__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                         CIAC
__________________________________________________________

                   INFORMATION BULLETIN

      Apache 2.0.47 Release Fixes Security Vulnerabilities
                 [Apache 2.0.47 Released]

September 4, 2003 20:00 GMT                             Number N-146
                                               [REVISED 22 Sept 2003]
                                               [REVISED 27 Oct 2003]
______________________________________________________________________________

PROBLEM:       There exist four security vulnerabilities:
               1) Certain sequences of per-directory renegotiations and the
                  SSLCipherSuite directive being used to upgrade from a weak
                  ciphersuite to a strong one could result in the weak
                  ciphersuite being used in place of the strong one.
               2) Certain errors returned by accept() on rarely accessed ports
                  could cause a temporary denial of service, due to a bug in
                  the prefork MPM.
               3) A denial of service was caused when the target host is IPv6
                  but the ftp proxy server cannot create an IPv6 socket.
               4) The server would crash when going into an infinite loop due
                  to too many subsequent internal redirects and nested
                  subrequests.

AFFECTED       Apache 2.0.46 and earlier
SOFTWARE:      Red Hat Linux 7.1, 7.2, 7.3
               Red Hat Enterprise Linux products

DAMAGE:        A weaker ciphersuite than the one negotiated may be used, and
               denial-of-service attacks.

SOLUTION:      Upgrade to Apache 2.0.47, and update Red Hat Linux.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. These vulnerabilities may cause a weaker
ASSESSMENT:    ciphersuite to be used or a denial of service.
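An added example (not CIAC's or Apache's code) that turns the bulletin's scope into a check: it parses an Apache version banner, decides whether the build falls under "Apache 2.0.46 and earlier", and scans an httpd.conf for the per-directory SSLCipherSuite pattern behind CAN-2003-0192 and for the LimitInternalRecursion directive that 2.0.47 introduces (both described in the Apache announcement reproduced below). The banner and configuration are constructed samples.

```python
"""Audit helpers for CIAC N-146 / Apache 2.0.47 (added example, not CIAC or
Apache code). The sample banner and configuration below are constructed."""
import re

FIXED = (2, 0, 47)  # first 2.0 release carrying the four fixes

def parse_version(banner):
    """(major, minor, patch) from 'httpd -v' output or a Server: header, or
    None when the version is hidden (e.g. 'Server: Apache'): an unknown build
    must not be reported as patched."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """Bulletin scope is Apache 2.0.46 and earlier. Tuple comparison avoids
    the string-ordering trap where '2.0.9' sorts after '2.0.47'."""
    return version is not None and version[:2] == (2, 0) and version < FIXED

def audit_config(conf_text):
    """Flag configuration the bulletin makes relevant: SSLCipherSuite inside
    a <Directory>/<Location> block (the per-directory renegotiation that
    CAN-2003-0192 concerns on pre-2.0.47 servers) and a missing
    LimitInternalRecursion (the directive 2.0.47 adds for VU#379828)."""
    findings = []
    blocks = re.findall(r"<(Directory|Location)\b[^>]*>(.*?)</\1>",
                        conf_text, re.S | re.I)
    for kind, body in blocks:
        if re.search(r"^\s*SSLCipherSuite\b", body, re.M | re.I):
            findings.append(f"per-{kind} SSLCipherSuite renegotiation "
                            "(CAN-2003-0192 if server < 2.0.47)")
    if not re.search(r"^\s*LimitInternalRecursion\b", conf_text, re.M | re.I):
        findings.append("LimitInternalRecursion not set (new in 2.0.47)")
    return findings

# Constructed sample: a pre-fix build with a per-directory cipher upgrade.
SAMPLE_BANNER = "Server version: Apache/2.0.46"
SAMPLE_CONF = """\
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
<Directory "/var/www/secure">
    SSLCipherSuite HIGH
</Directory>
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_BANNER)
    print("version:", v, "affected:", is_affected(v))
    for f in audit_config(SAMPLE_CONF):
        print("finding:", f)
```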
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-146.shtml
 ORIGINAL BULLETIN:  http://www.apache.org/dist/httpd/Announcement2.html
 ADDITIONAL LINKS:
   RED HAT RHSA-2003:240-09
     https://rhn.redhat.com/errata/RHSA-2003-240.html
   RED HAT RHSA-2003:243-07
     https://rhn.redhat.com/errata/RHSA-2003-243.html
   RED HAT RHSA-2003:244-07
     https://rhn.redhat.com/errata/RHSA-2003-244.html
   Visit HEWLETT PACKARD Subscription Service for:
     HPSBUX0307-269 (SSRT3587)
     HPSBUX0304-256 (SSRT3534)
______________________________________________________________________________

REVISION HISTORY:
 9/22/03  - Updated AFFECTED SOFTWARE section; updated SOLUTION section; and
            added Red Hat RHSA-2003:243-03 link in ADDITIONAL LINKS section.
 10/27/03 - Added additional link for Red Hat RHSA-2003:244-07, which gives
            information for the Red Hat Enterprise Linux products.

[***** Start Apache 2.0.47 Released *****]

                         Apache 2.0.47 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the tenth public release of the Apache 2.0 HTTP
   Server. This Announcement notes the significant changes in 2.0.47 as
   compared to 2.0.46.

   This version of Apache is principally a security and bug fix release.
   A summary of the bug fixes is given at the end of this document. Of
   particular note is that 2.0.47 addresses four security vulnerabilities:

     Certain sequences of per-directory renegotiations and the
     SSLCipherSuite directive being used to upgrade from a weak
     ciphersuite to a strong one could result in the weak ciphersuite
     being used in place of the strong one. [CAN-2003-0192]

     Certain errors returned by accept() on rarely accessed ports could
     cause a temporary denial of service, due to a bug in the prefork
     MPM. [CAN-2003-0253]

     Denial of service was caused when the target host is IPv6 but the
     ftp proxy server can't create an IPv6 socket. [CAN-2003-0254]

     The server would crash when going into an infinite loop due to too
     many subsequent internal redirects and nested subrequests.
     [VU#379828]

   The Apache Software Foundation would like to thank Saheed Akhtar and
   Yoshioka Tsuneo for the responsible reporting of two of these issues.

   This release is compatible with modules compiled for 2.0.42 and later
   versions.

   We consider this release to be the best version of Apache available
   and encourage users of all prior versions to upgrade.

   Apache 2.0.47 is available for download from

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.0 file, linked from the above page, for a
   full list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase. For an overview of new features
   introduced after 1.3 please see

     http://httpd.apache.org/docs-2.0/new_features_2_0.html

   When upgrading or installing this version of Apache, please keep in
   mind the following:

   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe. Please contact the vendors of these
   modules to obtain this information.

                       Apache 2.0.47 Major changes

   Security vulnerabilities closed since Apache 2.0.46

   * SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences of
     per-directory renegotiations and the SSLCipherSuite directive being
     used to upgrade from a weak ciphersuite to a strong one could result
     in the weak ciphersuite being used in place of the strong one.
     [Ben Laurie]

   * SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
     temporary denial of service when accept() on a rarely accessed port
     returns certain errors. Reported by Saheed Akhtar. [Jeff Trawick]

   * SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial of
     service when target host is IPv6 but proxy server can't create IPv6
     socket. Fixed by the reporter. [Yoshioka Tsuneo]

   * SECURITY [VU#379828]: Prevent the server from crashing when entering
     infinite loops. The new LimitInternalRecursion directive configures
     limits of subsequent internal redirects and nested subrequests,
     after which the request will be aborted. PR 19753 (and probably
     others). [William Rowe, Jeff Trawick, André Malo]

   Bugs fixed and features added since Apache 2.0.46

   * core_output_filter: don't split the brigade after a FLUSH bucket if
     it's the last bucket. This prevents creating unnecessary empty
     brigades which may not be destroyed until the end of a keepalive
     connection. [Juan Rivera]

   * Add support for "streamy" PROPFIND responses. [Ben Collins-Sussman]

   * mod_cgid: Eliminate a double-close of a socket. This resolves
     various operational problems in a threaded MPM, since on the second
     attempt to close the socket, the same descriptor was often already
     in use by another thread for another purpose. [Jeff Trawick]

   * mod_negotiation: Introduce "prefer-language" environment variable,
     which allows influencing the negotiation process on a per-request
     basis to prefer a certain language. [André Malo]

   * Make mod_expires' ExpiresByType work properly, including for
     dynamically-generated documents. [Ken Coar, Bill Stoddard]

[***** End Apache 2.0.47 Released *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Apache for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-136: Microsoft Unchecked Buffer in MDAC Function Vulnerability
N-137: Red Hat Updated pam_smb packages fix remote buffer overflow
N-138: Red Hat Updated Sendmail packages fix vulnerability
N-139: Red Hat Updated SSL Certificate for access to 'up2date'
N-140: Sun Linux Vulnerability in VNC Package may allow local or remote
       unauthorized access
N-141: Timing based attack vulnerabilities in the JAVA Secure Socket
       Extension
N-142: Microsoft Word Macros Vulnerability
N-143: Microsoft WordPerfect Converter Buffer Overrun Vulnerability
N-144: Microsoft Visual Basic Buffer Overrun Vulnerability
N-145: Microsoft Access Snapshot View Buffer Overrun Vulnerability