__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
Apache 2.0.47 Release Fixes Security Vulnerabilities
[Apache 2.0.47 Released]
September 4, 2003 20:00 GMT Number N-146
[REVISED 22 Sept 2003]
[REVISED 27 Oct 2003]
______________________________________________________________________________
PROBLEM: There exist four security vulnerabilities:
1) Certain sequences of per-directory renegotiations and the
SSLCipherSuite directive being used to upgrade from a weak
ciphersuite to a strong one could result in the weak
ciphersuite being used in place of the strong one.
2) Certain errors returned by accept() on rarely accessed ports
could cause temporary denial of service, due to a bug in the
prefork MPM.
3) Denial of service occurred when the target host is IPv6 but
the ftp proxy server cannot create an IPv6 socket.
4) The server would crash when going into an infinite loop due
to too many subsequent internal redirects and nested
subrequests.
AFFECTED
SOFTWARE: Apache 2.0.46 and earlier
Red Hat Linux 7.1, 7.2, 7.3
Red Hat Enterprise Linux products
DAMAGE: A weaker ciphersuite than the one negotiated may be used, and
denial-of-service attacks are possible.
SOLUTION: Upgrade to Apache 2.0.47, and update Red Hat Linux.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. These vulnerabilities may cause a weaker
ASSESSMENT: ciphersuite to be used or a denial-of-service.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-146.shtml
ORIGINAL BULLETIN: http://www.apache.org/dist/httpd/Announcement2.html
ADDITIONAL LINKS: RED HAT RHSA-2003:240-09
https://rhn.redhat.com/errata/RHSA-2003-240.html
RED HAT RHSA-2003:243-07
https://rhn.redhat.com/errata/RHSA-2003-243.html
RED HAT RHSA-2003:244-07
https://rhn.redhat.com/errata/RHSA-2003-244.html
Visit HEWLETT PACKARD Subscription Service for:
HPSBUX0307-269 (SSRT3587)
HPSBUX0304-256 (SSRT3534)
______________________________________________________________________________
REVISION HISTORY:
9/22/03 - Updated AFFECTED SOFTWARE section; updated SOLUTION
section; and added Red Hat RHSA-2003:243-07 link in
ADDITIONAL LINKS section.
10/27/03 - Added additional link for Red Hat RHSA-2003:244-07 which gives
information for the Red Hat Enterprise Linux products.
[***** Start Apache 2.0.47 Released *****]
Apache 2.0.47 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased
to announce the tenth public release of the Apache 2.0 HTTP Server. This
Announcement notes the significant changes in 2.0.47 as compared to 2.0.46.
This version of Apache is principally a security and bug fix release. A
summary of the bug fixes is given at the end of this document. Of particular
note is that 2.0.47 addresses four security vulnerabilities:
Certain sequences of per-directory renegotiations and the SSLCipherSuite
directive being used to upgrade from a weak ciphersuite to a strong one could
result in the weak ciphersuite being used in place of the strong one.
[CAN-2003-0192]
Certain errors returned by accept() on rarely accessed ports could cause
temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]
Denial of service was caused when target host is IPv6 but ftp proxy server
can't create IPv6 socket. [CAN-2003-0254]
The server would crash when going into an infinite loop due to too many
subsequent internal redirects and nested subrequests. [VU#379828]
The Apache Software Foundation would like to thank Saheed Akhtar and Yoshioka
Tsuneo for the responsible reporting of two of these issues.
This release is compatible with modules compiled for 2.0.42 and later versions.
We consider this release to be the best version of Apache available and
encourage users of all prior versions to upgrade.
Apache 2.0.47 is available for download from
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for a full list
of changes.
Apache 2.0 offers numerous enhancements, improvements, and performance boosts
over the 1.3 codebase. For an overview of new features introduced after 1.3
please see
http://httpd.apache.org/docs-2.0/new_features_2_0.html
When upgrading or installing this version of Apache, please keep in mind the
following:
If you intend to use Apache with one of the threaded MPMs, you must ensure
that the modules (and the libraries they depend on) that you will be using
are thread-safe. Please contact the vendors of these modules to obtain this
information.
Apache 2.0.47 Major changes
Security vulnerabilities closed since Apache 2.0.46
* SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences of per-
directory renegotiations and the SSLCipherSuite directive being used to
upgrade from a weak ciphersuite to a strong one could result in the weak
ciphersuite being used in place of the strong one. [Ben Laurie]
* SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing temporary
denial of service when accept() on a rarely accessed port returns certain
errors. Reported by Saheed Akhtar <S.Akhtar@talis.com>. [Jeff Trawick]
* SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial of service
when target host is IPv6 but proxy server can't create IPv6 socket. Fixed by
the reporter. [Yoshioka Tsuneo <tsuneo.yoshioka@f-secure.com>]
* SECURITY [VU#379828] Prevent the server from crashing when entering infinite
loops. The new LimitInternalRecursion directive configures limits of
subsequent internal redirects and nested subrequests, after which the
request will be aborted. PR 19753 (and probably others). [William Rowe,
Jeff Trawick, André Malo]
Bugs fixed and features added since Apache 2.0.46
* core_output_filter: don't split the brigade after a FLUSH bucket if it's the
last bucket. This prevents creating unnecessary empty brigades which may
not be destroyed until the end of a keepalive connection. [Juan Rivera
<Juan.Rivera@citrix.com>]
* Add support for "streamy" PROPFIND responses. [Ben Collins-Sussman
<sussman@collab.net>]
* mod_cgid: Eliminate a double-close of a socket. This resolves various
operational problems in a threaded MPM, since on the second attempt to close
the socket, the same descriptor was often already in use by another thread
for another purpose. [Jeff Trawick]
* mod_negotiation: Introduce "prefer-language" environment variable, which
allows influencing the negotiation process on a per-request basis to prefer a
certain language. [André Malo]
* Make mod_expires' ExpiresByType work properly, including for dynamically-
generated documents. [Ken Coar, Bill Stoddard]
[***** End Apache 2.0.47 Released *****]
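The following script is an added example for administrators checking their own hosts against this bulletin; it is not part of the CIAC bulletin or of the Apache release. It parses the version string printed by `httpd -v` or sent in the HTTP Server header and reports whether the build falls within the affected range (2.0.x earlier than 2.0.47), and it scans an httpd.conf text for the two configuration points the announcement raises: SSLCipherSuite directives inside per-directory containers (the renegotiation path that CAN-2003-0192 concerns) and the presence of the LimitInternalRecursion directive introduced in 2.0.47. The sample banners and the sample configuration are constructed for the example; the 1.3 branch is treated as out of scope because the bulletin covers only 2.0.46 and earlier.

```python
import re

# Release that closes the four issues listed in the bulletin.
FIXED_VERSION = (2, 0, 47)

# Constructed sample inputs; not taken from any real host.
SAMPLE_BANNERS = [
    "Server version: Apache/2.0.46 (Unix)",   # shape of `httpd -v` output
    "Server: Apache/2.0.47 (Red Hat Linux)",  # shape of an HTTP Server header
    "Server: Apache/1.3.28 (Unix)",           # 1.3 branch, outside this bulletin
]

SAMPLE_CONF = """\
ServerRoot "/usr/local/apache2"
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
<Directory "/usr/local/apache2/htdocs/secure">
    SSLCipherSuite HIGH:!aNULL:!MD5
</Directory>
"""

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
OPEN_RE = re.compile(r"<(Directory|Location|Files)", re.I)
CLOSE_RE = re.compile(r"</(Directory|Location|Files)", re.I)


def parse_version(line):
    """Return the (major, minor, patch) tuple found in a banner, or None."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(line):
    """True when the banner names a 2.0.x build earlier than 2.0.47."""
    v = parse_version(line)
    if v is None or v[:2] != (2, 0):
        return False  # bulletin scope is Apache 2.0.46 and earlier only
    return v < FIXED_VERSION


def audit_conf(conf_text):
    """Return a list of findings relevant to the bulletin for an httpd.conf text."""
    findings = []
    depth = 0          # nesting level of Directory/Location/Files containers
    has_limit = False  # whether LimitInternalRecursion is configured anywhere
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE_RE.match(line):
            depth -= 1
            continue
        if OPEN_RE.match(line):
            depth += 1
            continue
        if re.match(r"LimitInternalRecursion\b", line, re.I):
            has_limit = True
        # A per-directory SSLCipherSuite forces a renegotiation; on builds
        # before 2.0.47 the upgraded suite may not take effect (CAN-2003-0192).
        if depth > 0 and re.match(r"SSLCipherSuite\b", line, re.I):
            findings.append("per-directory SSLCipherSuite: " + line)
    if not has_limit:
        # Directive exists from 2.0.47 on; its documented default is 10.
        findings.append("LimitInternalRecursion not set (2.0.47 default is 10)")
    return findings


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        state = "AFFECTED" if is_affected(banner) else "not affected"
        print(f"{banner!r}: {state}")
    for finding in audit_conf(SAMPLE_CONF):
        print("finding:", finding)
```

A per-directory SSLCipherSuite finding is not itself a misconfiguration; it marks a place where the server must be at 2.0.47 or later for the stronger suite to be honoured after renegotiation. An absent LimitInternalRecursion is acceptable on 2.0.47 because the default applies, but setting it explicitly documents the intended bound on internal redirects and nested subrequests.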
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Apache for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-136: Microsoft Unchecked Buffer in MDAC Function Vulnerability
N-137: Red Hat Updated pam_smb packages fix remote buffer overflow
N-138: Red Hat Updated Sendmail packages fix vulnerability
N-139: Red Hat Updated SSL Certificate for access to 'up2date'
N-140: Sun Linux Vulnerability in VNC Package may allow local or remote unauthorized access
N-141: Timing based attack vulnerabilities in the JAVA Secure Socket Extension
N-142: Microsoft Word Macros Vulnerability
N-143: Microsoft WordPerfect Converter Buffer Overrun Vulnerability
N-144: Microsoft Visual Basic Buffer Overrun Vulnerability
N-145: Microsoft Access Snapshot View Buffer Overrun Vulnerability