Red Hat 8852 Published by

Fedora Legacy Update Advisory

Synopsis: Updated Apache httpd packages fix security issues
Advisory ID: FLSA:175406
Issue date: 2006-02-18
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2970 CVE-2005-3352 CVE-2005-3357
---------------------------------------------------------------------



---------------------------------------------------------------------
1. Topic:

Updated Apache httpd packages that correct three security issues are now
available.

The Apache HTTP Server is a popular and freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A memory leak in the worker MPM could allow remote attackers to cause a
denial of service (memory consumption) via aborted connections, which
prevents the memory for the transaction pool from being reused for other
connections. The Common Vulnerabilities and Exposures project assigned
the name CVE-2005-2970 to this issue. This vulnerability only affects
users who are using the non-default worker MPM.

A flaw in mod_imap when using the Referer directive with image maps was
discovered. With certain site configurations, a remote attacker could
perform a cross-site scripting attack if a victim can be forced to visit
a malicious URL using certain web browsers. (CVE-2005-3352)

A NULL pointer dereference flaw in mod_ssl was discovered affecting
server configurations where an SSL virtual host is configured with
access control and a custom 400 error document. A remote attacker could
send a carefully crafted request to trigger this issue which would lead
to a crash. This crash would only be a denial of service if using the
non-default worker MPM. (CVE-2005-3357)

Users of httpd should update to these erratum packages which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-9.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-9.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.21.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.21.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.21.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.10.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.10.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/httpd-2.0.51-2.9.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-2.0.51-2.9.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-devel-2.0.51-2.9.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/httpd-manual-2.0.51-2.9.5.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mod_ssl-2.0.51-2.9.5.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/httpd-2.0.53-3.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/httpd-2.0.53-3.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/httpd-devel-2.0.53-3.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/httpd-manual-2.0.53-3.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/httpd-suexec-2.0.53-3.4.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/mod_ssl-2.0.53-3.4.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/httpd-2.0.53-3.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/httpd-devel-2.0.53-3.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/httpd-manual-2.0.53-3.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/httpd-suexec-2.0.53-3.4.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/mod_ssl-2.0.53-3.4.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

c55d929dd5acbf4b0191a28b0ad128f1064810f8
redhat/7.3/updates/i386/apache-1.3.27-9.legacy.i386.rpm
aae52f7966d03dd6e81f8b8b5a090bf60fa8e601
redhat/7.3/updates/i386/apache-devel-1.3.27-9.legacy.i386.rpm
fafcea3e68311223b5a814a482927cd645c4356a
redhat/7.3/updates/i386/apache-manual-1.3.27-9.legacy.i386.rpm
db23f5e77a78f78a346104038a564f0197ee9414
redhat/7.3/updates/SRPMS/apache-1.3.27-9.legacy.src.rpm
8e6ca52b5fb88a43322a38966ffeb0285b0699e1
redhat/9/updates/i386/httpd-2.0.40-21.21.legacy.i386.rpm
be601feefd0483b24e3ce5efdfadcef6b5d7d040
redhat/9/updates/i386/httpd-devel-2.0.40-21.21.legacy.i386.rpm
8816478ae2287a3d2d4c9ca91d55662efcae2b87
redhat/9/updates/i386/httpd-manual-2.0.40-21.21.legacy.i386.rpm
2d565db0d6fa0756c51ca7aef8211b463c5f5348
redhat/9/updates/i386/mod_ssl-2.0.40-21.21.legacy.i386.rpm
e05115a5178fbf853dfe8fdc75b962c44a787316
redhat/9/updates/SRPMS/httpd-2.0.40-21.21.legacy.src.rpm
d34d8993fa09ebc2c017c98ac459688a913593f6
fedora/1/updates/i386/httpd-2.0.51-1.10.legacy.i386.rpm
1598bdf136a0ab14195df7d9f4425ab6442ab3f7
fedora/1/updates/i386/httpd-devel-2.0.51-1.10.legacy.i386.rpm
e5d6b42924b9fd81869cbe07f410abd2ecaa106e
fedora/1/updates/i386/httpd-manual-2.0.51-1.10.legacy.i386.rpm
56c59eec43c7d87f9f59f7068f80e2774de1784a
fedora/1/updates/i386/mod_ssl-2.0.51-1.10.legacy.i386.rpm
4294e34c392cc90465d35dbfda88f95aae87c291
fedora/1/updates/SRPMS/httpd-2.0.51-1.10.legacy.src.rpm
3572be6a040d0efe5e71186578b42bb991328254
fedora/2/updates/i386/httpd-2.0.51-2.9.5.legacy.i386.rpm
3d75ef3d7720894c886c4d1a1e52f97f2b4bb345
fedora/2/updates/i386/httpd-devel-2.0.51-2.9.5.legacy.i386.rpm
74c6d5286da4daf697f041d3084cab0a2fda46c6
fedora/2/updates/i386/httpd-manual-2.0.51-2.9.5.legacy.i386.rpm
72050bf7341db26b0d72b8565102bb55eb9be250
fedora/2/updates/i386/mod_ssl-2.0.51-2.9.5.legacy.i386.rpm
32a2bfe031fcbb40ed1db4a84bacc5ad78a7b7a4
fedora/2/updates/SRPMS/httpd-2.0.51-2.9.5.legacy.src.rpm
563dd27fb0e74e13d1b8960e189f05af60926333
fedora/3/updates/i386/httpd-2.0.53-3.4.legacy.i386.rpm
3673bec7d02bd1972c20cbca6d77bccf4c08f516
fedora/3/updates/i386/httpd-devel-2.0.53-3.4.legacy.i386.rpm
d004815e520338f6565e0f18d21847c6439c841f
fedora/3/updates/i386/httpd-manual-2.0.53-3.4.legacy.i386.rpm
48eac837da227883d681aa23e182ebb00174980f
fedora/3/updates/i386/httpd-suexec-2.0.53-3.4.legacy.i386.rpm
ffdb283132cdf0e0de7026709087781a4f2eabb0
fedora/3/updates/i386/mod_ssl-2.0.53-3.4.legacy.i386.rpm
dcf460eadeb704d54a807058d63e69c8a62b49b5
fedora/3/updates/x86_64/httpd-2.0.53-3.4.legacy.x86_64.rpm
eaa6dd54a8b8ad5165f8643ef4e34eef83f587b6
fedora/3/updates/x86_64/httpd-devel-2.0.53-3.4.legacy.x86_64.rpm
088d7acc09d35b63a9a5278575d2797f5202d811
fedora/3/updates/x86_64/httpd-manual-2.0.53-3.4.legacy.x86_64.rpm
332a9afb589537e33d895685bd145230834e77d1
fedora/3/updates/x86_64/httpd-suexec-2.0.53-3.4.legacy.x86_64.rpm
85c1f146a3f8e9af3ad44b5467cfebfb18eeaee5
fedora/3/updates/x86_64/mod_ssl-2.0.53-3.4.legacy.x86_64.rpm
b6698d717f8dd6b028ee32184bcc778724695a83
fedora/3/updates/SRPMS/httpd-2.0.53-3.4.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3357

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org