Security Advisory: apache, mod_ssl security update for Stronghold

Advisory: RHSA-2004:653-02
Type: Security Advisory
Severity: Moderate
Issued on: 2004-12-20
Last updated on: 2004-12-20
Affected Products:
OVAL: N/A
CVEs (cve.mitre.org): CVE-2003-0987
CVE-2004-0885
CVE-2004-0940

Details

Updated versions of cross-platform Stronghold that fix security issues in
mod_ssl and the Apache HTTP Server are now available.

Stronghold 4 contains a number of open source technologies, including
mod_ssl and the Apache HTTP Server.

A buffer overflow in the get_tag function in mod_include for Apache 1.3.x
to 1.3.32 allows local users who can create SSI documents to execute
arbitrary code as the apache user via SSI (XSSI) documents that trigger a
length calculation error. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0940 to this issue.

mod_digest does not properly verify the nonce of a client response by using
an AuthNonce secret. This could allow a malicious user who is able to sniff
network traffic to conduct a replay attack against a website using Digest
protection. Note that mod_digest implements an older version of the MD5
Digest Authentication specification which is known not to work with modern
browsers. This issue does not affect mod_auth_digest. (CAN-2003-0987)
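The check that CAN-2003-0987 concerns, shown as an added example rather than mod_digest's or mod_auth_digest's own code: a server-side secret keys an HMAC over the nonce's issue time and realm, so a nonce the server did not mint, one minted for another realm, or one older than the replay window is rejected. The secret, the 300-second lifetime and the encoding are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed stand-in for an AuthNonce-style server secret (assumption, not a real key).
SERVER_SECRET = b"example-server-secret-not-a-real-key"
NONCE_LIFETIME = 300  # seconds a nonce stays valid (assumption)


def make_nonce(realm: str, now: float, secret: bytes = SERVER_SECRET) -> str:
    """Mint a nonce: issue timestamp plus an HMAC over timestamp:realm keyed by the secret."""
    ts = str(int(now))
    tag = hmac.new(secret, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{tag}".encode()).decode()


def verify_nonce(nonce: str, realm: str, now: float,
                 secret: bytes = SERVER_SECRET, lifetime: int = NONCE_LIFETIME) -> bool:
    """Accept only nonces that carry a valid HMAC for this realm and are still within the window."""
    try:
        ts, tag = base64.b64decode(nonce).decode().split(":", 1)
        issued = int(ts)
    except ValueError:  # bad base64, no separator, or non-numeric timestamp
        return False
    expected = hmac.new(secret, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # not minted with our secret, or minted for a different realm
    # A sniffed nonce can only be replayed inside the lifetime; a full implementation
    # additionally tracks the nonce-count (nc) so even that window is closed.
    return 0 <= now - issued <= lifetime


if __name__ == "__main__":
    fresh = make_nonce("stronghold", time.time())
    print("fresh nonce accepted:", verify_nonce(fresh, "stronghold", time.time()))
    old = make_nonce("stronghold", time.time() - 2 * NONCE_LIFETIME)
    print("replayed stale nonce accepted:", verify_nonce(old, "stronghold", time.time()))
```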

The mod_ssl module, when using the "SSLCipherSuite" directive in directory
or location context, allows remote clients to bypass intended restrictions
by using any cipher suite that is allowed by the virtual host
configuration. (CAN-2004-0885)

Users of Stronghold 4 cross-platform are advised to update to these errata
versions, which contain backported security fixes and are not vulnerable to
these issues.


Solution

Updated Stronghold 4 packages are now available via the update agent
service. Run the following command from the Stronghold 4 install root to
upgrade an existing Stronghold 4 installation to the new package versions:

$ bin/agent

The Stronghold 4.0j patch release which contains these updated packages is
also available from the download site.

After upgrading Stronghold, the server must be completely restarted by
running the following commands from the install root:

$ bin/stop-server
$ bin/start-server

For more information on how to upgrade between releases of Stronghold 4,
refer to http://stronghold.redhat.com/support/upgrade-sh4


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/