Fedora Legacy Test Update Notification: httpd and mod_ssl
Jim Popovitch
jimpop at yahoo.com
Mon Oct 24 22:26:03 UTC 2005
I've got a few questions about this release of mod_ssl.
1) why is it bundled w/ httpd v2.0 and not a separate bug?
2) does anything in this apply to apache v1.3?
3) why was it never tracked in Pekka's issues list?
4) why am I the only one inquiring about this. :-)
-Jim P.
Marc Deslauriers wrote:
> ---------------------------------------------------------------------
> Fedora Legacy Test Update Notification
> FEDORALEGACY-2005-166941
> Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166941
> 2005-10-22
> ---------------------------------------------------------------------
>
> Name : httpd and mod_ssl
> Versions : rh73: mod_ssl-2.8.12-8.legacy
> Versions : rh9: httpd-2.0.40-21.20.legacy
> Versions : fc1: httpd-2.0.51-1.9.legacy
> Versions : fc2: httpd-2.0.51-2.9.4.legacy
> Summary : The httpd Web server
> Description :
> This package contains a powerful, full-featured, efficient, and
> freely-available Web server based on work done by the Apache Software
> Foundation. It is also the most popular Web server on the Internet.
>
> ---------------------------------------------------------------------
> Update Information:
>
> Updated mod_ssl and Apache httpd packages that correct two security
> issues are now available.
>
> The Apache HTTP Server is a popular and freely-available Web server.
>
> The mod_ssl module provides strong cryptography for the Apache Web
> server via the Secure Sockets Layer (SSL) and Transport Layer Security
> (TLS) protocols.
>
> A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient"
> directive. This flaw occurs if a virtual host is configured
> using "SSLVerifyClient optional" and a directive "SSLVerifyClient
> required" is set for a specific location. For servers configured in this
> fashion, an attacker may be able to access resources that should
> otherwise be protected, by not supplying a client certificate when
> connecting. The Common Vulnerabilities and Exposures project assigned
> the name CAN-2005-2700 to this issue.
>
> A flaw was discovered in Apache httpd where the byterange filter would
> buffer certain responses into memory. If a server has a dynamic
> resource such as a CGI script or PHP script that generates a large
> amount of data, an attacker could send carefully crafted requests in
> order to consume resources, potentially leading to a Denial of Service.
> (CAN-2005-2728)
>
> Users of mod_ssl and Apache httpd should update to these errata packages
> that contain backported patches to correct these issues.
>
> ---------------------------------------------------------------------
> Changelogs
>
> rh73:
> * Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.8.12-8.legacy
> - patch CAN-2005-2700 (#166941)
>
> rh9:
> * Fri Sep 30 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.40-21.20.legacy
> - change 'serial' tag to 'epoch' for mod_ssl package
>
> * Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.40-21.19.legacy
> - Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)
>
> fc1:
> * Fri Sep 30 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-1.9.legacy
> - Change 'serial' tag to 'epoch' for mod_ssl package
>
> * Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-1.8.legacy
> - Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)
>
> fc2:
> * Fri Sep 30 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-2.9.4.legacy
> - Change 'serial' tag to 'epoch' for mod_ssl package
>
> * Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-2.9.3.legacy
> - Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)
>
> ---------------------------------------------------------------------
> This update can be downloaded from:
> http://download.fedoralegacy.org/
> (sha1sums)
>
> ---------------------------------------------------------------------
>
> Please test and comment in bugzilla.
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-legacy-list
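A defender-side check for the SSLVerifyClient pattern described in the quoted advisory, added here as an example that is not part of the thread or of the Fedora Legacy packages: it scans an httpd configuration for a <VirtualHost> that sets "SSLVerifyClient optional" at vhost scope while a nested <Location> sets it to "require" (the advisory writes "required"; the directive value is "require", and the script accepts both spellings). The sample configuration, addresses and paths are constructed for the example; the actual fix is installing the updated packages, this only tells an admin which vhosts are exposed until then.

```python
import re

# Constructed sample httpd.conf fragment (not from the advisory): the first
# vhost matches the affected pattern, the second does not.
SAMPLE_CONFIG = """
<VirtualHost 192.0.2.10:443>
    SSLVerifyClient optional
    <Location /admin>
        SSLVerifyClient require   # per-location tightening
    </Location>
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    SSLVerifyClient require
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

OPEN_VHOST = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
CLOSE_VHOST = re.compile(r"^\s*</VirtualHost>", re.I)
OPEN_LOC = re.compile(r"^\s*<Location(?:Match)?\s+([^>]+)>", re.I)
CLOSE_LOC = re.compile(r"^\s*</Location(?:Match)?>", re.I)
VERIFY = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.I)

def affected_vhosts(config_text):
    """Return {vhost: [locations]} for every <VirtualHost> with
    'SSLVerifyClient optional' at vhost scope and 'require' in a <Location>."""
    vhost = location = None
    vhost_level = {}   # vhost -> SSLVerifyClient value at vhost scope
    loc_required = {}  # vhost -> locations that demand a client cert
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        if m := OPEN_VHOST.match(line):
            vhost = m.group(1).strip()
        elif CLOSE_VHOST.match(line):
            vhost = None
        elif m := OPEN_LOC.match(line):
            location = m.group(1).strip()
        elif CLOSE_LOC.match(line):
            location = None
        elif (m := VERIFY.match(line)) and vhost is not None:
            value = m.group(1).lower()
            if location is None:
                vhost_level[vhost] = value
            elif value in ("require", "required"):   # advisory spelling too
                loc_required.setdefault(vhost, []).append(location)
    return {v: locs for v, locs in loc_required.items()
            if vhost_level.get(v) == "optional"}
```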