Date: 26 March 2010
References: ASB-2010.0070 ASB-2010.0073 ASB-2010.0087 ESB-2010.0692 ESB-2010.0871.2
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.0277
Moderate: httpd security and enhancement update
26 March 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: httpd
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Denial of Service -- Remote/Unauthenticated
Read-only Data Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2010-0434 CVE-2010-0408
Reference: ASB-2010.0087
ASB-2010.0073
ASB-2010.0070
Original Bulletin:
https://rhn.redhat.com/errata/RHSA-2010-0168.html
https://rhn.redhat.com/errata/RHSA-2010-0175.html
Comment: This bulletin contains two (2) Red Hat Security Advisories relating
to httpd for Red Hat Enterprise Linux 4 and 5.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: httpd security and enhancement update
Advisory ID: RHSA-2010:0168-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0168.html
Issue date: 2010-03-25
CVE Names: CVE-2010-0408 CVE-2010-0434
=====================================================================
1. Summary:
Updated httpd packages that fix two security issues and add an enhancement
are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
3. Description:
The Apache HTTP Server is a popular web server.
It was discovered that mod_proxy_ajp incorrectly returned an "Internal
Server Error" response when processing certain malformed requests, which
caused the back-end server to be marked as failed in configurations where
mod_proxy is used in load balancer mode. A remote attacker could cause
mod_proxy to not send requests to back-end AJP (Apache JServ Protocol)
servers for the retry timeout period (60 seconds by default) by sending
specially-crafted requests. (CVE-2010-0408)
A use-after-free flaw was discovered in the way the Apache HTTP Server
handled request headers in subrequests. In configurations where subrequests
are used, a multithreaded MPM (Multi-Processing Module) could possibly leak
information from other requests in request replies. (CVE-2010-0434)
This update also adds the following enhancement:
* with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl
will refuse to renegotiate a TLS/SSL connection with an unpatched client
that does not support RFC 5746. This update adds the
"SSLInsecureRenegotiation" configuration directive. If this directive is
enabled, mod_ssl will renegotiate insecurely with unpatched clients.
(BZ#567980)
Refer to the following Red Hat Knowledgebase article for more details about
the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491
All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues and add this enhancement. After
installing the updated packages, the httpd daemon must be restarted for the
update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
567980 - [RFE] mod_ssl: Add SSLInsecureRenegotiation directive [rhel-5]
569905 - CVE-2010-0408 httpd: mod_proxy_ajp remote temporary DoS
570171 - CVE-2010-0434 httpd: request header information leak
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-31.el5_4.4.src.rpm
i386:
httpd-2.2.3-31.el5_4.4.i386.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.i386.rpm
mod_ssl-2.2.3-31.el5_4.4.i386.rpm
x86_64:
httpd-2.2.3-31.el5_4.4.x86_64.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.x86_64.rpm
mod_ssl-2.2.3-31.el5_4.4.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-31.el5_4.4.src.rpm
i386:
httpd-debuginfo-2.2.3-31.el5_4.4.i386.rpm
httpd-devel-2.2.3-31.el5_4.4.i386.rpm
httpd-manual-2.2.3-31.el5_4.4.i386.rpm
x86_64:
httpd-debuginfo-2.2.3-31.el5_4.4.i386.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.x86_64.rpm
httpd-devel-2.2.3-31.el5_4.4.i386.rpm
httpd-devel-2.2.3-31.el5_4.4.x86_64.rpm
httpd-manual-2.2.3-31.el5_4.4.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/httpd-2.2.3-31.el5_4.4.src.rpm
i386:
httpd-2.2.3-31.el5_4.4.i386.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.i386.rpm
httpd-devel-2.2.3-31.el5_4.4.i386.rpm
httpd-manual-2.2.3-31.el5_4.4.i386.rpm
mod_ssl-2.2.3-31.el5_4.4.i386.rpm
ia64:
httpd-2.2.3-31.el5_4.4.ia64.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.ia64.rpm
httpd-devel-2.2.3-31.el5_4.4.ia64.rpm
httpd-manual-2.2.3-31.el5_4.4.ia64.rpm
mod_ssl-2.2.3-31.el5_4.4.ia64.rpm
ppc:
httpd-2.2.3-31.el5_4.4.ppc.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.ppc.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.ppc64.rpm
httpd-devel-2.2.3-31.el5_4.4.ppc.rpm
httpd-devel-2.2.3-31.el5_4.4.ppc64.rpm
httpd-manual-2.2.3-31.el5_4.4.ppc.rpm
mod_ssl-2.2.3-31.el5_4.4.ppc.rpm
s390x:
httpd-2.2.3-31.el5_4.4.s390x.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.s390.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.s390x.rpm
httpd-devel-2.2.3-31.el5_4.4.s390.rpm
httpd-devel-2.2.3-31.el5_4.4.s390x.rpm
httpd-manual-2.2.3-31.el5_4.4.s390x.rpm
mod_ssl-2.2.3-31.el5_4.4.s390x.rpm
x86_64:
httpd-2.2.3-31.el5_4.4.x86_64.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.i386.rpm
httpd-debuginfo-2.2.3-31.el5_4.4.x86_64.rpm
httpd-devel-2.2.3-31.el5_4.4.i386.rpm
httpd-devel-2.2.3-31.el5_4.4.x86_64.rpm
httpd-manual-2.2.3-31.el5_4.4.x86_64.rpm
mod_ssl-2.2.3-31.el5_4.4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2010-0408.html
https://www.redhat.com/security/data/cve/CVE-2010-0434.html
http://www.redhat.com/security/updates/classification/#moderate
http://kbase.redhat.com/faq/docs/DOC-20491
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2010 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFLq0O9XlSAg2UNWIIRArtjAJ9xSUFspvZd3sA9pHvQ9r5CfNfzmwCfQB3B
T3PiK20o3d0V6m26ZqVSHiM=
=p6kl
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Low: httpd security, bug fix, and enhancement update
Advisory ID: RHSA-2010:0175-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2010-0175.html
Issue date: 2010-03-25
CVE Names: CVE-2010-0434
=====================================================================
1. Summary:
Updated httpd packages that fix one security issue, a bug, and add an
enhancement are now available for Red Hat Enterprise Linux 4.
The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Description:
The Apache HTTP Server is a popular web server.
A use-after-free flaw was discovered in the way the Apache HTTP Server
handled request headers in subrequests. In configurations where subrequests
are used, a multithreaded MPM (Multi-Processing Module) could possibly leak
information from other requests in request replies. (CVE-2010-0434)
This update also fixes the following bug:
* a bug was found in the mod_dav module. If a PUT request for an existing
file failed, that file would be unexpectedly deleted and a "Could not get
next bucket brigade" error logged. With this update, failed PUT requests no
longer cause mod_dav to delete files, which resolves this issue.
(BZ#572932)
As well, this update adds the following enhancement:
* with the updated openssl packages from RHSA-2010:0163 installed, mod_ssl
will refuse to renegotiate a TLS/SSL connection with an unpatched client
that does not support RFC 5746. This update adds the
"SSLInsecureRenegotiation" configuration directive. If this directive is
enabled, mod_ssl will renegotiate insecurely with unpatched clients.
(BZ#575805)
Refer to the following Red Hat Knowledgebase article for more details about
the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491
All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues and add this enhancement. After
installing the updated packages, the httpd daemon must be restarted for the
update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
570171 - CVE-2010-0434 httpd: request header information leak
572932 - "could not get next bucket brigade" while a client is doing a PUT results in data loss
575805 - mod_ssl: Add SSLInsecureRenegotiation directive [rhel-4]
6. Package List:
Red Hat Enterprise Linux AS version 4:
Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/httpd-2.0.52-41.ent.7.src.rpm
i386:
httpd-2.0.52-41.ent.7.i386.rpm
httpd-debuginfo-2.0.52-41.ent.7.i386.rpm
httpd-devel-2.0.52-41.ent.7.i386.rpm
httpd-manual-2.0.52-41.ent.7.i386.rpm
httpd-suexec-2.0.52-41.ent.7.i386.rpm
mod_ssl-2.0.52-41.ent.7.i386.rpm
ia64:
httpd-2.0.52-41.ent.7.ia64.rpm
httpd-debuginfo-2.0.52-41.ent.7.ia64.rpm
httpd-devel-2.0.52-41.ent.7.ia64.rpm
httpd-manual-2.0.52-41.ent.7.ia64.rpm
httpd-suexec-2.0.52-41.ent.7.ia64.rpm
mod_ssl-2.0.52-41.ent.7.ia64.rpm
ppc:
httpd-2.0.52-41.ent.7.ppc.rpm
httpd-debuginfo-2.0.52-41.ent.7.ppc.rpm
httpd-devel-2.0.52-41.ent.7.ppc.rpm
httpd-manual-2.0.52-41.ent.7.ppc.rpm
httpd-suexec-2.0.52-41.ent.7.ppc.rpm
mod_ssl-2.0.52-41.ent.7.ppc.rpm
s390:
httpd-2.0.52-41.ent.7.s390.rpm
httpd-debuginfo-2.0.52-41.ent.7.s390.rpm
httpd-devel-2.0.52-41.ent.7.s390.rpm
httpd-manual-2.0.52-41.ent.7.s390.rpm
httpd-suexec-2.0.52-41.ent.7.s390.rpm
mod_ssl-2.0.52-41.ent.7.s390.rpm
s390x:
httpd-2.0.52-41.ent.7.s390x.rpm
httpd-debuginfo-2.0.52-41.ent.7.s390x.rpm
httpd-devel-2.0.52-41.ent.7.s390x.rpm
httpd-manual-2.0.52-41.ent.7.s390x.rpm
httpd-suexec-2.0.52-41.ent.7.s390x.rpm
mod_ssl-2.0.52-41.ent.7.s390x.rpm
x86_64:
httpd-2.0.52-41.ent.7.x86_64.rpm
httpd-debuginfo-2.0.52-41.ent.7.x86_64.rpm
httpd-devel-2.0.52-41.ent.7.x86_64.rpm
httpd-manual-2.0.52-41.ent.7.x86_64.rpm
httpd-suexec-2.0.52-41.ent.7.x86_64.rpm
mod_ssl-2.0.52-41.ent.7.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/httpd-2.0.52-41.ent.7.src.rpm
i386:
httpd-2.0.52-41.ent.7.i386.rpm
httpd-debuginfo-2.0.52-41.ent.7.i386.rpm
httpd-devel-2.0.52-41.ent.7.i386.rpm
httpd-manual-2.0.52-41.ent.7.i386.rpm
httpd-suexec-2.0.52-41.ent.7.i386.rpm
mod_ssl-2.0.52-41.ent.7.i386.rpm
x86_64:
httpd-2.0.52-41.ent.7.x86_64.rpm
httpd-debuginfo-2.0.52-41.ent.7.x86_64.rpm
httpd-devel-2.0.52-41.ent.7.x86_64.rpm
httpd-manual-2.0.52-41.ent.7.x86_64.rpm
httpd-suexec-2.0.52-41.ent.7.x86_64.rpm
mod_ssl-2.0.52-41.ent.7.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/httpd-2.0.52-41.ent.7.src.rpm
i386:
httpd-2.0.52-41.ent.7.i386.rpm
httpd-debuginfo-2.0.52-41.ent.7.i386.rpm
httpd-devel-2.0.52-41.ent.7.i386.rpm
httpd-manual-2.0.52-41.ent.7.i386.rpm
httpd-suexec-2.0.52-41.ent.7.i386.rpm
mod_ssl-2.0.52-41.ent.7.i386.rpm
ia64:
httpd-2.0.52-41.ent.7.ia64.rpm
httpd-debuginfo-2.0.52-41.ent.7.ia64.rpm
httpd-devel-2.0.52-41.ent.7.ia64.rpm
httpd-manual-2.0.52-41.ent.7.ia64.rpm
httpd-suexec-2.0.52-41.ent.7.ia64.rpm
mod_ssl-2.0.52-41.ent.7.ia64.rpm
x86_64:
httpd-2.0.52-41.ent.7.x86_64.rpm
httpd-debuginfo-2.0.52-41.ent.7.x86_64.rpm
httpd-devel-2.0.52-41.ent.7.x86_64.rpm
httpd-manual-2.0.52-41.ent.7.x86_64.rpm
httpd-suexec-2.0.52-41.ent.7.x86_64.rpm
mod_ssl-2.0.52-41.ent.7.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/httpd-2.0.52-41.ent.7.src.rpm
i386:
httpd-2.0.52-41.ent.7.i386.rpm
httpd-debuginfo-2.0.52-41.ent.7.i386.rpm
httpd-devel-2.0.52-41.ent.7.i386.rpm
httpd-manual-2.0.52-41.ent.7.i386.rpm
httpd-suexec-2.0.52-41.ent.7.i386.rpm
mod_ssl-2.0.52-41.ent.7.i386.rpm
ia64:
httpd-2.0.52-41.ent.7.ia64.rpm
httpd-debuginfo-2.0.52-41.ent.7.ia64.rpm
httpd-devel-2.0.52-41.ent.7.ia64.rpm
httpd-manual-2.0.52-41.ent.7.ia64.rpm
httpd-suexec-2.0.52-41.ent.7.ia64.rpm
mod_ssl-2.0.52-41.ent.7.ia64.rpm
x86_64:
httpd-2.0.52-41.ent.7.x86_64.rpm
httpd-debuginfo-2.0.52-41.ent.7.x86_64.rpm
httpd-devel-2.0.52-41.ent.7.x86_64.rpm
httpd-manual-2.0.52-41.ent.7.x86_64.rpm
httpd-suexec-2.0.52-41.ent.7.x86_64.rpm
mod_ssl-2.0.52-41.ent.7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2010-0434.html
http://www.redhat.com/security/updates/classification/#low
http://kbase.redhat.com/faq/docs/DOC-20491
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2010 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFLq4dLXlSAg2UNWIIRAh0RAJ9NmKVsRI0K4yn+2572bhneJpN3rwCaAtto
0JZcH3quVhxOA4XqTIVEQQU=
=1JNH
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFLq+02/iFOrG6YcBERAr2/AJsH7NhAyzJZ1tcnKOYXXPp+Yc8XRQCdHd6i
rQ9fmq8g4f6QPwfPzNiKz/4=
=JTFj
-----END PGP SIGNATURE-----
|