Red Hat 9044

A new update is available for Red Hat Enterprise Linux. Here is the announcement:


---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Important: httpd security update
Advisory ID: RHSA-2005:608-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-608.html
Issue date: 2005-09-06
Updated on: 2005-09-06
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-2700 CAN-2005-2728
---------------------------------------------------------------------

1. Summary:

Updated Apache httpd packages that correct two security issues are now
available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

The Apache HTTP Server is a popular and freely-available Web server.

A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient"
directive. This flaw occurs if a virtual host is configured
using "SSLVerifyClient optional" and a directive "SSLVerifyClient
required" is set for a specific location. For servers configured in this
fashion, an attacker may be able to access resources that should otherwise
be protected, by not supplying a client certificate when connecting. The
Common Vulnerabilities and Exposures project assigned the name
CAN-2005-2700 to this issue.
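The configuration pattern described above can be found in an httpd configuration with a small audit script. This is an added example, not part of the Red Hat advisory: the sample configuration is constructed, the parser is deliberately simplified (no Include handling, one nesting level per virtual host), and it matches mod_ssl's actual keyword for the mandatory level, which is spelled "require".

```python
import re

# Constructed sample (not from the advisory): the first vhost shows the
# CAN-2005-2700 pattern, the second sets 'require' for the whole vhost.
SAMPLE_CONFIG = """\
<VirtualHost _default_:443>
    SSLVerifyClient optional
    <Location /secure>
        SSLVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLVerifyClient require
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""
SECTIONS = r"VirtualHost|Location|LocationMatch|Directory|Files"
OPEN_RE = re.compile(r"^\s*<(%s)\b([^>]*)>" % SECTIONS, re.I)
CLOSE_RE = re.compile(r"^\s*</(%s)\s*>" % SECTIONS, re.I)
VERIFY_RE = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.I)

def find_optional_require_mismatch(config_text):
    """Return (vhost, section) pairs where the <VirtualHost> sets
    'SSLVerifyClient optional' and a nested section sets 'require'.
    Simplified: no Include handling, one nesting level per vhost."""
    findings = []
    vhost = vhost_mode = section = section_mode = None
    sections = []  # (section, mode) collected for the current vhost
    for line in config_text.splitlines():
        m, c, v = OPEN_RE.match(line), CLOSE_RE.match(line), VERIFY_RE.match(line)
        if m and m.group(1).lower() == "virtualhost":
            vhost, vhost_mode, sections = m.group(2).strip() or "(none)", None, []
        elif m:
            section, section_mode = "<%s %s>" % (m.group(1), m.group(2).strip()), None
        elif c and c.group(1).lower() == "virtualhost":
            # Evaluate at the close: the vhost-level directive may follow the sections.
            if vhost_mode == "optional":
                findings += [(vhost, s) for s, mode in sections if mode == "require"]
            vhost = None
        elif c:
            sections.append((section, section_mode))
            section = None
        elif v and section is not None:
            section_mode = v.group(1).lower()
        elif v and vhost is not None:
            vhost_mode = v.group(1).lower()
    return findings
```

Each reported pair names a virtual host on which the only effective remedy is the updated mod_ssl package described in this advisory.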

A flaw was discovered in Apache httpd where the byterange filter would
buffer certain responses into memory. If a server has a dynamic
resource such as a CGI script or PHP script that generates a large amount
of data, an attacker could send carefully crafted requests in order to
consume resources, potentially leading to a Denial of Service. (CAN-2005-2728)

Users of Apache httpd should update to these errata packages that contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

167102 - CAN-2005-2728 byterange memory DoS
167194 - CAN-2005-2700 SSLVerifyClient flaw


6. RPMs required:

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.
