Skip to navigation

Security Advisory Updated apache, httpd, and mod_ssl packages available

Advisory: RHSA-2002:222-21
Type: Security Advisory
Severity: N/A
Issued on: 2002-12-12
Last updated on: 2002-11-25
Affected Products: Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
Red Hat Linux 8.0
CVEs (cve.mitre.org): CVE-2002-0839
CVE-2002-0840
CVE-2002-0843
CVE-2002-1157

Details

Updated apache and httpd packages which fix a number of security issues are
now available for Red Hat Linux 6.2, 7, 7.1, 7.2, 7.3, and 8.0.

The Apache HTTP Web Server is a secure, efficient, and extensible web
server that provides HTTP services.

Buffer overflows in the ApacheBench support program (ab.c) in Apache
versions prior to 1.3.27, and Apache versions 2.x prior to 2.0.43, allow a
malicious Web server to cause a denial of service (DoS) and possibly
execute arbitrary code via a long response. The Common Vulnerabilities and
Exposures project has assigned the name CAN-2002-0843 to this issue.

Two cross-site scripting (XSS) vulnerabilities are present in the error
pages for the default "404 Not Found" error and for the error response
when a plain HTTP request is received on an SSL port. Both of these issues
are only exploitable if the "UseCanonicalName" setting has been changed to
"Off", and wildcard DNS is in use. These issues could allow remote
attackers to execute scripts as other webpage visitors, for instance, to
steal cookies. These issues affect versions of Apache 1.3 before 1.3.26,
versions of Apache 2.0 before 2.0.43, and versions of mod_ssl before
2.8.12. (CAN-2002-0840, CAN-2002-1157)

The shared memory scoreboard in the HTTP daemon for Apache 1.3, prior to
version 1.3.27, allows a user running as the "apache" UID to send a
SIGUSR1 signal to any process as root, resulting in a denial of service
(process kill) or other such behavior that would not normally be allowed.
(CAN-2002-0839). Note that this issue does not affect Red Hat
Linux 8.0.

All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages. For Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3,
these packages include Apache version 1.3.27 which is not vulnerable to
these issues. For Red Hat Linux 8.0, the fixes have been back-ported and
applied to Apache version 2.0.40.

Note that the instructions in the "Solution" section of this errata contain
additional steps required to complete the upgrade process.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

After the errata packages are installed, restart the Web service by running
the following command:

/sbin/service httpd restart

Updated packages

Red Hat Linux 6.2

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/apache/1.3.27-1.6.2/SRPMS/apache-1.3.27-1.6.2.src.rpm
Missing file
    MD5: 941bd10cf20ffb98e05b6b62eb868ac6
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/apache/1.3.27-1.6.2/alpha/apache-1.3.27-1.6.2.alpha.rpm
Missing file
    MD5: 2a13bd7501151a73bf307f5d5501ed9e
ftp://updates.redhat.com/rhn/repository/NULL/apache-devel/1.3.27-1.6.2/alpha/apache-devel-1.3.27-1.6.2.alpha.rpm
Missing file
    MD5: 21673918d3e0ab20ff2d2c214d3512d7
ftp://updates.redhat.com/rhn/repository/NULL/apache-manual/1.3.27-1.6.2/alpha/apache-manual-1.3.27-1.6.2.alpha.rpm
Missing file
    MD5: a0179b768549d18cb3247942846a7e83
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/apache/1.3.27-1.6.2/i386/apache-1.3.27-1.6.2.i386.rpm
Missing file
    MD5: 1e3b0db6a15b806d73ae068374be7059
ftp://updates.redhat.com/rhn/repository/NULL/apache-devel/1.3.27-1.6.2/i386/apache-devel-1.3.27-1.6.2.i386.rpm
Missing file
    MD5: 62bfe25eacbccab63c7c1ec7823b1a0c
ftp://updates.redhat.com/rhn/repository/NULL/apache-manual/1.3.27-1.6.2/i386/apache-manual-1.3.27-1.6.2.i386.rpm
Missing file
    MD5: 7de68537d0bfdd3c5276c7a26c10fb86
 
Sparc:
ftp://updates.redhat.com/rhn/repository/NULL/apache/1.3.27-1.6.2/sparc/apache-1.3.27-1.6.2.sparc.rpm
Missing file
    MD5: bf83e969b350c3bde5d5c637f6d97d4e
ftp://updates.redhat.com/rhn/repository/NULL/apache-devel/1.3.27-1.6.2/sparc/apache-devel-1.3.27-1.6.2.sparc.rpm
Missing file
    MD5: 1845941d496068449d918ab125481994
ftp://updates.redhat.com/rhn/repository/NULL/apache-manual/1.3.27-1.6.2/sparc/apache-manual-1.3.27-1.6.2.sparc.rpm
Missing file
    MD5: 0218ec56fda57c6518236915edad8fe3
 
Red Hat Linux 7.0

SRPMS:
apache-1.3.27-1.7.1.src.rpm
File outdated by:  RHSA-2003:405
    MD5: a450f8cee1c9916d6c4662dd01791360
mod_ssl-2.8.12-1.7.src.rpm
File outdated by:  RHSA-2003:243
    MD5: cfb81a125517bc44e8382d249db1d7a9
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/apache/1.3.27-1.7.1/alpha/apache-1.3.27-1.7.1.alpha.rpm
Missing file
    MD5: c7fc8714af3bde967998c0f39506ebf4
ftp://updates.redhat.com/rhn/repository/NULL/apache-devel/1.3.27-1.7.1/alpha/apache-devel-1.3.27-1.7.1.alpha.rpm
Missing file
    MD5: c080c8c829aa670575612b1377951118
ftp://updates.redhat.com/rhn/repository/NULL/apache-manual/1.3.27-1.7.1/alpha/apache-manual-1.3.27-1.7.1.alpha.rpm
Missing file
    MD5: 7d1d023e3981c3336e1225827bef138c
ftp://updates.redhat.com/rhn/repository/NULL/mod_ssl/2.8.12-1.7/alpha/mod_ssl-2.8.12-1.7.alpha.rpm
Missing file
    MD5: ffb847c9445946d5b7ad6c6226a7c559
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/apache/1.3.27-1.7.1/i386/apache-1.3.27-1.7.1.i386.rpm
Missing file
    MD5: be954ca5a23c7a929a9cf53fa9901f8d
ftp://updates.redhat.com/rhn/repository/NULL/apache-devel/1.3.27-1.7.1/i386/apache-devel-1.3.27-1.7.1.i386.rpm
Missing file
    MD5: cc14aa8ad1ad26fb870bf8d61a32d144
ftp://updates.redhat.com/rhn/repository/NULL/apache-manual/1.3.27-1.7.1/i386/apache-manual-1.3.27-1.7.1.i386.rpm
Missing file
    MD5: 6136b6d40563a8df1b18fbd725caaf9e
ftp://updates.redhat.com/rhn/repository/NULL/mod_ssl/2.8.12-1.7/i386/mod_ssl-2.8.12-1.7.i386.rpm
Missing file
    MD5: 994ae80126430f7c1c32fdc37856665c
 
Red Hat Linux 7.1

SRPMS:
apache-1.3.27-1.7.1.src.rpm
File outdated by:  RHSA-2003:405
    MD5: a450f8cee1c9916d6c4662dd01791360
mod_ssl-2.8.12-1.7.src.rpm
File outdated by:  RHSA-2003:243
    MD5: cfb81a125517bc44e8382d249db1d7a9
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/apache/1.3.27-1.7.1/alpha/apache-1.3.27-1.7.1.alpha.rpm
Missing file
    MD5: c7fc8714af3bde967998c0f39506ebf4
ftp://updates.redhat.com/rhn/repository/NULL/apache-devel/1.3.27-1.7.1/alpha/apache-devel-1.3.27-1.7.1.alpha.rpm
Missing file
    MD5: c080c8c829aa670575612b1377951118
ftp://updates.redhat.com/rhn/repository/NULL/apache-manual/1.3.27-1.7.1/alpha/apache-manual-1.3.27-1.7.1.alpha.rpm
Missing file
    MD5: 7d1d023e3981c3336e1225827bef138c
ftp://updates.redhat.com/rhn/repository/NULL/mod_ssl/2.8.12-1.7/alpha/mod_ssl-2.8.12-1.7.alpha.rpm
Missing file
    MD5: ffb847c9445946d5b7ad6c6226a7c559
 
IA-32:
apache-1.3.27-1.7.1.i386.rpm
File outdated by:  RHSA-2003:405
    MD5: be954ca5a23c7a929a9cf53fa9901f8d
apache-devel-1.3.27-1.7.1.i386.rpm
File outdated by:  RHSA-2003:405
    MD5: cc14aa8ad1ad26fb870bf8d61a32d144
apache-manual-1.3.27-1.7.1.i386.rpm
File outdated by:  RHSA-2003:405
    MD5: 6136b6d40563a8df1b18fbd725caaf9e
mod_ssl-2.8.12-1.7.i386.rpm
File outdated by:  RHSA-2003:243
    MD5: 994ae80126430f7c1c32fdc37856665c
 
IA-64:
ftp://updates.redhat.com/rhn/repository/NULL/apache/1.3.27-1.7.1/ia64/apache-1.3.27-1.7.1.ia64.rpm
Missing file
    MD5: f839f3628c96dd69598199c1f8ec5c20
ftp://updates.redhat.com/rhn/repository/NULL/apache-devel/1.3.27-1.7.1/ia64/apache-devel-1.3.27-1.7.1.ia64.rpm
Missing file
    MD5: dfbb2a56685059e50facb5e214f0db89
ftp://updates.redhat.com/rhn/repository/NULL/apache-manual/1.3.27-1.7.1/ia64/apache-manual-1.3.27-1.7.1.ia64.rpm
Missing file
    MD5: db0cf12c6d9c4c79c874efe165a043f9
ftp://updates.redhat.com/rhn/repository/NULL/mod_ssl/2.8.12-1.7/ia64/mod_ssl-2.8.12-1.7.ia64.rpm
Missing file
    MD5: baabf87a3644eba5c9ed35c5f0d380b9
 
Red Hat Linux 7.2

SRPMS:
apache-1.3.27-1.7.2.src.rpm
File outdated by:  RHSA-2003:405
    MD5: fb310f9f6bdbef9015813c927f7a3aed
mod_ssl-2.8.12-2.src.rpm
File outdated by:  RHSA-2003:243
    MD5: cae24f57f879b6a61818ac8f10e853f0
 
IA-32:
apache-1.3.27-1.7.2.i386.rpm
File outdated by:  RHSA-2003:405
    MD5: 937277dd20dc1378abcd94f3f3aea90d
apache-devel-1.3.27-1.7.2.i386.rpm
File outdated by:  RHSA-2003:405
    MD5: 616a8185b386c4e2fc2c302f80267437
apache-manual-1.3.27-1.7.2.i386.rpm
File outdated by:  RHSA-2003:405
    MD5: 1bdcb4382d32ccf8184b16bdebd11093
mod_ssl-2.8.12-2.i386.rpm
File outdated by:  RHSA-2003:243
    MD5: e83635604fb16d3d8bc5dd37b0afa0f4
 
IA-64:
apache-1.3.27-1.7.2.ia64.rpm
File outdated by:  RHSA-2003:405
    MD5: 055f5ad5af3b1459c7ad327c37137f69
apache-devel-1.3.27-1.7.2.ia64.rpm
File outdated by:  RHSA-2003:405
    MD5: 6c35060e59e833f1bc4a760ca90d0654
apache-manual-1.3.27-1.7.2.ia64.rpm
File outdated by:  RHSA-2003:405
    MD5: c918d22e8a736f2bf59125b67297d140
mod_ssl-2.8.12-2.ia64.rpm
File outdated by:  RHSA-2003:243
    MD5: 11bfa3ba16c8cb8e2a9af4655284584a
 
Red Hat Linux 7.3

SRPMS:
apache-1.3.27-2.src.rpm
File outdated by:  RHSA-2003:405
    MD5: 7ba20ebb306ecdd655ad8d5ce37af121
mod_ssl-2.8.12-2.src.rpm
File outdated by:  RHSA-2003:243
    MD5: cae24f57f879b6a61818ac8f10e853f0
 
IA-32:
apache-1.3.27-2.i386.rpm
File outdated by:  RHSA-2003:405
    MD5: 6eb4e656c5310116e0cccc4e09002d2c
apache-devel-1.3.27-2.i386.rpm
File outdated by:  RHSA-2003:405
    MD5: 7990f8d8ed4846704e468c9390618731
apache-manual-1.3.27-2.i386.rpm
File outdated by:  RHSA-2003:405
    MD5: c91ec30aaede3d3ed691dc83c6869a99
mod_ssl-2.8.12-2.i386.rpm
File outdated by:  RHSA-2003:243
    MD5: e83635604fb16d3d8bc5dd37b0afa0f4
 
Red Hat Linux 8.0

SRPMS:
httpd-2.0.40-11.src.rpm
File outdated by:  RHSA-2003:320
    MD5: 33769c1c143f43c234015fcacc06b3c0
 
IA-32:
httpd-2.0.40-11.i386.rpm
File outdated by:  RHSA-2003:320
    MD5: f2e8238119ae05619a1647e51584a42c
httpd-devel-2.0.40-11.i386.rpm
File outdated by:  RHSA-2003:320
    MD5: 61c76135fbe88268244920b130eb03af
httpd-manual-2.0.40-11.i386.rpm
File outdated by:  RHSA-2003:320
    MD5: d2146865eb81e380d848d458b254e661
mod_ssl-2.0.40-11.i386.rpm
File outdated by:  RHSA-2003:320
    MD5: 8f2aab8716f5d28f7e49f145bd78cc12
 

Bugs fixed (see bugzilla for more information)

74882 - XSS vulnerabilities
76327 - Apache 1.3.27 released fixing multiple security issues


References


Keywords

ab, apache, mod_ssl, scoreboard, xss


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/