apache, mod_ssl, php security update for Stronghold

Updated versions of the Apache HTTP server, PHP, and mod_ssl are now
available which close possible buffer overflows in the Apache HTTP server
benchmarking tool, fixes two cross-site scripting vulnerabilities in the
error pages, and fix possible local privilege escalation. These updates
also fix vulnerabilities in the PHP mail() function that allows script
authors to bypass safe mode restrictions, and possibly allow remote
attackers to insert arbitrary mail headers and content into messages.

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server. PHP is an HTML-embedded scripting language
commonly used with the Apache HTTP server.

Buffer overflows in the ApacheBench support program (ab.c) in Apache
versions prior to 1.3.27, allow a malicious Web server to cause a denial of
service and possibly execute arbitrary code via a long response. The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2002-0843 to this issue.

Two cross-site scripting vulnerabilities are present in the error pages
for the default "404 Not Found" error, and for the error response when a
plain HTTP request is received on an SSL port. Both of these issues are
only exploitable if the "UseCanonicalName" setting has been changed to
"Off", and wildcard DNS is in use, and would allow remote attackers
to execute scripts as other Web page visitors, for instance, to steal
cookies. These issues affect Apache versions 1.3 to 1.3.26,
and mod_ssl versions before 2.8.12. The Common Vulnerabilities and
Exposures project has assigned the names CAN-2002-0840 and
CAN-2002-1157 to these issues.

The shared memory scoreboard in the HTTP daemon for Apache 1.3.x, prior to
version 1.3.27, allowed a user running as the web server user to send a
SIGUSR1 signal to any process as root, resulting in a denial of service
(process kill) or other such behavior that would not normally be allowed.
The Common Vulnerabilities and Exposures project has assigned the name
CAN-2002-839 to this issue.

The mail function in PHP 4.x to 4.2.2 may allow local script authors to
bypass safe mode restrictions and modify command line arguments to the
MTA (such as Sendmail) in the fifth argument to mail(), altering MTA
behavior and possibly executing arbitrary local commands. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2002-0985
to this issue.

The mail function in PHP 4.x to 4.2.2 does not filter ASCII control
characters from its arguments, which could allow remote attackers to
modify mail message content, including mail headers, and possibly use
PHP as a "spam proxy". The Common Vulnerabilities and Exposures project has
assigned the name CAN-2002-0986 to this issue.

Stronghold contains Apache 1.3.22, mod_ssl 2.8.7, and PHP 4.1.2, and
is therefore vulnerable to these issues. Users of Stronghold are advised to
patch or upgrade their servers.

Backported fixes are available for the versions of Apache, mod_ssl, and PHP
included in Stronghold 3. Stronghold 3 build code 3020 is now available
which includes this fix, and can be downloaded from the following URL:

http://stronghold.redhat.com/sh3/

For information on how to upgrade between releases of Stronghold 3, refer
to the following URL:

http://stronghold.redhat.com/support/upgrade-sh3.xml

https://www.redhat.com/security/data/cve/CVE-2002-0839.html
https://www.redhat.com/security/data/cve/CVE-2002-0840.html
https://www.redhat.com/security/data/cve/CVE-2002-0843.html
https://www.redhat.com/security/data/cve/CVE-2002-0985.html
https://www.redhat.com/security/data/cve/CVE-2002-0986.html
https://www.redhat.com/security/data/cve/CVE-2002-1157.html
http://www.apacheweek.com/issues/02-10-04

ab, apache, mode, mod_ssl, php, safe, scoreboard, xss