<<< Date Index >>>     <<< Thread Index >>>

[FLSA-2005:166941] Updated httpd and mod_ssl packages fix two security issues

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated httpd and mod_ssl packages fix two
                   security issues
Advisory ID:       FLSA:166941
Issue date:        2005-11-09
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-2700 CVE-2005-2728
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated mod_ssl and Apache httpd packages that correct two security
issues are now available.

The Apache HTTP Server is a popular and freely-available Web server.

The mod_ssl module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient"
directive. This flaw occurs if a virtual host is configured
using "SSLVerifyClient optional" and a directive "SSLVerifyClient
required" is set for a specific location. For servers configured in this
fashion, an attacker may be able to access resources that should
otherwise be protected, by not supplying a client certificate when
connecting. The Common Vulnerabilities and Exposures project assigned
the name CVE-2005-2700 to this issue.

A flaw was discovered in Apache httpd where the byterange filter would
buffer certain responses into memory. If a server has a dynamic
resource such as a CGI script or PHP script that generates a large
amount of data, an attacker could send carefully crafted requests in
order to consume resources, potentially leading to a Denial of Service.
(CVE-2005-2728)

Users of mod_ssl and Apache httpd should update to these errata packages
that contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166941

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-8.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_ssl-2.8.12-8.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.20.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.20.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.20.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.9.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-manual-2.0.51-2.9.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mod_ssl-2.0.51-2.9.4.legacy.i386.rpm


7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

670aa135fb5073b29e94f0a3fe2db9e592b40558
redhat/7.3/updates/i386/mod_ssl-2.8.12-8.legacy.i386.rpm
3442b014c181d2d1d791e8c743b4e627c87e35dc
redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-8.legacy.src.rpm
2e1f513ec64bc94dd087138282fb0e868a1a3abe
redhat/9/updates/i386/httpd-2.0.40-21.20.legacy.i386.rpm
8fbff503cd3bf5ce657dbd977b063437775750f7
redhat/9/updates/i386/httpd-devel-2.0.40-21.20.legacy.i386.rpm
b0313b4f0203cd03c84facefb1eebdb4ed928c26
redhat/9/updates/i386/httpd-manual-2.0.40-21.20.legacy.i386.rpm
cface2ec6aca89b8c4641055cabd14a7b37a4ebf
redhat/9/updates/i386/mod_ssl-2.0.40-21.20.legacy.i386.rpm
54b412d5bb90f1e649f838b41b1dd4c34ea93c90
redhat/9/updates/SRPMS/httpd-2.0.40-21.20.legacy.src.rpm
d5cbd7cfdd31b1a6222727f99366407eb06e53e7
fedora/1/updates/i386/httpd-2.0.51-1.9.legacy.i386.rpm
994e4b34b91ae60eb7f632dc50b39c1f5e89aca4
fedora/1/updates/i386/httpd-devel-2.0.51-1.9.legacy.i386.rpm
b75c88ba3deda8aed4cb3d6e5d4ea55141554723
fedora/1/updates/i386/httpd-manual-2.0.51-1.9.legacy.i386.rpm
465efbcc39ef52325928c2dc8093fc6447c33477
fedora/1/updates/i386/mod_ssl-2.0.51-1.9.legacy.i386.rpm
2bd06a4df99b703eea8f882d87b812713e5fa1c2
fedora/1/updates/SRPMS/httpd-2.0.51-1.9.legacy.src.rpm
0f4333e775c1b7b6f5af6e5cf092fa69606766c4
fedora/2/updates/i386/httpd-2.0.51-2.9.4.legacy.i386.rpm
59a54683c490ecfcea66fe0134c9ed6130905602
fedora/2/updates/i386/httpd-devel-2.0.51-2.9.4.legacy.i386.rpm
9a4e89cc67e268424b9eaa4c2183332e8f6f0d0e
fedora/2/updates/i386/httpd-manual-2.0.51-2.9.4.legacy.i386.rpm
a102640b8af24ddaa57ebfbb0e1e78a8a17adbc1
fedora/2/updates/i386/mod_ssl-2.0.51-2.9.4.legacy.i386.rpm
db6c3e2bb4470e592cb74bf3e986ae426010dfaf
fedora/2/updates/SRPMS/httpd-2.0.51-2.9.4.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2728

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

Attachment: signature.asc
Description: OpenPGP digital signature