Security Advisory httpd security update

Advisory: RHSA-2004:084-14
Type: Security Advisory
Severity: Important
Issued on: 2004-03-23
Last updated on: 2004-03-23
Affected Products: Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2004-0113

Details

Updated httpd packages are now available that fix a denial of service
vulnerability in mod_ssl and include various other bug fixes.

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

A memory leak in mod_ssl in the Apache HTTP Server prior to version 2.0.49
allows a remote denial of service attack against an SSL-enabled server. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-0113 to this issue.

This update also includes various bug fixes, including:

- improvements to the mod_expires, mod_dav, mod_ssl and mod_proxy modules

- a fix for a bug causing core dumps during configuration parsing on the
IA64 platform

- an updated version of mod_include fixing several edge cases in the SSI parser

Additionally, the mod_logio module is now included.

Users of the Apache HTTP server should upgrade to these updated packages,
which contain backported patches that address these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Enterprise Linux AS (v. 3)
SRPMS:
httpd-2.0.46-32.ent.src.rpm
File outdated by:  RHSA-2008:0967		     0578bb679d25664d60a396216751c52b
 
IA-32:
httpd-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2008:0967		     a4e26276faa96ae744b8584dfca9d0a8
httpd-devel-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2008:0967		     f16f311cb4a04b0eebfc0fb05841f4b1
mod_ssl-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2008:0967		     c83676811d1ad92f94332defca06562d
 
IA-64:
httpd-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2008:0967		     88f10b3263638bad5f25d8e2f466f577
httpd-devel-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2008:0967		     1f64367942fe38a883716f907aafdd2e
mod_ssl-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2008:0967		     fc2b50541e485d2b8c67c3ddc28596ab
 
PPC:
httpd-2.0.46-32.ent.ppc.rpm
File outdated by:  RHSA-2008:0967		     e5784963d08a8f2a1b1c2ebca88b495a
httpd-2.0.46-32.ent.ppc64.rpm     6baf583f19a9f90d57e30fe8719c2fed
httpd-devel-2.0.46-32.ent.ppc.rpm
File outdated by:  RHSA-2008:0967		     7f0c9424b7f5cda0a021cf3fb0f5dd80
httpd-devel-2.0.46-32.ent.ppc64.rpm     e0df7bcb18320e5d5e18f1d15f4e8848
mod_ssl-2.0.46-32.ent.ppc.rpm
File outdated by:  RHSA-2008:0967		     bb809b4751b8d1bcdbfba8402b79de75
mod_ssl-2.0.46-32.ent.ppc64.rpm     5cd9bca47c0fd7593d24a23cfdefe492
 
s390:
httpd-2.0.46-32.ent.s390.rpm
File outdated by:  RHSA-2008:0967		     d31e82269a2b465b04871ef442fbf2d5
httpd-devel-2.0.46-32.ent.s390.rpm
File outdated by:  RHSA-2008:0967		     6306426ed7de562c25f431a7f46bd893
mod_ssl-2.0.46-32.ent.s390.rpm
File outdated by:  RHSA-2008:0967		     5da65fff9b14a7f4d39c9550bafda627
 
s390x:
httpd-2.0.46-32.ent.s390x.rpm
File outdated by:  RHSA-2008:0967		     20ffb2d9fbdfdc4b9c31d3568f2db55c
httpd-devel-2.0.46-32.ent.s390x.rpm
File outdated by:  RHSA-2008:0967		     20bebf1f27b1dcac4691292bb7689dc2
mod_ssl-2.0.46-32.ent.s390x.rpm
File outdated by:  RHSA-2008:0967		     be4e2faaa60b8ecbe22dc79342df1e07
 
x86_64:
httpd-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2008:0967		     c4109535a41be2dbdd7f522f1a70e4a7
httpd-devel-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2008:0967		     f95dc1f95b509ef64666c232c1758b92
mod_ssl-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2008:0967		     37dff057ab1b6ddc96488e207c5bbc22
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
httpd-2.0.46-32.ent.src.rpm
File outdated by:  RHSA-2008:0967		     0578bb679d25664d60a396216751c52b
 
IA-32:
httpd-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2008:0967		     a4e26276faa96ae744b8584dfca9d0a8
httpd-devel-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2008:0967		     f16f311cb4a04b0eebfc0fb05841f4b1
mod_ssl-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2008:0967		     c83676811d1ad92f94332defca06562d
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
httpd-2.0.46-32.ent.src.rpm
File outdated by:  RHSA-2008:0967		     0578bb679d25664d60a396216751c52b
 
IA-32:
httpd-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2008:0967		     a4e26276faa96ae744b8584dfca9d0a8
httpd-devel-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2008:0967		     f16f311cb4a04b0eebfc0fb05841f4b1
mod_ssl-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2008:0967		     c83676811d1ad92f94332defca06562d
 
IA-64:
httpd-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2008:0967		     88f10b3263638bad5f25d8e2f466f577
httpd-devel-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2008:0967		     1f64367942fe38a883716f907aafdd2e
mod_ssl-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2008:0967		     fc2b50541e485d2b8c67c3ddc28596ab
 
x86_64:
httpd-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2008:0967		     c4109535a41be2dbdd7f522f1a70e4a7
httpd-devel-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2008:0967		     f95dc1f95b509ef64666c232c1758b92
mod_ssl-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2008:0967		     37dff057ab1b6ddc96488e207c5bbc22
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

112771 - Invalid paths in config_vars.mk crash build of mod_jk
113929 - mod_expires headers not set when used in conjunction with mod_proxy
113934 - SRPMS: test for MMN version it too fragile
115328 - Satisfy keyword in httpd.conf causes apache to segfault on load
115379 - pcre conflict between httpd and php
117280 - CAN-2004-0113 mod_ssl Denial of Service attack


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0113
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106
http://www.apacheweek.com/features/security-20

Keywords

Apache, DoS, httpd, SSL

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/