FLSA-2005:157701: Updated Apache httpd packages fix security issues
Posted on: 08/11/2005 05:01 AM

Updated Apache packages are available for Red Hat Linux 7.3/9 and Fedora Core 1/2

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated Apache httpd packages fix security issues
Advisory ID: FLSA:157701
Issue date: 2005-08-10
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CAN-2005-1268 CAN-2005-1344 CAN-2005-2088
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated Apache httpd packages to correct security issues are now available.

The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

Watchfire reported a flaw that occured when using the Apache server as an HTTP proxy. A remote attacker could send an HTTP request with both a "Transfer-Encoding: chunked" header and a "Content-Length" header. This caused Apache to incorrectly handle and forward the body of the request in a way that the receiving server processes it as a separate HTTP request. This could allow the bypass of Web application firewall protection or lead to cross-site scripting (XSS) attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-2088 to this issue.

A buffer overflow was discovered in htdigest that may allow an attacker to execute arbitrary code. Since htdigest is usually only accessible locally, the impact of this issue is low. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-1344 to this issue.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification callback. In order to exploit this issue the Apache server would need to be configured to use a malicious certificate revocation list (CRL). The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CAN-2005-1268 to this issue.

Users of Apache httpd should update to these errata packages that contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157701

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-8.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-8.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.18.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.18.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.18.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.7.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.7.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-manual-2.0.51-2.9.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mod_ssl-2.0.51-2.9.2.legacy.i386.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

0e3755cab97683d75987658b7de6ffe9c80a8b62
redhat/7.3/updates/i386/apache-1.3.27-8.legacy.i386.rpm
b9b201ebe088409ea9d8b0ea8437351744d8b03e
redhat/7.3/updates/i386/apache-devel-1.3.27-8.legacy.i386.rpm
9222e0121f0b39d336d5465967cc5e218a5487de
redhat/7.3/updates/i386/apache-manual-1.3.27-8.legacy.i386.rpm
3a6736e526c94f5e253860636a1986f8ca3cc972
redhat/7.3/updates/SRPMS/apache-1.3.27-8.legacy.src.rpm
cb1ae0ad7739bf0cd3eb7c56a8ba96a5bc7825e3
redhat/9/updates/i386/httpd-2.0.40-21.18.legacy.i386.rpm
4468f5beed1cd89f0225bc8e253bfd4a73fb7732
redhat/9/updates/i386/httpd-devel-2.0.40-21.18.legacy.i386.rpm
cf259929dd2acb5423f611dc5955e801f6bc85fe
redhat/9/updates/i386/httpd-manual-2.0.40-21.18.legacy.i386.rpm
40ad84a4a01502aad2bccfbcd7fda81e8b24022b
redhat/9/updates/SRPMS/httpd-2.0.40-21.18.legacy.src.rpm
f34762e151a8cbbe4dcf926c66dce6392dbac970
redhat/9/updates/i386/mod_ssl-2.0.40-21.18.legacy.i386.rpm
b19c5d34da8ef263e5b2f2dcfdd23b02a1a2dd36
fedora/1/updates/i386/httpd-2.0.51-1.7.legacy.i386.rpm
3ca9ea9df6b5c4334909b8cbf63ea858385f81de
fedora/1/updates/i386/httpd-devel-2.0.51-1.7.legacy.i386.rpm
d2a69419b943944e0d7557a500f86eb470d2c5e9
fedora/1/updates/i386/httpd-manual-2.0.51-1.7.legacy.i386.rpm
3ff73a6a4607f5c7503ec36d9a3e901ab02131c2
fedora/1/updates/SRPMS/httpd-2.0.51-1.7.legacy.src.rpm
2667ac96d7749d32255702430c0d04cf40620972
fedora/1/updates/i386/mod_ssl-2.0.51-1.7.legacy.i386.rpm
6cf82576642dbb991a3253f4c2ef4ca485d7eea4
fedora/2/updates/i386/httpd-2.0.51-2.9.2.legacy.i386.rpm
e8ff1c406b0dd81c2e8f987df5b33dd6e56111e9
fedora/2/updates/i386/httpd-devel-2.0.51-2.9.2.legacy.i386.rpm
d432195a04f5423c0ca82c4fb99eff2a4efa04ee
fedora/2/updates/i386/httpd-manual-2.0.51-2.9.2.legacy.i386.rpm
a041a7db3f6840e490c418856f86448b52769364
fedora/2/updates/SRPMS/httpd-2.0.51-2.9.2.legacy.src.rpm
a1d6ac70df1a9ac0eefa1d8c16078861cd61b282
fedora/2/updates/i386/mod_ssl-2.0.51-2.9.2.legacy.i386.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v lt;filenamegt;

If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:

sha1sum lt;filenamegt;

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1344
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088

9. Contact:

The Fedora Legacy security contact is lt;secnotice@fedoralegacy.orggt;. More project details at http://www.fedoralegacy.org



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/flsa_2005157701_updated_apache_httpd_packages_fix_security_issues.html)