-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2005.0589 -- RHSA-2005:582-01
                      Moderate: httpd security update
                               26 July 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Desktop 4
                   Red Hat Enterprise Linux AS/ES/WS 4
                   Red Hat Desktop 3
                   Red Hat Enterprise Linux AS/ES/WS 3
                   UNIX variants
                   Windows
Impact:            Execute Arbitrary Code/Commands
                   Inappropriate Access
                   Denial of Service
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-2088 CAN-2005-1268

Original Bulletin: https://rhn.redhat.com/errata/RHSA-2005-582.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd security update
Advisory ID:       RHSA-2005:582-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2005-582.html
Issue date:        2005-07-25
Updated on:        2005-07-25
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2005-1268 CAN-2005-2088
- - ---------------------------------------------------------------------

1. Summary:

Updated Apache httpd packages to correct two security issues are now
available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

The Apache HTTP Server is a powerful, full-featured, efficient, and
freely-available Web server.

Watchfire reported a flaw that occured when using the Apache server as an
HTTP proxy.  A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header.  This
caused Apache to incorrectly handle and forward the body of the request in
a way that the receiving server processes it as a separate HTTP request.
This could allow the bypass of Web application firewall protection or lead
to cross-site scripting (XSS) attacks.  The Common Vulnerabilities and
Exposures project (cve.mitre.org) assigned the name CAN-2005-2088 to this
issue.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL verification
callback.  In order to exploit this issue the Apache server would need to
be configured to use a malicious certificate revocation list (CRL).   The
Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the
name CAN-2005-1268 to this issue.

Users of Apache httpd should update to these errata packages that contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

161893 - Bug 145666 is missing a ',' after REDIRECT_REMOTE_USER
162244 - CAN-2005-2088 httpd proxy request smuggling
163013 - CAN-2005-1268 mod_ssl off-by-one


6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-46.2.ent.src.rpm
2485d59f9189bb5a5e9463867cb00937  httpd-2.0.46-46.2.ent.src.rpm

i386:
5915db1d48c7e002164887a49156f038  httpd-2.0.46-46.2.ent.i386.rpm
dcd3540ca04584c48b126d19b4d02f00  httpd-devel-2.0.46-46.2.ent.i386.rpm
16497b8e37ecefc801109a3aafe9e2cd  mod_ssl-2.0.46-46.2.ent.i386.rpm

ia64:
fe914bbf691939bfb2f87a002ec2e7a8  httpd-2.0.46-46.2.ent.ia64.rpm
e3f48f063d1eec644797347299ebd317  httpd-devel-2.0.46-46.2.ent.ia64.rpm
b8fc362a02f2d1a74ebd1e8573288831  mod_ssl-2.0.46-46.2.ent.ia64.rpm

ppc:
d74b60a2081276c375074735c200bf71  httpd-2.0.46-46.2.ent.ppc.rpm
debba18353c314f1156b379fff3e0ba3  httpd-devel-2.0.46-46.2.ent.ppc.rpm
d4055c6b92c696c90259753c195dd2f5  mod_ssl-2.0.46-46.2.ent.ppc.rpm

s390:
9c0c7fd62f33cb30e479d920b296ae52  httpd-2.0.46-46.2.ent.s390.rpm
772353077869e3daa4cd9a223626b87e  httpd-devel-2.0.46-46.2.ent.s390.rpm
4ad4d92181a4d3dec2a7a7f2a6c802fd  mod_ssl-2.0.46-46.2.ent.s390.rpm

s390x:
7acb2591480191fc2388050a1fcbbd6f  httpd-2.0.46-46.2.ent.s390x.rpm
759af088061f6de619f45d2a4186f391  httpd-devel-2.0.46-46.2.ent.s390x.rpm
0df3c03a9ddec5969f5e44a344f25797  mod_ssl-2.0.46-46.2.ent.s390x.rpm

x86_64:
ceff2faef7e7761e0c3af1afddd90089  httpd-2.0.46-46.2.ent.x86_64.rpm
36d38f054073c6ba6fe191661e5a3262  httpd-devel-2.0.46-46.2.ent.x86_64.rpm
3364d1be17046cf4b34e2d07eb480c0c  mod_ssl-2.0.46-46.2.ent.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/httpd-2.0.46-46.2.ent.src.rpm
2485d59f9189bb5a5e9463867cb00937  httpd-2.0.46-46.2.ent.src.rpm

i386:
5915db1d48c7e002164887a49156f038  httpd-2.0.46-46.2.ent.i386.rpm
dcd3540ca04584c48b126d19b4d02f00  httpd-devel-2.0.46-46.2.ent.i386.rpm
16497b8e37ecefc801109a3aafe9e2cd  mod_ssl-2.0.46-46.2.ent.i386.rpm

x86_64:
ceff2faef7e7761e0c3af1afddd90089  httpd-2.0.46-46.2.ent.x86_64.rpm
36d38f054073c6ba6fe191661e5a3262  httpd-devel-2.0.46-46.2.ent.x86_64.rpm
3364d1be17046cf4b34e2d07eb480c0c  mod_ssl-2.0.46-46.2.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-46.2.ent.src.rpm
2485d59f9189bb5a5e9463867cb00937  httpd-2.0.46-46.2.ent.src.rpm

i386:
5915db1d48c7e002164887a49156f038  httpd-2.0.46-46.2.ent.i386.rpm
dcd3540ca04584c48b126d19b4d02f00  httpd-devel-2.0.46-46.2.ent.i386.rpm
16497b8e37ecefc801109a3aafe9e2cd  mod_ssl-2.0.46-46.2.ent.i386.rpm

ia64:
fe914bbf691939bfb2f87a002ec2e7a8  httpd-2.0.46-46.2.ent.ia64.rpm
e3f48f063d1eec644797347299ebd317  httpd-devel-2.0.46-46.2.ent.ia64.rpm
b8fc362a02f2d1a74ebd1e8573288831  mod_ssl-2.0.46-46.2.ent.ia64.rpm

x86_64:
ceff2faef7e7761e0c3af1afddd90089  httpd-2.0.46-46.2.ent.x86_64.rpm
36d38f054073c6ba6fe191661e5a3262  httpd-devel-2.0.46-46.2.ent.x86_64.rpm
3364d1be17046cf4b34e2d07eb480c0c  mod_ssl-2.0.46-46.2.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-46.2.ent.src.rpm
2485d59f9189bb5a5e9463867cb00937  httpd-2.0.46-46.2.ent.src.rpm

i386:
5915db1d48c7e002164887a49156f038  httpd-2.0.46-46.2.ent.i386.rpm
dcd3540ca04584c48b126d19b4d02f00  httpd-devel-2.0.46-46.2.ent.i386.rpm
16497b8e37ecefc801109a3aafe9e2cd  mod_ssl-2.0.46-46.2.ent.i386.rpm

ia64:
fe914bbf691939bfb2f87a002ec2e7a8  httpd-2.0.46-46.2.ent.ia64.rpm
e3f48f063d1eec644797347299ebd317  httpd-devel-2.0.46-46.2.ent.ia64.rpm
b8fc362a02f2d1a74ebd1e8573288831  mod_ssl-2.0.46-46.2.ent.ia64.rpm

x86_64:
ceff2faef7e7761e0c3af1afddd90089  httpd-2.0.46-46.2.ent.x86_64.rpm
36d38f054073c6ba6fe191661e5a3262  httpd-devel-2.0.46-46.2.ent.x86_64.rpm
3364d1be17046cf4b34e2d07eb480c0c  mod_ssl-2.0.46-46.2.ent.x86_64.rpm

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/httpd-2.0.52-12.1.ent.src.rpm
4bf86a415d443e3f9e82a8655f70491d  httpd-2.0.52-12.1.ent.src.rpm

i386:
f0ff91d7729f04fcb6b772f87b01c179  httpd-2.0.52-12.1.ent.i386.rpm
5bfd6d2f6c3b1da7dd0e49ff845ec22c  httpd-devel-2.0.52-12.1.ent.i386.rpm
5cd0e2f836bca3d18cd85d580b1df21d  httpd-manual-2.0.52-12.1.ent.i386.rpm
5eeef4820af8a522e0cd8c38dd50705c  httpd-suexec-2.0.52-12.1.ent.i386.rpm
8c88eec014875998f0d61ed71005d764  mod_ssl-2.0.52-12.1.ent.i386.rpm

ia64:
d461e0a6b0b00511f55f2407e466ce46  httpd-2.0.52-12.1.ent.ia64.rpm
97d80a559ec7287d2d5f5f2d2c6ad358  httpd-devel-2.0.52-12.1.ent.ia64.rpm
718fd0a64412ade9e587ecb2efec2f8d  httpd-manual-2.0.52-12.1.ent.ia64.rpm
ca9b95e1307733fb7405ee2637d258b3  httpd-suexec-2.0.52-12.1.ent.ia64.rpm
10d218820e3916ea405c487f00b2adef  mod_ssl-2.0.52-12.1.ent.ia64.rpm

ppc:
1a5a5c16643d4dde9cbb7b91da6ee148  httpd-2.0.52-12.1.ent.ppc.rpm
d7394c176ccf80e7e5b5349d7ea56849  httpd-devel-2.0.52-12.1.ent.ppc.rpm
021f850d3602a95333c4bd09a5157f3a  httpd-manual-2.0.52-12.1.ent.ppc.rpm
86bc7a492b98346c43e9896c2ba69e42  httpd-suexec-2.0.52-12.1.ent.ppc.rpm
9d8b653242aa26be29c935821d69a3d7  mod_ssl-2.0.52-12.1.ent.ppc.rpm

s390:
49b18d9f25642358fc51b9ee899ce821  httpd-2.0.52-12.1.ent.s390.rpm
134b801a276e12c3c18cf8c3224de76b  httpd-devel-2.0.52-12.1.ent.s390.rpm
b83871e54a55b528bfd721d09a3750c7  httpd-manual-2.0.52-12.1.ent.s390.rpm
787d97aa79b2e56baa3f0e32a4381ede  httpd-suexec-2.0.52-12.1.ent.s390.rpm
387c3be4fbe49a71c1b25692d195bb25  mod_ssl-2.0.52-12.1.ent.s390.rpm

s390x:
b332322b6ab797bba039212403240cb9  httpd-2.0.52-12.1.ent.s390x.rpm
67b79e022ea14b19e5c6a50862db2b36  httpd-devel-2.0.52-12.1.ent.s390x.rpm
b09d1feaa0370a17d629ab0e2499ff33  httpd-manual-2.0.52-12.1.ent.s390x.rpm
dad3f84731db6346251bcae31528b8fa  httpd-suexec-2.0.52-12.1.ent.s390x.rpm
a0c61974562e85e3b89957d478be6c42  mod_ssl-2.0.52-12.1.ent.s390x.rpm

x86_64:
8a92e250417a3dee66927f566c04becd  httpd-2.0.52-12.1.ent.x86_64.rpm
84ad072a58b1410ece325c35b3b4b07f  httpd-devel-2.0.52-12.1.ent.x86_64.rpm
d3ca7c4932a1004b5f009b4ddc9d8895  httpd-manual-2.0.52-12.1.ent.x86_64.rpm
bd5ac6d9149784138adbaf6172602998  httpd-suexec-2.0.52-12.1.ent.x86_64.rpm
7912fac9169ce5071198c3503566cbaf  mod_ssl-2.0.52-12.1.ent.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/httpd-2.0.52-12.1.ent.src.rpm
4bf86a415d443e3f9e82a8655f70491d  httpd-2.0.52-12.1.ent.src.rpm

i386:
f0ff91d7729f04fcb6b772f87b01c179  httpd-2.0.52-12.1.ent.i386.rpm
5bfd6d2f6c3b1da7dd0e49ff845ec22c  httpd-devel-2.0.52-12.1.ent.i386.rpm
5cd0e2f836bca3d18cd85d580b1df21d  httpd-manual-2.0.52-12.1.ent.i386.rpm
5eeef4820af8a522e0cd8c38dd50705c  httpd-suexec-2.0.52-12.1.ent.i386.rpm
8c88eec014875998f0d61ed71005d764  mod_ssl-2.0.52-12.1.ent.i386.rpm

x86_64:
8a92e250417a3dee66927f566c04becd  httpd-2.0.52-12.1.ent.x86_64.rpm
84ad072a58b1410ece325c35b3b4b07f  httpd-devel-2.0.52-12.1.ent.x86_64.rpm
d3ca7c4932a1004b5f009b4ddc9d8895  httpd-manual-2.0.52-12.1.ent.x86_64.rpm
bd5ac6d9149784138adbaf6172602998  httpd-suexec-2.0.52-12.1.ent.x86_64.rpm
7912fac9169ce5071198c3503566cbaf  mod_ssl-2.0.52-12.1.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/httpd-2.0.52-12.1.ent.src.rpm
4bf86a415d443e3f9e82a8655f70491d  httpd-2.0.52-12.1.ent.src.rpm

i386:
f0ff91d7729f04fcb6b772f87b01c179  httpd-2.0.52-12.1.ent.i386.rpm
5bfd6d2f6c3b1da7dd0e49ff845ec22c  httpd-devel-2.0.52-12.1.ent.i386.rpm
5cd0e2f836bca3d18cd85d580b1df21d  httpd-manual-2.0.52-12.1.ent.i386.rpm
5eeef4820af8a522e0cd8c38dd50705c  httpd-suexec-2.0.52-12.1.ent.i386.rpm
8c88eec014875998f0d61ed71005d764  mod_ssl-2.0.52-12.1.ent.i386.rpm

ia64:
d461e0a6b0b00511f55f2407e466ce46  httpd-2.0.52-12.1.ent.ia64.rpm
97d80a559ec7287d2d5f5f2d2c6ad358  httpd-devel-2.0.52-12.1.ent.ia64.rpm
718fd0a64412ade9e587ecb2efec2f8d  httpd-manual-2.0.52-12.1.ent.ia64.rpm
ca9b95e1307733fb7405ee2637d258b3  httpd-suexec-2.0.52-12.1.ent.ia64.rpm
10d218820e3916ea405c487f00b2adef  mod_ssl-2.0.52-12.1.ent.ia64.rpm

x86_64:
8a92e250417a3dee66927f566c04becd  httpd-2.0.52-12.1.ent.x86_64.rpm
84ad072a58b1410ece325c35b3b4b07f  httpd-devel-2.0.52-12.1.ent.x86_64.rpm
d3ca7c4932a1004b5f009b4ddc9d8895  httpd-manual-2.0.52-12.1.ent.x86_64.rpm
bd5ac6d9149784138adbaf6172602998  httpd-suexec-2.0.52-12.1.ent.x86_64.rpm
7912fac9169ce5071198c3503566cbaf  mod_ssl-2.0.52-12.1.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/httpd-2.0.52-12.1.ent.src.rpm
4bf86a415d443e3f9e82a8655f70491d  httpd-2.0.52-12.1.ent.src.rpm

i386:
f0ff91d7729f04fcb6b772f87b01c179  httpd-2.0.52-12.1.ent.i386.rpm
5bfd6d2f6c3b1da7dd0e49ff845ec22c  httpd-devel-2.0.52-12.1.ent.i386.rpm
5cd0e2f836bca3d18cd85d580b1df21d  httpd-manual-2.0.52-12.1.ent.i386.rpm
5eeef4820af8a522e0cd8c38dd50705c  httpd-suexec-2.0.52-12.1.ent.i386.rpm
8c88eec014875998f0d61ed71005d764  mod_ssl-2.0.52-12.1.ent.i386.rpm

ia64:
d461e0a6b0b00511f55f2407e466ce46  httpd-2.0.52-12.1.ent.ia64.rpm
97d80a559ec7287d2d5f5f2d2c6ad358  httpd-devel-2.0.52-12.1.ent.ia64.rpm
718fd0a64412ade9e587ecb2efec2f8d  httpd-manual-2.0.52-12.1.ent.ia64.rpm
ca9b95e1307733fb7405ee2637d258b3  httpd-suexec-2.0.52-12.1.ent.ia64.rpm
10d218820e3916ea405c487f00b2adef  mod_ssl-2.0.52-12.1.ent.ia64.rpm

x86_64:
8a92e250417a3dee66927f566c04becd  httpd-2.0.52-12.1.ent.x86_64.rpm
84ad072a58b1410ece325c35b3b4b07f  httpd-devel-2.0.52-12.1.ent.x86_64.rpm
d3ca7c4932a1004b5f009b4ddc9d8895  httpd-manual-2.0.52-12.1.ent.x86_64.rpm
bd5ac6d9149784138adbaf6172602998  httpd-suexec-2.0.52-12.1.ent.x86_64.rpm
7912fac9169ce5071198c3503566cbaf  mod_ssl-2.0.52-12.1.ent.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
http://issues.apache.org/bugzilla/show_bug.cgi?id=35081
http://issues.apache.org/bugzilla/show_bug.cgi?id=34588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2005 Red Hat, Inc.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFC5JrDXlSAg2UNWIIRAnFCAKC51oPUM9bRwwvU7+E+pGrt75yiOQCfeL/i
TYL5ModguxnNAWldSyIGvm0=
=EmRB
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQuWKGyh9+71yA2DNAQLPeAP+K8zc3WMws3Bx+H0Hu/+Hk7yxCpsybPBO
upldMpK7RwjbWUWehDY8KWZw/Cgf5LT76ebkfD3RJt2raI5A9kW7nv2SwgewlxTb
rC87SmWbZfys/FCjwQiZ9K/i0FtNVnqYRp0lR87K+NdfJbA9Y10rDlGbSL9/vx6S
FjQSpPKjB2E=
=UsLO
-----END PGP SIGNATURE-----