Bug 166941 - mod_ssl/httpd multiple vulnerabilities - CAN-2005-2700, CAN-2005-2728
mod_ssl/httpd multiple vulnerabilities - CAN-2005-2700, CAN-2005-2728
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: httpd (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
rh73, rh9, 1, 2
:
: 168420 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-08-28 08:44 EDT by Jeff Sheltren
Modified: 2007-04-18 13:30 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-11-09 22:02:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jeff Sheltren 2005-08-28 08:44:25 EDT
Watchfire reported a flaw that occured when using the Apache server as an
HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request in
a way that the receiving server processes it as a separate HTTP request.
This could allow the bypass of Web application firewall protection or lead
to cross-site scripting (XSS) attacks. The Common Vulnerabilities and
Exposures project (cve.mitre.org) assigned the name CAN-2005-2088 to this
issue.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification
callback. In order to exploit this issue the Apache server would need to
be configured to use a malicious certificate revocation list (CRL). The
Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the
name CAN-2005-1268 to this issue.

See https://rhn.redhat.com/errata/RHSA-2005-582.html

rh7.3 is not effected, I need to check about rh9.  FC1 and FC2 are both effected.
Comment 1 Jeff Sheltren 2005-09-06 10:20:07 EDT
I guess we need to also add two more CANs to this - CAN-2005-2700 and CAN-2005-2728

See https://rhn.redhat.com/errata/RHSA-2005-608.html
Comment 2 John Dalbec 2005-09-20 10:12:45 EDT
05.35.13 CVE: Not Available
Platform: Cross Platform
Title: Apache CGI Byterange Request Denial of Service
Description: Apache is a freely available, open source Web server
software package. It is distributed and maintained by the Apache
Group. Apache is prone to a denial of service when handling large CGI
byterange requests. This may also be triggered by ProxyRequests. The
problem occurs because Apache does not free memory used in these
requests, allowing multiple requests to consume all memory and swap
space.
Ref: http://www.securityfocus.com/advisories/9117
Comment 3 Ivan Baldo 2005-09-23 15:40:40 EDT
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728
20050829, its near a month of this now...
Comment 4 Jeff Sheltren 2005-09-23 16:50:45 EDT
CAN-2005-1268 and CAN-2005-2088 were already patched, see bug #157701 sorry for
the dupe.
Comment 5 Jeff Sheltren 2005-09-23 18:36:20 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created packages to fix CAN-2005-2700 and CAN-2005-2728.

Here are the sha1sums:
846dc14ec54b040361672ade32b326a7f25a5835  httpd-2.0.40-21.19.legacy.src.rpm
1f14d6b1b41bf51c736da5d0a7ab589806cc34c0  httpd-2.0.51-1.8.legacy.src.rpm
48664ce621750e8253f25b4417a4880bb16e0368  httpd-2.0.51-2.9.3.legacy.src.rpm

And the packages can be found here:
http://www.cs.ucsb.edu/~jeff/legacy/httpd/

Note, I also removed the 'Serial' tag from the spec (used for the
mod_ssl package).  That has been depreciated and so I couldn't
build the SRPMs on FC4 (in order to feed them to mock). Since
the serial should only be used if RPM can't figure out the
version/release, this should not be an issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDNILTKe7MLJjUbNMRAjUIAJ9oEIrMzhT6THHIV623a9TiUqR2SACgoQZt
GDhFbRzimzskPzS00TTbx8Y=
=KaO+
-----END PGP SIGNATURE-----
Comment 6 Jeff Sheltren 2005-09-23 20:35:05 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, rh73 mod_ssl package is also vulnerable to CAN-2005-2700, so
I'm also including that here.

Here is an updated mod_ssl for RH7.3 using the patch from RHEL 2.1:
http://www.cs.ucsb.edu/~jeff/legacy/httpd/mod_ssl-2.8.12-8.legacy.src.rpm

f9ea24c89593eebe6ab9da47f49f6e6ef56d415c  mod_ssl-2.8.12-8.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDNJ8qKe7MLJjUbNMRAihwAJ4l6xhvw9bB659FIZ3vvCVZIXw8+gCdEjOB
emGvStu2guax/AkXFPGwDis=
=8hZ5
-----END PGP SIGNATURE-----
Comment 7 Stu Tomlinson 2005-09-30 11:33:39 EDT
I think the "Serial" tag is the old name for "Epoch", and should be replaced by
"Epoch: 1" instead of removing it to ensure rpm can upgrade the mod_ssl package.

Without this rpm will assume the older package with the Serial/Epoch is newer.
Comment 8 Jeff Sheltren 2005-09-30 13:22:59 EDT
Oh, I see that now, thanks.  I'll post updated packages using 'Epoch' hopefully
later today.
Comment 9 Jeff Sheltren 2005-09-30 17:59:28 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Created new httpd packages with the 'epoch' tag instead of using 'serial'
(or commenting out serial).

They're in the same place as before:
http://www.cs.ucsb.edu/~jeff/legacy/httpd/

the 7.3 mod_ssl package is unchanged, here are the checksums for the
new httpd packages:
3814a0ad773689968a26256a3ff51bd5dc10ca2d  httpd-2.0.40-21.20.legacy.src.rpm
449274b284280cf9cf20ecaae8890f1f22f3d61f  httpd-2.0.51-1.9.legacy.src.rpm
be3328a223be1e97d52437d9c540775a4d21a608  httpd-2.0.51-2.9.4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDPbVIKe7MLJjUbNMRAkC4AKCs1YtjyrUiiIo6kDxdh9k9O4fYPgCgxdNw
zQIyWIKz3gAV/Gpprus2KC4=
=5DDc
-----END PGP SIGNATURE-----
Comment 10 Pekka Savola 2005-10-01 01:09:24 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
- - spec file changes minimal
- - source integrity good
- - patches identical to RHEL

+PUBLISH RHL73, RHL9, FC1, FC2

f9ea24c89593eebe6ab9da47f49f6e6ef56d415c  mod_ssl-2.8.12-8.legacy.src.rpm
3814a0ad773689968a26256a3ff51bd5dc10ca2d  httpd-2.0.40-21.20.legacy.src.rpm
449274b284280cf9cf20ecaae8890f1f22f3d61f  httpd-2.0.51-1.9.legacy.src.rpm
be3328a223be1e97d52437d9c540775a4d21a608  httpd-2.0.51-2.9.4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDPhpAGHbTkzxSL7QRAqOSAJ9BUiX+xkvQR1GgbBwVUBUWwTxEGACfer8D
OykyYo54etAeSXkaLWK42PY=
=ZoHl
-----END PGP SIGNATURE-----
Comment 11 Marc Deslauriers 2005-10-22 19:48:57 EDT
Packages were pushed to updates-testing
Comment 12 Tom Yates 2005-10-23 04:34:05 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

installed:
f0b6c4125d2d20acfceb179da0fe2811 httpd-2.0.40-21.20.legacy.i386.rpm
b0bd6ddc3fd86666774a72d43853207d mod_ssl-2.0.40-21.20.legacy.i386.rpm

installs OK, apache manually stops and starts OK, http and https pages
serve OK (including php-generated pages under both protocols).

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDW0tWePtvKV31zw4RAveEAJ9sZkXbLlRf1d+6PLf+u+u3WL0e2gCgubYk
LIIkt4v+qmAPM3/DZqalnJw=
=7WQf
-----END PGP SIGNATURE-----
Comment 13 Pekka Savola 2005-10-24 01:38:57 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL73: gpg signature OK, mod_ssl installs nicely, serving httpd works
fine after the update.  ++VERIFY RHL73
 
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDXHPHGHbTkzxSL7QRAhSLAJ9N5gaRFZDYfyPNxE/2JG67Fm7sEwCgrQzE
rGLGb5wHwcdqbDF3n0LZv3Q=
=5vEI
-----END PGP SIGNATURE-----


Timeout in 2 weeks.
Comment 14 Pekka Savola 2005-10-24 02:01:21 EDT
*** Bug 168420 has been marked as a duplicate of this bug. ***
Comment 15 Jim Popovitch 2005-10-25 10:05:13 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH73

mod_ssl upgrades and works fine (note: had to manually restart httpd).

670aa135fb5073b29e94f0a3fe2db9e592b40558  mod_ssl-2.8.12-8.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)

iD8DBQFDXjwKMyG7U7lo69MRAoE7AKC1rN41tmm+9TOwLYt9itKP7qF+SwCgsPcp
NU/vf6yW22F3UTLkr1wf5yU=
=VnYn
-----END PGP SIGNATURE-----
Comment 16 Eric Jon Rostetter 2005-10-26 12:20:05 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for RHL 9
 
RHL 9 Packages:
2e1f513ec64bc94dd087138282fb0e868a1a3abe  httpd-2.0.40-21.20.legacy.i386.rpm
8fbff503cd3bf5ce657dbd977b063437775750f7  httpd-devel-2.0.40-21.20.legacy.i386.rpm
b0313b4f0203cd03c84facefb1eebdb4ed928c26  httpd-manual-2.0.40-21.20.legacy.i386.rpm
cface2ec6aca89b8c4641055cabd14a7b37a4ebf  mod_ssl-2.0.40-21.20.legacy.i386.rpm
 
 
SHA1 checksums all match test update advisory.  Signatures verify okay.
 
I installed all the packages on a RHL 9 machine without problem.  I restarted
web server without incident.  Checked the apache, php, etc. all still worked.
 
Vote for release for RHL 9. ++VERIFY
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFDX6yQ4jZRbknHoPIRAmbhAJ9CMLgzLmmD1Mm1O8jP3/CK2EYHDQCgiYs8
7ghdW5rEEV+bUXRVXgesKJg=
=/HvH
-----END PGP SIGNATURE-----
Comment 17 David Eisenstein 2005-10-29 23:24:43 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fedora Core 1 Packages:
d5cbd7cfdd31b1a6222727f99366407eb06e53e7  httpd-2.0.51-1.9.legacy.i386.rpm
994e4b34b91ae60eb7f632dc50b39c1f5e89aca4  httpd-devel-2.0.51-1.9.legacy.i386.rpm
b75c88ba3deda8aed4cb3d6e5d4ea55141554723 httpd-manual-2.0.51-1.9.legacy.i386.rpm
465efbcc39ef52325928c2dc8093fc6447c33477  mod_ssl-2.0.51-1.9.legacy.i386.rpm

  *  Package SHA1sums and signatures were fine.

  *  packages installed fine.

  *  (Minor burp with mod_ssl's installation, in the post-install scriptlet,
     but that was due to a corrupt already-existing
     '/etc/httpd/conf/ssl.key/server.key' file when it tried to create the
     'server.crt' file (which didn't exist).  Deleting server.key and re-
     installing mod_ssl created a good sample X509 self-signed certificate
     pair.)

  *  Webserver daemon works fine, served up both http: and https: URL's
     well; able to run CGI scripts; PHP works with the updated Apache.

  *  Had no opportunity to test httpd-devel package.  However, using the
     rpm-build-compare script shows the files are exactly the same as the
     ones in my previously-installed httpd-devel-2.0.51-1.6.legacy.i386.rpm
     package.

  *  Have no idea if the "SSLVerifyClient" (CVE-2005-2700) or byterange
     filter DoS (CVE-2005-2728) vulnerabilities are fixed or not.  Am not
     sure how to test those.

Works for me.  I vote VERIFY++ FC1.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDZD0txou1V/j9XZwRAkFiAJ99NLgg27IXOgR1TRsXeuUBeaDh3QCg3bnk
/XQPDVIGAms4pudvM0LQHew=
=41j2
-----END PGP SIGNATURE-----
Comment 18 Pekka Savola 2005-11-09 11:14:50 EST
Timeout over.
Comment 19 Marc Deslauriers 2005-11-09 22:02:24 EST
Packages were released.

Note You need to log in before you can comment on or make changes to this bug.