lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <41B13801.1040302@videotron.ca>
From: marcdeslauriers at videotron.ca (Marc Deslauriers)
Subject: [FLSA-2004:2148] Updated httpd,
 apache and mod_ssl packages fix security issues

-----------------------------------------------------------------------
                Fedora Legacy Update Advisory

Synopsis:          Updated httpd, apache and mod_ssl packages fix
                    security issues
Advisory ID:       FLSA:2148
Issue date:        2004-12-03
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=2148
CVE Names:         CAN-2004-0885 CAN-2004-0940 CAN-2004-0942
-----------------------------------------------------------------------


-----------------------------------------------------------------------
1. Topic:

Updated httpd packages that include fixes for security issues are now
available.

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

An issue has been discovered in the mod_ssl module when configured to
use the "SSLCipherSuite" directive in directory or location context. If
a particular location context has been configured to require a specific
set of cipher suites, then a client will be able to access that location
using any cipher suite allowed by the virtual host configuration. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0885 to this issue.

Problems that apply to Red Hat Linux 7.3 only:

A buffer overflow in mod_include could allow a local user who is
authorised to create server side include (SSI) files to gain the
privileges of a httpd child. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0940 to this
issue.

Problems that apply to Red Hat Linux 9 and Fedora Core 1 only:

An issue has been discovered in the handling of white space in request
header lines using MIME folding. A malicious client could send a
carefully crafted request, forcing the server to consume large amounts
of memory, leading to a denial of service. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0942 to this issue.

Users of the Apache HTTP server should upgrade to these updated
packages, which contain patches that address these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 2148 - Apache httpd Vulnerabilities

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-6.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_ssl-2.8.12-7.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.17.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.17.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.6.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.6.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.6.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.6.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------------

d40866e11e91598844b054f657856d697449aad0 
7.3/updates/i386/apache-1.3.27-6.legacy.i386.rpm
14463609d71731d2d1a388dae83d03bcbb200eb3 
7.3/updates/i386/apache-devel-1.3.27-6.legacy.i386.rpm
ba4e9892ffe4afbc73d4913c145e2e5dc109751d 
7.3/updates/i386/apache-manual-1.3.27-6.legacy.i386.rpm
a55bac0fa92970caf3e3d8aa611fb80698f90573 
7.3/updates/i386/mod_ssl-2.8.12-7.legacy.i386.rpm
6def62270ae08a9fa7a8fc375bea8eb1e3553ff4 
7.3/updates/SRPMS/apache-1.3.27-6.legacy.src.rpm
079fb1966c98fab1274d44ca5d0c735c9e4b851b 
7.3/updates/SRPMS/mod_ssl-2.8.12-7.legacy.src.rpm
cf4421a5eb0cc960c4ac0e79c5a75af4d0a82caf 
9/updates/i386/httpd-2.0.40-21.17.legacy.i386.rpm
6e74bb9366d1b43462ccc01eb394b8d28fc71008 
9/updates/i386/httpd-devel-2.0.40-21.17.legacy.i386.rpm
fedddfa1d24545b9203c9d4dcd80565f12a68150 
9/updates/i386/httpd-manual-2.0.40-21.17.legacy.i386.rpm
a4d3ec49253f09496284c7b089a539363d8c1ad1 
9/updates/i386/mod_ssl-2.0.40-21.17.legacy.i386.rpm
1e7bca22c9f078a4053eea21db5d04f825a60807 
9/updates/SRPMS/httpd-2.0.40-21.17.legacy.src.rpm
900fab9908fe5655ffaf75e85ddec3766244b095 
1/updates/i386/httpd-2.0.51-1.6.legacy.i386.rpm
92ceef4e0b98ae64df0ae82bdc70fbe19bbc3bff 
1/updates/i386/httpd-devel-2.0.51-1.6.legacy.i386.rpm
76b92621a50c287af6fc54c9bd93555d12bf206b 
1/updates/i386/httpd-manual-2.0.51-1.6.legacy.i386.rpm
e4e38ace9ca2a3ee4c82b4c04fd15dc326fe0004 
1/updates/i386/mod_ssl-2.0.51-1.6.legacy.i386.rpm
7204fb50b3eb48203142201f0f3e6324c327bafe 
1/updates/SRPMS/httpd-2.0.51-1.6.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy org/about/security.php

You can verify each package with the following command:

     rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

     sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
http://www.apacheweek.com/features/security-20
http://www.apacheweek.com/features/security-13

9. Contact:

The Fedora Legacy security contact is <secnotice@...oralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041203/052e0ea5/signature.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ