Updated apache and mod_ssl packages available

Updated Apache and mod_ssl packages which fix a number of security issues
are now available for iSeries and pSeries systems.

The Apache HTTP Web Server is a secure, efficient, and extensible web
server. This erratum provides updated Apache and mod_ssl packages for
iSeries and pSeries that correct a number of security issues:

Versions of the Apache Web server up to and including 1.3.24 contain a bug
in the routines which deal with requests using "chunked" encoding.
A carefully crafted invalid request can cause an Apache child process to
call the memcpy() function in a way that will write past the end of its
buffer, corrupting the stack. On some platforms this can be remotely
exploited -- allowing arbitrary code to be run on the server. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2002-0392 to this issue.

Buffer overflows in the ApacheBench support program (ab.c) in Apache
versions prior to 1.3.27, and Apache versions 2.x prior to 2.0.43, allow a
malicious Web server to cause a denial of service (DoS) and possibly
execute arbitrary code via a long response. (CAN-2002-0843)

Two cross-site scripting (XSS) vulnerabilities are present in the error
pages for the default "404 Not Found" error and for the error response
when a plain HTTP request is received on an SSL port. Both of these issues
are only exploitable if the "UseCanonicalName" setting has been changed to
"Off" and wildcard DNS is in use. These issues could allow remote
attackers to execute scripts as other webpage visitors, for instance, to
steal cookies. These issues affect versions of Apache 1.3 before 1.3.26,
versions of Apache 2.0 before 2.0.43, and versions of mod_ssl before
2.8.12. (CAN-2002-0840, CAN-2002-1157)

The mod_ssl module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols. Versions of mod_ssl prior to 2.8.10 are subject to a
single NULL overflow that can cause arbitrary code execution. (CAN-2002-0653)

The shared memory scoreboard in the HTTP daemon for Apache 1.3, prior to
version 1.3.27, allows a user running as the "apache" UID to send a
SIGUSR1 signal to any process as root, resulting in a denial of service
(process kill) or other such behavior that would not normally be allowed.
(CAN-2002-0839).

After the updated packages are installed, restart the httpd service by
running the following command:

/sbin/service httpd restart

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0653
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0843
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1157
http://httpd.apache.org/info/security_bulletin_20020620.txt
http://www.apacheweek.com/issues/02-06-21#security
http://marc.theaimsgroup.com/?l=apache-modssl&m=102491918531562
http://www.apacheweek.com/issues/02-10-04

ab, apache, chunked, DoS, encoding, mod_ssl, overflow, scoreboard, xss