---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated httpd packages fix a security issue and bugs
Advisory ID:       RHSA-2004:562-01
Advisory URL:      https://access.redhat.com/errata/RHSA-2004:562.html
Issue date:        2004-11-12
Updated on:        2004-11-12
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2004-0885 CAN-2004-0942
---------------------------------------------------------------------

1. Summary:

Updated httpd packages that include fixes for two security issues, as well as
other bugs, are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

An issue has been discovered in the mod_ssl module when configured to use
the "SSLCipherSuite" directive in directory or location context.  If a
particular location context has been configured to require a specific set
of cipher suites, then a client will be able to access that location using
any cipher suite allowed by the virtual host configuration.   The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0885 to this issue.

An issue has been discovered in the handling of white space in request
header lines using MIME folding.  A malicious client could send a carefully
crafted request, forcing the server to consume large amounts of memory,
leading to a denial of service.  The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0942 to this issue.

Several minor bugs were also discovered, including:

- In the mod_cgi module, problems that arise when CGI scripts are
  invoked from SSI pages by mod_include using the "#include virtual"
  syntax have been fixed.

- In the mod_dav_fs module, problems with the handling of indirect locks
  on the S/390x platform have been fixed.

Users of the Apache HTTP server who are affected by these issues should
upgrade to these updated packages, which contain backported patches.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

     http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed  (http://bugzilla.redhat.com/ for more info):

132593 - mod_dav_fs: indirect lock refresh broken on s390x
134825 - CAN-2004-0885 SSLCipherSuite bypass
138064 - CAN-2004-0942 Memory consumption DoS

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS: 

118f06e0317eb7d5735990049199b354  httpd-2.0.46-44.ent.src.rpm

i386:
07294bc2ae372ae2c033f6c97a425371  httpd-2.0.46-44.ent.i386.rpm
f97f7661878d345e35e49ee5b903ee97  httpd-devel-2.0.46-44.ent.i386.rpm
7ff1d8de6d421d62b5f7c35df785304e  mod_ssl-2.0.46-44.ent.i386.rpm

ia64:
731331f101efda7820988a76265d5b29  httpd-2.0.46-44.ent.ia64.rpm
95451f6b0aaffbccffb8e77c88d36cc1  httpd-devel-2.0.46-44.ent.ia64.rpm
badd71a4a010b5b96d854de8b4ab14c5  mod_ssl-2.0.46-44.ent.ia64.rpm

ppc:
d399d5cbffd283d3e155a2e301542e6f  httpd-2.0.46-44.ent.ppc.rpm
ded92081a835c8e53ccbf6e8f47f244d  httpd-devel-2.0.46-44.ent.ppc.rpm
4a2a5d60a34a09550910738fde57f518  mod_ssl-2.0.46-44.ent.ppc.rpm

s390:
806ff06977f721712068a621c3981f7c  httpd-2.0.46-44.ent.s390.rpm
5912d5b3eb7d18071825ef4bfe3b139b  httpd-devel-2.0.46-44.ent.s390.rpm
6d2866cab66c09694ba6c98b39d3e52b  mod_ssl-2.0.46-44.ent.s390.rpm

s390x:
17bd982545f3e25953a4d3aff7d9ea22  httpd-2.0.46-44.ent.s390x.rpm
2299bd3c8d7a0a5ab525840fc453f1e1  httpd-devel-2.0.46-44.ent.s390x.rpm
51cc33598d9d4559f0daf860396e5ae5  mod_ssl-2.0.46-44.ent.s390x.rpm

x86_64:
1b8bce6493ff433f4fe8361b897d841e  httpd-2.0.46-44.ent.x86_64.rpm
7ce1eb8feef44ffdb30563484f214a61  httpd-devel-2.0.46-44.ent.x86_64.rpm
fc576fed7de6149c17d5158e87ec600c  mod_ssl-2.0.46-44.ent.x86_64.rpm

Red Hat Desktop version 3:

SRPMS: 

118f06e0317eb7d5735990049199b354  httpd-2.0.46-44.ent.src.rpm

i386:
07294bc2ae372ae2c033f6c97a425371  httpd-2.0.46-44.ent.i386.rpm
f97f7661878d345e35e49ee5b903ee97  httpd-devel-2.0.46-44.ent.i386.rpm
7ff1d8de6d421d62b5f7c35df785304e  mod_ssl-2.0.46-44.ent.i386.rpm

x86_64:
1b8bce6493ff433f4fe8361b897d841e  httpd-2.0.46-44.ent.x86_64.rpm
7ce1eb8feef44ffdb30563484f214a61  httpd-devel-2.0.46-44.ent.x86_64.rpm
fc576fed7de6149c17d5158e87ec600c  mod_ssl-2.0.46-44.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS: 

118f06e0317eb7d5735990049199b354  httpd-2.0.46-44.ent.src.rpm

i386:
07294bc2ae372ae2c033f6c97a425371  httpd-2.0.46-44.ent.i386.rpm
f97f7661878d345e35e49ee5b903ee97  httpd-devel-2.0.46-44.ent.i386.rpm
7ff1d8de6d421d62b5f7c35df785304e  mod_ssl-2.0.46-44.ent.i386.rpm

ia64:
731331f101efda7820988a76265d5b29  httpd-2.0.46-44.ent.ia64.rpm
95451f6b0aaffbccffb8e77c88d36cc1  httpd-devel-2.0.46-44.ent.ia64.rpm
badd71a4a010b5b96d854de8b4ab14c5  mod_ssl-2.0.46-44.ent.ia64.rpm

x86_64:
1b8bce6493ff433f4fe8361b897d841e  httpd-2.0.46-44.ent.x86_64.rpm
7ce1eb8feef44ffdb30563484f214a61  httpd-devel-2.0.46-44.ent.x86_64.rpm
fc576fed7de6149c17d5158e87ec600c  mod_ssl-2.0.46-44.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS: 

118f06e0317eb7d5735990049199b354  httpd-2.0.46-44.ent.src.rpm

i386:
07294bc2ae372ae2c033f6c97a425371  httpd-2.0.46-44.ent.i386.rpm
f97f7661878d345e35e49ee5b903ee97  httpd-devel-2.0.46-44.ent.i386.rpm
7ff1d8de6d421d62b5f7c35df785304e  mod_ssl-2.0.46-44.ent.i386.rpm

ia64:
731331f101efda7820988a76265d5b29  httpd-2.0.46-44.ent.ia64.rpm
95451f6b0aaffbccffb8e77c88d36cc1  httpd-devel-2.0.46-44.ent.ia64.rpm
badd71a4a010b5b96d854de8b4ab14c5  mod_ssl-2.0.46-44.ent.ia64.rpm

x86_64:
1b8bce6493ff433f4fe8361b897d841e  httpd-2.0.46-44.ent.x86_64.rpm
7ce1eb8feef44ffdb30563484f214a61  httpd-devel-2.0.46-44.ent.x86_64.rpm
fc576fed7de6149c17d5158e87ec600c  mod_ssl-2.0.46-44.ent.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
 

7. References:
 
Apache HTTP Server 2.0 vulnerabilities - The Apache HTTP Server Project 
CVE -CVE-2004-0885 
CVE -CVE-2004-0942

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at  

Copyright 2004 Red Hat, Inc.

Red Hat: httpd security issue and bugs fix

Updated httpd packages that include fixes for two security issues, as well as other bugs, are now available.

Summary



Summary

The Apache HTTP server is a powerful, full-featured, efficient, andfreely-available Web server.An issue has been discovered in the mod_ssl module when configured to usethe "SSLCipherSuite" directive in directory or location context. If aparticular location context has been configured to require a specific setof cipher suites, then a client will be able to access that location usingany cipher suite allowed by the virtual host configuration. The CommonVulnerabilities and Exposures project (cve.mitre.org) has assigned the nameCAN-2004-0885 to this issue.An issue has been discovered in the handling of white space in requestheader lines using MIME folding. A malicious client could send a carefullycrafted request, forcing the server to consume large amounts of memory,leading to a denial of service. The Common Vulnerabilities and Exposuresproject (cve.mitre.org) has assigned the name CAN-2004-0942 to this issue.Several minor bugs were also discovered, including:- In the mod_cgi module, problems that arise when CGI scripts are invoked from SSI pages by mod_include using the "#include virtual" syntax have been fixed.- In the mod_dav_fs module, problems with the handling of indirect locks on the S/390x platform have been fixed.Users of the Apache HTTP server who are affected by these issues shouldupgrade to these updated packages, which contain backported patches.


Solution

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):
132593 - mod_dav_fs: indirect lock refresh broken on s390x 134825 - CAN-2004-0885 SSLCipherSuite bypass 138064 - CAN-2004-0942 Memory consumption DoS
6. RPMs required:
Red Hat Enterprise Linux AS version 3:
SRPMS:
118f06e0317eb7d5735990049199b354 httpd-2.0.46-44.ent.src.rpm
i386: 07294bc2ae372ae2c033f6c97a425371 httpd-2.0.46-44.ent.i386.rpm f97f7661878d345e35e49ee5b903ee97 httpd-devel-2.0.46-44.ent.i386.rpm 7ff1d8de6d421d62b5f7c35df785304e mod_ssl-2.0.46-44.ent.i386.rpm
ia64: 731331f101efda7820988a76265d5b29 httpd-2.0.46-44.ent.ia64.rpm 95451f6b0aaffbccffb8e77c88d36cc1 httpd-devel-2.0.46-44.ent.ia64.rpm badd71a4a010b5b96d854de8b4ab14c5 mod_ssl-2.0.46-44.ent.ia64.rpm
ppc: d399d5cbffd283d3e155a2e301542e6f httpd-2.0.46-44.ent.ppc.rpm ded92081a835c8e53ccbf6e8f47f244d httpd-devel-2.0.46-44.ent.ppc.rpm 4a2a5d60a34a09550910738fde57f518 mod_ssl-2.0.46-44.ent.ppc.rpm
s390: 806ff06977f721712068a621c3981f7c httpd-2.0.46-44.ent.s390.rpm 5912d5b3eb7d18071825ef4bfe3b139b httpd-devel-2.0.46-44.ent.s390.rpm 6d2866cab66c09694ba6c98b39d3e52b mod_ssl-2.0.46-44.ent.s390.rpm
s390x: 17bd982545f3e25953a4d3aff7d9ea22 httpd-2.0.46-44.ent.s390x.rpm 2299bd3c8d7a0a5ab525840fc453f1e1 httpd-devel-2.0.46-44.ent.s390x.rpm 51cc33598d9d4559f0daf860396e5ae5 mod_ssl-2.0.46-44.ent.s390x.rpm
x86_64: 1b8bce6493ff433f4fe8361b897d841e httpd-2.0.46-44.ent.x86_64.rpm 7ce1eb8feef44ffdb30563484f214a61 httpd-devel-2.0.46-44.ent.x86_64.rpm fc576fed7de6149c17d5158e87ec600c mod_ssl-2.0.46-44.ent.x86_64.rpm
Red Hat Desktop version 3:
SRPMS:
118f06e0317eb7d5735990049199b354 httpd-2.0.46-44.ent.src.rpm
i386: 07294bc2ae372ae2c033f6c97a425371 httpd-2.0.46-44.ent.i386.rpm f97f7661878d345e35e49ee5b903ee97 httpd-devel-2.0.46-44.ent.i386.rpm 7ff1d8de6d421d62b5f7c35df785304e mod_ssl-2.0.46-44.ent.i386.rpm
x86_64: 1b8bce6493ff433f4fe8361b897d841e httpd-2.0.46-44.ent.x86_64.rpm 7ce1eb8feef44ffdb30563484f214a61 httpd-devel-2.0.46-44.ent.x86_64.rpm fc576fed7de6149c17d5158e87ec600c mod_ssl-2.0.46-44.ent.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
118f06e0317eb7d5735990049199b354 httpd-2.0.46-44.ent.src.rpm
i386: 07294bc2ae372ae2c033f6c97a425371 httpd-2.0.46-44.ent.i386.rpm f97f7661878d345e35e49ee5b903ee97 httpd-devel-2.0.46-44.ent.i386.rpm 7ff1d8de6d421d62b5f7c35df785304e mod_ssl-2.0.46-44.ent.i386.rpm
ia64: 731331f101efda7820988a76265d5b29 httpd-2.0.46-44.ent.ia64.rpm 95451f6b0aaffbccffb8e77c88d36cc1 httpd-devel-2.0.46-44.ent.ia64.rpm badd71a4a010b5b96d854de8b4ab14c5 mod_ssl-2.0.46-44.ent.ia64.rpm
x86_64: 1b8bce6493ff433f4fe8361b897d841e httpd-2.0.46-44.ent.x86_64.rpm 7ce1eb8feef44ffdb30563484f214a61 httpd-devel-2.0.46-44.ent.x86_64.rpm fc576fed7de6149c17d5158e87ec600c mod_ssl-2.0.46-44.ent.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS:
118f06e0317eb7d5735990049199b354 httpd-2.0.46-44.ent.src.rpm
i386: 07294bc2ae372ae2c033f6c97a425371 httpd-2.0.46-44.ent.i386.rpm f97f7661878d345e35e49ee5b903ee97 httpd-devel-2.0.46-44.ent.i386.rpm 7ff1d8de6d421d62b5f7c35df785304e mod_ssl-2.0.46-44.ent.i386.rpm
ia64: 731331f101efda7820988a76265d5b29 httpd-2.0.46-44.ent.ia64.rpm 95451f6b0aaffbccffb8e77c88d36cc1 httpd-devel-2.0.46-44.ent.ia64.rpm badd71a4a010b5b96d854de8b4ab14c5 mod_ssl-2.0.46-44.ent.ia64.rpm
x86_64: 1b8bce6493ff433f4fe8361b897d841e httpd-2.0.46-44.ent.x86_64.rpm 7ce1eb8feef44ffdb30563484f214a61 httpd-devel-2.0.46-44.ent.x86_64.rpm fc576fed7de6149c17d5158e87ec600c mod_ssl-2.0.46-44.ent.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from

References

Apache HTTP Server 2.0 vulnerabilities - The Apache HTTP Server Project CVE -CVE-2004-0885 CVE -CVE-2004-0942

Package List


Severity
Advisory ID: RHSA-2004:562-01
Advisory URL: https://access.redhat.com/errata/RHSA-2004:562.html
Issued Date: : 2004-11-12
Updated on: 2004-11-12
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0885 CAN-2004-0942

Topic

Updated httpd packages that include fixes for two security issues, as well asother bugs, are now available.


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64

Red Hat Desktop version 3 - i386, x86_64

Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64

Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64


Bugs Fixed


Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved