-----------------------------------------------------------------------
Fedora Legacy Update AdvisorySynopsis: Updated httpd, apache and mod_ssl packages fix
security issues
Advisory ID: FLSA:2148
Issue date: 2004-12-03
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2148
CVE Names: CAN-2004-0885 CAN-2004-0940 CAN-2004-0942
-----------------------------------------------------------------------
----------------------------------------------------------------------- 1. Topic:
Updated httpd packages that include fixes for security issues are now available.
The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server.
Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386
An issue has been discovered in the mod_ssl module when configured to use the "SSLCipherSuite" directive in directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client will be able to access that location using any cipher suite allowed by the virtual host configuration. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0885 to this issue.
A buffer overflow in mod_include could allow a local user who is authorised to create server side include (SSI) files to gain the privileges of a httpd child. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0940 to this issue.
An issue has been discovered in the handling of white space in request header lines using MIME folding. A malicious client could send a carefully crafted request, forcing the server to consume large amounts of memory, leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0942 to this issue.
Users of the Apache HTTP server should upgrade to these updated packages, which contain patches that address these issues.
Before applying this update, make sure all previously released errata relevant to your system have been applied.
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www fedoralegacy.org/docs for directions on how to configure yum and apt-get.
SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-6.legacy.src.rpm http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-7.legacy.src.rpm
i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-6.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-6.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-6.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_ssl-2.8.12-7.legacy.i386.rpm
SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.17.legacy.src.rpm
i386: http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.17.legacy.i386.rpm
SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.6.legacy.src.rpm
i386: http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.6.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.6.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.6.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.6.legacy.i386.rpm
SHA1 sum Package Name ---------------------------------------------------------------------------
These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy org/about/security.php
If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942 http://www.apacheweek.com/features/security-20 http://www.apacheweek.com/features/security-13
The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org
Attachment:
signature.asc
Description: OpenPGP digital signature