apache, openssl, php, tomcat security update for Stronghold
| Advisory: | RHSA-2003:082-09 |
|---|---|
| Type: | Security Advisory |
| Severity: | Important |
| Issued on: | 2003-03-03 |
| Last updated on: | 2003-02-28 |
| Affected Products: | |
| CVEs (cve.mitre.org): | CVE-2002-1376 CVE-2002-1394 CVE-2003-0020 CVE-2003-0078 |
Details
Updated versions of Stronghold 4 cross-platform are available to fix a
number of vulnerabilities in OpenSSL, Apache, PHP, and Tomcat.
Also included in this update are bug fixes for mod_proxy and the
mod_authz_ldap package.
Stronghold 4 cross platform contains a number of open source technologies
such as OpenSSL, Apache, and PHP. A number of issues have been found in
versions of these projects:
In a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin
Vuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites
in SSL and TLS. An active attacker may be able to use timing observations
to distinguish between two different error cases: cipher padding errors and
MAC verification errors. Over multiple connections this can leak
sufficient information to be able to retrieve the plain text of a common,
fixed block. In order for an attack to be successful an attacker must be
able to act as a man-in-the-middle to intercept and modify multiple
connections which all involve a common fixed plain text block (such as a
password), and have good network conditions that allow small changes in
timing to be reliably observed.
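The distinction the advisory describes is visible in how a receiver checks a decrypted CBC record. The following example is added here and is not code from the advisory, OpenSSL or Stronghold; it models the post-decryption step only (the block cipher is left out) with a TLS-style padding rule and HMAC-SHA256 as a stand-in MAC, both assumptions. `verify_vulnerable` returns a distinct error as soon as the padding is malformed, before any MAC work, so padding failures and MAC failures differ in both error code and elapsed time; `verify_hardened` always computes the MAC, compares it in constant time and collapses both failures into one generic error, which is the shape of the fix applied to the affected servers. The sample key and "password" block are constructed.

```python
import hmac
import hashlib

BLOCK = 16    # CBC block size in bytes (assumption: AES-sized blocks)
MAC_LEN = 32  # HMAC-SHA256 tag length (assumption; SSL/TLS of 2003 used MD5 or SHA-1 HMACs)

# Constructed sample values, not taken from the advisory.
MAC_KEY = bytes(range(32))
SAMPLE_PASSWORD = b"correct horse battery"


def make_record(plaintext: bytes, mac_key: bytes) -> bytes:
    """Return the decrypted form of a CBC record: plaintext || MAC || padding.
    Padding follows the TLS rule: pad_len + 1 bytes, each holding the value pad_len."""
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    body = plaintext + tag
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def padding_length(record: bytes):
    """Return pad_len if the trailing padding is well formed, otherwise None."""
    if not record:
        return None
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return None
    if record[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return None
    return pad_len


def verify_vulnerable(record: bytes, mac_key: bytes):
    """Check as described in the advisory: a padding failure returns at once
    (no MAC computed, its own error); a MAC failure returns later (MAC computed,
    a different error). That gap is what a timing observer distinguishes."""
    pad_len = padding_length(record)
    if pad_len is None:
        return ("bad_padding", None)
    body = record[:-(pad_len + 1)]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    if tag != expected:  # ordinary comparison, also not constant-time
        return ("bad_mac", None)
    return ("ok", plaintext)


def verify_hardened(record: bytes, mac_key: bytes):
    """Same check with the two error cases merged: the MAC is always computed
    (on a zero-length-padding reading if the padding is malformed), compared in
    constant time, and both failures report the same generic error."""
    pad_len = padding_length(record)
    padding_ok = pad_len is not None
    if not padding_ok:
        pad_len = 0  # keep going so the MAC work happens on every path
    body = record[:-(pad_len + 1)]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(tag, expected)
    if not (padding_ok and mac_ok):
        return ("bad_record_mac", None)
    return ("ok", plaintext)


def error_classes(record: bytes, mac_key: bytes, verifier) -> set:
    """Tamper a valid record two ways (break the padding; break the MAC) and
    return the set of distinct error strings the verifier reveals."""
    bad_pad = record[:-1] + bytes([record[-1] ^ 0xFF])
    pad_len = record[-1]
    tag_start = len(record) - (pad_len + 1) - MAC_LEN
    bad_mac = bytearray(record)
    bad_mac[tag_start] ^= 0x01
    return {verifier(bad_pad, mac_key)[0], verifier(bytes(bad_mac), mac_key)[0]}


if __name__ == "__main__":
    rec = make_record(SAMPLE_PASSWORD, MAC_KEY)
    print("vulnerable reveals:", error_classes(rec, MAC_KEY, verify_vulnerable))
    print("hardened reveals:  ", error_classes(rec, MAC_KEY, verify_hardened))
```

Merging the error codes alone is not enough; the MAC computation has to run on the padding-failure path too, otherwise the response time still separates the two cases, which is why `verify_hardened` keeps going after a bad padding check rather than returning early.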
The Apache Web server does not prevent escape sequences from being written
to the error log. This could allow an attacker to embed arbitrary escape
sequences into the log file. A recent paper by HD Moore highlighted
several issues where common terminal emulator software (such as xterm) can
be remotely abused or exploited by displaying arbitrary escape sequences.
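The fix for the log issue is to make sure nothing a client controls reaches the log file as a raw control byte. The following example is added here and is not Apache's code: `escape_log_item` is a hypothetical helper that renders every byte outside printable ASCII as a visible `\xNN` escape (with C-style escapes for newline, carriage return, tab and backslash, so the output stays unambiguous), and `has_control_bytes` is a small detection check an administrator could run over an existing error log. The sample lines are constructed; the ESC (0x1b) and BEL (0x07) bytes stand in for a terminal control sequence arriving in a request.

```python
# Constructed sample error-log lines, not taken from a real server.
SAMPLE_LINES = [
    b"[Mon Mar  3 10:00:00 2003] [error] File does not exist: /var/www/html/x\x1b]0;owned\x07.html",
    b"[Mon Mar  3 10:00:01 2003] [error] client sent bad header\r\n[fake] injected line",
    b"[Mon Mar  3 10:00:02 2003] [error] caf\xc3\xa9",
]

# Bytes that get a readable C-style escape instead of \xNN.
SPECIAL = {0x0A: "\\n", 0x0D: "\\r", 0x09: "\\t", 0x5C: "\\\\"}


def escape_log_item(raw: bytes) -> str:
    """Render a log item so that every byte outside printable ASCII appears as a
    visible escape. Hypothetical helper; not Apache's own implementation."""
    out = []
    for b in raw:
        if b in SPECIAL:
            out.append(SPECIAL[b])
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def has_control_bytes(raw: bytes) -> bool:
    """True if a log line carries bytes a terminal would interpret rather than
    print (C0 controls other than tab and the line's own newline, or DEL)."""
    return any((b < 0x20 and b not in (0x09, 0x0A)) or b == 0x7F for b in raw)


def sanitize_log(lines) -> list:
    """Escape a batch of raw lines the way a log writer should before output."""
    return [escape_log_item(line) for line in lines]


if __name__ == "__main__":
    for raw, clean in zip(SAMPLE_LINES, sanitize_log(SAMPLE_LINES)):
        print(f"{'CONTROL' if has_control_bytes(raw) else 'clean  '}  {clean}")
```

Escaping the backslash matters: without it a client could submit the literal text `\x1b` and the sanitized log would no longer let a reader tell a real escape byte from four printable characters.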
The MySQL client library (libmysqlclient) used in the PHP MySQL extension
in PHP versions earlier than 4.3.0 does not properly verify length fields
for certain responses in the read_rows or read_one_row routines, which
allows a malicious server to cause a denial of service and possibly execute
arbitrary code.
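The defensive rule behind this fix is that a length field sent by the remote side is untrusted data and must be checked against the bytes actually received before it is used. The following example is added here and is not libmysqlclient's code; it parses a simplified, constructed framing (a 2-byte row length, then columns each prefixed by one length byte, with 0xFB marking NULL as the MySQL protocol does) and rejects any declared length that overruns the buffer instead of trusting it. In a C client the same unchecked length would drive a copy into a fixed-size buffer, which is the condition the advisory describes.

```python
class MalformedPacket(ValueError):
    """Raised when a length field points beyond the data actually received."""


NULL_MARKER = 0xFB  # marks a NULL column (the same marker value the MySQL protocol uses)


def parse_row(packet: bytes) -> list:
    """Parse one row of length-prefixed columns in a toy format (assumption, not
    the real libmysqlclient layout): one length byte (0..250) then that many
    bytes, or the single byte 0xFB for NULL. Each declared length is checked
    against the bytes remaining before it is used."""
    columns = []
    pos = 0
    while pos < len(packet):
        length = packet[pos]
        pos += 1
        if length == NULL_MARKER:
            columns.append(None)
            continue
        remaining = len(packet) - pos
        if length > 250 or length > remaining:  # the check a trusting client skips
            raise MalformedPacket(
                f"column length {length} at offset {pos - 1} exceeds {remaining} remaining bytes")
        columns.append(bytes(packet[pos:pos + length]))
        pos += length
    return columns


def read_rows(stream: bytes) -> list:
    """Parse a sequence of rows, each prefixed by a 2-byte little-endian row
    length (toy framing). A row length that overruns the buffer is rejected."""
    rows = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 2:
            raise MalformedPacket("truncated row length")
        row_len = int.from_bytes(stream[pos:pos + 2], "little")
        pos += 2
        if row_len > len(stream) - pos:
            raise MalformedPacket(
                f"row length {row_len} exceeds {len(stream) - pos} remaining bytes")
        rows.append(parse_row(stream[pos:pos + row_len]))
        pos += row_len
    return rows


def is_well_formed(stream: bytes) -> bool:
    """Convenience wrapper: True if the whole response parses without overrun."""
    try:
        read_rows(stream)
        return True
    except MalformedPacket:
        return False


def build_row(columns) -> bytes:
    """Encode columns in the toy format (used only to construct sample input)."""
    out = bytearray()
    for col in columns:
        if col is None:
            out.append(NULL_MARKER)
        else:
            out.append(len(col))
            out += col
    return bytes(out)


# Constructed sample "server" responses.
GOOD_STREAM = b"".join(len(r).to_bytes(2, "little") + r for r in (
    build_row([b"alice", b"42", None]),
    build_row([b"bob", b"7", b"x"]),
))
# A hostile response claiming a 200-byte column inside a 6-byte row.
BAD_STREAM = (6).to_bytes(2, "little") + bytes([200]) + b"abcde"
# A response whose row length runs past the end of what was received.
TRUNCATED_STREAM = (50).to_bytes(2, "little") + b"\x01a"

if __name__ == "__main__":
    print(read_rows(GOOD_STREAM))
    for name, s in (("BAD_STREAM", BAD_STREAM), ("TRUNCATED_STREAM", TRUNCATED_STREAM)):
        print(name, "well formed:", is_well_formed(s))
```

The two checks sit at different layers (row framing and column framing) on purpose: a response that passes the outer length check can still lie in an inner one, so every length field is validated where it is consumed.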
A source code exposure vulnerability has been found that affects Tomcat
versions 4.0.0 through 4.0.5 and 4.1.0 through 4.1.12, in a variant of
the issue addressed in RHSA-2002:217. Using a carefully crafted request, a
remote attacker can read the source code of any deployed JSP file.
In addition to the security fixes, two bug fixes have also been applied:
If Apache is configured to act as a reverse proxy by specifying the backend
server using a numeric IP address, the mod_proxy module will perform a
redundant reverse DNS lookup on the IP address, causing a delay in request
processing.
A bug in mod_authz_ldap version 0.21 and earlier prevents
authentication from being performed by other Apache modules (such as
file-based authentication using mod_auth) when the mod_authz_ldap module
is loaded.
Stronghold 4 cross platform contains OpenSSL 0.9.6c, Apache 1.3.22, PHP
4.1.2, Tomcat 4.0.5, and mod_authz_ldap 0.19, and is therefore vulnerable
to these issues. Users of Stronghold are advised to update to the errata
versions of Stronghold 4 which contain backported security fixes and are
not vulnerable to these issues.
Solution
Run the command
$ bin/agent
from the Stronghold 4 install root to upgrade an existing Stronghold 4
installation to the new package versions. After upgrading Stronghold, the
server must be completely restarted by running the following commands from
the install root:
$ bin/stop-server
$ bin/stop-tomcat
$ bin/start-tomcat
$ bin/start-server
For more information on how to upgrade between releases of Stronghold 4,
see http://stronghold.redhat.com/support/upgrade-sh4
Updated packages
Bugs fixed (see bugzilla for more information)
56580 - mod_proxy does reverse DNS lookups
80057 - mod_authz_ldap prevents use of other auth mechanisms if loaded
References
https://www.redhat.com/security/data/cve/CVE-2002-1394.html
https://www.redhat.com/security/data/cve/CVE-2003-0020.html
https://www.redhat.com/security/data/cve/CVE-2003-0078.html
http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps
http://www.digitaldefense.net/labs/papers/Termulation.txt
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/