--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated Apache httpd packages fix security issues Advisory ID: FLSA:157701 Issue date: 2005-08-10 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2005-1268 CAN-2005-1344 CAN-2005-2088 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated Apache httpd packages to correct security issues are now available. The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: Watchfire reported a flaw that occured when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-2088 to this issue. A buffer overflow was discovered in htdigest that may allow an attacker to execute arbitrary code. Since htdigest is usually only accessible locally, the impact of this issue is low. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-1344 to this issue. Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL). The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-1268 to this issue. Users of Apache httpd should update to these errata packages that contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157701 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-8.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-8.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-8.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-8.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.18.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.18.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.18.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.7.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.7.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.7.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.7.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.7.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.2.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-manual-2.0.51-2.9.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mod_ssl-2.0.51-2.9.2.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 0e3755cab97683d75987658b7de6ffe9c80a8b62 redhat/7.3/updates/i386/apache-1.3.27-8.legacy.i386.rpm b9b201ebe088409ea9d8b0ea8437351744d8b03e redhat/7.3/updates/i386/apache-devel-1.3.27-8.legacy.i386.rpm 9222e0121f0b39d336d5465967cc5e218a5487de redhat/7.3/updates/i386/apache-manual-1.3.27-8.legacy.i386.rpm 3a6736e526c94f5e253860636a1986f8ca3cc972 redhat/7.3/updates/SRPMS/apache-1.3.27-8.legacy.src.rpm cb1ae0ad7739bf0cd3eb7c56a8ba96a5bc7825e3 redhat/9/updates/i386/httpd-2.0.40-21.18.legacy.i386.rpm 4468f5beed1cd89f0225bc8e253bfd4a73fb7732 redhat/9/updates/i386/httpd-devel-2.0.40-21.18.legacy.i386.rpm cf259929dd2acb5423f611dc5955e801f6bc85fe redhat/9/updates/i386/httpd-manual-2.0.40-21.18.legacy.i386.rpm 40ad84a4a01502aad2bccfbcd7fda81e8b24022b redhat/9/updates/SRPMS/httpd-2.0.40-21.18.legacy.src.rpm f34762e151a8cbbe4dcf926c66dce6392dbac970 redhat/9/updates/i386/mod_ssl-2.0.40-21.18.legacy.i386.rpm b19c5d34da8ef263e5b2f2dcfdd23b02a1a2dd36 fedora/1/updates/i386/httpd-2.0.51-1.7.legacy.i386.rpm 3ca9ea9df6b5c4334909b8cbf63ea858385f81de fedora/1/updates/i386/httpd-devel-2.0.51-1.7.legacy.i386.rpm d2a69419b943944e0d7557a500f86eb470d2c5e9 fedora/1/updates/i386/httpd-manual-2.0.51-1.7.legacy.i386.rpm 3ff73a6a4607f5c7503ec36d9a3e901ab02131c2 fedora/1/updates/SRPMS/httpd-2.0.51-1.7.legacy.src.rpm 2667ac96d7749d32255702430c0d04cf40620972 fedora/1/updates/i386/mod_ssl-2.0.51-1.7.legacy.i386.rpm 6cf82576642dbb991a3253f4c2ef4ca485d7eea4 fedora/2/updates/i386/httpd-2.0.51-2.9.2.legacy.i386.rpm e8ff1c406b0dd81c2e8f987df5b33dd6e56111e9 fedora/2/updates/i386/httpd-devel-2.0.51-2.9.2.legacy.i386.rpm d432195a04f5423c0ca82c4fb99eff2a4efa04ee fedora/2/updates/i386/httpd-manual-2.0.51-2.9.2.legacy.i386.rpm a041a7db3f6840e490c418856f86448b52769364 fedora/2/updates/SRPMS/httpd-2.0.51-2.9.2.legacy.src.rpm a1d6ac70df1a9ac0eefa1d8c16078861cd61b282 fedora/2/updates/i386/mod_ssl-2.0.51-2.9.2.legacy.i386.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1344 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature