Bug 166941
Summary: | mod_ssl/httpd multiple vulnerabilities - CAN-2005-2700, CAN-2005-2728 | | |
---|---|---|---|
Product: | [Retired] Fedora Legacy | Reporter: | Jeff Sheltren <sheltren> |
Component: | httpd | Assignee: | Fedora Legacy Bugs <bugs> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | deisenst, ibaldo, jimpop, jpdalbec, michal, pekkas, redhat-bugzilla, stu |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | rh73, rh9, 1, 2 | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2005-11-10 03:02:24 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Jeff Sheltren
2005-08-28 12:44:25 UTC
I guess we need to also add two more CANs to this - CAN-2005-2700 and CAN-2005-2728. See https://rhn.redhat.com/errata/RHSA-2005-608.html

05.35.13 CVE: Not Available
Platform: Cross Platform
Title: Apache CGI Byterange Request Denial of Service
Description: Apache is a freely available, open source Web server software package. It is distributed and maintained by the Apache Group. Apache is prone to a denial of service when handling large CGI byterange requests. This may also be triggered by ProxyRequests. The problem occurs because Apache does not free memory used in these requests, allowing multiple requests to consume all memory and swap space.
Ref: http://www.securityfocus.com/advisories/9117
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728

20050829, it's near a month of this now...

CAN-2005-1268 and CAN-2005-2088 were already patched, see bug #157701. Sorry for the dupe.

I've created packages to fix CAN-2005-2700 and CAN-2005-2728. Here are the sha1sums:

846dc14ec54b040361672ade32b326a7f25a5835 httpd-2.0.40-21.19.legacy.src.rpm
1f14d6b1b41bf51c736da5d0a7ab589806cc34c0 httpd-2.0.51-1.8.legacy.src.rpm
48664ce621750e8253f25b4417a4880bb16e0368 httpd-2.0.51-2.9.3.legacy.src.rpm

And the packages can be found here: http://www.cs.ucsb.edu/~jeff/legacy/httpd/

Note, I also removed the 'Serial' tag from the spec (used for the mod_ssl package). That has been deprecated and so I couldn't build the SRPMs on FC4 (in order to feed them to mock). Since the serial should only be used if RPM can't figure out the version/release, this should not be an issue.

OK, rh73 mod_ssl package is also vulnerable to CAN-2005-2700, so I'm also including that here. Here is an updated mod_ssl for RH7.3 using the patch from RHEL 2.1: http://www.cs.ucsb.edu/~jeff/legacy/httpd/mod_ssl-2.8.12-8.legacy.src.rpm

f9ea24c89593eebe6ab9da47f49f6e6ef56d415c mod_ssl-2.8.12-8.legacy.src.rpm

I think the "Serial" tag is the old name for "Epoch", and should be replaced by "Epoch: 1" instead of removing it to ensure rpm can upgrade the mod_ssl package. Without this rpm will assume the older package with the Serial/Epoch is newer.

Oh, I see that now, thanks. I'll post updated packages using 'Epoch' hopefully later today.

Created new httpd packages with the 'epoch' tag instead of using 'serial' (or commenting out serial). They're in the same place as before: http://www.cs.ucsb.edu/~jeff/legacy/httpd/ The 7.3 mod_ssl package is unchanged; here are the checksums for the new httpd packages:

3814a0ad773689968a26256a3ff51bd5dc10ca2d httpd-2.0.40-21.20.legacy.src.rpm
449274b284280cf9cf20ecaae8890f1f22f3d61f httpd-2.0.51-1.9.legacy.src.rpm
be3328a223be1e97d52437d9c540775a4d21a608 httpd-2.0.51-2.9.4.legacy.src.rpm

QA w/ rpm-build-compare.sh:
- spec file changes minimal
- source integrity good
- patches identical to RHEL

+PUBLISH RHL73, RHL9, FC1, FC2

f9ea24c89593eebe6ab9da47f49f6e6ef56d415c mod_ssl-2.8.12-8.legacy.src.rpm
3814a0ad773689968a26256a3ff51bd5dc10ca2d httpd-2.0.40-21.20.legacy.src.rpm
449274b284280cf9cf20ecaae8890f1f22f3d61f httpd-2.0.51-1.9.legacy.src.rpm
be3328a223be1e97d52437d9c540775a4d21a608 httpd-2.0.51-2.9.4.legacy.src.rpm

Packages were pushed to updates-testing.

installed:
f0b6c4125d2d20acfceb179da0fe2811 httpd-2.0.40-21.20.legacy.i386.rpm
b0bd6ddc3fd86666774a72d43853207d mod_ssl-2.0.40-21.20.legacy.i386.rpm

installs OK, apache manually stops and starts OK, http and https pages serve OK (including php-generated pages under both protocols).

+VERIFY RH9

QA for RHL73: gpg signature OK, mod_ssl installs nicely, serving httpd works fine after the update.

++VERIFY RHL73

Timeout in 2 weeks.

*** Bug 168420 has been marked as a duplicate of this bug. ***

++VERIFY RH73

mod_ssl upgrades and works fine (note: had to manually restart httpd).

670aa135fb5073b29e94f0a3fe2db9e592b40558 mod_ssl-2.8.12-8.legacy.i386.rpm

++VERIFY for RHL 9

RHL 9 Packages:
2e1f513ec64bc94dd087138282fb0e868a1a3abe httpd-2.0.40-21.20.legacy.i386.rpm
8fbff503cd3bf5ce657dbd977b063437775750f7 httpd-devel-2.0.40-21.20.legacy.i386.rpm
b0313b4f0203cd03c84facefb1eebdb4ed928c26 httpd-manual-2.0.40-21.20.legacy.i386.rpm
cface2ec6aca89b8c4641055cabd14a7b37a4ebf mod_ssl-2.0.40-21.20.legacy.i386.rpm

SHA1 checksums all match test update advisory. Signatures verify okay. I installed all the packages on a RHL 9 machine without problem. I restarted web server without incident. Checked the apache, php, etc. all still worked. Vote for release for RHL 9.

++VERIFY

Fedora Core 1 Packages:
d5cbd7cfdd31b1a6222727f99366407eb06e53e7 httpd-2.0.51-1.9.legacy.i386.rpm
994e4b34b91ae60eb7f632dc50b39c1f5e89aca4 httpd-devel-2.0.51-1.9.legacy.i386.rpm
b75c88ba3deda8aed4cb3d6e5d4ea55141554723 httpd-manual-2.0.51-1.9.legacy.i386.rpm
465efbcc39ef52325928c2dc8093fc6447c33477 mod_ssl-2.0.51-1.9.legacy.i386.rpm

* Package SHA1sums and signatures were fine.
* Packages installed fine.
* (Minor burp with mod_ssl's installation, in the post-install scriptlet, but that was due to a corrupt already-existing '/etc/httpd/conf/ssl.key/server.key' file when it tried to create the 'server.crt' file (which didn't exist). Deleting server.key and re-installing mod_ssl created a good sample X509 self-signed certificate pair.)
* Webserver daemon works fine, served up both http: and https: URLs well; able to run CGI scripts; PHP works with the updated Apache.
* Had no opportunity to test httpd-devel package. However, using the rpm-build-compare script shows the files are exactly the same as the ones in my previously-installed httpd-devel-2.0.51-1.6.legacy.i386.rpm package.
* Have no idea if the "SSLVerifyClient" (CVE-2005-2700) or byterange filter DoS (CVE-2005-2728) vulnerabilities are fixed or not. Am not sure how to test those.

Works for me. I vote VERIFY++ FC1.

Timeout over. Packages were released.
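The Serial/Epoch exchange above turns on how rpm orders package labels: the epoch is compared first and overrides version and release, so an installed mod_ssl built with Serial 1 would outrank a 2.8.12-8.legacy update that dropped the tag. The following is an added illustration, not code from the bug or from rpm itself: a simplified Python reimplementation of rpm's rpmvercmp segment comparison plus epoch-version-release ordering (the '~' and '^' prefixes are not handled), run over a constructed scenario in which the installed package's release number "7" is a placeholder not taken from the thread.

```python
import re

# Split a version or release string into digit runs and alpha runs, as rpmvercmp does.
SEGMENTS = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm's rpmvercmp does.
    Simplified reimplementation: '~' and '^' are not handled. Returns -1, 0 or 1."""
    sa, sb = SEGMENTS.findall(a), SEGMENTS.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            # numeric segments: drop leading zeros, then the longer number is larger
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        elif xd != yd:
            return 1 if xd else -1      # a numeric segment always beats an alpha one
        if x != y:
            return 1 if x > y else -1   # equal-length numbers and alpha runs: lexical
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # whichever still has segments left wins

def evr_cmp(a, b) -> int:
    """a and b are (epoch, version, release) tuples; a missing epoch counts as 0.
    The epoch is compared first and overrides version and release entirely."""
    ea, eb = int(a[0] or 0), int(b[0] or 0)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def update_wins(installed, candidate) -> bool:
    """True if rpm -U would treat candidate as newer than the installed package."""
    return evr_cmp(candidate, installed) > 0

# Constructed scenario (assumption, not from the bug): the installed RH7.3 mod_ssl
# carries Serial/Epoch 1 and a placeholder release "7"; the candidate update is the
# thread's mod_ssl-2.8.12-8.legacy, once without and once with "Epoch: 1".
INSTALLED  = ("1",  "2.8.12", "7")
NO_EPOCH   = (None, "2.8.12", "8.legacy")   # Serial tag simply removed
WITH_EPOCH = ("1",  "2.8.12", "8.legacy")   # Serial replaced by Epoch: 1

if __name__ == "__main__":
    print("update without Epoch accepted:", update_wins(INSTALLED, NO_EPOCH))    # False
    print("update with Epoch: 1 accepted:", update_wins(INSTALLED, WITH_EPOCH))  # True
```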