__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

                             INFORMATION BULLETIN

                              httpd Security Update
                   [Red Hat Security Advisory RHSA-2005:608]

September 8, 2005 21:00 GMT                                       Number P-301
[REVISED 12 Sep 2005]
[REVISED 16 Sep 2005]
[REVISED 06 Oct 2005]
[REVISED 02 Mar 2006]
[REVISED 07 Mar 2006]
[REVISED 14 Jun 2006]
[REVISED 14 July 2006]
[REVISED 15 Aug 2006]
______________________________________________________________________________
PROBLEM:       Two vulnerabilities were discovered in the Apache httpd
               package, a popular and freely available Web server.

PLATFORM:      Red Hat Desktop (v. 3 and v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1, v. 3 and v. 4)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               Debian GNU/Linux 3.0 (woody)
               Debian GNU/Linux 3.1 (sarge)
               SGI Advanced Linux Environment 3
               HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 running the
               hpuxwsAPACHE-HP-US Apache-based Web Server
               Solaris 8, 9, 10 Operating Systems

DAMAGE:        Under certain configurations, an attacker may be able to
               access resources that would otherwise be protected. Another
               flaw was found where it is possible an attacker may craft
               requests that would consume resources and lead to a denial
               of service.

SOLUTION:      Apply the available security updates.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. Possible disclosure of sensitive information
ASSESSMENT:    and/or denial of service in a non-default configuration.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-301.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2005-608.html
 ADDITIONAL LINKS:   Debian Security Advisory DSA-805
                     http://www.debian.org/security/2005/dsa-805
                     SGI Security Advisory Number 2005090101-U
                     ftp://patches.sgi.com/support/free/security/advisories/20050901-01-U.asc
                     Debian Security Advisory DSA-807
                     http://www.debian.org/security/2005/dsa-807
                     Red Hat Security Advisory RHSA-2005:773
                     https://rhn.redhat.com/errata/RHSA-2005-773.html
                     Visit your HP Subscription Service for:
                     HP Security Bulletin HPSBUX01232 / SSRT051043 rev. 0
                     Sun Alert ID: 102197
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security
                     Sun Alert ID: 102198
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2005-2700, CAN-2005-2728
______________________________________________________________________________
REVISION HISTORY:
09/12/2005 - added link to Debian Security Advisory DSA-807 that provides
             updated packages addressing this vulnerability.
09/16/2005 - added a link to Red Hat Security Advisory RHSA-2005:773 that
             provides updated packages for Red Hat v. 2.1.
10/06/2005 - added reference to HP's HPSBUX01232 / SSRT051043 rev. 0 that
             provides patches for HP-UX B.11.00, B.11.11, B.11.22, and
             B.11.23 running the hpuxwsAPACHE-HP-US Apache-based Web Server.
03/02/2006 - revised to add a link to Sun Alert ID: 102197 & Sun Alert ID:
             102198 for Solaris 8, 9, 10 Operating Systems.
03/07/2006 - revised to reference Sun Alert ID: 102197 for Solaris 8, 9, 10
             Operating Systems.
06/14/2006 - Sun Alert ID: 102197 updated its Contributing Factors and
             Resolution sections.
07/14/2006 - Sun Alert ID: 102197 updated its Contributing Factors and
             Resolution sections.
08/15/2006 - Sun Alert ID: 102197 updated its Contributing Factors and
             Resolution sections and changed its "State" to resolved.

[***** Start Red Hat Security Advisory RHSA-2005:608 *****]

Important: httpd security update

Advisory:         RHSA-2005:608-7
Type:             Security Advisory
Issued on:        2005-09-06
Last updated on:  2005-09-06

Affected Products:
    Red Hat Desktop (v. 3)
    Red Hat Desktop (v. 4)
    Red Hat Enterprise Linux AS (v. 3)
    Red Hat Enterprise Linux AS (v. 4)
    Red Hat Enterprise Linux ES (v. 3)
    Red Hat Enterprise Linux ES (v. 4)
    Red Hat Enterprise Linux WS (v. 3)
    Red Hat Enterprise Linux WS (v. 4)

CVEs (cve.mitre.org):
    CAN-2005-2700
    CAN-2005-2728

Details

Updated Apache httpd packages that correct two security issues are now
available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular and freely-available Web server.

A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient"
directive. This flaw occurs if a virtual host is configured using
"SSLVerifyClient optional" and a directive "SSLVerifyClient required" is
set for a specific location. For servers configured in this fashion, an
attacker may be able to access resources that should otherwise be
protected, by not supplying a client certificate when connecting. The
Common Vulnerabilities and Exposures project assigned the name
CAN-2005-2700 to this issue.

A flaw was discovered in Apache httpd where the byterange filter would
buffer certain responses into memory. If a server has a dynamic resource
such as a CGI script or PHP script that generates a large amount of data,
an attacker could send carefully crafted requests in order to consume
resources, potentially leading to a Denial of Service.
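The following configuration audit is an added example, not part of the Red Hat or CIAC text: it scans an httpd.conf for the exact combination the advisory describes (a virtual host set to "SSLVerifyClient optional" with a "SSLVerifyClient require" override in a Location), which is the pattern an administrator would want to find before and after applying the errata. The two httpd.conf fragments are constructed for illustration; the hardened variant simply demands a client certificate for the whole virtual host.

```python
import re
from dataclasses import dataclass, field

# Constructed sample configs: the first has the affected pattern, the second does not.
WEAK_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient optional          # vhost-wide: a client certificate is not demanded
    <Location /secure>
        SSLVerifyClient require       # per-location override the advisory describes
    </Location>
</VirtualHost>
"""
HARDENED_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient require           # whole vhost demands a client certificate
    <Location /secure>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

OPEN_RE = re.compile(r"^\s*<(VirtualHost|Location)\b\s*([^>]*)>", re.I)
CLOSE_RE = re.compile(r"^\s*</(VirtualHost|Location)\s*>", re.I)
VERIFY_RE = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.I)

@dataclass
class Block:
    kind: str                     # "virtualhost" or "location"
    arg: str                      # e.g. "*:443" or "/secure"
    verify: str = "none"          # httpd's default when the directive is absent
    locations: list = field(default_factory=list)   # (arg, verify) of child Locations

def find_weak_overrides(conf_text):
    """Return [(vhost_arg, location_arg)] for every <Location> that sets
    'SSLVerifyClient require' inside a <VirtualHost> whose own setting is
    'optional' (the combination RHSA-2005:608 says is affected)."""
    findings, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]                  # drop trailing comments
        if m := OPEN_RE.match(line):
            stack.append(Block(m.group(1).lower(), m.group(2).strip()))
        elif (m := CLOSE_RE.match(line)) and stack:
            done = stack.pop()
            if done.kind == "location":
                vhost = next((b for b in reversed(stack) if b.kind == "virtualhost"), None)
                if vhost is not None:                # remember the Location for its vhost
                    vhost.locations.append((done.arg, done.verify))
            elif done.verify == "optional":          # vhost closed: evaluate its Locations
                findings += [(done.arg, a) for a, v in done.locations if v == "require"]
        elif (m := VERIFY_RE.match(line)) and stack:
            stack[-1].verify = m.group(1).lower()    # applies to the innermost open block
    return findings

if __name__ == "__main__":
    print("weak:", find_weak_overrides(WEAK_CONF))          # [('*:443', '/secure')]
    print("hardened:", find_weak_overrides(HARDENED_CONF))  # []
```

The hardened fragment is a workaround only where a vhost-wide certificate requirement suits the site; the fix the advisory gives is the updated httpd and mod_ssl packages.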
(CAN-2005-2728)

Users of Apache httpd should update to these errata packages that contain
backported patches to correct these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

167102 - CAN-2005-2728 byterange memory DoS
167194 - CAN-2005-2700 SSLVerifyClient flaw

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728

Keywords

apache, asf

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat Security Advisory RHSA-2005:608 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-291: Symantec AntiVirus Help File Elevation of Privilege
P-292: HP-UX Running Veritas Unauthorized Data Access
P-293: HP Openview Network Node Manager (OV NNM) Remote Unauthorized Access
P-294: phpldapadmin
P-295: Courier
P-296: PCRE3
P-297: HP OpenView Event Correlation Services Vulnerability
P-298: Sun iPlanet Messaging Server Vulnerability
P-299: 'cvsbug' Security Update
P-300: Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions
       Vulnerability