--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated httpd and mod_ssl packages fix two security issues Advisory ID: FLSA:166941 Issue date: 2005-11-09 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CVE-2005-2700 CVE-2005-2728 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated mod_ssl and Apache httpd packages that correct two security issues are now available. The Apache HTTP Server is a popular and freely-available Web server. The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient" directive. This flaw occurs if a virtual host is configured using "SSLVerifyClient optional" and a directive "SSLVerifyClient required" is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2700 to this issue. A flaw was discovered in Apache httpd where the byterange filter would buffer certain responses into memory. If a server has a dynamic resource such as a CGI script or PHP script that generates a large amount of data, an attacker could send carefully crafted requests in order to consume resources, potentially leading to a Denial of Service. (CVE-2005-2728) Users of mod_ssl and Apache httpd should update to these errata packages that contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166941 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-8.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_ssl-2.8.12-8.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.20.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.20.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.20.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.20.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.20.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.9.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.9.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.9.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.9.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.9.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.4.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-manual-2.0.51-2.9.4.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/mod_ssl-2.0.51-2.9.4.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 670aa135fb5073b29e94f0a3fe2db9e592b40558 redhat/7.3/updates/i386/mod_ssl-2.8.12-8.legacy.i386.rpm 3442b014c181d2d1d791e8c743b4e627c87e35dc redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-8.legacy.src.rpm 2e1f513ec64bc94dd087138282fb0e868a1a3abe redhat/9/updates/i386/httpd-2.0.40-21.20.legacy.i386.rpm 8fbff503cd3bf5ce657dbd977b063437775750f7 redhat/9/updates/i386/httpd-devel-2.0.40-21.20.legacy.i386.rpm b0313b4f0203cd03c84facefb1eebdb4ed928c26 redhat/9/updates/i386/httpd-manual-2.0.40-21.20.legacy.i386.rpm cface2ec6aca89b8c4641055cabd14a7b37a4ebf redhat/9/updates/i386/mod_ssl-2.0.40-21.20.legacy.i386.rpm 54b412d5bb90f1e649f838b41b1dd4c34ea93c90 redhat/9/updates/SRPMS/httpd-2.0.40-21.20.legacy.src.rpm d5cbd7cfdd31b1a6222727f99366407eb06e53e7 fedora/1/updates/i386/httpd-2.0.51-1.9.legacy.i386.rpm 994e4b34b91ae60eb7f632dc50b39c1f5e89aca4 fedora/1/updates/i386/httpd-devel-2.0.51-1.9.legacy.i386.rpm b75c88ba3deda8aed4cb3d6e5d4ea55141554723 fedora/1/updates/i386/httpd-manual-2.0.51-1.9.legacy.i386.rpm 465efbcc39ef52325928c2dc8093fc6447c33477 fedora/1/updates/i386/mod_ssl-2.0.51-1.9.legacy.i386.rpm 2bd06a4df99b703eea8f882d87b812713e5fa1c2 fedora/1/updates/SRPMS/httpd-2.0.51-1.9.legacy.src.rpm 0f4333e775c1b7b6f5af6e5cf092fa69606766c4 fedora/2/updates/i386/httpd-2.0.51-2.9.4.legacy.i386.rpm 59a54683c490ecfcea66fe0134c9ed6130905602 fedora/2/updates/i386/httpd-devel-2.0.51-2.9.4.legacy.i386.rpm 9a4e89cc67e268424b9eaa4c2183332e8f6f0d0e fedora/2/updates/i386/httpd-manual-2.0.51-2.9.4.legacy.i386.rpm a102640b8af24ddaa57ebfbb0e1e78a8a17adbc1 fedora/2/updates/i386/mod_ssl-2.0.51-2.9.4.legacy.i386.rpm db6c3e2bb4470e592cb74bf3e986ae426010dfaf fedora/2/updates/SRPMS/httpd-2.0.51-2.9.4.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2700 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2728 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature