__________________________________________________________

                  The U.S. Department of Energy
              Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

                          INFORMATION BULLETIN

                        'httpd' Security Update
                [Red Hat Security Advisory RHSA-2005:582-04]

July 25, 2005 18:00 GMT                                            Number P-259
[REVISED 15 Aug 2005]
[REVISED 08 Sep 2005]
[REVISED 02 Mar 2006]
[REVISED 07 Mar 2006]
[REVISED 14 Jun 2006]
[REVISED 14 July 2006]
[REVISED 15 Aug 2006]
______________________________________________________________________________

PROBLEM:       Updated Apache httpd packages that address two security
               vulnerabilities are available. The Apache HTTP Server is a
               powerful, full-featured, efficient, and freely-available Web
               server.

PLATFORM:      Red Hat Desktop (v. 3 and v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 3 and v. 4)
               Debian GNU/Linux 3.0 (woody)
               Debian GNU/Linux 3.1 (sarge)
               Solaris 8, 9, 10 Operating Systems

DAMAGE:        The more serious of the two vulnerabilities occurs when the
               Apache server is used as an HTTP proxy. An HTTP request that
               carries both a "Transfer-Encoding: chunked" header and a
               "Content-Length" header causes the server to process the
               request incorrectly, which may allow an attacker to bypass
               web application firewall protection or conduct cross-site
               scripting attacks.

SOLUTION:      Apply the security updates.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. Exploiting this vulnerability may allow
ASSESSMENT:    cross-site scripting attacks and/or bypassing of web
               application firewall protection.
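A defender-side check for the ambiguous framing the DAMAGE section describes, added here as an example and not part of the CIAC or Red Hat text: it parses a request header block and refuses any request whose body length two hops could read differently, the way a hardened front end or WAF should. The sample requests are constructed and the verdict strings are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples. The first has the shape the advisory describes: both a
# "Transfer-Encoding: chunked" and a "Content-Length" header on one request.
AMBIGUOUS_REQUEST = (
    b"POST /cgi-bin/form HTTP/1.1\r\n"
    b"Host: proxy.example.internal\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

CLEAN_REQUEST = (
    b"POST /cgi-bin/form HTTP/1.1\r\n"
    b"Host: proxy.example.internal\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Collect every header value per lower-cased name, keeping duplicates
    so that a repeated Content-Length cannot hide behind 'last one wins'."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("latin-1")
            headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def framing_decision(headers: Dict[str, List[str]]) -> Tuple[str, str]:
    """Pick the body delimiter a front end should honour, and refuse any
    request that two hops could frame differently (RFC 7230 section 3.3.3)."""
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    if te and cl:
        return "reject", "both Transfer-Encoding and Content-Length present"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            return "reject", "Transfer-Encoding does not end with chunked"
        return "chunked", ",".join(codings)
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            return "reject", "conflicting or non-numeric Content-Length"
        return "content-length", cl[0]
    return "none", "no message body"
```

Rejecting the request outright (HTTP 400) is the safe choice at a proxy; silently dropping one of the two headers only moves the disagreement to whichever hop parses next.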
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-259.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2005-582.html
 ADDITIONAL LINKS:
   SGI Advanced Linux Environment 3 Security Update #45
     ftp://patches.sgi.com/support/free/security/advisories/20050802-01-U.asc
   Debian Security Advisories DSA 803 and DSA 805
     http://www.debian.org/security/2005/dsa-803
     http://www.debian.org/security/2005/dsa-805
   Sun Alert ID: 102197
     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security
   Sun Alert ID: 102198
     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2005-1268, CAN-2005-2088
______________________________________________________________________________

REVISION HISTORY:
  08/15/2005 - Revised to add a link to SGI Security Advisory SGI Advanced
               Linux Environment 3 Security Update #45, patch 10197 for SGI
               ProPack 3 Service Pack 6.
  09/08/2005 - Added links to Debian Security Advisories DSA 803 and DSA 805,
               which provide updated packages for these vulnerabilities.
  03/02/2006 - Revised to add a link to Sun Alert ID: 102197 and Sun Alert
               ID: 102198 for Solaris 8, 9, 10 Operating Systems.
  03/07/2006 - Revised to reference Sun Alert ID: 102197 for Solaris 8, 9, 10
               Operating Systems.
  06/14/2006 - Sun Alert ID: 102197 updated its Contributing Factors and
               Resolution sections.
  07/14/2006 - Sun Alert ID: 102197 updated its Contributing Factors and
               Resolution sections.
  08/15/2006 - Sun Alert ID: 102197 updated its Contributing Factors and
               Resolution sections and changed its "State" to resolved.

[***** Start Red Hat Security Advisory RHSA-2005:582-04 *****]

Moderate: httpd security update

Advisory:          RHSA-2005:582-04
Type:              Security Advisory
Issued on:         2005-07-25
Last updated on:   2005-07-25
Affected Products: Red Hat Desktop (v. 3)
                   Red Hat Desktop (v. 4)
                   Red Hat Enterprise Linux AS (v. 3)
                   Red Hat Enterprise Linux AS (v. 4)
                   Red Hat Enterprise Linux ES (v. 3)
                   Red Hat Enterprise Linux ES (v. 4)
                   Red Hat Enterprise Linux WS (v. 3)
                   Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org):
                   CAN-2005-1268
                   CAN-2005-2088

Details

Updated Apache httpd packages to correct two security issues are now available
for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

The Apache HTTP Server is a powerful, full-featured, efficient, and
freely-available Web server.

Watchfire reported a flaw that occurred when using the Apache server as an HTTP
proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This caused
Apache to incorrectly handle and forward the body of the request in a way that
the receiving server processes it as a separate HTTP request. This could allow
the bypass of Web application firewall protection or lead to cross-site
scripting (XSS) attacks. The Common Vulnerabilities and Exposures project
(cve.mitre.org) assigned the name CAN-2005-2088 to this issue.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification
callback. In order to exploit this issue the Apache server would need to be
configured to use a malicious certificate revocation list (CRL).
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the
name CAN-2005-1268 to this issue.

Users of Apache httpd should update to these errata packages that contain
backported patches to correct these issues.

Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

  up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

  161893 - Bug 145666 is missing a ',' after REDIRECT_REMOTE_USER
  162244 - CAN-2005-2088 httpd proxy request smuggling
  163013 - CAN-2005-1268 mod_ssl off-by-one

References

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088
  http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
  http://issues.apache.org/bugzilla/show_bug.cgi?id=35081
  http://issues.apache.org/bugzilla/show_bug.cgi?id=34588

Keywords

  watchfire

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
  https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat Security Advisory RHSA-2005:582-04 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-249: krb5 Security Update
P-250: Critical Patch Update - July 2005
P-251: Mozilla Security Updates
P-252: Firefox Security Updates
P-253: Solaris Runtime Linker Vulnerability
P-254: 'tiff' Buffer Overflow Vulnerability
P-255: Heimdal
P-256: Targeted Attacks
P-257: SSH Tectia Server Private Key Permission Vulnerability in Windows
P-258: Security Vulnerability Involving the Common Desktop Environment (CDE)
       dtlogin(1X) Command