Articles / Red Hat: Updated httpd pack…

Red Hat: Updated httpd packages fix a security issue and bugs

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. An issue has been discovered in the mod_ssl module when configured to use the "SSLCipherSuite" directive in directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client will be able to access that location using any cipher suite allowed by the virtual host configuration. An issue has been discovered in the handling of white space in request header lines using MIME folding. A malicious client could send a carefully crafted request, forcing the server to consume large amounts of memory, leading to a denial of service. Updated packages are available from updates.redhat.com.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated httpd packages fix a security issue and bugs
Advisory ID:       RHSA-2004:562-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2004-562.html
Issue date:        2004-11-12
Updated on:        2004-11-12
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0885 CAN-2004-0942
- ---------------------------------------------------------------------

1. Summary:

Updated httpd packages that include fixes for two security issues, as well as
other bugs, are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

An issue has been discovered in the mod_ssl module when configured to use
the "SSLCipherSuite" directive in directory or location context.  If a
particular location context has been configured to require a specific set
of cipher suites, then a client will be able to access that location using
any cipher suite allowed by the virtual host configuration.   The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0885 to this issue.

An issue has been discovered in the handling of white space in request
header lines using MIME folding.  A malicious client could send a carefully
crafted request, forcing the server to consume large amounts of memory,
leading to a denial of service.  The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0942 to this issue.

Several minor bugs were also discovered, including:

- - In the mod_cgi module, problems that arise when CGI scripts are 
  invoked from SSI pages by mod_include using the "#include virtual" 
  syntax have been fixed.

- - In the mod_dav_fs module, problems with the handling of indirect locks
  on the S/390x platform have been fixed.

Users of the Apache HTTP server who are affected by these issues should
upgrade to these updated packages, which contain backported patches.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

132593 - mod_dav_fs: indirect lock refresh broken on s390x
134825 - CAN-2004-0885 SSLCipherSuite bypass
138064 - CAN-2004-0942 Memory consumption DoS

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-44.ent.src.rpm
118f06e0317eb7d5735990049199b354  httpd-2.0.46-44.ent.src.rpm

i386:
07294bc2ae372ae2c033f6c97a425371  httpd-2.0.46-44.ent.i386.rpm
f97f7661878d345e35e49ee5b903ee97  httpd-devel-2.0.46-44.ent.i386.rpm
7ff1d8de6d421d62b5f7c35df785304e  mod_ssl-2.0.46-44.ent.i386.rpm

ia64:
731331f101efda7820988a76265d5b29  httpd-2.0.46-44.ent.ia64.rpm
95451f6b0aaffbccffb8e77c88d36cc1  httpd-devel-2.0.46-44.ent.ia64.rpm
badd71a4a010b5b96d854de8b4ab14c5  mod_ssl-2.0.46-44.ent.ia64.rpm

ppc:
d399d5cbffd283d3e155a2e301542e6f  httpd-2.0.46-44.ent.ppc.rpm
ded92081a835c8e53ccbf6e8f47f244d  httpd-devel-2.0.46-44.ent.ppc.rpm
4a2a5d60a34a09550910738fde57f518  mod_ssl-2.0.46-44.ent.ppc.rpm

s390:
806ff06977f721712068a621c3981f7c  httpd-2.0.46-44.ent.s390.rpm
5912d5b3eb7d18071825ef4bfe3b139b  httpd-devel-2.0.46-44.ent.s390.rpm
6d2866cab66c09694ba6c98b39d3e52b  mod_ssl-2.0.46-44.ent.s390.rpm

s390x:
17bd982545f3e25953a4d3aff7d9ea22  httpd-2.0.46-44.ent.s390x.rpm
2299bd3c8d7a0a5ab525840fc453f1e1  httpd-devel-2.0.46-44.ent.s390x.rpm
51cc33598d9d4559f0daf860396e5ae5  mod_ssl-2.0.46-44.ent.s390x.rpm

x86_64:
1b8bce6493ff433f4fe8361b897d841e  httpd-2.0.46-44.ent.x86_64.rpm
7ce1eb8feef44ffdb30563484f214a61  httpd-devel-2.0.46-44.ent.x86_64.rpm
fc576fed7de6149c17d5158e87ec600c  mod_ssl-2.0.46-44.ent.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/httpd-2.0.46-44.ent.src.rpm
118f06e0317eb7d5735990049199b354  httpd-2.0.46-44.ent.src.rpm

i386:
07294bc2ae372ae2c033f6c97a425371  httpd-2.0.46-44.ent.i386.rpm
f97f7661878d345e35e49ee5b903ee97  httpd-devel-2.0.46-44.ent.i386.rpm
7ff1d8de6d421d62b5f7c35df785304e  mod_ssl-2.0.46-44.ent.i386.rpm

x86_64:
1b8bce6493ff433f4fe8361b897d841e  httpd-2.0.46-44.ent.x86_64.rpm
7ce1eb8feef44ffdb30563484f214a61  httpd-devel-2.0.46-44.ent.x86_64.rpm
fc576fed7de6149c17d5158e87ec600c  mod_ssl-2.0.46-44.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-44.ent.src.rpm
118f06e0317eb7d5735990049199b354  httpd-2.0.46-44.ent.src.rpm

i386:
07294bc2ae372ae2c033f6c97a425371  httpd-2.0.46-44.ent.i386.rpm
f97f7661878d345e35e49ee5b903ee97  httpd-devel-2.0.46-44.ent.i386.rpm
7ff1d8de6d421d62b5f7c35df785304e  mod_ssl-2.0.46-44.ent.i386.rpm

ia64:
731331f101efda7820988a76265d5b29  httpd-2.0.46-44.ent.ia64.rpm
95451f6b0aaffbccffb8e77c88d36cc1  httpd-devel-2.0.46-44.ent.ia64.rpm
badd71a4a010b5b96d854de8b4ab14c5  mod_ssl-2.0.46-44.ent.ia64.rpm

x86_64:
1b8bce6493ff433f4fe8361b897d841e  httpd-2.0.46-44.ent.x86_64.rpm
7ce1eb8feef44ffdb30563484f214a61  httpd-devel-2.0.46-44.ent.x86_64.rpm
fc576fed7de6149c17d5158e87ec600c  mod_ssl-2.0.46-44.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-44.ent.src.rpm
118f06e0317eb7d5735990049199b354  httpd-2.0.46-44.ent.src.rpm

i386:
07294bc2ae372ae2c033f6c97a425371  httpd-2.0.46-44.ent.i386.rpm
f97f7661878d345e35e49ee5b903ee97  httpd-devel-2.0.46-44.ent.i386.rpm
7ff1d8de6d421d62b5f7c35df785304e  mod_ssl-2.0.46-44.ent.i386.rpm

ia64:
731331f101efda7820988a76265d5b29  httpd-2.0.46-44.ent.ia64.rpm
95451f6b0aaffbccffb8e77c88d36cc1  httpd-devel-2.0.46-44.ent.ia64.rpm
badd71a4a010b5b96d854de8b4ab14c5  mod_ssl-2.0.46-44.ent.ia64.rpm

x86_64:
1b8bce6493ff433f4fe8361b897d841e  httpd-2.0.46-44.ent.x86_64.rpm
7ce1eb8feef44ffdb30563484f214a61  httpd-devel-2.0.46-44.ent.x86_64.rpm
fc576fed7de6149c17d5158e87ec600c  mod_ssl-2.0.46-44.ent.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://www.apacheweek.com/features/security-20
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBlOzSXlSAg2UNWIIRAv86AJ9x979dRjuv17HCCbnwE8bfCqnldwCeIslT
Ti3dLL7B4Y35loJaYQe/yNQ=
=OaFC
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.