Fedora Legacy Test Update Notification: httpd and mod_ssl

Jim Popovitch jimpop at yahoo.com
Mon Oct 24 22:26:03 UTC 2005


I've got a few questions about this release of mod_ssl.

1) why is it bundled w/ httpd v2.0 and not a separate bug?

2) does anything in this apply to apache v1.3?

3) why was it never tracked in Pekka's issues list?

4) why am I the only one inquiring about this. :-)

-Jim P.

Marc Deslauriers wrote:
> ---------------------------------------------------------------------
> Fedora Legacy Test Update Notification
> FEDORALEGACY-2005-166941
> Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166941
> 2005-10-22
> ---------------------------------------------------------------------
> 
> Name        : httpd and mod_ssl
> Versions    : rh73: mod_ssl-2.8.12-8.legacy
> Versions    : rh9: httpd-2.0.40-21.20.legacy
> Versions    : fc1: httpd-2.0.51-1.9.legacy
> Versions    : fc2: httpd-2.0.51-2.9.4.legacy
> Summary     : The httpd Web server
> Description :
> This package contains a powerful, full-featured, efficient, and
> freely-available Web server based on work done by the Apache Software
> Foundation. It is also the most popular Web server on the Internet.
> 
> ---------------------------------------------------------------------
> Update Information:
> 
> Updated mod_ssl and Apache httpd packages that correct two security
> issues are now available.
> 
> The Apache HTTP Server is a popular and freely-available Web server.
> 
> The mod_ssl module provides strong cryptography for the Apache Web
> server via the Secure Sockets Layer (SSL) and Transport Layer Security
> (TLS) protocols.
> 
> A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient"
> directive. This flaw occurs if a virtual host is configured
> using "SSLVerifyClient optional" and a directive "SSLVerifyClient
> required" is set for a specific location. For servers configured in this
> fashion, an attacker may be able to access resources that should
> otherwise be protected, by not supplying a client certificate when
> connecting. The Common Vulnerabilities and Exposures project assigned
> the name CAN-2005-2700 to this issue.
> 
> A flaw was discovered in Apache httpd where the byterange filter would
> buffer certain responses into memory. If a server has a dynamic
> resource such as a CGI script or PHP script that generates a large
> amount of data, an attacker could send carefully crafted requests in
> order to consume resources, potentially leading to a Denial of Service.
> (CAN-2005-2728)
> 
> Users of mod_ssl and Apache httpd should update to these errata packages
> that contain backported patches to correct these issues.
> 
> ---------------------------------------------------------------------
> Changelogs
> 
> rh73:
> * Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.8.12-8.legacy
> - patch CAN-2005-2700 (#166941)
> 
> rh9:
> * Fri Sep 30 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.40-21.20.legacy
> - change 'serial' tag to 'epoch' for mod_ssl package
> 
> * Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.40-21.19.legacy
> - Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)
> 
> fc1:
> * Fri Sep 30 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-1.9.legacy
> - Change 'serial' tag to 'epoch' for mod_ssl package
> 
> * Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-1.8.legacy
> - Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)
> 
> fc2:
> * Fri Sep 30 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-2.9.4.legacy
> - Change 'serial' tag to 'epoch' for mod_ssl package
> 
> * Fri Sep 23 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 2.0.51-2.9.3.legacy
> - Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)
> 
> ---------------------------------------------------------------------
> This update can be downloaded from:
>   http://download.fedoralegacy.org/
> (sha1sums)
> 
> rh73:
> 670aa135fb5073b29e94f0a3fe2db9e592b40558
> redhat/7.3/updates-testing/i386/mod_ssl-2.8.12-8.legacy.i386.rpm
> 3442b014c181d2d1d791e8c743b4e627c87e35dc
> redhat/7.3/updates-testing/SRPMS/mod_ssl-2.8.12-8.legacy.src.rpm
> 
> rh9:
> 2e1f513ec64bc94dd087138282fb0e868a1a3abe
> redhat/9/updates-testing/i386/httpd-2.0.40-21.20.legacy.i386.rpm
> 8fbff503cd3bf5ce657dbd977b063437775750f7
> redhat/9/updates-testing/i386/httpd-devel-2.0.40-21.20.legacy.i386.rpm
> b0313b4f0203cd03c84facefb1eebdb4ed928c26
> redhat/9/updates-testing/i386/httpd-manual-2.0.40-21.20.legacy.i386.rpm
> 54b412d5bb90f1e649f838b41b1dd4c34ea93c90
> redhat/9/updates-testing/SRPMS/httpd-2.0.40-21.20.legacy.src.rpm
> cface2ec6aca89b8c4641055cabd14a7b37a4ebf
> redhat/9/updates-testing/i386/mod_ssl-2.0.40-21.20.legacy.i386.rpm
> 
> fc1:
> d5cbd7cfdd31b1a6222727f99366407eb06e53e7
> fedora/1/updates-testing/i386/httpd-2.0.51-1.9.legacy.i386.rpm
> 994e4b34b91ae60eb7f632dc50b39c1f5e89aca4
> fedora/1/updates-testing/i386/httpd-devel-2.0.51-1.9.legacy.i386.rpm
> b75c88ba3deda8aed4cb3d6e5d4ea55141554723
> fedora/1/updates-testing/i386/httpd-manual-2.0.51-1.9.legacy.i386.rpm
> 2bd06a4df99b703eea8f882d87b812713e5fa1c2
> fedora/1/updates-testing/SRPMS/httpd-2.0.51-1.9.legacy.src.rpm
> 465efbcc39ef52325928c2dc8093fc6447c33477
> fedora/1/updates-testing/i386/mod_ssl-2.0.51-1.9.legacy.i386.rpm
> 
> fc2:
> 0f4333e775c1b7b6f5af6e5cf092fa69606766c4
> fedora/2/updates-testing/i386/httpd-2.0.51-2.9.4.legacy.i386.rpm
> 59a54683c490ecfcea66fe0134c9ed6130905602
> fedora/2/updates-testing/i386/httpd-devel-2.0.51-2.9.4.legacy.i386.rpm
> 9a4e89cc67e268424b9eaa4c2183332e8f6f0d0e
> fedora/2/updates-testing/i386/httpd-manual-2.0.51-2.9.4.legacy.i386.rpm
> db6c3e2bb4470e592cb74bf3e986ae426010dfaf
> fedora/2/updates-testing/SRPMS/httpd-2.0.51-2.9.4.legacy.src.rpm
> a102640b8af24ddaa57ebfbb0e1e78a8a17adbc1
> fedora/2/updates-testing/i386/mod_ssl-2.0.51-2.9.4.legacy.i386.rpm
> 
> ---------------------------------------------------------------------
> 
> Please test and comment in bugzilla.
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-legacy-list
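The advisory describes CAN-2005-2700 purely as a configuration shape, so the natural practitioner check is a configuration audit. The script below is an added example and is not part of the advisory, the Fedora Legacy packages or mod_ssl itself. It walks httpd.conf-style text and reports every <VirtualHost> that sets "SSLVerifyClient optional" at vhost level while a <Location> block inside it sets "SSLVerifyClient require", which is exactly the pattern the advisory says unpatched mod_ssl mishandles. Assumptions: LocationMatch is treated like Location (the advisory only names "a specific location"); both the directive keyword "require" and the advisory's spelling "required" are accepted; .htaccess files and directives nested in other containers such as <IfModule> are ignored; the two sample configurations are constructed for the demonstration and are not taken from any real host.

```python
"""Flag the SSLVerifyClient configuration shape named in CAN-2005-2700.

Added example: a vhost-level 'SSLVerifyClient optional' combined with
'SSLVerifyClient require' inside a <Location> block is the pattern the
advisory says an unpatched mod_ssl mishandles.  Only httpd.conf-style
text is parsed; .htaccess files are not considered.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Containers in which the per-URL "require" override lives.  The advisory
# names a "specific location"; LocationMatch is included as an assumption
# because it creates the same kind of per-URL context.
LOCATION_CONTAINERS = {"location", "locationmatch"}

SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)\s*>$")


@dataclass
class VHost:
    args: str
    verify: Optional[str] = None  # SSLVerifyClient set directly in the vhost
    required_in: List[str] = field(default_factory=list)  # <Location> args setting "require"


def normalise_verify(value: str) -> str:
    """Map the argument to none/optional/optional_no_ca/require.

    The directive keyword is 'require'; the advisory text writes 'required',
    so both spellings are accepted here.
    """
    v = value.strip().strip('"').lower()
    return "require" if v in ("require", "required") else v


def audit_ssl_verify_client(config_text: str) -> List[Dict[str, object]]:
    """Return one finding per <VirtualHost> showing the optional/require mix."""
    findings: List[Dict[str, object]] = []
    stack: List[Tuple[str, str]] = []  # open containers as (lowercased name, args)
    vhost: Optional[VHost] = None

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        m = SECTION_CLOSE.match(line)
        if m:
            name = m.group(1).lower()
            if stack and stack[-1][0] == name:
                stack.pop()
            if name == "virtualhost" and vhost is not None:
                if vhost.verify == "optional" and vhost.required_in:
                    findings.append({"vhost": vhost.args, "locations": list(vhost.required_in)})
                vhost = None
            continue

        m = SECTION_OPEN.match(line)
        if m:
            name, args = m.group(1).lower(), m.group(2).strip()
            stack.append((name, args))
            if name == "virtualhost":
                vhost = VHost(args)
            continue

        parts = line.split(None, 1)
        if vhost is None or len(parts) != 2 or parts[0].lower() != "sslverifyclient":
            continue  # global-scope directives and everything else are ignored
        value = normalise_verify(parts[1])
        container_name, container_args = stack[-1]
        if container_name == "virtualhost":
            vhost.verify = value
        elif container_name in LOCATION_CONTAINERS and value == "require":
            vhost.required_in.append(container_args)
        # Directives nested in other containers (e.g. <IfModule>) are not tracked.

    return findings


VULNERABLE_CONFIG = """\
# Constructed sample: the shape the advisory describes.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLVerifyClient optional
    SSLVerifyDepth 2
    <Location /secure>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

HARDENED_CONFIG = """\
# Constructed sample: certificate required for the whole vhost, so there is
# no optional/require mix for the bug to act on.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
    <Location /secure>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ssl_verify_client(cfg))
```

A flagged vhost is one where installing the updated packages is urgent, not proof that a particular resource is reachable without a certificate. The hardened sample follows from the advisory's wording (servers not "configured in this fashion" are not described as affected) and simply requires the certificate for the whole vhost; that is a stopgap for hosts that cannot update immediately, not a replacement for the errata packages.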
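The advisory publishes each package as a SHA-1 on one line and the repository-relative path on the next, so the test step it asks for starts with confirming what was downloaded. The following is an added example, not a Fedora Legacy tool: it parses that two-line layout (tolerating the "> " quoting of a mail reply), hashes files under a local download root and reports OK, MISMATCH or MISSING per path. The rh9 block is copied verbatim from the advisory above; the file contents written in demo() are constructed stand-ins, and the path "constructed-example.bin" is hypothetical and exists only to exercise the OK branch offline.

```python
"""Check downloaded Fedora Legacy packages against the advisory's sha1sums.

Added example.  The advisory lists each package as a 40-hex-digit SHA-1 on
one line followed by the repository-relative path on the next; this parses
that layout (tolerating the '> ' quoting of a mail reply) and compares it
with files under a local download root.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")

# The rh9 block of the advisory, copied with its mail quoting intact.
ADVISORY_RH9 = """\
> rh9:
> 2e1f513ec64bc94dd087138282fb0e868a1a3abe
> redhat/9/updates-testing/i386/httpd-2.0.40-21.20.legacy.i386.rpm
> 8fbff503cd3bf5ce657dbd977b063437775750f7
> redhat/9/updates-testing/i386/httpd-devel-2.0.40-21.20.legacy.i386.rpm
> b0313b4f0203cd03c84facefb1eebdb4ed928c26
> redhat/9/updates-testing/i386/httpd-manual-2.0.40-21.20.legacy.i386.rpm
> 54b412d5bb90f1e649f838b41b1dd4c34ea93c90
> redhat/9/updates-testing/SRPMS/httpd-2.0.40-21.20.legacy.src.rpm
> cface2ec6aca89b8c4641055cabd14a7b37a4ebf
> redhat/9/updates-testing/i386/mod_ssl-2.0.40-21.20.legacy.i386.rpm
"""

HTTPD_RPM = "redhat/9/updates-testing/i386/httpd-2.0.40-21.20.legacy.i386.rpm"
# Hypothetical path used only to show the OK branch; it is not a real package.
GOOD_FILE = "redhat/9/updates-testing/i386/constructed-example.bin"


def parse_sha1_list(text: str) -> Dict[str, str]:
    """Return {relative_path: sha1} from the advisory's alternating hash/path lines."""
    expected: Dict[str, str] = {}
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # drop reply quoting and indentation
        if not line:
            continue
        if SHA1_HEX.match(line):
            pending = line
        elif pending is not None:
            expected[line] = pending
            pending = None
        # Section labels such as "rh9:" arrive with no pending hash and are skipped.
    return expected


def sha1_of_file(path: Path) -> str:
    """Stream the file through SHA-1 so large RPMs are not read into memory at once."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(root: str, expected: Dict[str, str]) -> Dict[str, str]:
    """Return {relative_path: 'OK' | 'MISMATCH' | 'MISSING'} for every listed package."""
    results: Dict[str, str] = {}
    for rel, digest in expected.items():
        p = Path(root, rel)
        if not p.is_file():
            results[rel] = "MISSING"
        elif sha1_of_file(p) == digest:
            results[rel] = "OK"
        else:
            results[rel] = "MISMATCH"
    return results


def demo() -> Dict[str, str]:
    """Offline walk-through on a temporary tree.

    A constructed file sits where the httpd RPM would be, so its digest cannot
    match the advisory (MISMATCH); a second constructed file is hashed and
    added to the expected list to show the OK path; the remaining advisory
    entries are never downloaded (MISSING).
    """
    expected = parse_sha1_list(ADVISORY_RH9)
    with tempfile.TemporaryDirectory() as root:
        fake_rpm = Path(root, HTTPD_RPM)
        fake_rpm.parent.mkdir(parents=True)
        fake_rpm.write_bytes(b"constructed stand-in, not the real package\n")
        good = Path(root, GOOD_FILE)
        good.write_bytes(b"constructed sample content\n")
        expected[GOOD_FILE] = sha1_of_file(good)
        return verify_downloads(root, expected)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:8} {rel}")
```

Run it against the directory you mirrored from the download URL the advisory gives; a MISMATCH on a real package means the file is not the one the maintainers hashed and should not be installed. The advisory published SHA-1 only, which was normal in 2005; on a current system you would also check the package signature with rpm --checksig before installing.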