[Full-Disclosure] [FLSA-2004:2068] Updated httpd packages fix security issues

From: Marc Deslauriers (marcdeslauriers_at_videotron.ca)
Date: 10/09/04

    To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>, "full-disclosure@lists.netsys.com" <full-disclosure@lists.netsys.com>
    Date: Sat, 09 Oct 2004 16:05:15 -0400
    
    
    

    -----------------------------------------------------------------------
                   Fedora Legacy Update Advisory

    Synopsis: Updated httpd packages fix security issues
    Advisory ID: FLSA:2068
    Issue date: 2004-10-09
    Product: Red Hat Linux, Fedora Core
    Keywords: Bugfix
    Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2068
    CVE Names: CAN-2004-0488 CAN-2004-0493 CAN-2004-0747
    CVE Names: CAN-2004-0748 CAN-2004-0751 CAN-2004-0786
    CVE Names: CAN-2004-0809 CAN-2004-0811
    -----------------------------------------------------------------------

    -----------------------------------------------------------------------
    1. Topic:

    Updated httpd packages that include fixes for security issues are now
    available.

    The Apache HTTP server is a powerful, full-featured, efficient, and
    freely-available Web server.

    2. Relevant releases/architectures:

    Red Hat Linux 9 - i386
    Fedora Core 1 - i386

    3. Problem description:

    Problems that apply to Red Hat Linux 9 only:

    A stack buffer overflow was discovered in mod_ssl that could be
    triggered if using the FakeBasicAuth option. If mod_ssl was sent a
    client certificate with a subject DN field longer than 6000 characters,
    a stack overflow occurred if FakeBasicAuth had been enabled. In order to
    exploit this issue the carefully crafted malicious certificate would
    have had to be signed by a Certificate Authority which mod_ssl is
    configured to trust. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CAN-2004-0488 to this issue.

    A remotely triggered memory leak in the Apache HTTP Server earlier than
    version 2.0.50 was also discovered. This allowed a remote attacker to
    perform a denial of service attack against the server by forcing it to
    consume large amounts of memory. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CAN-2004-0493 to
    this issue.

    Problems that apply to Fedora Core 1 only:

    An input filter bug in mod_ssl was discovered in Apache httpd version
    2.0.50 and earlier. A remote attacker could force an SSL connection to
    be aborted in a particular state and cause an Apache child process to
    enter an infinite loop, consuming CPU resources. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CAN-2004-0748 to this issue.

    Testing using the Codenomicon HTTP Test Tool performed by the Apache
    Software Foundation security group and Red Hat uncovered an input
    validation issue in the IPv6 URI parsing routines in the apr-util
    library. If a remote attacker sent a request including a carefully
    crafted URI, an httpd child process could be made to crash. This issue
    is not believed to allow arbitrary code execution on this version of
    Linux. This issue also does not represent a significant denial of
    service attack as requests will continue to be handled by other Apache
    child processes. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CAN-2004-0786 to this issue.

    Note that these packages do also contain the fix for a regression in
    Satisfy handling in the 2.0.51 release (CAN-2004-0811).

    Problems that apply to both Red Hat Linux 9 and Fedora Core 1:

    The Swedish IT Incident Centre (SITIC) reported a buffer overflow in the
    expansion of environment variables during configuration file parsing.
    This issue could allow a local user to gain 'apache' privileges if an
    httpd process can be forced to parse a carefully crafted .htaccess file
    written by a local user. The Common Vulnerabilities and Exposures
    project (cve.mitre.org) has assigned the name CAN-2004-0747 to this
    issue.

    An issue was discovered in the mod_ssl module which could be triggered
    if the server is configured to allow proxying to a remote SSL server. A
    malicious remote SSL server could force an httpd child process to crash
    by sending a carefully crafted response header. This issue is not
    believed to allow execution of arbitrary code. This issue also does not
    represent a significant Denial of Service attack as requests will
    continue to be handled by other Apache child processes. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CAN-2004-0751 to this issue.

    An issue was discovered in the mod_dav module which could be triggered
    for a location where WebDAV authoring access has been configured. A
    malicious remote client which is authorized to use the LOCK method could
    force an httpd child process to crash by sending a particular sequence
    of LOCK requests. This issue does not allow execution of arbitrary code.
    This issue also does not represent a significant Denial of Service
    attack as requests will continue to be handled by other Apache child
    processes. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CAN-2004-0809 to this issue.

    Users of the Apache HTTP server should upgrade to these updated
    packages, which contain patches that address these issues.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which
    are not installed but included in the list will not be updated. Note
    that you can also use wildcards (*.rpm) if your current directory *only*
    contains the desired RPMs.

    Please note that this update is also available via yum and apt. Many
    people find this an easier way to apply updates. To use yum issue:

    yum update

    or to use apt:

    apt-get update; apt-get upgrade

    This will start an interactive process that will result in the
    appropriate RPMs being upgraded on your system. This assumes that you
    have yum or apt-get configured for obtaining Fedora Legacy content.
    Please visit http://www.fedoralegacy.org/docs for directions on how to
    configure yum and apt-get.

    5. Bug IDs fixed:

    http://bugzilla.fedora.us - 2068 - CAN-2004-0747,0786,0809 - httpd
    multiple vulnerabilities
    http://bugzilla.fedora.us - 1708 - CAN-2004-0488 - remote attack in
    mod_ssl
    http://bugzilla.fedora.us - 1805 - CAN-2004-0493 - denial of service in
    ap_get_mime_headers_core function in Apache

    6. RPMs required:

    Red Hat Linux 9:

    SRPM:
    http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.16.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.16.legacy.i386.rpm

    Fedora Core 1:

    SRPM:
    http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.4.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.4.legacy.i386.rpm

    7. Verification:

    These packages are GPG signed by Fedora Legacy for security. Our key is
    available from http://www.fedoralegacy.org/about/security.php

    You can verify each package with the following command:

        rpm --checksig -v <filename>

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the sha1sum with the following command:

        sha1sum <filename>

    8. References:

    http://www.apacheweek.com/features/security-20
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0811
    http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964
    http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183

    9. Contact:

    The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
    project details at http://www.fedoralegacy.org

    ---------------------------------------------------------------------

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
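
Several issues in section 3 of the advisory only apply when a specific feature is configured (FakeBasicAuth, proxying to a remote SSL server, WebDAV authoring, .htaccess parsing). The script below is an added example, not part of the Fedora Legacy advisory: it reports which of those preconditions appear in an httpd configuration file. The helper names `httpd_exposure` and `sample_conf` and the sample configuration are constructed for illustration; the directive-to-CAN mapping follows the advisory's problem description.

```shell
#!/bin/sh
# Added example (not from the advisory): report which of the advisory's
# configuration-dependent issues have their precondition enabled in an
# httpd configuration file. httpd_exposure is a hypothetical helper name.

httpd_exposure() {   # usage: httpd_exposure /path/to/httpd.conf
    awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    {
        d = tolower($1)                        # directive names are case-insensitive
        a = tolower($0); sub(/^[ \t]*[^ \t]+/, "", a)   # arguments only
        # mod_ssl FakeBasicAuth enabled (Red Hat Linux 9 packages only)
        if (d == "ssloptions" && a ~ /[ \t][+]?fakebasicauth([ \t]|$)/) print "CAN-2004-0488"
        # proxying to a remote SSL server
        if (d == "sslproxyengine" && tolower($2) == "on") print "CAN-2004-0751"
        # WebDAV authoring access configured for some location
        if (d == "dav" && NF >= 2 && tolower($2) != "off") print "CAN-2004-0809"
        # .htaccess files are parsed when overrides are allowed
        if (d == "allowoverride" && NF >= 2 && tolower($2) != "none") print "CAN-2004-0747"
    }' "$1" | sort -u
}

# Constructed sample configuration, for demonstration only.
sample_conf() {
    cat <<'EOF'
# SSLOptions +FakeBasicAuth   (commented out, must be ignored)
<VirtualHost _default_:443>
    SSLEngine on
    SSLOptions +StdEnvVars -FakeBasicAuth
    SSLProxyEngine On
</VirtualHost>
<Location /authoring>
    DAV on
</Location>
<Directory "/var/www/html">
    AllowOverride AuthConfig
</Directory>
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && httpd_exposure "$tmp"
rm -f "$tmp"
```

Run it over the main configuration and every file it includes. A hit means the precondition named in the advisory is present, not that the installed package is unpatched.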


