An issue has been discovered in the mod_ssl module when configured to use the
"SSLCipherSuite" directive in directory or location context. If a particular
location context has been configured to require a specific set of cipher suites,
then a client will be able to access that location using any cipher suite
allowed by the virtual host configuration.

This security issue affects versions 2.0.35 through 2.0.52.
This issue has been fixed in version 2.0.53-dev.

Advisories:
http://www.apacheweek.com/features/security-20
http://secunia.com/advisories/12787/

Patches:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.128&r2=1.129
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.110&r2=1.111



------- Additional Comments From rob.myers.edu 2004-10-11 07:34:13 ----

this is a link to the bug in apache bugzilla:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31505



------- Additional Comments From marcdeslauriers 2004-10-11 14:10:27 ----

Here are Red Hat's bugs:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134826
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134825




------- Additional Comments From marcdeslauriers 2004-10-16 04:55:43 ----

Also affects mod_ssl in rh7.3



------- Additional Comments From fedora-legacy-bugzilla-2004 2004-10-17 15:23:46 ----

mod_ssl 2.8.20-1.3.31 was released.
mod_ssl patch references:
http://marc.theaimsgroup.com/?l=apache-modssl&m=109724918128044&q=raw



------- Additional Comments From rob.myers.edu 2004-10-21 11:26:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
packages to QA for FC1:
 
changelog:
* Thu Oct 21 2004 Rob Myers <rob.myers.edu> 2.0.51-1.5.legacy
- - add patch for CAN-2004-0885 (FL bug #2148)
 
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.51-1.5.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.51-1.5.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-debuginfo-2.0.51-1.5.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-devel-2.0.51-1.5.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-manual-2.0.51-1.5.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/mod_ssl-2.0.51-1.5.legacy.i386.rpm
 
sha1sums:
c5beb1a3cb9cdb8719e8c81383e1cf83e46149e3  httpd-2.0.51-1.5.legacy.i386.rpm
e19f02deac822ea48ec8b941edb71877cc5bf089  httpd-2.0.51-1.5.legacy.src.rpm
a858df759d87dc75e1c0ef4d022ed5a195273e81  httpd-debuginfo-2.0.51-1.5.legacy.i386.rpm
5363d07aafcacb9f8942a41d030eb27cb6f8984f  httpd-devel-2.0.51-1.5.legacy.i386.rpm
20bb744d216ae248b397b7aca8fa8c4f924af637  httpd-manual-2.0.51-1.5.legacy.i386.rpm
3a1c9e8af87c7206a1d90ad7778ab7c20c688fc8  mod_ssl-2.0.51-1.5.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBeChHtU2XAt1OWnsRAnu3AKDTicn+y2VgRF02qFf+LzJmppvY1ACfauV3
MKGu7ZiJscmKeUYjSc00yQE=
=G5Gm
-----END PGP SIGNATURE-----




------- Additional Comments From fedora-legacy-bugzilla-2004 2004-10-22 05:14:14 ----

"mod_include" privilege escalation vulnerability has been discovered in Apache
1.3.x.

http://secunia.com/advisories/12898/

The vulnerability affects 1.3.0 to 1.3.32.



------- Additional Comments From michal 2004-10-24 08:45:55 ----

> ...  has been discovered in Apache 1.3.x.

Yes, indeed, but that patch you refer to in comment #4 is exactly for that.

Also, if I understand advisories correctly, unless "SSLCipherSuite" directive
is actually used, which seems to be pretty infrequent, then the problem does
not hit.  Obviously that does not mean that the bug should not be fixed but
only that the impact appears now to be on a low side.



------- Additional Comments From fedora-legacy-bugzilla-2004 2004-10-25 05:05:08 ----

Vulnerability in #6 is CAN-2004-0940.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940

> but that patch you refer to in comment #4 is exactly for that.

The patch of mod_ssl in #4 is for CAN-2004-0885. 

The patch for CAN-2004-0940 is here:
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_include.c?r1=1.140&r2=1.141

CAN-2004-0885 affects httpd of RH9, FC1 and mod_ssl of RH7.3.
CAN-2004-0940 affects apache of RH7.3.

>  Obviously that does not mean that the bug should not be fixed but
only that the impact appears now to be on a low side.

I think you are right. According to Secunia advisories, both of vulnerabilities
are "less impact".



------- Additional Comments From michal 2004-10-28 18:26:43 ----

Created an attachment (id=904)
patch for CAN-2004-0885  with mod_ssl-2.8.12-6.legacy (rh7.3)

> The patch of mod_ssl in #4 is for CAN-2004-0885

Indeed. Thanks! Either Secunia was showing me wrong advisory or I cannot read.

In any case both patches apply directly to mod_ssl and apache sources
as used on RH7.3.  Some offsets are possible.  To make for easier references
I am attaching them here.



------- Additional Comments From michal 2004-10-28 18:28:55 ----

Created an attachment (id=905)
patch for CAN-2004-0940, privilege escalation, apache-1.3.27- ... (rh7.3)




------- Additional Comments From fedora-legacy-bugzilla-2004 2004-11-04 13:12:25 ----

The new DoS vulnerability has been discovered in apache 2.0.35-52.

http://secunia.com/advisories/13045/

The vulnerability is caused due to an error in the parsing routine for headers
with a large amount of spaces. This can be exploited by sending some specially
crafted requests with a large amount of overly long headers containing only spaces.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

Red Hat Bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138064



------- Additional Comments From rob.myers.edu 2004-11-05 12:51:01 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Here are updated httpd, apache, mod_ssl packages to QA for rh73, rh90, and fc1:
  
- - CAN-2004-0885, CAN-2004-0940, CAN-2004-0942 should now be fixed
 
- - please verify that apache-1.3.27 is not vulerable to CAN-2004-0942
  (does not appear to be if you believe the vulnerable list here:
   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138064 )
 
changelogs:
 
rh73:
apache-1.3.27-6.legacy:
* Thu Nov 04 2004 Rob Myers <rob.myers.edu> 1.3.27-6.legacy
- - add patch for CAN-2004-0940 (FL bug #2148)
 
mod_ssl-2.8.12-7.legacy:
* Fri Nov 05 2004 Rob Myers <rob.myers.edu> 2.8.12-7.legacy
- - add patch for CAN-2004-0885 (FL bug #2148)
 
rh9:
* Thu Nov 04 2004 Rob Myers <rob.myers.edu> 2.0.40-21.17.legacy
- - add patches for CAN-2004-0885, CAN-2004-0942  (FL bug #2148)
 
fc1:
* Fri Nov 05 2004 Rob Myers <rob.myers.edu> 2.0.51-1.6.legacy
- - add patch for CAN-2004-0942 (FL bug #2148)
  
* Thu Oct 21 2004 Rob Myers <rob.myers.edu> 2.0.51-1.5.legacy
- - add patch for CAN-2004-0885 (FL bug #2148)
 
  
sha1sums:
 
rh73:
3c3ede1eb50b7ea2ac1dce480510a49c16009efb  apache-1.3.27-6.legacy.i386.rpm
a619a90da660ce332a86e09ea059435df38e08ae  apache-1.3.27-6.legacy.src.rpm
d99fc33ef40a2f1d13b200a2eef0329e3f7fcf9e  apache-devel-1.3.27-6.legacy.i386.rpm
0f3bbce57396134306afab27aefd6231c63c22db  apache-manual-1.3.27-6.legacy.i386.rpm
02c4afc088c87f4438f21a66f14736a6e3e1b92c  mod_ssl-2.8.12-7.legacy.i386.rpm
50ee7bff4cf9a2625de89d9a4e826fd1d5870e79  mod_ssl-2.8.12-7.legacy.src.rpm
  
rh9:
9f454aabffc191a1ae83307b5661b133141fe9d7  httpd-2.0.40-21.17.legacy.i386.rpm
4636c7901147136ba2d9df9b073a879ae555286b  httpd-2.0.40-21.17.legacy.src.rpm
0b7f93ee2e3dc9817df3917b9568239557f06e4a 
httpd-debuginfo-2.0.40-21.17.legacy.i386.rpm
583249f86f9fc0b87bffc117c54a87018b5afc0f  httpd-devel-2.0.40-21.17.legacy.i386.rpm
472e4bfcd1b98a17c0225fb5cfc2fd0d892e6cbe  httpd-manual-2.0.40-21.17.legacy.i386.rpm
317be26ed4ecef764881d1b5f735b47f6c11acf2  mod_ssl-2.0.40-21.17.legacy.i386.rpm
 
fc1:
3f8f5c68e90276ee5991af17ee7c49e1d3238d83  httpd-2.0.51-1.6.legacy.i386.rpm
ccc5eb2e04e220acc7df1717250db0bf80ba7f3f  httpd-2.0.51-1.6.legacy.src.rpm
6eaa8c9e2f549afd90478e75ad8e0046273a4f4d  httpd-debuginfo-2.0.51-1.6.legacy.i386.rpm
f8abc728701ff3269f7a62370373b929e50dfeae  httpd-devel-2.0.51-1.6.legacy.i386.rpm
b3d8371d3d08cf3c393e4e16daec7701d5947dea  httpd-manual-2.0.51-1.6.legacy.i386.rpm
2aff6cc23aad7597c449940de2478bb5f0a67dc5  mod_ssl-2.0.51-1.6.legacy.i386.rpm
 
files:
 
rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/apache-1.3.27-6.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/apache-1.3.27-6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/apache-devel-1.3.27-6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/apache-manual-1.3.27-6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/mod_ssl-2.8.12-7.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/mod_ssl-2.8.12-7.legacy.i386.rpm
 
rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.40-21.17.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.40-21.17.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-debuginfo-2.0.40-21.17.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-devel-2.0.40-21.17.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-manual-2.0.40-21.17.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/mod_ssl-2.0.40-21.17.legacy.i386.rpm
 
fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.51-1.6.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.51-1.6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-debuginfo-2.0.51-1.6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-devel-2.0.51-1.6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-manual-2.0.51-1.6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/mod_ssl-2.0.51-1.6.legacy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBjANltU2XAt1OWnsRAu+WAKDguipu9gnM1VZ884bOpv1j88vaDQCdFXoO
hQmQGaGVQKBals0n62df3ek=
=LkJ9
-----END PGP SIGNATURE-----




------- Additional Comments From fedora-legacy-bugzilla-2004 2004-11-05 16:42:02 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rob! Thanks for your job.

I did QA on Rob's RH9 package:
9f454aabffc191a1ae83307b5661b133141fe9d7  httpd-2.0.40-21.17.legacy.i386.rpm
4636c7901147136ba2d9df9b073a879ae555286b  httpd-2.0.40-21.17.legacy.src.rpm
583249f86f9fc0b87bffc117c54a87018b5afc0f
httpd-devel-2.0.40-21.17.legacy.i386.rpm
472e4bfcd1b98a17c0225fb5cfc2fd0d892e6cbe
httpd-manual-2.0.40-21.17.legacy.i386.rpm
317be26ed4ecef764881d1b5f735b47f6c11acf2  mod_ssl-2.0.40-21.17.legacy.i386.rpm

I think debuginfo packages don't need to be released.

sha1sum matches
rpm signature ok
source files ok
spec file ok
patches ok
src rebuilds ok
rpm-build-compare script ok
installs ok
runs ok
+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBjDeOuZYb5AhVqVoRApXTAJ9FOLYzwAfH2c6XimesdQdha3xBOACfcCX+
usSrr7cMmgghAj1m3u2tivQ=
=+Emk
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-11-09 17:54:48 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on Rob's 7.3 packages:

a619a90da660ce332a86e09ea059435df38e08ae  apache-1.3.27-6.legacy.src.rpm
50ee7bff4cf9a2625de89d9a4e826fd1d5870e79  mod_ssl-2.8.12-7.legacy.src.rpm

- - Source files match previous release
- - Patch files look good
- - Spec files look good
- - Builds, installs and runs OK

I confirm that CAN-2004-0942 doesn't apply to 7.3.

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBkZEULMAs/0C4zNoRAmQYAKCUaJJST2foiadoRayRcSjluY/eHgCfbAbu
WIVtQHao9hhYTpyYofHbPV0=
=ZaQd
-----END PGP SIGNATURE-----



------- Additional Comments From marcdeslauriers 2004-11-11 11:21:28 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on Rob's rh9 package:

4636c7901147136ba2d9df9b073a879ae555286b  httpd-2.0.40-21.17.legacy.src.rpm

- - Source files match previous release
- - Patch files look good
- - Spec file looks good
- - Builds, installs and runs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBk9f/LMAs/0C4zNoRAqCcAJ94/oK7jTsVX5+1BIE+lqhEzgMg9gCeJrU0
dO68kZ7pp1XSbDUpOEBmMLk=
=MHYv
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-11-13 03:55:08 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on Rob's fc1 package:

ccc5eb2e04e220acc7df1717250db0bf80ba7f3f  httpd-2.0.51-1.6.legacy.src.rpm

- - Source files match previous release
- - Patch files look good
- - Spec file looks good
- - Builds, installs and runs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBlhJfLMAs/0C4zNoRAkrbAKC5e6sJ23V3Vhlr9GflSGndjuyPuACeIWi0
UEABxz/adUDaYrwP1KIlMD8=
=tQ4G
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-11-15 03:30:45 ----

Redhat advisory:

https://rhn.redhat.com/errata/RHSA-2004-562.html



------- Additional Comments From josh.kayse.edu 2004-11-15 09:09:53 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:

ccc5eb2e04e220acc7df1717250db0bf80ba7f3f  httpd-2.0.51-1.6.legacy.src.rpm

- - source files identical to previous release
- - builds cleanly
- - patches look good
- - installs and runs cleanly
- - spec file is good

+ PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBmP7gwnUFCSDmt7ERAqe1AJwLpGLuAVOcBhbkoOFt6eBqHHc5oQCgpxi4
yi19TFy0APP5hzuLji/p/r0=
=476B
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-11-17 16:58:34 ----

Pushed to updates-testing.




------- Additional Comments From madhatter 2004-11-17 22:37:59 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
cf4421a5eb0cc960c4ac0e79c5a75af4d0a82caf httpd-2.0.40-21.17.legacy.i386.rpm
a4d3ec49253f09496284c7b089a539363d8c1ad1 mod_ssl-2.0.40-21.17.legacy.i386.rpm
 
packages install fine under RH9, basic apache functionality is OK (web
pages, cgi, virtual hosts).  i run squirrelmail entirely under https, so i
gave mod_ssl a reasonable workout, sending and reading email.  it's good.
 
++VERIFY
 
i note my SHA1sums don't match any previously mentioned in this bug report,
but they do match those in marc's posting to the mailing list.  i'm
slightly confused.
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBnF8gePtvKV31zw4RAquAAKCw0zw78WhqHKEMm1EY8exUf+jAkgCgtW5K
0mMm+wavvoSM9W7gm+ag2RY=
=lEo7
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-11-20 06:12:09 ----

In response to comment 20:

It's normal that the sha1sums don't match the ones in this bug report, when
packages get pushed to updates-testing, they are rebuilt in a clean mach
environment.



------- Additional Comments From mark.scott 2004-11-23 05:41:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
 
SHA1sums:
900fab9908fe5655ffaf75e85ddec3766244b095
  httpd-2.0.51-1.6.legacy.i386.rpm
92ceef4e0b98ae64df0ae82bdc70fbe19bbc3bff
  httpd-devel-2.0.51-1.6.legacy.i386.rpm
e4e38ace9ca2a3ee4c82b4c04fd15dc326fe0004
  mod_ssl-2.0.51-1.6.legacy.i386.rpm
 
Packages install fine under FC1, basic functionality works: web pages,
PHP module (4.3.8-1.1), virtual hosts, aliases, error docs. Accessing
 similar pages through mod_ssl also appears to be working fine.
 
VERIFIED
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBo1nkl2I0fYrP+68RAkEMAKCxg8PJ0cLEdtxALJxo23e16NzH+ACfc63m
JTVSzxRiSugceZ71B7tgwLg=
=gMHJ
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-12-02 16:19:35 ----

*** Bug 2325 has been marked as a duplicate of this bug. ***



------- Additional Comments From jimpop 2004-12-03 00:46:50 ----

d40866e11e91598844b054f657856d697449aad0  apache-1.3.27-6.legacy.i386.rpm
a55bac0fa92970caf3e3d8aa611fb80698f90573  mod_ssl-2.8.12-7.legacy.i386.rpm

VERIFIED on RH73 with VirtualHosts and SSL sites.





------- Additional Comments From jpdalbec 2004-12-03 11:24:04 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH 7.3

d40866e11e91598844b054f657856d697449aad0  apache-1.3.27-6.legacy.i386.rpm
a55bac0fa92970caf3e3d8aa611fb80698f90573  mod_ssl-2.8.12-7.legacy.i386.rpm

Installed packages on testing server.  I was able to log in to a mod_php
application (Horde) and a mod_perl/mod_fastcgi application (Sympa) over an
SSL connection.  I haven't tested virtual hosts.  I can install these on a
production server Monday.  I don't want to risk breaking something over the
weekend.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBsNk9JL4A+ldA7asRAnjDAKCxEaYpbA/WLCV5KxMNz7UbHPxC0QCbBeD6
a/T5dd8d7EOMQjnH2m/WJtQ=
=PD+N
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst 2004-12-06 02:24:52 ----

This bug appears to be Verified and closed.  See
http://www.redhat.com/archives/fedora-legacy-announce/2004-December/msg00000.html




------- Bug moved to this database by dkl 2005-03-30 18:28 -------

This bug previously known as bug 2148 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2148
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch for CAN-2004-0885  with mod_ssl-2.8.12-6.legacy (rh7.3)
https://bugzilla.fedora.us/attachment.cgi?action=view&id=904
patch for CAN-2004-0940, privilege escalation, apache-1.3.27- ... (rh7.3)
https://bugzilla.fedora.us/attachment.cgi?action=view&id=905

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.