Bug 175406
| Summary: | CVE-2005-2970, CVE-2005-3352, CVE-2005-3357 Apache httpd multiple security issues | | |
|---|---|---|---|
| Product: | [Retired] Fedora Legacy | Reporter: | John Dalbec <jpdalbec> |
| Component: | httpd | Assignee: | Fedora Legacy Bugs <bugs> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | fc2 | CC: | deisenst, dgunchev, pekkas, tao |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| URL: | http://www.apache.org/dist/httpd/Announcement2.0.html | | |
| Whiteboard: | LEGACY, rh73, rh90, 1, 2, 3 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-02-18 19:15:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
John Dalbec
2005-12-09 20:58:57 UTC
New issue: CVE-2005-3352 cross-site scripting flaw in mod_imap

Ref: Fedora Core: Bug #175714
Ref: Red Hat Enterprise Linux: Bug #175602
Ref: BugTraq ID 15834 http://www.securityfocus.com/bid/15834

From http://issues.apache.org/bugzilla/show_bug.cgi?id=37874

Summary: A flaw in the imagemap processing module, mod_imap, in versions of Apache httpd 1.3, 2.0 and 2.2 can in some circumstances cause the referer header to be output without being escaped in HTML. This could allow an attacker who is able to influence the referer header the ability to do cross-site scripting attacks against sites using mod_imap in a vulnerable configuration.

Impact: moderate (http://httpd.apache.org/security/impact_levels.html)

Mitigation: This flaw only affects sites using mod_imap with a map file that contains the "referer" directive.

... (More details available and patches available in http://issues.apache.org/bugzilla/show_bug.cgi?id=37874).

Note that the CVE-2005-2790 issue is being handled by Red Hat as:
* Fedora Core 3&4: Bug #171759
* RHEL 3 & 4: Bug #171756

CVE-2005-2790 should affect RH9, FC1 & FC2.
CVE-2005-3352 should affect RH73, RH9, FC1, & FC2.

s/CVE-2005-2790/CVE-2005-2970/ in comment #2. :(

RedHat has issued RHSA-2006:0159-01: https://rhn.redhat.com/errata/RHSA-2006-0159.html for CVE-2005-2970, CVE-2005-3352 & CVE-2005-3357 for RHEL 3 & 4.

"A memory leak in the worker MPM could allow remote attackers to cause a denial of service (memory consumption) via aborted connections, which prevents the memory for the transaction pool from being reused for other connections. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2970 to this issue. This vulnerability only affects users who are using the non-default worker MPM.

"A flaw in mod_imap when using the Referer directive with image maps was discovered. With certain site configurations, a remote attacker could perform a cross-site scripting attack if a victim can be forced to visit a malicious URL using certain web browsers. (CVE-2005-3352)

"A NULL pointer dereference flaw in mod_ssl was discovered affecting server configurations where an SSL virtual host is configured with access control and a custom 400 error document. A remote attacker could send a carefully crafted request to trigger this issue which would lead to a crash. This crash would only be a denial of service if using the non-default worker MPM. (CVE-2005-3357)"

------

RedHat has issued RHSA-2006:0158-01: https://rhn.redhat.com/errata/RHSA-2006-0158.html for CVE-2005-3352 for RHEL 2.1.

------

CVE-2005-2790 should affect RH9, FC1, FC2, & FC3. (Only in Apache 2.x). (Also see Bug #171756)
CVE-2005-3352 should affect RH73, RH9, FC1, FC2, & FC3. (Also see Bug #175602, <http://issues.apache.org/bugzilla/show_bug.cgi?id=37874>.)
CVE-2005-3357 should affect RH9, FC1, FC2, & FC3. (Only in Apache 2.x). (Also see Bug #175720, <http://issues.apache.org/bugzilla/show_bug.cgi?id=37791>.)

Can somebody add to the Status Whiteboard: "LEGACY, NEEDSWORK, rh73, rh90, 1, 2, 3"?
Can somebody change this bug's summary to: "CVE-2005-2970, CVE-2005-2970, CVE-2005-2970 Apache httpd multiple security issues"?
Can someone change this bug's component from "apache" to "httpd"?
Can someone change this bug's severity from "Normal" to "Security"?
I cannot do any of these changes. Thanks.
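As an added check (not code from this bug thread or from the httpd project), the script below audits an httpd 2.0 configuration for the preconditions the advisories above describe: mod_imap loaded and handling a map file that uses the `referer` directive (CVE-2005-3352), and the non-default worker MPM, which is what turns CVE-2005-2970 and CVE-2005-3357 into a denial of service. The httpd.conf, map files and `httpd -l` output are constructed samples, and the assumption that the `referer` target appears as a whitespace-separated word in a map file is mine.

```python
import re

# Constructed sample inputs standing in for /etc/httpd/conf/httpd.conf,
# two imagemap files and the output of `httpd -l` (not taken from any host).
HTTPD_CONF = """\
LoadModule imap_module modules/mod_imap.so
AddHandler imap-file map
"""
MAP_FILES = {
    "/var/www/html/nav.map": "base /\n# fall back to the referring page\n"
                             "default referer\nrect /docs 0,0 100,50\n",
    "/var/www/html/plain.map": "base /\nrect /docs 0,0 100,50\n",
}
HTTPD_L_OUTPUT = "Compiled in modules:\n  core.c\n  worker.c\n  http_core.c\n"


def imap_enabled(conf):
    """True when mod_imap is loaded and some handler routes files to it."""
    lines = [l.strip() for l in conf.splitlines() if not l.lstrip().startswith("#")]
    loaded = any(re.match(r"LoadModule\s+imap_module\b", l) for l in lines)
    handled = any(re.search(r"\bimap-file\b", l) for l in lines)
    return loaded and handled


def referer_lines(map_text):
    """1-based line numbers of map entries whose target is 'referer'."""
    hits = []
    for n, line in enumerate(map_text.splitlines(), 1):
        words = line.strip().lower().split()
        if words and not words[0].startswith("#") and "referer" in words:
            hits.append(n)
    return hits


def worker_mpm(httpd_l):
    """True when `httpd -l` lists the non-default worker MPM as compiled in."""
    return "worker.c" in httpd_l.split()


def audit(conf, maps, httpd_l):
    """Report which of the advisory's preconditions this configuration meets."""
    exposed = {}
    if imap_enabled(conf):
        exposed = {p: referer_lines(t) for p, t in maps.items() if referer_lines(t)}
    return {"cve_2005_3352_maps": exposed,      # XSS needs mod_imap + 'referer'
            "worker_mpm": worker_mpm(httpd_l)}  # makes 2970/3357 a DoS


if __name__ == "__main__":
    print(audit(HTTPD_CONF, MAP_FILES, HTTPD_L_OUTPUT))
```

A map file that is flagged needs either the patched package or the `referer` entry removed; a prefork build is not exposed to the two worker-only denial-of-service issues.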
I'll work on this tonight

Here are updated rpms to QA:

Changelog:
* Sun Jan 22 2006 Marc Deslauriers <marcdeslauriers> 2.0.53-3.4.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970), and bug fixes for handling resource allocation failures (#171759)

http://www.infostrategique.com/linuxrpms/legacy/7.3/apache-1.3.27-9.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-2.0.40-21.21.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/httpd-2.0.51-1.10.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/httpd-2.0.51-2.9.5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/httpd-2.0.53-3.4.legacy.src.rpm

QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patches either identical to RHEL, or trivial backports

+PUBLISH RHL73,RHL9,FC1,FC2,FC3

Packages were pushed to updates-testing

8e6ca52b5fb88a43322a38966ffeb0285b0699e1 httpd-2.0.40-21.21.legacy.i386.rpm
2d565db0d6fa0756c51ca7aef8211b463c5f5348 mod_ssl-2.0.40-21.21.legacy.i386.rpm

install OK, apache restarts OK. main site and virtuals serve fine, https works fine.

+VERIFY RH9

Test with RHL73. Installs OK, signatures OK. Required manual restart, but worked just fine.

+VERIFY RHL73

Timeout in 2 weeks.

I performed verify QA on the FC1 package. Package upgraded OK. Main and virtual test site fine, https works as well.

+VERIFY FC1

New policy: >= 2 VERIFYs, 1 week timeout.

In the last httpd packages that we issued on November 9th, it is likely that we ended up introducing a regression error that is causing at least one of our users a problem. Doncho N. Gunchev reports in Bug 180470 that certain SSL functions (part of the mod_ssl binary package) no longer work in FC1 which do work for him in a previous Fedora Legacy package update. To give Doncho an opportunity to look into whether Legacy's testing packages fix his issue and respond in this bug ticket (as I suggested to him in Bug 180470), I am recommending here that we do *not* advance the timeout date for this package to 20060217.

It appears that Red Hat may well have fixed Bug 180470's issues in their RHSA-2006-0159 (see Bug 123585 and Bug 170383).

Any update on this one? Do we need to respin to fix some earlier patches?
The patches are not at fault. Doncho N. Gunchev's problem is a side-effect of httpd not supporting what he is trying to do. Before the patch, httpd would let him access data without proper authentication, which is not good. The Red Hat patch to introduce the required functionality for what he wants to do is a bit too intrusive to simply add to these packages.

Ok, that was my impression as well, so we're just going to release these.

Packages were released.