From bugzilla at redhat.com Wed Nov 2 09:27:17 2005
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 2 Nov 2005 04:27:17 -0500
Subject: [RHSA-2005:816-00] Important: apache, mod_ssl, php update for Stronghold
Message-ID: <200511020927.jA29RHs9013641@porkchop.devel.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: apache, mod_ssl, php update for Stronghold
Advisory ID:       RHSA-2005:816-00
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-816.html
Issue date:        2005-11-02
Updated on:        2005-11-02
Product:           Stronghold 4.0 for Red Hat Enterprise Linux
CVE Names:         CVE-2003-0542 CVE-2003-0987 CVE-2004-0488
                   CVE-2004-0594 CVE-2004-0595 CVE-2004-0885
                   CVE-2004-0940 CVE-2004-1018 CVE-2004-1019
                   CVE-2005-2700
- ---------------------------------------------------------------------

1. Summary:

Updated versions of the Apache HTTP server, PHP, and mod_ssl are now available for Stronghold 4.0 for Enterprise Linux.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Stronghold 4.0 for Red Hat Enterprise Linux AS (version 2.1) - i386

3. Problem description:

Several security issues have been found in various packages in Stronghold 4.0:

A flaw in the strip_tags function in PHP, commonly used by PHP scripts to prevent cross-site scripting attacks by removing HTML tags from user-supplied form data. HTML tags can, in some cases, be passed intact through the strip_tags function, which may allow a cross-site scripting attack. (CVE-2004-0595)

A flaw if the memory_limit configuration setting is enabled in PHP. If a remote attacker could force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins, then the attacker may be able to supply the contents of a PHP hash table remotely. This hash table could then be used to execute arbitrary code in the context of the server. (CVE-2004-0594)

Various flaws, including possible information disclosure, double free, and negative reference index array underflow in the deserialization code of PHP. PHP applications may use the unserialize function on untrusted user data, which could allow a remote attacker to gain access to memory or potentially execute arbitrary code. (CVE-2004-1019)

Flaws in shmop_write, pack, and unpack PHP functions. These functions are not normally passed user-supplied data, so would require a malicious PHP script to be exploited. (CVE-2004-1018)

A stack buffer overflow in mod_ssl. If FakeBasicAuth had been enabled, a carefully crafted client certificate sent to mod_ssl can cause a stack overflow. In order to exploit this issue, the malicious certificate would have to be signed by a Certificate Authority which mod_ssl is configured to trust. (CVE-2004-0488)

The mod_ssl module, when using the "SSLCipherSuite" directive in directory or location context, allowed remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration. (CVE-2004-0885)

A flaw in mod_ssl triggered if a virtual host was configured using "SSLVerifyClient optional" and a directive "SSLVerifyClient required" is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected. (CVE-2005-2700)

A flaw in the handling of regular expressions from configuration files in the Apache HTTP Server could lead to a buffer overflow. To exploit this issue, an attacker would need to have the ability to write to Apache configuration files such as .htaccess or httpd.conf. (CVE-2003-0542)

mod_digest did not properly verify the nonce of a client response by using an AuthNonce secret. This could allow a malicious user who is able to sniff network traffic to conduct a replay attack against a website using Digest protection. Note that mod_digest implements an older version of the MD5 Digest Authentication specification which is known not to work with modern browsers. This issue does not affect mod_auth_digest. (CVE-2003-0987)

A buffer overflow in the get_tag function in mod_include allowed local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error. (CVE-2004-0940)

Users of Stronghold are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

171694 - CVE-2003-0542 multiple flaws in Apache (CVE-2003-0542, CVE-2003-0987, CVE-2004-0940)
171695 - CVE-2004-0595 PHP flaws (CVE-2004-0594 CVE-2004-1018 CVE-2004-1019)
171696 - CVE-2004-0488 mod_ssl flaws (CVE-2004-0885 CVE-2005-2700)

6. RPMs required:

Stronghold 4.0 for Red Hat Enterprise Linux AS (version 2.1):

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/stronghold-apache-1.3.22-25.src.rpm
049c475bd0b56ee035ac2bddf0969012  stronghold-apache-1.3.22-25.src.rpm
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/stronghold-mod_ssl-2.8.7-9.src.rpm
636c0ab5f8223ecebfed31a8584e72fd  stronghold-mod_ssl-2.8.7-9.src.rpm
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/stronghold-php-4.1.2-7.src.rpm
0c10caf1d418bbe5592deaa141b73ce1  stronghold-php-4.1.2-7.src.rpm

i386:
1187ef428a5b37098221bb513799124a  stronghold-apache-1.3.22-25.i386.rpm
8f5ec71681a13733ab62bdfb6370aba3  stronghold-apache-devel-1.3.22-25.i386.rpm
8c31c5a669fdcded626528dca434c060  stronghold-apache-manual-1.3.22-25.i386.rpm
ae2bdc1b65627517fb03f43324916953  stronghold-mod_ssl-2.8.7-9.i386.rpm
ab7ba645fbf0707c499f104dfb78d5fe  stronghold-php-4.1.2-7.i386.rpm
db92030b3686e49fe8f48f60d3f355e2  stronghold-php-devel-4.1.2-7.i386.rpm
7754d68472de62bf627dee6d12fb37f5  stronghold-php-imap-4.1.2-7.i386.rpm
a8c61ddb232201f177d6bbb1c2a6724e  stronghold-php-ldap-4.1.2-7.i386.rpm
1ca0abc9dda0dd09acf7d78ef12c6d51  stronghold-php-manual-4.1.2-7.i386.rpm
bd1e2d3fe7c632daae55eb6d1bb7af4e  stronghold-php-mysql-4.1.2-7.i386.rpm
7a9583334c7704c2d1b4bf98e53e9906  stronghold-php-odbc-4.1.2-7.i386.rpm
cb714a12f38ca1625acfccceaeaffb74  stronghold-php-pgsql-4.1.2-7.i386.rpm
abe38bfae15d2d747a90f774ab2bdc7e  stronghold-php-snmp-4.1.2-7.i386.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1019
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2700

8. Contact:

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFDaIZpXlSAg2UNWIIRAsBIAJ9bnZjeEQr/zKhqBbD7w7jAeq5uVwCfddZK
OCRWYftiRVDqpM6mwd7ph5g=
=zBHZ
-----END PGP SIGNATURE-----
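
Three of the mod_ssl issues above apply only to particular configurations (FakeBasicAuth enabled, a per-directory "SSLCipherSuite", and "SSLVerifyClient optional" on a virtual host with a stricter per-location setting). The following is an added example, not part of the advisory or of Red Hat's tooling: a small Python audit that flags those patterns in an Apache configuration so that affected hosts can be prioritised for the update. The sample configuration is constructed, and the function name `audit` is an assumption of this example; `require` is the directive keyword mod_ssl uses for the setting the advisory calls "required".

```python
import re

# Constructed sample (not from the advisory) showing all three conditions.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT
SSLVerifyClient optional
SSLOptions +FakeBasicAuth
<Location /admin>
SSLVerifyClient require
SSLCipherSuite HIGH
</Location>
</VirtualHost>
"""

# Container sections that put a directive in directory or location context.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch", "files"}

def audit(conf_text):
    """Return (line_no, cve, reason) for each directive matching the advisory."""
    findings, stack, vhost_optional = [], [], False
    for num, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.match(r"<(/?)\s*(\w+)", line)
        if section:
            closing, name = section.group(1), section.group(2).lower()
            if closing and stack:
                stack.pop()
            elif not closing:
                stack.append(name)
            if name == "virtualhost":
                vhost_optional = False  # simplification: inheritance is not modelled
            continue
        words = line.lower().split()
        name, args = words[0], words[1:]
        in_dir = any(s in PER_DIR for s in stack)
        if name == "ssloptions" and any(a.lstrip("+") == "fakebasicauth" for a in args):
            findings.append((num, "CVE-2004-0488", "FakeBasicAuth enabled"))
        elif name == "sslciphersuite" and in_dir:
            findings.append((num, "CVE-2004-0885", "per-directory SSLCipherSuite"))
        elif name == "sslverifyclient" and args:
            if not in_dir:
                vhost_optional = args[0] == "optional"
            elif vhost_optional and args[0] == "require":
                findings.append((num, "CVE-2005-2700", "optional host, required location"))
    return findings
```

A finding means the host's configuration meets the precondition the advisory describes for that CVE, not that the configuration itself is wrong; the fix remains installing the updated packages.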