.2.17-14.1.ep5.el5.i386.rpm httpd-manual-2.2.17-14.1.ep5.el5.i386.rpm mod_ssl-2.2.17-14.1.ep5.el5.i386.rpm x86_64: httpd-2.2.17-14.1.ep5.el5.x86_64.rpm httpd-debuginfo-2.2.17-14.1.ep5.el5.x86_64.rpm httpd-devel-2.2.17-14.1.ep5.el5.x86_64.rpm httpd-manual-2.2.17-14.1.ep5.el5.x86_64.rpm mod_ssl-2.2.17-14.1.ep5.el5.x86_64.rpm JBoss Enterprise Web Server 1.0 for RHEL 6 Server: Source: httpd-2.2.17-13.2.ep5.el6.src.rpm i386: httpd-2.2.17-13.2.ep5.el6.i386.rpm httpd-debuginfo-2.2.17-13.2.ep5.el6.i386.rpm httpd-devel-2.2.17-13.2.ep5.el6.i386.rpm httpd-manual-2.2.17-13.2.ep5.el6.i386.rpm httpd-tools-2.2.17-13.2.ep5.el6.i386.rpm mod_ssl-2.2.17-13.2.ep5.el6.i386.rpm x86_64: httpd-2.2.17-13.2.ep5.el6.x86_64.rpm httpd-debuginfo-2.2.17-13.2.ep5.el6.x86_64.rpm httpd-devel-2.2.17-13.2.ep5.el6.x86_64.rpm httpd-manual-2.2.17-13.2.ep5.el6.x86_64.rpm httpd-tools-2.2.17-13.2.ep5.el6.x86_64.rpm mod_ssl-2.2.17-13.2.ep5.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-3192.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. New packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current. Here are the details from the Slackware 13.37 ChangeLog: +--------------------------+ patches/packages/httpd-2.2.20-i486-1_slack13.37.txz: Upgraded. SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests to use less memory, to avoid denial of service. PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener] For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.20-i486-1_slack12.0.tgz Updated package for Slackware 12.1: ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.20-i486-1_slack12.1.tgz Updated package for Slackware 12.2: ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.20-i486-1_slack12.2.tgz Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/httpd-2.2.20-i486-1_slack13.0.txz Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/httpd-2.2.20-x86_64-1_slack13.0.txz Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/httpd-2.2.20-i486-1_slack13.1.txz Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/httpd-2.2.20-x86_64-1_slack13.1.txz Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/httpd-2.2.20-i486-1_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/httpd-2.2.20-x86_64-1_slack13.37.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.2.20-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.2.20-x86_64-1.txz MD5 signatures: +-------------+ Slackware 12.0 package: 1c5d2923bf5ee56ea5b26a14f4bef750 httpd-2.2.20-i486-1_slack12.0.tgz Slackware 12.1 package: 1afa27da8d2d897f871fb5fe91832f04 httpd-2.2.20-i486-1_slack12.1.tgz Slackware 12.2 package: 883d978f2eb2fa09e0094096860995ef httpd-2.2.20-i486-1_slack12.2.tgz Slackware 13.0 package: db6935f7ce78acd0cf63bfed97497334 httpd-2.2.20-i486-1_slack13.0.txz Slackware x86_64 13.0 package: 8c976a586a885b33c910c71a4cb655c9 httpd-2.2.20-x86_64-1_slack13.0.txz Slackware 13.1 package: eab2ada5def61d8734a80e887b10edc7 httpd-2.2.20-i486-1_slack13.1.txz Slackware x86_64 13.1 package: 378da86cc706426c68cb3404bceb146c httpd-2.2.20-x86_64-1_slack13.1.txz Slackware 13.37 package: ac06dfbefebd419d7bebf3f18ddd1304 httpd-2.2.20-i486-1_slack13.37.txz Slackware x86_64 13.37 package: c650ee26fde72c7e6524784fa63ff8b8 httpd-2.2.20-x86_64-1_slack13.37.txz Slackware -current package: 7afbbaae7ed7605620ad76dc9ae1146b n/httpd-2.2.20-i486-1.txz Slackware x86_64 -current package: 5ef29bd575c49645496cbfc4fe657c84 n/httpd-2.2.20-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg httpd-2.2.20-i486-1_slack13.37.txz Then, restart the httpd daemon. +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

HP

SOURCES

LAST UPDATE DATE

2026-04-18T20:07:30.492000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE