Bug 175406

Summary: CVE-2005-2970, CVE-2005-3352, CVE-2005-3357 Apache httpd multiple security issues
Product: [Retired] Fedora Legacy
Reporter: John Dalbec <jpdalbec>
Component: httpd
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: fc2
CC: deisenst, dgunchev, pekkas, tao
Keywords: Security
Hardware: i386
OS: Linux
URL: http://www.apache.org/dist/httpd/Announcement2.0.html
Whiteboard: LEGACY, rh73, rh90, 1, 2, 3
Doc Type: Bug Fix
Last Closed: 2006-02-18 19:15:09 UTC

Description John Dalbec 2005-12-09 20:58:57 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20051012 Netscape/8.0.4

Description of problem:
05.49.32 CVE: CVE-2005-2970
Platform: Cross Platform
Title: Apache MPM Worker.C Denial of Service
Description: Apache web-server is prone to a memory leak due to a flaw
in the "worker.c" file, causing a denial of service vulnerability.
Apache versions earlier than 2.0.55 are vulnerable.
Ref: http://www.apache.org/dist/httpd/Announcement2.0.html 

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:

Comment 1 David Eisenstein 2005-12-21 11:58:04 UTC
New issue:  CVE-2005-3352 cross-site scripting flaw in mod_imap
Ref:        Fedora Core:               Bug #175714
Ref:        Red Hat Enterprise Linux:  Bug #175602
Ref:        BugTraq ID 15834   http://www.securityfocus.com/bid/15834

From        http://issues.apache.org/bugzilla/show_bug.cgi?id=37874

Summary:

A flaw in the imagemap processing module, mod_imap, in versions of Apache httpd
1.3, 2.0 and 2.2 can in some circumstances cause the referer header to be output
without being escaped in HTML.  This could allow an attacker who is able to
influence the referer header the ability to do cross-site scripting attacks
against sites using mod_imap in a vulnerable configuration.

Impact: 

moderate (http://httpd.apache.org/security/impact_levels.html)

Mitigation:

This flaw only affects sites using mod_imap with a map file that contains the
"referer" directive.   ...

(More details available and patches available in
   http://issues.apache.org/bugzilla/show_bug.cgi?id=37874).
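
The mitigation quoted above says the flaw only reaches sites whose map files (or ImapBase/ImapDefault settings) select "referer" as a target. The following is an added checker written for this page, not code from the bug report or from Apache httpd; it assumes the documented mod_imap map syntax and the ImapBase/ImapDefault directives, and all sample input is constructed.

```python
"""Check mod_imap inputs for the 'referer' target named in the CVE-2005-3352 mitigation.

Added example, not code from the bug report or from Apache httpd. It assumes the
documented mod_imap map syntax ('#' comment lines; a target that is a URL or one of
map/menu/referer/nocontent/error) and the ImapBase/ImapDefault httpd.conf
directives. All sample input is constructed.
"""
import re
from typing import List, Tuple

# Map-file directives whose second field is the target (URL or keyword).
IMAP_DIRECTIVES = {"base", "default", "rect", "circle", "poly", "point"}
# httpd.conf directives that can also select 'referer' as a target.
CONF_RE = re.compile(r"^\s*(ImapBase|ImapDefault)\s+referer\s*$",
                     re.IGNORECASE | re.MULTILINE)


def find_referer_targets(map_text: str) -> List[Tuple[int, str]]:
    """Return (line number, directive) for each map line whose target is 'referer'.

    Such lines make mod_imap echo the client's Referer header into its generated
    menu or redirect, the condition the advisory's mitigation names as vulnerable.
    """
    hits = []
    for lineno, raw in enumerate(map_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        fields = line.split()
        if (fields[0].lower() in IMAP_DIRECTIVES and len(fields) >= 2
                and fields[1].lower() == "referer"):
            hits.append((lineno, fields[0].lower()))
    return hits


def conf_referer_directives(conf_text: str) -> List[str]:
    """Return the ImapBase/ImapDefault directives that are set to 'referer'."""
    return [m.group(1) for m in CONF_RE.finditer(conf_text)]


# Constructed sample map: 'referer' used for both base and default.
SAMPLE_MAP = """\
# navigation imagemap (constructed)
base referer
default referer
rect http://example.invalid/docs/ 0,0 100,50
circle menu 150,25 10
"""
```

Run it over every map file referenced by an `AddHandler imap-file` or `.map` location and over httpd.conf; any hit means the site is in the configuration the advisory describes and the patched package matters.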

Comment 2 David Eisenstein 2005-12-21 12:09:42 UTC
Note that the CVE-2005-2790 issue is being handled by Red Hat as:

   * Fedora Core 3&4:        Bug #171759
   * RHEL 3 & 4              Bug #171756

CVE-2005-2790 should affect RH9, FC1 & FC2.
CVE-2005-3352 should affect RH73, RH9, FC1, & FC2.

Comment 3 David Eisenstein 2005-12-21 12:11:40 UTC
s/CVE-2005-2790/CVE-2005-2970/  in comment #2.

:(

Comment 4 David Eisenstein 2006-01-19 06:01:24 UTC
RedHat has issued RHSA-2006:0159-01:
  https://rhn.redhat.com/errata/RHSA-2006-0159.html
for CVE-2005-2970, CVE-2005-3352 & CVE-2005-3357
for RHEL 3 & 4.

"A memory leak in the worker MPM could allow remote attackers to cause a
denial of service (memory consumption) via aborted connections, which
prevents the memory for the transaction pool from being reused for other
connections.  The Common Vulnerabilities and Exposures project assigned the
name CVE-2005-2970 to this issue.  This vulnerability only affects users
who are using the non-default worker MPM.

"A flaw in mod_imap when using the Referer directive with image maps was
discovered.  With certain site configurations, a remote attacker could
perform a cross-site scripting attack if a victim can be forced to visit a
malicious URL using certain web browsers.  (CVE-2005-3352)

"A NULL pointer dereference flaw in mod_ssl was discovered affecting server
configurations where an SSL virtual host is configured with access control
and a custom 400 error document.  A remote attacker could send a carefully
crafted request to trigger this issue which would lead to a crash.  This
crash would only be a denial of service if using the non-default worker
MPM.  (CVE-2005-3357)"

------

RedHat has issued RHSA-2006:0158-01:
   https://rhn.redhat.com/errata/RHSA-2006-0158.html
for CVE-2005-3352  for RHEL 2.1.

-------
CVE-2005-2790 should affect RH9, FC1, FC2, & FC3.  (Only in Apache 2.x).
    (Also see Bug #171756)

CVE-2005-3352 should affect RH73, RH9, FC1, FC2, & FC3.
    (Also see Bug #175602,
     <http://issues.apache.org/bugzilla/show_bug.cgi?id=37874>.)

CVE-2005-3357 should affect RH9, FC1, FC2, & FC3.  (Only in Apache 2.x).
    (Also see Bug #175720,
     <http://issues.apache.org/bugzilla/show_bug.cgi?id=37791>.)


Comment 5 David Eisenstein 2006-01-19 06:12:22 UTC
Can somebody add to the Status Whiteboard:
  "LEGACY, NEEDSWORK, rh73, rh90, 1, 2, 3"?

Can somebody change this bug's summary to:
  "CVE-2005-2970, CVE-2005-2970, CVE-2005-2970 Apache httpd multiple security
issues"?

Can someone change this bug's component from "apache" to "httpd"?

Can someone change this bug's severity from "Normal" to "Security"?

I cannot do any of these changes.  Thanks.

Comment 6 Marc Deslauriers 2006-01-21 01:46:57 UTC
I'll work on this tonight

Comment 7 Marc Deslauriers 2006-01-22 18:19:36 UTC
Here are updated rpms to QA:

Changelog:
* Sun Jan 22 2006 Marc Deslauriers <marcdeslauriers> 2.0.53-3.4.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
  and bug fixes for handling resource allocation failures (#171759)

http://www.infostrategique.com/linuxrpms/legacy/7.3/apache-1.3.27-9.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/httpd-2.0.40-21.21.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/httpd-2.0.51-1.10.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/httpd-2.0.51-2.9.5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/httpd-2.0.53-3.4.legacy.src.rpm


Comment 8 Pekka Savola 2006-01-25 07:26:08 UTC
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches either identical to RHEL, or trivial backports
 
+PUBLISH RHL73,RHL9,FC1,FC2,FC3


Comment 9 Marc Deslauriers 2006-02-09 00:39:01 UTC
Packages were pushed to updates-testing

Comment 10 Tom Yates 2006-02-09 21:44:06 UTC
8e6ca52b5fb88a43322a38966ffeb0285b0699e1 httpd-2.0.40-21.21.legacy.i386.rpm
2d565db0d6fa0756c51ca7aef8211b463c5f5348 mod_ssl-2.0.40-21.21.legacy.i386.rpm

install OK, apache restarts OK.  main site and virtuals serve fine, https
works fine.

+VERIFY RH9



Comment 11 Pekka Savola 2006-02-10 06:02:55 UTC
Test with RHL73.  Installs OK, signatures OK.  Required manual restart, but
worked just fine.
 
+VERIFY RHL73
 
 

Timeout in 2 weeks.

Comment 12 Donald Maner 2006-02-12 17:54:06 UTC
I performed verify QA on the FC1 package.

Package upgraded OK.  Main and virtual test site fine, https works as well.

+VERIFY FC1


Comment 13 Pekka Savola 2006-02-14 06:34:12 UTC
New policy: >= 2 VERIFYs, 1 week timeout.

Comment 14 David Eisenstein 2006-02-14 08:06:06 UTC
In the last httpd packages that we issued on November 9th, it is likely
that we ended up introducing a regression error that is causing at least
one of our users a problem.  Doncho N. Gunchev reports in Bug 180470 that
certain SSL functions (part of the mod_ssl binary package) no longer work
in FC1 which do work for him in a previous Fedora Legacy package update.

To give Doncho an opportunity to look into whether Legacy's testing packages
fix his issue and respond in this bug ticket (as I suggested to him in Bug
180470), I am recommending here that we do *not* advance the timeout date
for this package to 20060217.

It appears that Red Hat may well have fixed Bug 180470's issues in their
RHSA-2006-0159 (see Bug 123585 and Bug 170383).


Comment 15 Pekka Savola 2006-02-17 22:28:09 UTC
Any update on this one?  Do we need to respin to fix some earlier patches?

Comment 16 Marc Deslauriers 2006-02-17 22:58:17 UTC
The patches are not at fault. Doncho N. Gunchev's problem is a side-effect of
httpd not supporting what he is trying to do. Before the patch, httpd would let
him access data without proper authentication, which is not good.

The Red Hat patch to introduce the required functionality for what he wants to
do is a bit too intrusive to simply add to these packages.

Comment 17 Pekka Savola 2006-02-18 06:41:02 UTC
Ok, that was my impression as well, so we're just going to release these.

Comment 18 Marc Deslauriers 2006-02-18 19:15:09 UTC
Packages were released.