LinuxSecurity.com
RedHat: Important: httpd security update
Posted by Benjamin D. Thomas   
Updated Apache httpd packages that correct two security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having important security impact by the Red Hat Security Response Team.
- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: httpd security update
Advisory ID:       RHSA-2005:608-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-608.html
Issue date:        2005-09-06
Updated on:        2005-09-06
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2005-2700 CAN-2005-2728
- ---------------------------------------------------------------------

1. Summary:

Updated Apache httpd packages that correct two security issues are now
available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

The Apache HTTP Server is a popular and freely-available Web server.

A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient"
directive.  This flaw occurs if a virtual host is configured
using "SSLVerifyClient optional" and a directive "SSLVerifyClient
required" is set for a specific location.  For servers configured in this
fashion, an attacker may be able to access resources that should otherwise
be protected, by not supplying a client certificate when connecting.  The
Common Vulnerabilities and Exposures project assigned the name
CAN-2005-2700 to this issue.
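The configuration pattern the paragraph describes is easy to audit for before (and after) applying the errata. The following scanner is an added example for this page, not code from the advisory, from Red Hat or from the Apache project: it reads httpd configuration text, builds a tree of `<VirtualHost>`, `<Location>` and `<Directory>`-style containers, and reports every container that sets `SSLVerifyClient require` inside a virtual host whose own setting is `SSLVerifyClient optional` (or `optional_no_ca`; note that mod_ssl's accepted value is `require`, which the advisory text spells "required"). The directive names are real mod_ssl directives; the sample configuration and its host names are constructed.

```python
"""Scan httpd configuration text for the SSLVerifyClient mix in CAN-2005-2700.

Added example, not code from the advisory, Red Hat or the Apache project.
Containers are parsed into a tree first, so directive order within a block
does not matter (as in httpd itself). Sample configuration is constructed.
"""
import re

CONTAINERS = r"VirtualHost|Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch"
OPEN_RE = re.compile(rf"^\s*<({CONTAINERS})\b([^>]*)>", re.IGNORECASE)
CLOSE_RE = re.compile(rf"^\s*</({CONTAINERS})\s*>", re.IGNORECASE)
VERIFY_RE = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.IGNORECASE)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE)


def parse_containers(config_text):
    """Build a tree of container nodes with each node's own SSLVerifyClient mode."""
    root = {"tag": "root", "args": "", "name": None, "mode": None, "children": []}
    stack = [root]
    for raw in config_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # httpd comments occupy whole lines
        m = OPEN_RE.match(raw)
        if m:
            node = {"tag": m.group(1), "args": m.group(2).strip(),
                    "name": None, "mode": None, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            continue
        if CLOSE_RE.match(raw):
            if len(stack) > 1:
                stack.pop()
            continue
        m = VERIFY_RE.match(raw)
        if m:
            stack[-1]["mode"] = m.group(1).lower()
            continue
        m = SERVERNAME_RE.match(raw)
        if m:
            stack[-1]["name"] = m.group(1)
    return root


def find_optional_require_mix(config_text):
    """Return (vhost, container) pairs that match the risky pattern, in file order."""
    findings = []

    def walk(node, vhost):
        if node["tag"].lower() == "virtualhost":
            vhost = node
        elif (vhost is not None and node["mode"] == "require"
              and vhost["mode"] in ("optional", "optional_no_ca")):
            findings.append((vhost["name"] or vhost["args"],
                             f"<{node['tag']} {node['args']}>"))
        for child in node["children"]:
            walk(child, vhost)

    walk(parse_containers(config_text), None)
    return findings


# Constructed sample: the first vhost shows the combination the advisory
# describes; the second applies "require" at the vhost level instead.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    ServerName vuln.example.test
    SSLEngine on
    SSLVerifyClient optional
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName safe.example.test
    SSLEngine on
    SSLVerifyClient require
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for vhost, container in find_optional_require_mix(SAMPLE_CONFIG):
        print(f"{vhost}: {container} requires a client certificate, "
              f"but the enclosing vhost only makes one optional")
```

Run it against the concatenated configuration of each affected host (`httpd.conf` plus anything pulled in by `Include`); any hit identifies a vhost where the per-location requirement is the only thing standing between an unauthenticated client and the protected resource, which is exactly the case the errata packages fix.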

A flaw was discovered in Apache httpd where the byterange filter would
buffer certain responses into memory.  If a server has a dynamic
resource such as a CGI script or PHP script that generates a large amount
of data, an attacker could send carefully crafted requests in order to
consume resources, potentially leading to a Denial of Service.  (CAN-2005-2728)

Users of Apache httpd should update to these errata packages that contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

167102 - CAN-2005-2728 byterange memory DoS
167194 - CAN-2005-2700 SSLVerifyClient flaw


6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-46.3.ent.src.rpm
484b418c080a8fc60b3add4dfcf1900f  httpd-2.0.46-46.3.ent.src.rpm

i386:
319460633151ee1517c8148931ca72de  httpd-2.0.46-46.3.ent.i386.rpm
6cc3044405158920afedbd288430544c  httpd-devel-2.0.46-46.3.ent.i386.rpm
ee51eb393a77fcbc28640ab9c7c0376c  mod_ssl-2.0.46-46.3.ent.i386.rpm

ia64:
5f9c92619f6a7e60409aeef7b92f5056  httpd-2.0.46-46.3.ent.ia64.rpm
cba1acc27a9904ea4988159c81e96a97  httpd-devel-2.0.46-46.3.ent.ia64.rpm
15b4dba781df66f9cbcfc0230b96d261  mod_ssl-2.0.46-46.3.ent.ia64.rpm

ppc:
2ae362a59d4c95ef58879a9f74ec6c30  httpd-2.0.46-46.3.ent.ppc.rpm
2b61fbe228b61e5d113abd012e9bf619  httpd-devel-2.0.46-46.3.ent.ppc.rpm
6f653931571bfaebb519aecdbb7150c8  mod_ssl-2.0.46-46.3.ent.ppc.rpm

s390:
c59a7c3908fa71b8b7ba36d07cd0d0d4  httpd-2.0.46-46.3.ent.s390.rpm
2d3f8bf4a5745ba5b87d188f18d04a75  httpd-devel-2.0.46-46.3.ent.s390.rpm
e1bc611d1e4eaecffbc58ff669d16b39  mod_ssl-2.0.46-46.3.ent.s390.rpm

s390x:
ba883d990a3fc34d2c6d20b6329372c1  httpd-2.0.46-46.3.ent.s390x.rpm
57c48448f06e2444d285440a6e43631c  httpd-devel-2.0.46-46.3.ent.s390x.rpm
2f44730013c2c1aef58d4c81e9ae613b  mod_ssl-2.0.46-46.3.ent.s390x.rpm

x86_64:
d1bd5698951993680a3f4d78b332117e  httpd-2.0.46-46.3.ent.x86_64.rpm
9d57852140e597b4719cda1d8aee4101  httpd-devel-2.0.46-46.3.ent.x86_64.rpm
fc4beccd061aa1de3286a4548d820bcc  mod_ssl-2.0.46-46.3.ent.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/httpd-2.0.46-46.3.ent.src.rpm
484b418c080a8fc60b3add4dfcf1900f  httpd-2.0.46-46.3.ent.src.rpm

i386:
319460633151ee1517c8148931ca72de  httpd-2.0.46-46.3.ent.i386.rpm
6cc3044405158920afedbd288430544c  httpd-devel-2.0.46-46.3.ent.i386.rpm
ee51eb393a77fcbc28640ab9c7c0376c  mod_ssl-2.0.46-46.3.ent.i386.rpm

x86_64:
d1bd5698951993680a3f4d78b332117e  httpd-2.0.46-46.3.ent.x86_64.rpm
9d57852140e597b4719cda1d8aee4101  httpd-devel-2.0.46-46.3.ent.x86_64.rpm
fc4beccd061aa1de3286a4548d820bcc  mod_ssl-2.0.46-46.3.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-46.3.ent.src.rpm
484b418c080a8fc60b3add4dfcf1900f  httpd-2.0.46-46.3.ent.src.rpm

i386:
319460633151ee1517c8148931ca72de  httpd-2.0.46-46.3.ent.i386.rpm
6cc3044405158920afedbd288430544c  httpd-devel-2.0.46-46.3.ent.i386.rpm
ee51eb393a77fcbc28640ab9c7c0376c  mod_ssl-2.0.46-46.3.ent.i386.rpm

ia64:
5f9c92619f6a7e60409aeef7b92f5056  httpd-2.0.46-46.3.ent.ia64.rpm
cba1acc27a9904ea4988159c81e96a97  httpd-devel-2.0.46-46.3.ent.ia64.rpm
15b4dba781df66f9cbcfc0230b96d261  mod_ssl-2.0.46-46.3.ent.ia64.rpm

x86_64:
d1bd5698951993680a3f4d78b332117e  httpd-2.0.46-46.3.ent.x86_64.rpm
9d57852140e597b4719cda1d8aee4101  httpd-devel-2.0.46-46.3.ent.x86_64.rpm
fc4beccd061aa1de3286a4548d820bcc  mod_ssl-2.0.46-46.3.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-46.3.ent.src.rpm
484b418c080a8fc60b3add4dfcf1900f  httpd-2.0.46-46.3.ent.src.rpm

i386:
319460633151ee1517c8148931ca72de  httpd-2.0.46-46.3.ent.i386.rpm
6cc3044405158920afedbd288430544c  httpd-devel-2.0.46-46.3.ent.i386.rpm
ee51eb393a77fcbc28640ab9c7c0376c  mod_ssl-2.0.46-46.3.ent.i386.rpm

ia64:
5f9c92619f6a7e60409aeef7b92f5056  httpd-2.0.46-46.3.ent.ia64.rpm
cba1acc27a9904ea4988159c81e96a97  httpd-devel-2.0.46-46.3.ent.ia64.rpm
15b4dba781df66f9cbcfc0230b96d261  mod_ssl-2.0.46-46.3.ent.ia64.rpm

x86_64:
d1bd5698951993680a3f4d78b332117e  httpd-2.0.46-46.3.ent.x86_64.rpm
9d57852140e597b4719cda1d8aee4101  httpd-devel-2.0.46-46.3.ent.x86_64.rpm
fc4beccd061aa1de3286a4548d820bcc  mod_ssl-2.0.46-46.3.ent.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/httpd-2.0.52-12.2.ent.src.rpm
de6c9583b0be4f8a91d58f9d96082d3c  httpd-2.0.52-12.2.ent.src.rpm

i386:
2b535c428cc468bb8c94e88cb47b48a0  httpd-2.0.52-12.2.ent.i386.rpm
62933dc89da98cf4e2cdb885cb195d29  httpd-devel-2.0.52-12.2.ent.i386.rpm
573ee8e079b51dd2d6a474c7513ede63  httpd-manual-2.0.52-12.2.ent.i386.rpm
ee7ce0885eb313d0f359c89b0d22b637  httpd-suexec-2.0.52-12.2.ent.i386.rpm
df4a617088e7c3d22cdb88d149f81209  mod_ssl-2.0.52-12.2.ent.i386.rpm

ia64:
2c03808a9cf8081f395259ae21730af0  httpd-2.0.52-12.2.ent.ia64.rpm
99fcf9f0c7ea2b8a4248cd3a0d25da89  httpd-devel-2.0.52-12.2.ent.ia64.rpm
856092d56cc712997901f534a76f568c  httpd-manual-2.0.52-12.2.ent.ia64.rpm
92ac8b5beb4e12b1ead63f7027d07cfb  httpd-suexec-2.0.52-12.2.ent.ia64.rpm
a44cc800809c368c7455c1af306b8e7d  mod_ssl-2.0.52-12.2.ent.ia64.rpm

ppc:
7f49f8989dd2261c2d137af07e14ff54  httpd-2.0.52-12.2.ent.ppc.rpm
a6e1f360410c36f2cc641e321395fd16  httpd-devel-2.0.52-12.2.ent.ppc.rpm
69ce88336483a278bcad15ea6eaca096  httpd-manual-2.0.52-12.2.ent.ppc.rpm
f396126f7386857c22eeeef20d947652  httpd-suexec-2.0.52-12.2.ent.ppc.rpm
99b6d20eed066a3b565756ad83888d22  mod_ssl-2.0.52-12.2.ent.ppc.rpm

s390:
0cbd52d64a91644717a1df0e15ccc39a  httpd-2.0.52-12.2.ent.s390.rpm
ca79cb435376a78d9f6b33c83473defe  httpd-devel-2.0.52-12.2.ent.s390.rpm
3e8a5481d36c837350b17ee20c4fd429  httpd-manual-2.0.52-12.2.ent.s390.rpm
2899ee38bcd82766e731b57d3330ce9a  httpd-suexec-2.0.52-12.2.ent.s390.rpm
7b5f79e871aefd2482c18cff9904c7c4  mod_ssl-2.0.52-12.2.ent.s390.rpm

s390x:
ca68a1ae7ab25f761c901f28cd522f74  httpd-2.0.52-12.2.ent.s390x.rpm
09c838209a62cba64e5b28688e313026  httpd-devel-2.0.52-12.2.ent.s390x.rpm
caf032aaba9e03987ba1413743c47088  httpd-manual-2.0.52-12.2.ent.s390x.rpm
0eeea0d60e789902f10252c39b13140a  httpd-suexec-2.0.52-12.2.ent.s390x.rpm
cedd7dadf3408b281a9d4d7d45e31b16  mod_ssl-2.0.52-12.2.ent.s390x.rpm

x86_64:
34ec39c05630e576fad8859e8f233ba7  httpd-2.0.52-12.2.ent.x86_64.rpm
614164cb0770a14d30eacc211fed4242  httpd-devel-2.0.52-12.2.ent.x86_64.rpm
2b59b10e2c8e41ed23041e3d433a67c7  httpd-manual-2.0.52-12.2.ent.x86_64.rpm
2ce9c581b49e48da9db9b95e61f18ea9  httpd-suexec-2.0.52-12.2.ent.x86_64.rpm
048f5c406bac99d9026eca82573c59f1  mod_ssl-2.0.52-12.2.ent.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/httpd-2.0.52-12.2.ent.src.rpm
de6c9583b0be4f8a91d58f9d96082d3c  httpd-2.0.52-12.2.ent.src.rpm

i386:
2b535c428cc468bb8c94e88cb47b48a0  httpd-2.0.52-12.2.ent.i386.rpm
62933dc89da98cf4e2cdb885cb195d29  httpd-devel-2.0.52-12.2.ent.i386.rpm
573ee8e079b51dd2d6a474c7513ede63  httpd-manual-2.0.52-12.2.ent.i386.rpm
ee7ce0885eb313d0f359c89b0d22b637  httpd-suexec-2.0.52-12.2.ent.i386.rpm
df4a617088e7c3d22cdb88d149f81209  mod_ssl-2.0.52-12.2.ent.i386.rpm

x86_64:
34ec39c05630e576fad8859e8f233ba7  httpd-2.0.52-12.2.ent.x86_64.rpm
614164cb0770a14d30eacc211fed4242  httpd-devel-2.0.52-12.2.ent.x86_64.rpm
2b59b10e2c8e41ed23041e3d433a67c7  httpd-manual-2.0.52-12.2.ent.x86_64.rpm
2ce9c581b49e48da9db9b95e61f18ea9  httpd-suexec-2.0.52-12.2.ent.x86_64.rpm
048f5c406bac99d9026eca82573c59f1  mod_ssl-2.0.52-12.2.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/httpd-2.0.52-12.2.ent.src.rpm
de6c9583b0be4f8a91d58f9d96082d3c  httpd-2.0.52-12.2.ent.src.rpm

i386:
2b535c428cc468bb8c94e88cb47b48a0  httpd-2.0.52-12.2.ent.i386.rpm
62933dc89da98cf4e2cdb885cb195d29  httpd-devel-2.0.52-12.2.ent.i386.rpm
573ee8e079b51dd2d6a474c7513ede63  httpd-manual-2.0.52-12.2.ent.i386.rpm
ee7ce0885eb313d0f359c89b0d22b637  httpd-suexec-2.0.52-12.2.ent.i386.rpm
df4a617088e7c3d22cdb88d149f81209  mod_ssl-2.0.52-12.2.ent.i386.rpm

ia64:
2c03808a9cf8081f395259ae21730af0  httpd-2.0.52-12.2.ent.ia64.rpm
99fcf9f0c7ea2b8a4248cd3a0d25da89  httpd-devel-2.0.52-12.2.ent.ia64.rpm
856092d56cc712997901f534a76f568c  httpd-manual-2.0.52-12.2.ent.ia64.rpm
92ac8b5beb4e12b1ead63f7027d07cfb  httpd-suexec-2.0.52-12.2.ent.ia64.rpm
a44cc800809c368c7455c1af306b8e7d  mod_ssl-2.0.52-12.2.ent.ia64.rpm

x86_64:
34ec39c05630e576fad8859e8f233ba7  httpd-2.0.52-12.2.ent.x86_64.rpm
614164cb0770a14d30eacc211fed4242  httpd-devel-2.0.52-12.2.ent.x86_64.rpm
2b59b10e2c8e41ed23041e3d433a67c7  httpd-manual-2.0.52-12.2.ent.x86_64.rpm
2ce9c581b49e48da9db9b95e61f18ea9  httpd-suexec-2.0.52-12.2.ent.x86_64.rpm
048f5c406bac99d9026eca82573c59f1  mod_ssl-2.0.52-12.2.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/httpd-2.0.52-12.2.ent.src.rpm
de6c9583b0be4f8a91d58f9d96082d3c  httpd-2.0.52-12.2.ent.src.rpm

i386:
2b535c428cc468bb8c94e88cb47b48a0  httpd-2.0.52-12.2.ent.i386.rpm
62933dc89da98cf4e2cdb885cb195d29  httpd-devel-2.0.52-12.2.ent.i386.rpm
573ee8e079b51dd2d6a474c7513ede63  httpd-manual-2.0.52-12.2.ent.i386.rpm
ee7ce0885eb313d0f359c89b0d22b637  httpd-suexec-2.0.52-12.2.ent.i386.rpm
df4a617088e7c3d22cdb88d149f81209  mod_ssl-2.0.52-12.2.ent.i386.rpm

ia64:
2c03808a9cf8081f395259ae21730af0  httpd-2.0.52-12.2.ent.ia64.rpm
99fcf9f0c7ea2b8a4248cd3a0d25da89  httpd-devel-2.0.52-12.2.ent.ia64.rpm
856092d56cc712997901f534a76f568c  httpd-manual-2.0.52-12.2.ent.ia64.rpm
92ac8b5beb4e12b1ead63f7027d07cfb  httpd-suexec-2.0.52-12.2.ent.ia64.rpm
a44cc800809c368c7455c1af306b8e7d  mod_ssl-2.0.52-12.2.ent.ia64.rpm

x86_64:
34ec39c05630e576fad8859e8f233ba7  httpd-2.0.52-12.2.ent.x86_64.rpm
614164cb0770a14d30eacc211fed4242  httpd-devel-2.0.52-12.2.ent.x86_64.rpm
2b59b10e2c8e41ed23041e3d433a67c7  httpd-manual-2.0.52-12.2.ent.x86_64.rpm
2ce9c581b49e48da9db9b95e61f18ea9  httpd-suexec-2.0.52-12.2.ent.x86_64.rpm
048f5c406bac99d9026eca82573c59f1  mod_ssl-2.0.52-12.2.ent.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
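The GPG signature is the authoritative check (`rpm --checksig` on each package), but the MD5 list above is a useful second check for packages fetched by hand. The following is an added example, not a Red Hat tool: it parses the "RPMs required" section into a filename-to-digest map and compares every `.rpm` in a download directory against it. The embedded excerpt is copied from this advisory's RHEL 4 WS entries; any file you point it at is assumed to be a download you made yourself.

```python
"""Verify hand-downloaded errata RPMs against the MD5 list in an RHSA advisory.

Added example, not part of the advisory or of Red Hat tooling. Digest lines have
the form "<32 hex>  <filename>" under a product header and an architecture
header ("SRPMS:", "i386:", ...). ADVISORY_EXCERPT is copied from this page.
"""
import hashlib
import os
import re

DIGEST_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+\.rpm)$")
ARCH_RE = re.compile(r"^(SRPMS|i386|ia64|ppc|s390|s390x|x86_64):$")

# Copied from the advisory above (Red Hat Enterprise Linux WS version 4).
ADVISORY_EXCERPT = """\
Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/httpd-2.0.52-12.2.ent.src.rpm
de6c9583b0be4f8a91d58f9d96082d3c  httpd-2.0.52-12.2.ent.src.rpm

x86_64:
34ec39c05630e576fad8859e8f233ba7  httpd-2.0.52-12.2.ent.x86_64.rpm
614164cb0770a14d30eacc211fed4242  httpd-devel-2.0.52-12.2.ent.x86_64.rpm
2b59b10e2c8e41ed23041e3d433a67c7  httpd-manual-2.0.52-12.2.ent.x86_64.rpm
2ce9c581b49e48da9db9b95e61f18ea9  httpd-suexec-2.0.52-12.2.ent.x86_64.rpm
048f5c406bac99d9026eca82573c59f1  mod_ssl-2.0.52-12.2.ent.x86_64.rpm
"""


def parse_rpm_section(text):
    """Map filename -> (arch, md5) for every digest line in the section."""
    expected = {}
    arch = None
    for line in text.splitlines():
        line = line.strip()
        m = ARCH_RE.match(line)
        if m:
            arch = m.group(1)
            continue
        m = DIGEST_RE.match(line)
        if m and arch:
            digest, fname = m.groups()
            # The same package name appears under several products; the
            # digests must agree or the advisory text has been tampered with.
            if fname in expected and expected[fname][1] != digest:
                raise ValueError(f"conflicting digests for {fname}")
            expected[fname] = (arch, digest)
    return expected


def md5_file(path):
    """Hex MD5 of a file, read in chunks so large RPMs are not slurped into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, expected):
    """Return {filename: 'ok' | 'MISMATCH' | 'unlisted'} for each .rpm in directory."""
    results = {}
    for fname in sorted(os.listdir(directory)):
        if not fname.endswith(".rpm"):
            continue
        actual = md5_file(os.path.join(directory, fname))
        if fname not in expected:
            results[fname] = "unlisted"  # not in the advisory: do not install
        elif actual == expected[fname][1]:
            results[fname] = "ok"
        else:
            results[fname] = "MISMATCH"
    return results


def all_verified(results):
    """True only when at least one package was checked and every one matched."""
    return bool(results) and all(status == "ok" for status in results.values())


if __name__ == "__main__":
    import sys
    expected = parse_rpm_section(ADVISORY_EXCERPT)
    results = verify_downloads(sys.argv[1] if len(sys.argv) > 1 else ".", expected)
    for fname, status in results.items():
        print(f"{status:8s} {fname}")
    sys.exit(0 if all_verified(results) else 1)
```

A mismatch or an unlisted file is a stop signal rather than a warning: the package either did not come from the errata set or was altered in transit, and the signature check should then be consulted before anything is installed.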

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.