Security Advisory apache, mod_ssl, php security update for Stronghold

Advisory: RHSA-2004:405-06
Type: Security Advisory
Severity: Important
Issued on: 2004-07-23
Last updated on: 2004-07-23
Affected Products:
OVAL: N/A
CVEs (cve.mitre.org): CVE-2004-0174
CVE-2004-0488
CVE-2004-0594
CVE-2004-0595
CVE-2004-0700

Details

Updated versions of cross-platform Stronghold that fix security issues in
mod_ssl, PHP, and the Apache HTTP Server are now available.

Stronghold 4 contains a number of open source technologies, including
PHP, mod_ssl and the Apache HTTP Server.

Stefan Esser discovered a flaw that is present when the memory_limit
configuration setting is enabled in PHP 4 versions prior to 4.3.8. If a
remote attacker could force the PHP interpreter to allocate more memory than
the memory_limit setting before script execution begins, the attacker may be
able to supply the contents of a PHP hash table remotely. This hash table
could then be used to execute arbitrary code as the 'apache' user. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0594 to this issue.

It may be possible to exploit this issue when using a non-default PHP
configuration in which the "register_defaults" setting has been changed to
"On". Red Hat does not believe that this flaw is exploitable in the default
configuration of Stronghold 4.

Stefan Esser discovered a flaw in the strip_tags function in versions of
PHP prior to 4.3.8. The strip_tags function is commonly used by PHP scripts
to prevent cross-site scripting attacks by removing HTML tags from
user-supplied form data. By embedding NUL bytes in form data, an attacker
can in some cases pass HTML tags intact through the strip_tags function,
which may allow a cross-site scripting attack. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to
this issue.
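The following is an added illustration of the failure mode described above; it is not code from the advisory and it is not PHP's strip_tags() implementation. It models a tag stripper that reads the tag name with C-string semantics (everything after the first NUL byte is invisible), so a tag whose name is split by a NUL byte is classified by its prefix. With a typical formatting allowlist that includes <s> (strike-through), "<s\0cript>" is classified as "<s>" and copied to the output unchanged; a browser that discards NUL bytes then parses it as <script>. The hardened form removes NUL bytes before any tag is examined and classifies the tag by its complete name. The function names, the allowlist and the payload are constructed for this example.

```python
import re

NUL = "\x00"
# Typical "safe formatting" allowlist; note that it includes <s> (strike-through).
ALLOWED_TAGS = {"b", "i", "u", "s"}

# Matches one tag: optional leading slash, then everything up to the closing '>'.
TAG_RE = re.compile(r"<(/?)([^>]*)>", re.DOTALL)


def _c_string(s):
    """Model C strlen() semantics: everything after the first NUL is invisible."""
    return s.split(NUL, 1)[0]


def _tag_name(body):
    """First whitespace-delimited word of the tag body, lower-cased ('' for '<>')."""
    parts = body.strip().split()
    return parts[0].lower() if parts else ""


def naive_strip_tags(html, allowed=ALLOWED_TAGS):
    """Flawed model (assumption, not PHP's code): the tag name is read as a
    C string, so '<s\\0cript>' is classified as '<s>', which is on the
    allowlist, and the original bytes are copied to the output unchanged."""
    def keep_or_drop(m):
        name = _tag_name(_c_string(m.group(2)))
        return m.group(0) if name in allowed else ""
    return TAG_RE.sub(keep_or_drop, html)


def hardened_strip_tags(html, allowed=ALLOWED_TAGS):
    """Hardened form: NUL bytes are removed before any tag is examined, and
    the tag name is taken from the complete tag body, so '<s\\0cript>'
    becomes '<script>', is classified as 'script', and is stripped."""
    html = html.replace(NUL, "")

    def keep_or_drop(m):
        name = _tag_name(m.group(2))
        return m.group(0) if name in allowed else ""
    return TAG_RE.sub(keep_or_drop, html)


def as_nul_ignoring_browser(html):
    """What a browser that silently discards NUL bytes will parse."""
    return html.replace(NUL, "")


# Constructed payload: 'script' split by a NUL byte, plus an innocent <b> tag.
PAYLOAD = "<s\x00cript>alert(1)</s\x00cript><b>ok</b>"

if __name__ == "__main__":
    leaked = naive_strip_tags(PAYLOAD)
    print("naive output, as the browser parses it:", as_nul_ignoring_browser(leaked))
    print("hardened output:", hardened_strip_tags(PAYLOAD))
```

Rejecting input that contains NUL bytes outright (rather than silently removing them) is the safer choice for form data, since legitimate text never contains them; the example strips them only so the before/after output can be compared.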

A stack buffer overflow was discovered in mod_ssl which can be triggered if
the FakeBasicAuth option is enabled. If mod_ssl is sent a client certificate
whose subject DN field is longer than 6000 characters, a stack overflow can
occur. In order to exploit this issue, the carefully crafted malicious
certificate would have to be signed by a Certificate Authority which mod_ssl
is configured to trust. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0488 to this issue.

A format string issue was discovered in mod_ssl which can be triggered if
mod_ssl is configured to allow a client to proxy to remote SSL sites.
If mod_ssl is forced to connect to a remote SSL server using a
carefully crafted hostname, an attacker may be able to crash an Apache
child process. This issue is not known to allow arbitrary execution of
code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0700 to this issue.

A denial of service issue was discovered which affects versions of the
Apache HTTP Server prior to 1.3.30. On some platforms, when Apache is
configured with multiple listening sockets, a short-lived connection to
one socket may temporarily block new connections to other sockets. This
issue does not affect Stronghold if running on Linux, FreeBSD or HP-UX
platforms. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0174 to this issue.
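The mod_ssl and Apache issues above each depend on a configuration condition (FakeBasicAuth enabled, SSL proxying enabled, more than one listening socket), and the PHP and Apache issues are tied to upstream version thresholds. The following added script, which is not part of the advisory or of Stronghold, scans an httpd.conf for those conditions and compares a version banner against the fixed upstream releases named above. The sample configuration is constructed for the example, the function names are the author's, and the scan is deliberately flat: a finding means the option is enabled somewhere in the file, not that it applies to every context. The version comparison is only meaningful for unpatched upstream builds, since the Stronghold errata carry backported fixes under the existing version numbers.

```python
import re

# Constructed sample of an Apache 1.3 / mod_ssl style configuration; not a real deployment.
SAMPLE_HTTPD_CONF = """\
# two listening sockets -> relevant to CAN-2004-0174 on affected platforms
Listen 80
Listen 443

<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient optional
    SSLCACertificateFile conf/ssl.crt/ca-bundle.crt
    # FakeBasicAuth -> precondition for CAN-2004-0488
    SSLOptions +FakeBasicAuth +StrictRequire
    # proxying to SSL back ends -> precondition for CAN-2004-0700
    SSLProxyEngine on
</VirtualHost>
"""

# First upstream releases that the advisory names as fixed.
FIXED_UPSTREAM = {"php": (4, 3, 8), "apache": (1, 3, 30)}


def parse_directives(conf_text):
    """Yield (directive, [args]) for each non-comment, non-section line.
    Section tags such as <VirtualHost ...> are skipped, so this is a flat
    scan over the whole file."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def audit_httpd_conf(conf_text):
    """Report the configuration conditions the advisory ties to each issue.
    A True value means the option is enabled somewhere in the file."""
    findings = {
        "fake_basic_auth": False,        # CAN-2004-0488: SSLOptions +FakeBasicAuth
        "client_certs_accepted": False,  # a client cert must reach mod_ssl at all
        "ssl_proxy": False,              # CAN-2004-0700: SSLProxyEngine on
        "listen_sockets": 0,             # CAN-2004-0174: more than one Listen
    }
    for name, args in parse_directives(conf_text):
        if name == "listen":
            findings["listen_sockets"] += 1
        elif name == "ssloptions":
            # Accept both "FakeBasicAuth" and "+FakeBasicAuth"; "-FakeBasicAuth"
            # is left alone because a flat scan cannot resolve per-context overrides.
            if any(opt.lstrip("+").lower() == "fakebasicauth" for opt in args):
                findings["fake_basic_auth"] = True
        elif name == "sslverifyclient" and args and args[0].lower() != "none":
            findings["client_certs_accepted"] = True
        elif name == "sslproxyengine" and args and args[0].lower() == "on":
            findings["ssl_proxy"] = True
    return findings


def parse_version(banner):
    """Extract the first dotted x.y.z version from a banner such as 'PHP 4.3.7 (cli)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def upstream_vulnerable(component, banner):
    """True if the banner's version is older than the fixed upstream release.
    Meaningful only for unpatched upstream builds: backported errata keep the
    older version number."""
    version = parse_version(banner)
    return version is not None and version < FIXED_UPSTREAM[component]


if __name__ == "__main__":
    for key, value in audit_httpd_conf(SAMPLE_HTTPD_CONF).items():
        print(f"{key}: {value}")
    print("php 4.3.7 upstream vulnerable:", upstream_vulnerable("php", "PHP 4.3.7 (cli)"))
```

Because FakeBasicAuth only matters once a client certificate chained to a trusted CA has been presented, the client_certs_accepted finding should be read together with fake_basic_auth: both True is the combination the advisory describes for CAN-2004-0488.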

Users of Stronghold 4 cross-platform are advised to update to these errata
versions, which contain backported security fixes and are not vulnerable to
these issues.


Solution

Updated Stronghold 4 packages are now available via the update agent
service. Run the following command from the Stronghold 4 install root to
upgrade an existing Stronghold 4 installation to the new package versions:

$ bin/agent

The Stronghold 4.0i patch release which contains these updated packages is
also available from the download site.

After upgrading Stronghold, the server must be completely restarted by
running the following commands from the install root:

$ bin/stop-server
$ bin/start-server

For more information on how to upgrade between releases of Stronghold 4,
refer to http://stronghold.redhat.com/support/upgrade-sh4

Updated packages


Bugs fixed (see bugzilla for more information)

127703 - CAN-2004-0594 PHP memory_limit issue


References


Keywords

Apache, DoS, memory_limit, mod_ssl, PHP


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/