From: bugzilla at redhat.com
Date: Fri, 23 Jul 2004 05:29 -0400
Subject: [RHSA-2004:405-02] Stronghold 4: New release fixes Apache, mod_ssl, and PHP issues
Message-ID: <200407230929.i6N9TnF16170@lacrosse.corp.redhat.com>

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Stronghold 4: New release fixes Apache, mod_ssl, and PHP issues
Advisory ID:       RHSA-2004:405-02
Issue date:        2004-07-23
Updated on:        2004-07-23
Product:           Stronghold Cross Platform
Keywords:          Apache DoS PHP memory_limit mod_ssl
CVE Names:         CAN-2004-0174 CAN-2004-0488 CAN-2004-0594 CAN-2004-0595 CAN-2004-0700
---------------------------------------------------------------------

1. Summary:

Updated versions of cross-platform Stronghold that fix security issues in mod_ssl, PHP, and the Apache HTTP Server are now available.

2. Problem description:

Stronghold 4 contains a number of open source technologies, including PHP, mod_ssl and the Apache HTTP Server.

Stefan Esser discovered a flaw when the memory_limit configuration setting was enabled in PHP 4 versions prior to 4.3.8. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0594 to this issue. It may be possible to exploit this issue when using a non-default PHP configuration in which the "register_defaults" setting has been changed to "On". Red Hat does not believe that this flaw is exploitable in the default configuration of Stronghold 4.

Stefan Esser discovered a flaw in the strip_tags function in versions of PHP prior to 4.3.8. The strip_tags function is commonly used by PHP scripts to prevent cross-site scripting attacks by removing HTML tags from user-supplied form data. By embedding NUL bytes into form data, HTML tags can in some cases be passed intact through the strip_tags function, which may allow a cross-site scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to this issue.

A stack buffer overflow was discovered in mod_ssl which can be triggered if using the FakeBasicAuth option. If mod_ssl is sent a client certificate with a subject DN field longer than 6000 characters, a stack overflow can occur if FakeBasicAuth has been enabled. In order to exploit this issue, the carefully crafted malicious certificate would have to be signed by a Certificate Authority which mod_ssl is configured to trust. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0488 to this issue.

A format string issue was discovered in mod_ssl which can be triggered if mod_ssl is configured to allow a client to proxy to remote SSL sites. If mod_ssl is forced to connect to a remote SSL server using a carefully crafted hostname, an attacker may be able to crash an Apache child process. This issue is not known to allow arbitrary execution of code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0700 to this issue.

A denial of service issue was discovered which affects versions of the Apache HTTP Server prior to 1.3.30. On some platforms, when Apache is configured with multiple listening sockets, a short-lived connection to one socket may temporarily block new connections to other sockets. This issue does not affect Stronghold if running on Linux, FreeBSD or HP-UX platforms. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0174 to this issue.

Users of Stronghold 4 cross-platform are advised to update to these errata versions, which contain backported security fixes and are not vulnerable to these issues.

3. Solution:

Updated Stronghold 4 packages are now available via the update agent service. Run the following command from the Stronghold 4 install root to upgrade an existing Stronghold 4 installation to the new package versions:

  $ bin/agent

The Stronghold 4.0i patch release which contains these updated packages is also available from the download site.

After upgrading Stronghold, the server must be completely restarted by running the following commands from the install root:

  $ bin/stop-server
  $ bin/start-server

For more information on how to upgrade between releases of Stronghold 4, refer to http://stronghold.redhat.com/support/upgrade-sh4

4. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

127703 - CAN-2004-0594 PHP memory_limit issue

5. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0700

6. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
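A defence-in-depth wrapper for the strip_tags issue (CAN-2004-0595) described above. This is an added example, not code from the advisory or from Stronghold: it removes NUL bytes from form input before strip_tags sees them (legitimate text fields never contain NUL), escapes the result for output, and flags interpreters older than the fixed 4.3.8 release so operators know the wrapper is only a stopgap until the errata packages are installed. The function name sanitize_form_field is an assumption.

```php
<?php
// Added example (not part of the advisory). Mitigation for the
// strip_tags NUL-byte issue in PHP < 4.3.8 (CAN-2004-0595).

// Returns true when the running interpreter still carries the flaw
// described in the advisory; the real fix is the updated packages.
function php_strip_tags_is_vulnerable() {
    return version_compare(PHP_VERSION, '4.3.8', '<');
}

// Returns a string safe to echo into an HTML body. Tags are removed
// only after every NUL byte has been dropped, so the byte cannot be
// used to smuggle a tag past strip_tags; the result is then entity
// escaped so any leftover '<', '>', '"' or "'" is rendered literally.
function sanitize_form_field($value) {
    // Form fields are strings; refuse anything else outright.
    if (!is_string($value)) {
        return '';
    }
    // Drop NUL bytes before strip_tags is applied (the point of this wrapper).
    $value = str_replace("\0", '', $value);
    // Remove HTML tags as the original scripts already did.
    $value = strip_tags($value);
    // Escape for output so a stray angle bracket is harmless.
    return htmlspecialchars($value, ENT_QUOTES);
}

// Usage on constructed sample input: a comment field containing a tag.
$sample = "hello <b>world</b>";
echo sanitize_form_field($sample), "\n";   // hello world
if (php_strip_tags_is_vulnerable()) {
    error_log('PHP ' . PHP_VERSION . ' is older than 4.3.8; apply the Stronghold errata');
}
?>
```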