apache, openssl security update for Stronghold

Updated versions of Stronghold 4 cross-platform are available that fix
security issues affecting OpenSSL and the Apache HTTP Server. A number
of bug fixes are also included.

Stronghold 4 contains a number of open source technologies, including
OpenSSL 0.9.6 and the Apache HTTP Server.

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
uncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d that can
lead to a denial of service attack (infinite loop). The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0081 to this issue.

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
uncovered a null-pointer assignment in the do_change_cipher_spec() function
in OpenSSL 0.9.6c-0.9.6k and 0.9.7a-0.9.7c. A remote attacker could
send a carefully crafted SSL/TLS handshake which could lead to a denial of
service attack. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0079 to this issue.

Testing performed by Novell using a test suite provided by NISCC uncovered
an issue in the ASN.1 parser in versions of OpenSSL 0.9.6 prior to 0.9.6l
which could cause large recursion and possibly lead to a denial of service
attack if used where stack space is limited. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0851
to this issue.

An issue in the handling of regular expressions from configuration files
was discovered in releases of the Apache HTTP Server version 1.3 prior to
1.3.29. To exploit this issue an attacker would need to have the ability
to write to Apache configuration files such as .htaccess or httpd.conf. A
carefully-crafted configuration file can cause an exploitable buffer
overflow and would allow the attacker to execute arbitrary code in the
context of the server. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0542 to this issue.

Users of Stronghold 4 cross-platform are advised to update to these errata
versions, which contain backported security fixes and are not vulnerable to
these issues.

Updated Stronghold 4 packages are now available via the update agent
service. Run the following command from the Stronghold 4 install root to
upgrade an existing Stronghold 4 installation to the new package versions:

$ bin/agent

The Stronghold 4.0h patch release which contains these updated packages is
also available from the download site.

After upgrading Stronghold, the server must be completely restarted by
running the following commands from the install root:

$ bin/stop-server
$ bin/start-server

For more information on how to upgrade between releases of Stronghold 4,
refer to http://stronghold.redhat.com/support/upgrade-sh4

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0081
http://www.niscc.gov.uk/
http://www.codenomicon.com/testtools/tls/

Stronghold