Fedora Legacy Test Update Notification: httpd and mod_ssl

Marc Deslauriers marcdeslauriers at videotron.ca
Sat Oct 22 23:50:43 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-166941
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166941
2005-10-22
---------------------------------------------------------------------

Name        : httpd and mod_ssl
Versions    : rh73: mod_ssl-2.8.12-8.legacy
Versions    : rh9: httpd-2.0.40-21.20.legacy
Versions    : fc1: httpd-2.0.51-1.9.legacy
Versions    : fc2: httpd-2.0.51-2.9.4.legacy
Summary     : The httpd Web server
Description :
This package contains a powerful, full-featured, efficient, and
freely-available Web server based on work done by the Apache Software
Foundation. It is also the most popular Web server on the Internet.

---------------------------------------------------------------------
Update Information:

Updated mod_ssl and Apache httpd packages that correct two security
issues are now available.

The Apache HTTP Server is a popular and freely-available Web server.

The mod_ssl module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols.

A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient"
directive. This flaw occurs if a virtual host is configured
using "SSLVerifyClient optional" and a directive "SSLVerifyClient
required" is set for a specific location. For servers configured in this
fashion, an attacker may be able to access resources that should
otherwise be protected, by not supplying a client certificate when
connecting. The Common Vulnerabilities and Exposures project assigned
the name CAN-2005-2700 to this issue.
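As an added example (not part of the advisory or the Fedora Legacy project), the following config audit looks for the exact directive pattern the paragraph describes: a virtual host set to "SSLVerifyClient optional" with a nested container that tightens it to "require" (mod_ssl spells the value `require`). The sample configuration and the function name `find_exposed_locations` are constructed for this illustration; hosts found this way should be running the patched packages listed above, since the directive combination itself is legitimate once CAN-2005-2700 is fixed.

```python
import re

# Constructed sample httpd.conf fragment showing the pattern the advisory
# describes: "optional" at vhost level, "require" inside a <Location>.
SAMPLE_CONF = """
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient optional
    <Location /secure>
        SSLVerifyClient require
    </Location>
    <Location /public>
        Require all granted
    </Location>
</VirtualHost>
<VirtualHost _default_:8443>
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>
"""

OPEN_RE = re.compile(r'^\s*<(VirtualHost|Location|LocationMatch|Directory)\b([^>]*)>', re.I)
CLOSE_RE = re.compile(r'^\s*</(VirtualHost|Location|LocationMatch|Directory)\s*>', re.I)
VERIFY_RE = re.compile(r'^\s*SSLVerifyClient\s+(\S+)', re.I)


def find_exposed_locations(conf_text):
    """Return (vhost, container) pairs where the vhost says
    'SSLVerifyClient optional' and a nested container says 'require'.
    Evaluation happens when each container closes, so directive order
    inside the vhost does not matter."""
    stack = []      # open containers: [kind, argument, verify_mode, nested_requires]
    findings = []
    for line in conf_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            stack.append([m.group(1).lower(), m.group(2).strip(), None, []])
            continue
        if CLOSE_RE.match(line) and stack:
            kind, arg, mode, nested = stack.pop()
            if kind == 'virtualhost':
                if mode == 'optional':
                    findings.extend((arg, loc) for loc in nested)
            elif mode == 'require':
                # Record the tightened container on its enclosing vhost.
                for frame in reversed(stack):
                    if frame[0] == 'virtualhost':
                        frame[3].append(arg)
                        break
            continue
        m = VERIFY_RE.match(line)
        if m and stack:
            stack[-1][2] = m.group(1).lower()
    return findings
```

The audit reads one file and does not follow Include directives, so run it over every configuration fragment that defines SSL virtual hosts.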

A flaw was discovered in Apache httpd where the byterange filter would
buffer certain responses into memory. If a server has a dynamic
resource such as a CGI script or PHP script that generates a large
amount of data, an attacker could send carefully crafted requests in
order to consume resources, potentially leading to a Denial of Service.
(CAN-2005-2728)

Users of mod_ssl and Apache httpd should update to these errata packages
that contain backported patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.8.12-8.legacy
- patch CAN-2005-2700 (#166941)

rh9:
* Fri Sep 30 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.40-21.20.legacy
- change 'serial' tag to 'epoch' for mod_ssl package

* Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.40-21.19.legacy
- Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)

fc1:
* Fri Sep 30 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-1.9.legacy
- Change 'serial' tag to 'epoch' for mod_ssl package

* Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-1.8.legacy
- Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)

fc2:
* Fri Sep 30 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-2.9.4.legacy
- Change 'serial' tag to 'epoch' for mod_ssl package

* Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-2.9.3.legacy
- Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


---------------------------------------------------------------------

Please test and comment in bugzilla.