Security Advisory mod_ssl, openssl security update for Stronghold

Advisory: RHSA-2003:290-08
Type: Security Advisory
Severity: Moderate
Issued on: 2003-10-03
Last updated on: 2003-10-03
Affected Products:
OVAL: N/A
CVEs (cve.mitre.org): CVE-2003-0192
CVE-2003-0543
CVE-2003-0544

Details

Updated versions of Stronghold 4 cross-platform are available that fix
several security issues affecting OpenSSL and mod_ssl. A number of bug
fixes and new features are also included.

Stronghold 4 contains a number of open source technologies, including
OpenSSL 0.9.6 and mod_ssl.

NISCC testing of SSL protocol implementations uncovered two bugs in OpenSSL
0.9.6: the parsing of unusual ASN.1 tag values can cause OpenSSL to crash. A
remote attacker could trigger either bug by sending a carefully crafted SSL
client certificate to the Stronghold Web server, which would cause the Apache
child process handling the request to terminate. The effect of such an attack
is limited, because Apache is designed to survive the loss of a child process
and spawns a replacement. In most cases an attack would simply raise server
load, and only for as long as the attacker keeps opening malicious
connections. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CAN-2003-0543 and CAN-2003-0544 to these issues.
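The decoder below is an added illustration for this advisory; it is not OpenSSL's code and does not reproduce the specific 0.9.6 defect. It shows what "unusual ASN.1 tag values" look like on the wire (the high-tag-number form, where the low five bits of the identifier octet are all set and the tag number continues in base-128 octets, and long-form lengths) and the bounds checks a certificate parser needs so that truncated or oversized encodings are rejected instead of being read past the end of the buffer. The caps MAX_TAG_NUMBER and MAX_LENGTH_OCTETS and the sample byte strings are assumptions constructed for the example.

```python
"""Decoder for the identifier and length octets of one BER/DER element.

Added illustration for the advisory above, not OpenSSL code. Every read is
checked against len(buf) before it happens, and encodings that exceed the
assumed caps are refused with ASN1Error rather than parsed.
"""

# Assumed caps for this example: tag number and length each fit in 31 bits.
MAX_TAG_NUMBER = 0x7FFFFFFF
MAX_LENGTH_OCTETS = 4


class ASN1Error(ValueError):
    """Raised for truncated, oversized or non-minimal encodings."""


def decode_tlv_header(buf, offset=0):
    """Parse one identifier + length at buf[offset:].

    Returns (tag_class, constructed, tag_number, length, content_offset);
    length is None for the indefinite form (BER only).
    """
    n = len(buf)
    if offset >= n:
        raise ASN1Error("truncated: no identifier octet")
    first = buf[offset]
    pos = offset + 1
    tag_class = first >> 6
    constructed = bool(first & 0x20)
    tag_number = first & 0x1F
    if tag_number == 0x1F:
        # High-tag-number form: base-128 digits, MSB set on every octet but the last.
        tag_number = 0
        first_digit = True
        while True:
            if pos >= n:
                raise ASN1Error("truncated: high-tag-number form cut short")
            octet = buf[pos]
            pos += 1
            if first_digit and octet == 0x80:
                raise ASN1Error("non-minimal: leading zero digit in tag number")
            first_digit = False
            tag_number = (tag_number << 7) | (octet & 0x7F)
            if tag_number > MAX_TAG_NUMBER:
                raise ASN1Error("tag number exceeds MAX_TAG_NUMBER")
            if not octet & 0x80:
                break
        if tag_number < 0x1F:
            raise ASN1Error("non-minimal: high-tag-number form for a tag below 31")
    if pos >= n:
        raise ASN1Error("truncated: no length octet")
    length_octet = buf[pos]
    pos += 1
    if length_octet < 0x80:
        length = length_octet                      # short form
    elif length_octet == 0x80:
        length = None                              # indefinite form
    else:
        count = length_octet & 0x7F                # long form: this many octets follow
        if count > MAX_LENGTH_OCTETS:
            raise ASN1Error("length field wider than MAX_LENGTH_OCTETS")
        if pos + count > n:
            raise ASN1Error("truncated: long-form length cut short")
        if buf[pos] == 0:
            raise ASN1Error("non-minimal: leading zero octet in length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
        if length < 0x80:
            raise ASN1Error("non-minimal: long form used for a length below 128")
    if length is not None and pos + length > n:
        raise ASN1Error("declared length runs past end of buffer")
    return tag_class, constructed, tag_number, length, pos


def rejects(buf):
    """True if the decoder refuses buf (convenience for checks and tests)."""
    try:
        decode_tlv_header(buf)
    except ASN1Error:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs, not captured certificates.
    print(decode_tlv_header(bytes([0x30, 0x03, 0x02, 0x01, 0x05])))    # SEQUENCE, length 3
    print(decode_tlv_header(bytes([0xBF, 0x81, 0x00, 0x01, 0xAA])))    # context tag 128
    print(rejects(bytes([0x1F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F])))   # oversized tag
```

The two checks that matter for the class of bug described above are the `pos >= n` / `pos + count > n` tests before each read and the cap on the accumulated tag number; a parser that accumulates base-128 digits into a fixed-width integer without that cap wraps silently, and one that trusts the declared length without comparing it to the buffer reads past the end of the certificate.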

Ben Laurie found a bug in the optional renegotiation code in mod_ssl that can
cause cipher suite restrictions to be ignored. It is triggered when optional
renegotiation is enabled (SSLOptions +OptRenegotiate) together with client
certificate verification (SSLVerifyClient) and a cipher suite that changes
across the renegotiation, for example a per-directory SSLCipherSuite that
differs from the virtual host's. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
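As an added example, not taken from the advisory or from mod_ssl itself, the script below scans an httpd.conf fragment for the combination described above: a per-directory section whose effective settings have OptRenegotiate on, request client certificates, and set an SSLCipherSuite different from the enclosing context, so the suite changes on renegotiation. SAMPLE_CONF is a constructed configuration; the inheritance model (sections inherit their parent's settings) and the treatment of unprefixed SSLOptions tokens as replacing the option set are simplifications of mod_ssl's behaviour, not its parser.

```python
import re

# Constructed httpd.conf fragment for this example (not from the advisory).
# /secure combines all three triggering elements; /public and /strict each lack one.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT:!LOW
    SSLOptions +OptRenegotiate
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLCipherSuite HIGH          # cipher suite changes across the renegotiation
    </Location>
    <Location /public>
        SSLVerifyClient none         # no client certificate verification
        SSLCipherSuite HIGH
    </Location>
    <Location /strict>
        SSLOptions -OptRenegotiate   # full renegotiation, not the optimized path
        SSLVerifyClient require
        SSLCipherSuite HIGH
    </Location>
</VirtualHost>
"""

SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")
PER_DIR_SECTIONS = {"location", "locationmatch", "directory", "directorymatch",
                    "files", "filesmatch"}
CLIENT_CERT_MODES = {"require", "optional", "optional_no_ca"}


def _apply_ssloptions(settings, args):
    """Merge an SSLOptions argument list; only OptRenegotiate is tracked.
    Assumed semantics: +/- tokens merge, an unprefixed token replaces the set."""
    for token in args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if sign == "":
            settings["optrenegotiate"] = False
        if name.lower() == "optrenegotiate":
            settings["optrenegotiate"] = sign != "-"


def find_optrenegotiate_risk(conf):
    """Return labels of per-directory sections whose effective settings have
    OptRenegotiate on, client-certificate verification on, and an SSLCipherSuite
    different from the enclosing context (so the suite changes on renegotiation)."""
    root = {"optrenegotiate": False, "sslverifyclient": "none", "sslciphersuite": None}
    stack = [("server", root)]
    findings = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments; cipher strings never contain '#'
        if not line:
            continue
        m = SECTION_OPEN.match(line)
        if m:
            label = f"{m.group(1)} {m.group(2)}".strip()
            stack.append((label, dict(stack[-1][1])))   # sections inherit parent settings
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            label, settings = stack.pop()
            parent = stack[-1][1]
            if (label.split()[0].lower() in PER_DIR_SECTIONS
                    and settings["optrenegotiate"]
                    and settings["sslverifyclient"] in CLIENT_CERT_MODES
                    and settings["sslciphersuite"] != parent["sslciphersuite"]):
                findings.append(label)
            continue
        parts = line.split(None, 1)
        name, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        settings = stack[-1][1]
        if name == "ssloptions":
            _apply_ssloptions(settings, args)
        elif name == "sslverifyclient":
            settings["sslverifyclient"] = args.strip().lower()
        elif name == "sslciphersuite":
            settings["sslciphersuite"] = args.strip()
    return findings


if __name__ == "__main__":
    for section in find_optrenegotiate_risk(SAMPLE_CONF):
        print("OptRenegotiate + client certs + cipher suite change:", section)
```

Run it over a real configuration with `find_optrenegotiate_risk(open(path).read())`; a non-empty result means the server is on the code path named above until the errata packages are installed. The scanner reads only the file it is given, so configuration pulled in through Include directives has to be scanned separately.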

Users of Stronghold 4 cross-platform are advised to update to these errata
versions, which contain backported security fixes and are not vulnerable to
these issues.

Red Hat would like to thank NISCC, Stephen Henson, and Ben Laurie for their
work on these vulnerabilities.


Solution

Updated Stronghold 4 packages are now available via the update agent
service. Run the following command from the Stronghold 4 install root to
upgrade an existing Stronghold 4 installation to the new package versions:

$ bin/agent

The Stronghold 4.0g patch release which contains these updated packages is
also available from the download site.

After upgrading Stronghold, the server must be completely restarted by
running the following commands from the install root:

$ bin/stop-server
$ bin/start-server

For more information on how to upgrade between releases of Stronghold 4,
refer to http://stronghold.redhat.com/support/upgrade-sh4

Keywords

Enterprise, SH, XP


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/