---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated Apache httpd packages fix security issues
Advisory ID:       FLSA:175406
Issue date:        2006-02-18
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-2970 CVE-2005-3352 CVE-2005-3357
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated Apache httpd packages that correct three security issues are
now available.

The Apache HTTP Server is a popular and freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A memory leak in the worker MPM could allow remote attackers to cause
a denial of service (memory consumption) via aborted connections,
which prevents the memory for the transaction pool from being reused
for other connections. The Common Vulnerabilities and Exposures
project assigned the name CVE-2005-2970 to this issue. This
vulnerability only affects users who are using the non-default worker
MPM.

A flaw in mod_imap when using the Referer directive with image maps
was discovered. With certain site configurations, a remote attacker
could perform a cross-site scripting attack if a victim can be forced
to visit a malicious URL using certain web browsers. (CVE-2005-3352)

A NULL pointer dereference flaw in mod_ssl was discovered affecting
server configurations where an SSL virtual host is configured with
access control and a custom 400 error document. A remote attacker
could send a carefully crafted request to trigger this issue which
would lead to a crash. This crash would only be a denial of service
if using the non-default worker MPM. (CVE-2005-3357)

Users of httpd should update to these erratum packages which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only
those RPMs which are currently installed will be updated. Those RPMs
which are not installed but included in the list will not be updated.
Note that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how
to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-9.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.21.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.21.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.10.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-manual-2.0.51-2.9.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mod_ssl-2.0.51-2.9.5.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/httpd-2.0.53-3.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/httpd-2.0.53-3.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/httpd-devel-2.0.53-3.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/httpd-manual-2.0.53-3.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/httpd-suexec-2.0.53-3.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/mod_ssl-2.0.53-3.4.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/httpd-2.0.53-3.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/httpd-devel-2.0.53-3.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/httpd-manual-2.0.53-3.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/httpd-suexec-2.0.53-3.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/mod_ssl-2.0.53-3.4.legacy.x86_64.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------
c55d929dd5acbf4b0191a28b0ad128f1064810f8 redhat/7.3/updates/i386/apache-1.3.27-9.legacy.i386.rpm
aae52f7966d03dd6e81f8b8b5a090bf60fa8e601 redhat/7.3/updates/i386/apache-devel-1.3.27-9.legacy.i386.rpm
fafcea3e68311223b5a814a482927cd645c4356a redhat/7.3/updates/i386/apache-manual-1.3.27-9.legacy.i386.rpm
db23f5e77a78f78a346104038a564f0197ee9414 redhat/7.3/updates/SRPMS/apache-1.3.27-9.legacy.src.rpm

8e6ca52b5fb88a43322a38966ffeb0285b0699e1 redhat/9/updates/i386/httpd-2.0.40-21.21.legacy.i386.rpm
be601feefd0483b24e3ce5efdfadcef6b5d7d040 redhat/9/updates/i386/httpd-devel-2.0.40-21.21.legacy.i386.rpm
8816478ae2287a3d2d4c9ca91d55662efcae2b87 redhat/9/updates/i386/httpd-manual-2.0.40-21.21.legacy.i386.rpm
2d565db0d6fa0756c51ca7aef8211b463c5f5348 redhat/9/updates/i386/mod_ssl-2.0.40-21.21.legacy.i386.rpm
e05115a5178fbf853dfe8fdc75b962c44a787316 redhat/9/updates/SRPMS/httpd-2.0.40-21.21.legacy.src.rpm

d34d8993fa09ebc2c017c98ac459688a913593f6 fedora/1/updates/i386/httpd-2.0.51-1.10.legacy.i386.rpm
1598bdf136a0ab14195df7d9f4425ab6442ab3f7 fedora/1/updates/i386/httpd-devel-2.0.51-1.10.legacy.i386.rpm
e5d6b42924b9fd81869cbe07f410abd2ecaa106e fedora/1/updates/i386/httpd-manual-2.0.51-1.10.legacy.i386.rpm
56c59eec43c7d87f9f59f7068f80e2774de1784a fedora/1/updates/i386/mod_ssl-2.0.51-1.10.legacy.i386.rpm
4294e34c392cc90465d35dbfda88f95aae87c291 fedora/1/updates/SRPMS/httpd-2.0.51-1.10.legacy.src.rpm

3572be6a040d0efe5e71186578b42bb991328254 fedora/2/updates/i386/httpd-2.0.51-2.9.5.legacy.i386.rpm
3d75ef3d7720894c886c4d1a1e52f97f2b4bb345 fedora/2/updates/i386/httpd-devel-2.0.51-2.9.5.legacy.i386.rpm
74c6d5286da4daf697f041d3084cab0a2fda46c6 fedora/2/updates/i386/httpd-manual-2.0.51-2.9.5.legacy.i386.rpm
72050bf7341db26b0d72b8565102bb55eb9be250 fedora/2/updates/i386/mod_ssl-2.0.51-2.9.5.legacy.i386.rpm
32a2bfe031fcbb40ed1db4a84bacc5ad78a7b7a4 fedora/2/updates/SRPMS/httpd-2.0.51-2.9.5.legacy.src.rpm

563dd27fb0e74e13d1b8960e189f05af60926333 fedora/3/updates/i386/httpd-2.0.53-3.4.legacy.i386.rpm
3673bec7d02bd1972c20cbca6d77bccf4c08f516 fedora/3/updates/i386/httpd-devel-2.0.53-3.4.legacy.i386.rpm
d004815e520338f6565e0f18d21847c6439c841f fedora/3/updates/i386/httpd-manual-2.0.53-3.4.legacy.i386.rpm
48eac837da227883d681aa23e182ebb00174980f fedora/3/updates/i386/httpd-suexec-2.0.53-3.4.legacy.i386.rpm
ffdb283132cdf0e0de7026709087781a4f2eabb0 fedora/3/updates/i386/mod_ssl-2.0.53-3.4.legacy.i386.rpm
dcf460eadeb704d54a807058d63e69c8a62b49b5 fedora/3/updates/x86_64/httpd-2.0.53-3.4.legacy.x86_64.rpm
eaa6dd54a8b8ad5165f8643ef4e34eef83f587b6 fedora/3/updates/x86_64/httpd-devel-2.0.53-3.4.legacy.x86_64.rpm
088d7acc09d35b63a9a5278575d2797f5202d811 fedora/3/updates/x86_64/httpd-manual-2.0.53-3.4.legacy.x86_64.rpm
332a9afb589537e33d895685bd145230834e77d1 fedora/3/updates/x86_64/httpd-suexec-2.0.53-3.4.legacy.x86_64.rpm
85c1f146a3f8e9af3ad44b5467cfebfb18eeaee5 fedora/3/updates/x86_64/mod_ssl-2.0.53-3.4.legacy.x86_64.rpm
b6698d717f8dd6b028ee32184bcc778724695a83 fedora/3/updates/SRPMS/httpd-2.0.53-3.4.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key
is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3357

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>.
More project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
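The verification step in section 7 above, as an added example that is not part of the Fedora Legacy advisory: a POSIX shell script that checks a directory of downloaded packages against the advisory's "SHA1 sum / Package Name" listing, whether the download kept the mirror's directory layout or was saved flat. The function names (sha1_of, verify_listing, make_demo_dir, demo_intact, demo_tampered), the example package names and the file contents are constructed for the demonstration; the stand-in files are not real RPMs, their contents are chosen only so that the SHA-1 values are known in advance. This checks integrity only, as the advisory says of sha1sum; rpm --checksig remains the check that also validates the Fedora Legacy GPG signature.

```sh
#!/bin/sh
# Added example, not part of the advisory. Verifies downloaded packages
# against an advisory-style listing of "<sha1> <mirror-relative path>" rows.

# Print the SHA-1 of a file, using sha1sum (GNU coreutils) or shasum (BSD).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_listing LISTING DIR
# LISTING: file holding the advisory's SHA1 table rows (one per line).
# DIR:     where the RPMs were downloaded, either mirroring the
#          redhat/<rel>/... and fedora/<rel>/... layout or flat.
# Packages not downloaded are reported MISSING but do not fail the check,
# since an advisory lists every release and a host needs only its own.
# Returns 0 only if every listed package that is present matches.
verify_listing() {
    listing="$1"; dldir="$2"; status=0
    while read -r expected path; do
        [ -n "$expected" ] || continue              # skip blank lines
        f="$dldir/$path"                            # mirror layout first
        [ -f "$f" ] || f="$dldir/$(basename "$path")"   # then flat layout
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; continue
        fi
        actual=$(sha1_of "$f")
        if [ "$actual" = "$expected" ]; then
            echo "OK      $path"
        else
            echo "FAILED  $path (got $actual)"; status=1
        fi
    done < "$listing"
    return $status
}

# Build a throw-away download directory with constructed stand-ins for RPMs.
# Contents are chosen so the digests are known:
#   sha1("abc") = a9993e364706816aba3e25717850c26c9cd0d89d
# The third row names a package that is deliberately not downloaded.
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/fedora/3/updates/i386"
    printf 'abc' > "$d/fedora/3/updates/i386/example-1.0-1.legacy.i386.rpm"
    printf 'abc' > "$d/example-devel-1.0-1.legacy.i386.rpm"      # flat copy
    printf '%s\n' \
      "a9993e364706816aba3e25717850c26c9cd0d89d fedora/3/updates/i386/example-1.0-1.legacy.i386.rpm" \
      "a9993e364706816aba3e25717850c26c9cd0d89d fedora/3/updates/i386/example-devel-1.0-1.legacy.i386.rpm" \
      "0000000000000000000000000000000000000000 fedora/3/updates/i386/example-manual-1.0-1.legacy.i386.rpm" \
      > "$d/listing.txt"
    echo "$d"
}

# Intact downloads: both present files match; the manual package is MISSING.
demo_intact() {
    d=$(make_demo_dir)
    verify_listing "$d/listing.txt" "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

# One byte of a downloaded file altered after download: verification fails.
demo_tampered() {
    d=$(make_demo_dir)
    printf 'abd' > "$d/example-devel-1.0-1.legacy.i386.rpm"
    verify_listing "$d/listing.txt" "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

demo_intact && demo_tampered || echo "tampered package detected"
```

To use it on a real download, paste the rows of the advisory's section 7 table into a file and run `verify_listing listing.txt /path/to/downloads`; a FAILED line means the file should be discarded and fetched again, and the advisory's `rpm --checksig -v` should still be run before installing, because a matching digest taken from the same untrusted channel as the package proves nothing about who built it.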