Fedora Legacy Test Update Notification: httpd

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Nov 18 02:57:48 UTC 2004


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-2148
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2148
2004-11-17
---------------------------------------------------------------------

Name        : httpd, apache and mod_ssl
Versions    : 7.3: apache-1.3.27-6.legacy, mod_ssl-2.8.12-7.legacy
Versions    : 9: httpd-2.0.40-21.17.legacy
Versions    : fc1: httpd-2.0.51-1.6.legacy
Summary     : The httpd Web server
Description : 
This package contains a powerful, full-featured, efficient, and
freely-available Web server based on work done by the Apache Software
Foundation. It is also the most popular Web server on the Internet.

---------------------------------------------------------------------
Update Information:

An issue has been discovered in the mod_ssl module when configured to
use the "SSLCipherSuite" directive in directory or location context. If
a particular location context has been configured to require a specific
set of cipher suites, then a client will be able to access that location
using any cipher suite allowed by the virtual host configuration. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0885 to this issue.
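
An added example (not part of the original advisory or of the httpd packages): a small Python audit that lists every place a configuration sets SSLCipherSuite inside a directory or location container, which is the setup the issue above affects, together with the broader suite allowed at virtual host level. The function name, sample configuration and paths are constructed for illustration.

```python
import re

# Containers that put a directive in "directory or location context".
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*(\w+)\s*>")
SUITE = re.compile(r"SSLCipherSuite\s+(\S+)", re.IGNORECASE)

def audit_cipher_context(conf_text):
    """Return one finding per SSLCipherSuite set in per-directory context."""
    stack, host_suites, findings = [], {}, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip()))
            continue
        suite = SUITE.match(line)
        if not suite:
            continue
        vhost = next((a for n, a in stack if n == "virtualhost"), None)
        scoped = [f"{n} {a}" for n, a in stack if n in PER_DIR]
        if scoped:
            findings.append({"line": lineno, "vhost": vhost,
                             "context": scoped[-1], "suite": suite.group(1)})
        else:
            host_suites[vhost] = suite.group(1)   # server or vhost level
    for item in findings:  # resolved afterwards so directive order is irrelevant
        item["host_suite"] = host_suites.get(item["vhost"], host_suites.get(None))
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW
    <Location /admin>
        SSLCipherSuite HIGH
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in audit_cipher_context(SAMPLE_CONF):
        print(finding)
```

The audit reads a single file as text; it does not follow Include directives or .htaccess files.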

Problems that apply to Red Hat Linux 7.3 only:

A buffer overflow in mod_include could allow a local user who is
authorised to create server side include (SSI) files to gain the
privileges of an httpd child. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0940 to this
issue.

Problems that apply to Red Hat Linux 9 and Fedora Core 1 only:

An issue has been discovered in the handling of white space in request
header lines using MIME folding. A malicious client could send a
carefully crafted request, forcing the server to consume large amounts
of memory, leading to a denial of service. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0942 to this issue.
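
An added example (not part of the original advisory): with MIME folding, a header is continued on following lines that begin with a space or tab, so a front-end filter or log analyser can measure how many folds and how much leading white space each request header carries. The function names, thresholds and sample request below are assumptions constructed for illustration.

```python
def fold_stats(raw_request: bytes):
    """Return {header name: (fold count, leading whitespace bytes in folds)}."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]            # skip the request line
    stats, current = {}, None
    for line in lines:
        if line[:1] in (b" ", b"\t"):          # continuation line (folding)
            if current is None:
                continue                       # fold with no header before it
            ws = len(line) - len(line.lstrip(b" \t"))
            folds, total = stats[current]
            stats[current] = (folds + 1, total + ws)
        else:
            current = line.split(b":", 1)[0].strip().lower().decode("latin-1")
            stats.setdefault(current, (0, 0))
    return stats

def suspicious_headers(raw_request, max_folds=8, max_ws=256):
    """Names of headers whose folds exceed the (assumed) thresholds."""
    return sorted(name for name, (folds, ws) in fold_stats(raw_request).items()
                  if folds > max_folds or ws > max_ws)

# Constructed sample request: one ordinary folded header, one padded header.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Note: first part\r\n"
    b" second part\r\n"
    b"X-Pad: a\r\n" + (b" " * 300 + b"\r\n") * 3 +
    b"\r\n"
)

if __name__ == "__main__":
    print(fold_stats(SAMPLE_REQUEST))
    print(suspicious_headers(SAMPLE_REQUEST))
```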

---------------------------------------------------------------------
Changelogs

rh73:
apache-1.3.27-6.legacy:
* Thu Nov 04 2004 Rob Myers <rob.myers at gtri.gatech.edu> 1.3.27-6.legacy
- add patch for CAN-2004-0940 (FL bug #2148)
 
mod_ssl-2.8.12-7.legacy:
* Fri Nov 05 2004 Rob Myers <rob.myers at gtri.gatech.edu> 2.8.12-7.legacy
- add patch for CAN-2004-0885 (FL bug #2148)
 
rh9:
* Thu Nov 04 2004 Rob Myers <rob.myers at gtri.gatech.edu> 2.0.40-21.17.legacy
- add patches for CAN-2004-0885, CAN-2004-0942  (FL bug #2148)
 
fc1:
* Fri Nov 05 2004 Rob Myers <rob.myers at gtri.gatech.edu> 2.0.51-1.6.legacy
- add patch for CAN-2004-0942 (FL bug #2148)
  
* Thu Oct 21 2004 Rob Myers <rob.myers at gtri.gatech.edu> 2.0.51-1.5.legacy
- add patch for CAN-2004-0885 (FL bug #2148)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

---------------------------------------------------------------------

Please test and comment in bugzilla.
