[FLSA-2005:166941] Updated httpd and mod_ssl packages fix two security issues

From: Marc Deslauriers (marcdeslauriers_at_videotron.ca)
Date: 11/10/05

  • Next message: Martin Pitt: "[USN-215-1] fetchmailconf vulnerability"
    Date: Wed, 09 Nov 2005 18:27:50 -0500
    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
    
    
    

    ---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

    Synopsis: Updated httpd and mod_ssl packages fix two
                       security issues
    Advisory ID: FLSA:166941
    Issue date: 2005-11-09
    Product: Red Hat Linux, Fedora Core
    Keywords: Bugfix
    CVE Names: CVE-2005-2700 CVE-2005-2728
    ---------------------------------------------------------------------

    ---------------------------------------------------------------------
    1. Topic:

    Updated mod_ssl and Apache httpd packages that correct two security
    issues are now available.

    The Apache HTTP Server is a popular and freely-available Web server.

    The mod_ssl module provides strong cryptography for the Apache Web
    server via the Secure Sockets Layer (SSL) and Transport Layer Security
    (TLS) protocols.

    2. Relevant releases/architectures:

    Red Hat Linux 7.3 - i386
    Red Hat Linux 9 - i386
    Fedora Core 1 - i386
    Fedora Core 2 - i386

    3. Problem description:

    A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient"
    directive. This flaw occurs if a virtual host is configured
    using "SSLVerifyClient optional" and a directive "SSLVerifyClient
    required" is set for a specific location. For servers configured in this
    fashion, an attacker may be able to access resources that should
    otherwise be protected, by not supplying a client certificate when
    connecting. The Common Vulnerabilities and Exposures project assigned
    the name CVE-2005-2700 to this issue.

    A flaw was discovered in Apache httpd where the byterange filter would
    buffer certain responses into memory. If a server has a dynamic
    resource such as a CGI script or PHP script that generates a large
    amount of data, an attacker could send carefully crafted requests in
    order to consume resources, potentially leading to a Denial of Service.
    (CVE-2005-2728)

    Users of mod_ssl and Apache httpd should update to these errata packages
    that contain backported patches to correct these issues.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which
    are not installed but included in the list will not be updated. Note
    that you can also use wildcards (*.rpm) if your current directory *only*
    contains the desired RPMs.

    Please note that this update is also available via yum and apt. Many
    people find this an easier way to apply updates. To use yum issue:

    yum update

    or to use apt:

    apt-get update; apt-get upgrade

    This will start an interactive process that will result in the
    appropriate RPMs being upgraded on your system. This assumes that you
    have yum or apt-get configured for obtaining Fedora Legacy content.
    Please visit http://www.fedoralegacy.org/docs for directions on how to
    configure yum and apt-get.

    5. Bug IDs fixed:

    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166941

    6. RPMs required:

    Red Hat Linux 7.3:
    SRPM:
    http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-8.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_ssl-2.8.12-8.legacy.i386.rpm

    Red Hat Linux 9:

    SRPM:
    http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.20.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.20.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.20.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.20.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.20.legacy.i386.rpm

    Fedora Core 1:

    SRPM:
    http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.9.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.9.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.9.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.9.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.9.legacy.i386.rpm

    Fedora Core 2:

    SRPM:
    http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.4.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-manual-2.0.51-2.9.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/mod_ssl-2.0.51-2.9.4.legacy.i386.rpm

    7. Verification:

    SHA1 sum Package Name
    ---------------------------------------------------------------------

    670aa135fb5073b29e94f0a3fe2db9e592b40558
    redhat/7.3/updates/i386/mod_ssl-2.8.12-8.legacy.i386.rpm
    3442b014c181d2d1d791e8c743b4e627c87e35dc
    redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-8.legacy.src.rpm
    2e1f513ec64bc94dd087138282fb0e868a1a3abe
    redhat/9/updates/i386/httpd-2.0.40-21.20.legacy.i386.rpm
    8fbff503cd3bf5ce657dbd977b063437775750f7
    redhat/9/updates/i386/httpd-devel-2.0.40-21.20.legacy.i386.rpm
    b0313b4f0203cd03c84facefb1eebdb4ed928c26
    redhat/9/updates/i386/httpd-manual-2.0.40-21.20.legacy.i386.rpm
    cface2ec6aca89b8c4641055cabd14a7b37a4ebf
    redhat/9/updates/i386/mod_ssl-2.0.40-21.20.legacy.i386.rpm
    54b412d5bb90f1e649f838b41b1dd4c34ea93c90
    redhat/9/updates/SRPMS/httpd-2.0.40-21.20.legacy.src.rpm
    d5cbd7cfdd31b1a6222727f99366407eb06e53e7
    fedora/1/updates/i386/httpd-2.0.51-1.9.legacy.i386.rpm
    994e4b34b91ae60eb7f632dc50b39c1f5e89aca4
    fedora/1/updates/i386/httpd-devel-2.0.51-1.9.legacy.i386.rpm
    b75c88ba3deda8aed4cb3d6e5d4ea55141554723
    fedora/1/updates/i386/httpd-manual-2.0.51-1.9.legacy.i386.rpm
    465efbcc39ef52325928c2dc8093fc6447c33477
    fedora/1/updates/i386/mod_ssl-2.0.51-1.9.legacy.i386.rpm
    2bd06a4df99b703eea8f882d87b812713e5fa1c2
    fedora/1/updates/SRPMS/httpd-2.0.51-1.9.legacy.src.rpm
    0f4333e775c1b7b6f5af6e5cf092fa69606766c4
    fedora/2/updates/i386/httpd-2.0.51-2.9.4.legacy.i386.rpm
    59a54683c490ecfcea66fe0134c9ed6130905602
    fedora/2/updates/i386/httpd-devel-2.0.51-2.9.4.legacy.i386.rpm
    9a4e89cc67e268424b9eaa4c2183332e8f6f0d0e
    fedora/2/updates/i386/httpd-manual-2.0.51-2.9.4.legacy.i386.rpm
    a102640b8af24ddaa57ebfbb0e1e78a8a17adbc1
    fedora/2/updates/i386/mod_ssl-2.0.51-2.9.4.legacy.i386.rpm
    db6c3e2bb4470e592cb74bf3e986ae426010dfaf
    fedora/2/updates/SRPMS/httpd-2.0.51-2.9.4.legacy.src.rpm

    These packages are GPG signed by Fedora Legacy for security. Our key is
    available from http://www.fedoralegacy.org/about/security.php

    You can verify each package with the following command:

        rpm --checksig -v <filename>

    If you only wish to verify that each package has not been corrupted or
    tampered with, examine only the sha1sum with the following command:

        sha1sum <filename>

    8. References:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2700
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2728

    9. Contact:

    The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
    project details at http://www.fedoralegacy.org

    ---------------------------------------------------------------------

    
    



  • Next message: Martin Pitt: "[USN-215-1] fetchmailconf vulnerability"

    Relevant Pages