Security Advisory apache, openssl security update for Stronghold

Advisory: RHSA-2003:116-03
Type: Security Advisory
Severity: Important
Issued on: 2003-03-28
Last updated on: 2003-03-28
Affected Products:
OVAL: N/A
CVEs (cve.mitre.org): CVE-2003-0083, CVE-2003-0131, CVE-2003-0147

Details

Updated versions of cross-platform Stronghold 4 are available to fix a
number of vulnerabilities in OpenSSL and Apache.

Stronghold 4 contains various open source technologies such as OpenSSL and
Apache. A number of issues have been found in versions of these projects:

Researchers discovered a timing attack on RSA keys that affects OpenSSL.
A local or remote attacker could use this attack to obtain the server's
private key by recovering its factors from timing differences that arise
from (1) the number of extra reductions performed during Montgomery
reduction and (2) the use of different integer multiplication algorithms
(Karatsuba and normal). Stronghold does not enable RSA blinding by default
and is, therefore, vulnerable to this attack.
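The countermeasure the advisory refers to is RSA blinding: before the private-key exponentiation, the ciphertext is multiplied by r^e for a fresh random r, and the factor r is divided out afterwards, so the time taken by the exponentiation no longer depends on the attacker-chosen input. The following Python is an added illustration of that technique, not code from the advisory or from OpenSSL; the tiny key (p=61, q=53) is a constructed toy value chosen so the arithmetic is easy to follow, and the function names are the author's own.

```python
import secrets
from math import gcd

# Constructed toy RSA key for illustration only (a real key uses 2048-bit primes).
P, Q = 61, 53
N = P * Q                              # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))      # 2753, the private exponent


def rsa_private_unblinded(c: int, d: int = D, n: int = N) -> int:
    """Plain private-key operation: c^d mod n.

    The running time of this exponentiation depends on the value of c
    (number of Montgomery extra reductions, choice of multiplication
    routine), which is what the timing attack measures.
    """
    return pow(c, d, n)


def rsa_private_blinded(c: int, d: int = D, e: int = E, n: int = N) -> int:
    """Private-key operation with RSA blinding.

    1. pick a random r with gcd(r, n) == 1
    2. exponentiate (c * r^e) instead of c
    3. multiply the result by r^-1 to remove the blinding factor

    Because r is fresh per call and unknown to the attacker, the value
    actually exponentiated (and therefore the timing) is decorrelated
    from c.  The mathematical result is unchanged.
    """
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    c_blinded = (c * pow(r, e, n)) % n
    m_blinded = pow(c_blinded, d, n)
    return (m_blinded * r_inv) % n


def blinding_preserves_result(m: int) -> bool:
    """Encrypt m with the public key and check both decryption paths agree."""
    c = pow(m, E, N)
    return rsa_private_blinded(c) == rsa_private_unblinded(c) == m


if __name__ == "__main__":
    for msg in (2, 65, 1234, 3232):
        print(msg, blinding_preserves_result(msg))
```

Blinding does not make the exponentiation itself constant-time; it removes the attacker's ability to correlate measured time with a chosen ciphertext, which is why enabling it by default is sufficient as a fix for this class of attack.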

The SSL and TLS components of OpenSSL allow remote attackers to perform an
unauthorized RSA private key operation via a modified Bleichenbacher
attack. This attack (also known as the Klima-Pokorny-Rosa attack) uses a
large number of SSL or TLS connections that employ PKCS #1 v1.5 padding, and
causes OpenSSL to leak information regarding the relationship between
ciphertext and the associated plaintext.

Versions of Apache 1.3 before 1.3.25 do not filter terminal escape
sequences from their access logs, which could make it easier for attackers to
inject such sequences into the logs and thereby into terminal emulators that
have vulnerabilities related to escape sequences.

These errata packages contain a patch provided by the OpenSSL group that
enables RSA blinding by default, thereby protecting against the
Klima-Pokorny-Rosa attack, and a patch to filter escape sequences from
Apache access logs.
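The access-log fix described above (and in the Apache 1.3 paragraph) amounts to escaping every non-printable byte in a logged item before it is written, so that a terminal reading the log file never sees a raw ESC (0x1b). The Python below is an added example of that filtering, written for this advisory and not taken from Apache's source; the sample request lines are constructed, and the log line format and function names are assumptions made for the illustration.

```python
# Constructed sample request lines, one of them carrying embedded
# terminal escape sequences (clear screen, set red) inside the URL path.
CONSTRUCTED_REQUESTS = [
    b"GET /index.html HTTP/1.0",
    b"GET /\x1b[2J\x1b[31m/notice HTTP/1.0",
    b"GET /path\\with\\backslashes HTTP/1.0",
]


def escape_log_item(raw: bytes) -> str:
    """Render a logged item so it is safe to display on a terminal.

    Printable ASCII (0x20..0x7e) passes through unchanged, a backslash is
    doubled so the encoding stays unambiguous, and every other byte
    (control characters, including ESC, and all non-ASCII bytes) becomes
    the literal four-character sequence \\xNN.
    """
    out = []
    for b in raw:
        if b == 0x5C:                      # backslash
            out.append("\\\\")
        elif 0x20 <= b <= 0x7E:            # printable ASCII
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def format_access_log_line(client: str, request: bytes, status: int, size: int) -> str:
    """Assemble a common-log-format style line with the request escaped."""
    return (f'{client} - - [28/Mar/2003:00:00:00 +0000] '
            f'"{escape_log_item(request)}" {status} {size}')


def has_raw_control_chars(line: str) -> bool:
    """Detection check: does a finished log line still contain raw control bytes?"""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in line)


def render_constructed_log() -> list[str]:
    """Produce escaped log lines for the constructed requests."""
    return [format_access_log_line("192.0.2.10", req, 200, 1024)
            for req in CONSTRUCTED_REQUESTS]


if __name__ == "__main__":
    for line in render_constructed_log():
        print(line, "| raw control chars:", has_raw_control_chars(line))
```

The same check in `has_raw_control_chars` can be run over an existing access log to confirm that a deployed server is actually producing escaped output after the upgrade.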


Solution

Fixed Stronghold 4 packages are now available via the update agent service; run

$ bin/agent

from the Stronghold 4 install root to upgrade an existing Stronghold 4
installation to the new package versions. After upgrading Stronghold, the
server must be completely restarted by running the following commands from
the install root:

$ bin/stop-server
$ bin/start-server

For more information on how to upgrade between releases of Stronghold 4,
see http://stronghold.redhat.com/support/upgrade-sh4

Updated packages


References


Keywords

Apache, OpenSSL, Stronghold


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/