An issue has been discovered in the mod_ssl module when configured to use the "SSLCipherSuite" directive in directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client will be able to access that location using any cipher suite allowed by the virtual host configuration. This security issue affects versions 2.0.35 through 2.0.52. This issue has been fixed in version 2.0.53-dev.

Advisories:
http://www.apacheweek.com/features/security-20
http://secunia.com/advisories/12787/

Patches:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_init.c?r1=1.128&r2=1.129
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.110&r2=1.111

------- Additional Comments From rob.myers.edu 2004-10-11 07:34:13 ----
this is a link to the bug in apache bugzilla:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31505

------- Additional Comments From marcdeslauriers 2004-10-11 14:10:27 ----
Here are Red Hat's bugs:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134826
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134825

------- Additional Comments From marcdeslauriers 2004-10-16 04:55:43 ----
Also affects mod_ssl in rh7.3

------- Additional Comments From fedora-legacy-bugzilla-2004 2004-10-17 15:23:46 ----
mod_ssl 2.8.20-1.3.31 was released.
mod_ssl patch references:
http://marc.theaimsgroup.com/?l=apache-modssl&m=109724918128044&q=raw

------- Additional Comments From rob.myers.edu 2004-10-21 11:26:54 ----
packages to QA for FC1:

changelog:
* Thu Oct 21 2004 Rob Myers <rob.myers.edu> 2.0.51-1.5.legacy
- add patch for CAN-2004-0885 (FL bug #2148)

files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.51-1.5.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.51-1.5.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-debuginfo-2.0.51-1.5.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-devel-2.0.51-1.5.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-manual-2.0.51-1.5.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/mod_ssl-2.0.51-1.5.legacy.i386.rpm

sha1sums:
c5beb1a3cb9cdb8719e8c81383e1cf83e46149e3  httpd-2.0.51-1.5.legacy.i386.rpm
e19f02deac822ea48ec8b941edb71877cc5bf089  httpd-2.0.51-1.5.legacy.src.rpm
a858df759d87dc75e1c0ef4d022ed5a195273e81  httpd-debuginfo-2.0.51-1.5.legacy.i386.rpm
5363d07aafcacb9f8942a41d030eb27cb6f8984f  httpd-devel-2.0.51-1.5.legacy.i386.rpm
20bb744d216ae248b397b7aca8fa8c4f924af637  httpd-manual-2.0.51-1.5.legacy.i386.rpm
3a1c9e8af87c7206a1d90ad7778ab7c20c688fc8  mod_ssl-2.0.51-1.5.legacy.i386.rpm

------- Additional Comments From fedora-legacy-bugzilla-2004 2004-10-22 05:14:14 ----
"mod_include" privilege escalation vulnerability has been discovered in Apache 1.3.x.
http://secunia.com/advisories/12898/
The vulnerability affects 1.3.0 to 1.3.32.

------- Additional Comments From michal 2004-10-24 08:45:55 ----
> ... has been discovered in Apache 1.3.x.

Yes, indeed, but that patch you refer to in comment #4 is exactly for that.
Also, if I understand advisories correctly, unless "SSLCipherSuite" directive is actually used, which seems to be pretty infrequent, then the problem does not hit. Obviously that does not mean that the bug should not be fixed but only that the impact appears now to be on a low side.

------- Additional Comments From fedora-legacy-bugzilla-2004 2004-10-25 05:05:08 ----
Vulnerability in #6 is CAN-2004-0940.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940

> but that patch you refer to in comment #4 is exactly for that.

The patch of mod_ssl in #4 is for CAN-2004-0885. The patch for CAN-2004-0940 is here:
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_include.c?r1=1.140&r2=1.141

CAN-2004-0885 affects httpd of RH9, FC1 and mod_ssl of RH7.3.
CAN-2004-0940 affects apache of RH7.3.

> Obviously that does not mean that the bug should not be fixed but only that the impact appears now to be on a low side.

I think you are right. According to Secunia advisories, both vulnerabilities are "less impact".

------- Additional Comments From michal 2004-10-28 18:26:43 ----
Created an attachment (id=904)
patch for CAN-2004-0885 with mod_ssl-2.8.12-6.legacy (rh7.3)

> The patch of mod_ssl in #4 is for CAN-2004-0885

Indeed. Thanks! Either Secunia was showing me wrong advisory or I cannot read. In any case both patches apply directly to mod_ssl and apache sources as used on RH7.3. Some offsets are possible. To make for easier references I am attaching them here.

------- Additional Comments From michal 2004-10-28 18:28:55 ----
Created an attachment (id=905)
patch for CAN-2004-0940, privilege escalation, apache-1.3.27- ... (rh7.3)

------- Additional Comments From fedora-legacy-bugzilla-2004 2004-11-04 13:12:25 ----
A new DoS vulnerability has been discovered in apache 2.0.35-52.
http://secunia.com/advisories/13045/
The vulnerability is caused due to an error in the parsing routine for headers with a large amount of spaces.
This can be exploited by sending some specially crafted requests with a large amount of overly long headers containing only spaces.
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
Red Hat Bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138064

------- Additional Comments From rob.myers.edu 2004-11-05 12:51:01 ----
Here are updated httpd, apache, mod_ssl packages to QA for rh73, rh90, and fc1:
- CAN-2004-0885, CAN-2004-0940, CAN-2004-0942 should now be fixed
- please verify that apache-1.3.27 is not vulnerable to CAN-2004-0942 (does not appear to be if you believe the vulnerable list here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138064 )

changelogs:

rh73:
apache-1.3.27-6.legacy:
* Thu Nov 04 2004 Rob Myers <rob.myers.edu> 1.3.27-6.legacy
- add patch for CAN-2004-0940 (FL bug #2148)

mod_ssl-2.8.12-7.legacy:
* Fri Nov 05 2004 Rob Myers <rob.myers.edu> 2.8.12-7.legacy
- add patch for CAN-2004-0885 (FL bug #2148)

rh9:
* Thu Nov 04 2004 Rob Myers <rob.myers.edu> 2.0.40-21.17.legacy
- add patches for CAN-2004-0885, CAN-2004-0942 (FL bug #2148)

fc1:
* Fri Nov 05 2004 Rob Myers <rob.myers.edu> 2.0.51-1.6.legacy
- add patch for CAN-2004-0942 (FL bug #2148)
* Thu Oct 21 2004 Rob Myers <rob.myers.edu> 2.0.51-1.5.legacy
- add patch for CAN-2004-0885 (FL bug #2148)

sha1sums:

rh73:
3c3ede1eb50b7ea2ac1dce480510a49c16009efb  apache-1.3.27-6.legacy.i386.rpm
a619a90da660ce332a86e09ea059435df38e08ae  apache-1.3.27-6.legacy.src.rpm
d99fc33ef40a2f1d13b200a2eef0329e3f7fcf9e  apache-devel-1.3.27-6.legacy.i386.rpm
0f3bbce57396134306afab27aefd6231c63c22db  apache-manual-1.3.27-6.legacy.i386.rpm
02c4afc088c87f4438f21a66f14736a6e3e1b92c  mod_ssl-2.8.12-7.legacy.i386.rpm
50ee7bff4cf9a2625de89d9a4e826fd1d5870e79  mod_ssl-2.8.12-7.legacy.src.rpm

rh9:
9f454aabffc191a1ae83307b5661b133141fe9d7  httpd-2.0.40-21.17.legacy.i386.rpm
4636c7901147136ba2d9df9b073a879ae555286b  httpd-2.0.40-21.17.legacy.src.rpm
0b7f93ee2e3dc9817df3917b9568239557f06e4a  httpd-debuginfo-2.0.40-21.17.legacy.i386.rpm
583249f86f9fc0b87bffc117c54a87018b5afc0f  httpd-devel-2.0.40-21.17.legacy.i386.rpm
472e4bfcd1b98a17c0225fb5cfc2fd0d892e6cbe  httpd-manual-2.0.40-21.17.legacy.i386.rpm
317be26ed4ecef764881d1b5f735b47f6c11acf2  mod_ssl-2.0.40-21.17.legacy.i386.rpm

fc1:
3f8f5c68e90276ee5991af17ee7c49e1d3238d83  httpd-2.0.51-1.6.legacy.i386.rpm
ccc5eb2e04e220acc7df1717250db0bf80ba7f3f  httpd-2.0.51-1.6.legacy.src.rpm
6eaa8c9e2f549afd90478e75ad8e0046273a4f4d  httpd-debuginfo-2.0.51-1.6.legacy.i386.rpm
f8abc728701ff3269f7a62370373b929e50dfeae  httpd-devel-2.0.51-1.6.legacy.i386.rpm
b3d8371d3d08cf3c393e4e16daec7701d5947dea  httpd-manual-2.0.51-1.6.legacy.i386.rpm
2aff6cc23aad7597c449940de2478bb5f0a67dc5  mod_ssl-2.0.51-1.6.legacy.i386.rpm

files:

rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/apache-1.3.27-6.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/apache-1.3.27-6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/apache-devel-1.3.27-6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/apache-manual-1.3.27-6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/mod_ssl-2.8.12-7.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/mod_ssl-2.8.12-7.legacy.i386.rpm

rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.40-21.17.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.40-21.17.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-debuginfo-2.0.40-21.17.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-devel-2.0.40-21.17.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-manual-2.0.40-21.17.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/mod_ssl-2.0.40-21.17.legacy.i386.rpm

fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.51-1.6.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-2.0.51-1.6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-debuginfo-2.0.51-1.6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-devel-2.0.51-1.6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/httpd-manual-2.0.51-1.6.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/mod_ssl-2.0.51-1.6.legacy.i386.rpm

------- Additional Comments From fedora-legacy-bugzilla-2004 2004-11-05 16:42:02 ----
Hi Rob! Thanks for your job.

I did QA on Rob's RH9 package:
9f454aabffc191a1ae83307b5661b133141fe9d7  httpd-2.0.40-21.17.legacy.i386.rpm
4636c7901147136ba2d9df9b073a879ae555286b  httpd-2.0.40-21.17.legacy.src.rpm
583249f86f9fc0b87bffc117c54a87018b5afc0f  httpd-devel-2.0.40-21.17.legacy.i386.rpm
472e4bfcd1b98a17c0225fb5cfc2fd0d892e6cbe  httpd-manual-2.0.40-21.17.legacy.i386.rpm
317be26ed4ecef764881d1b5f735b47f6c11acf2  mod_ssl-2.0.40-21.17.legacy.i386.rpm

I think debuginfo packages don't need to be released.
sha1sum matches
rpm signature ok
source files ok
spec file ok
patches ok
src rebuilds ok
rpm-build-compare script ok
installs ok
runs ok

+PUBLISH

------- Additional Comments From marcdeslauriers 2004-11-09 17:54:48 ----
I did QA on Rob's 7.3 packages:
a619a90da660ce332a86e09ea059435df38e08ae  apache-1.3.27-6.legacy.src.rpm
50ee7bff4cf9a2625de89d9a4e826fd1d5870e79  mod_ssl-2.8.12-7.legacy.src.rpm

- Source files match previous release
- Patch files look good
- Spec files look good
- Builds, installs and runs OK

I confirm that CAN-2004-0942 doesn't apply to 7.3.

+PUBLISH

------- Additional Comments From marcdeslauriers 2004-11-11 11:21:28 ----
I did QA on Rob's rh9 package:
4636c7901147136ba2d9df9b073a879ae555286b  httpd-2.0.40-21.17.legacy.src.rpm

- Source files match previous release
- Patch files look good
- Spec file looks good
- Builds, installs and runs OK

+PUBLISH

------- Additional Comments From marcdeslauriers 2004-11-13 03:55:08 ----
I did QA on Rob's fc1 package:
ccc5eb2e04e220acc7df1717250db0bf80ba7f3f  httpd-2.0.51-1.6.legacy.src.rpm

- Source files match previous release
- Patch files look good
- Spec file looks good
- Builds, installs and runs OK

+PUBLISH
------- Additional Comments From dom 2004-11-15 03:30:45 ----
Redhat advisory: https://rhn.redhat.com/errata/RHSA-2004-562.html

------- Additional Comments From josh.kayse.edu 2004-11-15 09:09:53 ----
I did QA on the FC1 package:
ccc5eb2e04e220acc7df1717250db0bf80ba7f3f  httpd-2.0.51-1.6.legacy.src.rpm

- source files identical to previous release
- builds cleanly
- patches look good
- installs and runs cleanly
- spec file is good

+ PUBLISH

------- Additional Comments From marcdeslauriers 2004-11-17 16:58:34 ----
Pushed to updates-testing.

------- Additional Comments From madhatter 2004-11-17 22:37:59 ----
cf4421a5eb0cc960c4ac0e79c5a75af4d0a82caf  httpd-2.0.40-21.17.legacy.i386.rpm
a4d3ec49253f09496284c7b089a539363d8c1ad1  mod_ssl-2.0.40-21.17.legacy.i386.rpm

Packages install fine under RH9, basic apache functionality is OK (web pages, cgi, virtual hosts). I run squirrelmail entirely under https, so I gave mod_ssl a reasonable workout, sending and reading email. It's good.

++VERIFY

I note my SHA1sums don't match any previously mentioned in this bug report, but they do match those in marc's posting to the mailing list. I'm slightly confused.
------- Additional Comments From marcdeslauriers 2004-11-20 06:12:09 ----
In response to comment 20: It's normal that the sha1sums don't match the ones in this bug report; when packages get pushed to updates-testing, they are rebuilt in a clean mach environment.

------- Additional Comments From mark.scott 2004-11-23 05:41:11 ----
SHA1sums:
900fab9908fe5655ffaf75e85ddec3766244b095  httpd-2.0.51-1.6.legacy.i386.rpm
92ceef4e0b98ae64df0ae82bdc70fbe19bbc3bff  httpd-devel-2.0.51-1.6.legacy.i386.rpm
e4e38ace9ca2a3ee4c82b4c04fd15dc326fe0004  mod_ssl-2.0.51-1.6.legacy.i386.rpm

Packages install fine under FC1, basic functionality works: web pages, PHP module (4.3.8-1.1), virtual hosts, aliases, error docs. Accessing similar pages through mod_ssl also appears to be working fine.

VERIFIED

------- Additional Comments From marcdeslauriers 2004-12-02 16:19:35 ----
*** Bug 2325 has been marked as a duplicate of this bug. ***

------- Additional Comments From jimpop 2004-12-03 00:46:50 ----
d40866e11e91598844b054f657856d697449aad0  apache-1.3.27-6.legacy.i386.rpm
a55bac0fa92970caf3e3d8aa611fb80698f90573  mod_ssl-2.8.12-7.legacy.i386.rpm

VERIFIED on RH73 with VirtualHosts and SSL sites.

------- Additional Comments From jpdalbec 2004-12-03 11:24:04 ----
++VERIFY RH 7.3
d40866e11e91598844b054f657856d697449aad0  apache-1.3.27-6.legacy.i386.rpm
a55bac0fa92970caf3e3d8aa611fb80698f90573  mod_ssl-2.8.12-7.legacy.i386.rpm

Installed packages on testing server.
I was able to log in to a mod_php application (Horde) and a mod_perl/mod_fastcgi application (Sympa) over an SSL connection. I haven't tested virtual hosts. I can install these on a production server Monday. I don't want to risk breaking something over the weekend.

------- Additional Comments From deisenst 2004-12-06 02:24:52 ----
This bug appears to be Verified and closed. See
http://www.redhat.com/archives/fedora-legacy-announce/2004-December/msg00000.html

------- Bug moved to this database by dkl 2005-03-30 18:28 -------

This bug previously known as bug 2148 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2148
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch for CAN-2004-0885 with mod_ssl-2.8.12-6.legacy (rh7.3)
https://bugzilla.fedora.us/attachment.cgi?action=view&id=904
patch for CAN-2004-0940, privilege escalation, apache-1.3.27- ... (rh7.3)
https://bugzilla.fedora.us/attachment.cgi?action=view&id=905

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl. Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
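The opening report's trigger condition, an SSLCipherSuite inside a Directory or Location container while the virtual host itself allows a wider list, is what an administrator has to locate in an existing httpd.conf to know whether a still-unpatched host is exposed (comment #7 notes the bug "does not hit" otherwise). The audit below is an added example, not code from this bug, from Fedora Legacy or from Apache; the sample configuration and the 192.0.2.10 address are constructed, and the fallback that a vhost without its own directive inherits the main server's list reflects mod_ssl's config merging as this example assumes it.

```python
"""Find SSLCipherSuite directives in directory/location context, the
configuration CAN-2004-0885 concerns (added example, not Apache code)."""
import re

OPEN_TAG = re.compile(r"^<(\w+)\b[^>]*>$")   # e.g. <Location /secure>
CLOSE_TAG = re.compile(r"^</(\w+)\s*>$")     # e.g. </Location>
PER_DIR = {"directory", "location", "directorymatch", "locationmatch"}
# Constructed sample httpd.conf, not taken from any real deployment.
SAMPLE_CONFIG = """
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
<VirtualHost _default_:443>
    SSLEngine on
    <Location /secure>
        SSLCipherSuite HIGH:!aNULL
    </Location>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLCipherSuite HIGH:MEDIUM
    <Location /admin>
        SSLCipherSuite HIGH
    </Location>
</VirtualHost>
"""

def audit_ciphersuite_contexts(config_text):
    """Report each SSLCipherSuite found inside a per-directory container."""
    stack = []          # open containers, innermost last: (tag, open line)
    vhost_ciphers = {}  # vhost open line (or "server config") -> cipher list
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_TAG.match(line)
        if m:
            stack.append((m.group(1).lower(), line))
            continue
        if CLOSE_TAG.match(line):
            stack.pop()
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "sslciphersuite":
            continue
        vhost = next((o for t, o in stack if t == "virtualhost"), "server config")
        per_dir = next((o for t, o in reversed(stack) if t in PER_DIR), None)
        if per_dir is None:
            vhost_ciphers[vhost] = parts[1].strip('"')
        else:
            findings.append({"vhost": vhost, "container": per_dir,
                             "required": parts[1].strip('"')})
    for f in findings:  # a vhost with no directive inherits the main server's
        f["vhost_allows"] = vhost_ciphers.get(f["vhost"]) or vhost_ciphers.get(
            "server config", "mod_ssl built-in default")
    return findings
```

On an unpatched 2.0.35 to 2.0.52 server, each reported container is reachable with any cipher in its vhost_allows list, so a finding is the signal to apply the update above or to put the stricter list on the virtual host until then.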