RedHat: Moderate: httpd security update

    Date: 17 Jan 2006
    Category: Red Hat
    Posted by: LinuxSecurity Advisories
    Updated Apache httpd packages that correct three security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
    
    -----------------------------------------------------------------------
    Red Hat Security Advisory
    
    Synopsis: Moderate: httpd security update
    Advisory ID: RHSA-2006:0159-01
    Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0159.html
    Issue date: 2006-01-05
    Updated on: 2006-01-05
    Product: Red Hat Enterprise Linux
    CVE Names: CVE-2005-2970 CVE-2005-3352 CVE-2005-3357
    -----------------------------------------------------------------------
    
    1. Summary:
    
    Updated Apache httpd packages that correct three security issues are now
    available for Red Hat Enterprise Linux 3 and 4.
    
    This update has been rated as having moderate security impact by the Red
    Hat Security Response Team.
    
    2. Relevant releases/architectures:
    
    Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
    Red Hat Desktop version 3 - i386, x86_64
    Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
    Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
    Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
    Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
    Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
    Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
    
    3. Problem description:
    
    The Apache HTTP Server is a popular and freely-available Web server.
    
    A memory leak in the worker MPM could allow remote attackers to cause a
    denial of service (memory consumption) via aborted connections, which
    prevents the memory for the transaction pool from being reused for other
    connections. The Common Vulnerabilities and Exposures project assigned the
    name CVE-2005-2970 to this issue. This vulnerability only affects users
    who are using the non-default worker MPM.
    
    A flaw in mod_imap when using the Referer directive with image maps was
    discovered. With certain site configurations, a remote attacker could
    perform a cross-site scripting attack if a victim can be forced to visit a
    malicious URL using certain web browsers. (CVE-2005-3352)
    
    A NULL pointer dereference flaw in mod_ssl was discovered affecting server
    configurations where an SSL virtual host is configured with access control
    and a custom 400 error document. A remote attacker could send a carefully
    crafted request to trigger this issue which would lead to a crash. This
    crash would only be a denial of service if using the non-default worker
    MPM. (CVE-2005-3357)
    
    Users of httpd should update to these erratum packages which contain
    backported patches to correct these issues along with some additional bugs.
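
Whether a given host falls into the exposed set depends on two facts the advisory leaves to the reader: is the installed httpd older than the erratum build, and is the non-default worker MPM in use. The following script is an added example, not part of the Red Hat advisory or of any Red Hat tooling. It takes the fixed version-release strings from section 6 of this advisory, relies on the RHEL 3/4 packaging convention that the worker binary is shipped as /usr/sbin/httpd.worker and selected through HTTPD= in /etc/sysconfig/httpd, and uses GNU sort -V as a stand-in for rpm's own version comparison. The helper names (httpd_status, mpm_from_module_list, exposure) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: decide whether a host is in the
# exposed set for RHSA-2006:0159. Two facts settle it: is the installed httpd
# older than the erratum build (fixed versions from section 6), and is the
# non-default worker MPM in use. Worker is what makes CVE-2005-2970 reachable
# and what turns the CVE-2005-3357 crash into a denial of service.

FIXED_RHEL3="2.0.46-56.ent"
FIXED_RHEL4="2.0.52-22.ent"

# Print "fixed" if INSTALLED is at or after FIXED, else "vulnerable".
# GNU sort -V is used as a stand-in for rpm's own version comparison; it agrees
# with it for the plain dotted-numeric version-release strings used here
# (a lexical comparison would not: 2.0.52-9 sorts after 2.0.52-22 lexically).
httpd_status() {
    installed="$1"; fixed="$2"
    newest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | tail -n 1)
    if [ "$installed" = "$fixed" ] || [ "$newest" = "$installed" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Read `httpd -l` output on stdin and print the MPM compiled into that binary
# (RHEL 3/4 ship only prefork and worker). The two binaries are /usr/sbin/httpd
# (prefork) and /usr/sbin/httpd.worker; /etc/sysconfig/httpd picks one with
# HTTPD=, so the binary the init script actually runs is the one to ask.
mpm_from_module_list() {
    grep -E '^[[:space:]]*(prefork|worker)\.c$' | head -n 1 | sed 's/[[:space:]]*//; s/\.c$//'
}

# Classify one host from its installed version-release, RHEL major (3 or 4) and
# MPM name. Prints one of: patched, vulnerable-worker, vulnerable-prefork.
# Prefork hosts remain exposed to the mod_imap XSS and the mod_ssl crash, but
# as the advisory notes a crash there only takes down one child process.
exposure() {
    installed="$1"; major="$2"; mpm="$3"
    case "$major" in
        3) fixed="$FIXED_RHEL3" ;;
        4) fixed="$FIXED_RHEL4" ;;
        *) echo "unsupported release: $major" >&2; return 1 ;;
    esac
    if [ "$(httpd_status "$installed" "$fixed")" = fixed ]; then
        echo patched
    elif [ "$mpm" = worker ]; then
        echo vulnerable-worker
    else
        echo vulnerable-prefork
    fi
}

# Live check when run directly on an RHEL host; skipped where rpm or the httpd
# package is absent, so the functions above can also be sourced from elsewhere.
if command -v rpm >/dev/null 2>&1 && rpm -q httpd >/dev/null 2>&1; then
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd)
    # redhat-release carries versions like "3AS" or "4AS"; keep the leading digit.
    maj=$(rpm -q --qf '%{VERSION}\n' redhat-release 2>/dev/null | sed 's/[^0-9].*//')
    HTTPD=/usr/sbin/httpd
    [ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd
    mpm=$("$HTTPD" -l 2>/dev/null | mpm_from_module_list)
    echo "httpd $inst, MPM ${mpm:-unknown}: $(exposure "$inst" "$maj" "$mpm")"
fi
```

The MPM has to come from the binary that the init script launches, not from `httpd -l` on whatever `httpd` is first in PATH; that is why the script sources /etc/sysconfig/httpd before asking. A prefork host still needs the update for the mod_imap and mod_ssl fixes; the classification only tells you how urgent the denial-of-service exposure is.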
    
    4. Solution:
    
    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.
    
    This update is available via Red Hat Network. To use Red Hat Network,
    launch the Red Hat Update Agent with the following command:
    
    up2date
    
    This will start an interactive process that will result in the appropriate
    RPMs being upgraded on your system.
    
    5. Bug IDs fixed (http://bugzilla.redhat.com/):
    
    170383 - mod_ssl per-directory renegotiation with request body
    171756 - CVE-2005-2970 httpd worker MPM memory consumption DoS
    175602 - CVE-2005-3352 cross-site scripting flaw in mod_imap
    175720 - CVE-2005-3357 mod_ssl crash
    
    
    6. RPMs required:
    
    Red Hat Enterprise Linux AS version 3:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-56.ent.src.rpm
    5fb40d08b35daf0b9dca84bae2d807ad httpd-2.0.46-56.ent.src.rpm
    
    i386:
    58472c7851877c10d75fc11acc987690 httpd-2.0.46-56.ent.i386.rpm
    7c5a357dc808d626e84f0b811d875087 httpd-devel-2.0.46-56.ent.i386.rpm
    fd69217826949e34854440914919115d mod_ssl-2.0.46-56.ent.i386.rpm
    
    ia64:
    9ba4fcecc7a987e0095cab3f3097573e httpd-2.0.46-56.ent.ia64.rpm
    eaaa9f395d525f97d864fa8fb7abf0b3 httpd-devel-2.0.46-56.ent.ia64.rpm
    5c1958e1b3abe828ccc70ef6aed3bb64 mod_ssl-2.0.46-56.ent.ia64.rpm
    
    ppc:
    463c75e6ea66006c222c769c133bc4a0 httpd-2.0.46-56.ent.ppc.rpm
    fbfa43b0915f7593b0b53b060ccaa5f8 httpd-devel-2.0.46-56.ent.ppc.rpm
    a9c64df8a73025eca98e931dd074b69a mod_ssl-2.0.46-56.ent.ppc.rpm
    
    s390:
    fe25eb28019d8d9a3a75b87eb60dbfe9 httpd-2.0.46-56.ent.s390.rpm
    21a7aab2c525ea1f61528823f440c1ab httpd-devel-2.0.46-56.ent.s390.rpm
    4bec0fb1ba74b43121cba95fcbc54430 mod_ssl-2.0.46-56.ent.s390.rpm
    
    s390x:
    1f0093a5d44fa75ad8d5dff12f6a8f81 httpd-2.0.46-56.ent.s390x.rpm
    e005b654914be004d22d456c3f7cd9f1 httpd-devel-2.0.46-56.ent.s390x.rpm
    ed206f46043e55028a3a1ec63f516042 mod_ssl-2.0.46-56.ent.s390x.rpm
    
    x86_64:
    19e480d4aaf0e54cd1e8beb741081e1c httpd-2.0.46-56.ent.x86_64.rpm
    204c07d7e05a9d4b3292a5072d9c6f2a httpd-devel-2.0.46-56.ent.x86_64.rpm
    770cc4db896225d99e1df93a589a02b4 mod_ssl-2.0.46-56.ent.x86_64.rpm
    
    Red Hat Desktop version 3:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/httpd-2.0.46-56.ent.src.rpm
    5fb40d08b35daf0b9dca84bae2d807ad httpd-2.0.46-56.ent.src.rpm
    
    i386:
    58472c7851877c10d75fc11acc987690 httpd-2.0.46-56.ent.i386.rpm
    7c5a357dc808d626e84f0b811d875087 httpd-devel-2.0.46-56.ent.i386.rpm
    fd69217826949e34854440914919115d mod_ssl-2.0.46-56.ent.i386.rpm
    
    x86_64:
    19e480d4aaf0e54cd1e8beb741081e1c httpd-2.0.46-56.ent.x86_64.rpm
    204c07d7e05a9d4b3292a5072d9c6f2a httpd-devel-2.0.46-56.ent.x86_64.rpm
    770cc4db896225d99e1df93a589a02b4 mod_ssl-2.0.46-56.ent.x86_64.rpm
    
    Red Hat Enterprise Linux ES version 3:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-56.ent.src.rpm
    5fb40d08b35daf0b9dca84bae2d807ad httpd-2.0.46-56.ent.src.rpm
    
    i386:
    58472c7851877c10d75fc11acc987690 httpd-2.0.46-56.ent.i386.rpm
    7c5a357dc808d626e84f0b811d875087 httpd-devel-2.0.46-56.ent.i386.rpm
    fd69217826949e34854440914919115d mod_ssl-2.0.46-56.ent.i386.rpm
    
    ia64:
    9ba4fcecc7a987e0095cab3f3097573e httpd-2.0.46-56.ent.ia64.rpm
    eaaa9f395d525f97d864fa8fb7abf0b3 httpd-devel-2.0.46-56.ent.ia64.rpm
    5c1958e1b3abe828ccc70ef6aed3bb64 mod_ssl-2.0.46-56.ent.ia64.rpm
    
    x86_64:
    19e480d4aaf0e54cd1e8beb741081e1c httpd-2.0.46-56.ent.x86_64.rpm
    204c07d7e05a9d4b3292a5072d9c6f2a httpd-devel-2.0.46-56.ent.x86_64.rpm
    770cc4db896225d99e1df93a589a02b4 mod_ssl-2.0.46-56.ent.x86_64.rpm
    
    Red Hat Enterprise Linux WS version 3:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-56.ent.src.rpm
    5fb40d08b35daf0b9dca84bae2d807ad httpd-2.0.46-56.ent.src.rpm
    
    i386:
    58472c7851877c10d75fc11acc987690 httpd-2.0.46-56.ent.i386.rpm
    7c5a357dc808d626e84f0b811d875087 httpd-devel-2.0.46-56.ent.i386.rpm
    fd69217826949e34854440914919115d mod_ssl-2.0.46-56.ent.i386.rpm
    
    ia64:
    9ba4fcecc7a987e0095cab3f3097573e httpd-2.0.46-56.ent.ia64.rpm
    eaaa9f395d525f97d864fa8fb7abf0b3 httpd-devel-2.0.46-56.ent.ia64.rpm
    5c1958e1b3abe828ccc70ef6aed3bb64 mod_ssl-2.0.46-56.ent.ia64.rpm
    
    x86_64:
    19e480d4aaf0e54cd1e8beb741081e1c httpd-2.0.46-56.ent.x86_64.rpm
    204c07d7e05a9d4b3292a5072d9c6f2a httpd-devel-2.0.46-56.ent.x86_64.rpm
    770cc4db896225d99e1df93a589a02b4 mod_ssl-2.0.46-56.ent.x86_64.rpm
    
    Red Hat Enterprise Linux AS version 4:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/httpd-2.0.52-22.ent.src.rpm
    1758c0d1f6326b2f8d77885a351872a1 httpd-2.0.52-22.ent.src.rpm
    
    i386:
    64b2b544496645ed16ce4e7415b358b0 httpd-2.0.52-22.ent.i386.rpm
    7191377bec8fdd54c327830b05f74e7e httpd-devel-2.0.52-22.ent.i386.rpm
    5b69c82ad64cee1b4c46e9f814e88286 httpd-manual-2.0.52-22.ent.i386.rpm
    4cde89fc87b21feff51d54098fe4ed83 httpd-suexec-2.0.52-22.ent.i386.rpm
    97f4a87d758c4b84def3abf53e6293cc mod_ssl-2.0.52-22.ent.i386.rpm
    
    ia64:
    c7522babbf9b3a24f8c3bfaff8e2e10f httpd-2.0.52-22.ent.ia64.rpm
    10a317c00ae0e59b4f3071870f6d939a httpd-devel-2.0.52-22.ent.ia64.rpm
    adaf0ba8b49ee0ceb3469e1b5f67c339 httpd-manual-2.0.52-22.ent.ia64.rpm
    38dec291e729a7e69bdc9ba25cfca5be httpd-suexec-2.0.52-22.ent.ia64.rpm
    fa92eddcfe59311085ed2c0c7675380b mod_ssl-2.0.52-22.ent.ia64.rpm
    
    ppc:
    1fef1c2e4c3e8796c8d29f1a8b4288f2 httpd-2.0.52-22.ent.ppc.rpm
    756f217a147ae442b5b60612c42a6e80 httpd-devel-2.0.52-22.ent.ppc.rpm
    d8f0dd7e832cad4efa48333ed1d649af httpd-manual-2.0.52-22.ent.ppc.rpm
    3a466a4bceadf2fcc1994206481062a6 httpd-suexec-2.0.52-22.ent.ppc.rpm
    a293bf05ecae2c4b192d5ec3dfcbb98d mod_ssl-2.0.52-22.ent.ppc.rpm
    
    s390:
    c9aee197a528745c6c8590f7605b1643 httpd-2.0.52-22.ent.s390.rpm
    9f8f303a60b8b52a5a1c4be911df9212 httpd-devel-2.0.52-22.ent.s390.rpm
    f3107dc3d74f773f21854fc94e2eca2d httpd-manual-2.0.52-22.ent.s390.rpm
    4f3d8737a2656298e7b2b867b0f35d2a httpd-suexec-2.0.52-22.ent.s390.rpm
    e78eb4e3946b778fcd3a8fd650c1cc02 mod_ssl-2.0.52-22.ent.s390.rpm
    
    s390x:
    c175a4c5c89597afd57932e6e08f5755 httpd-2.0.52-22.ent.s390x.rpm
    f894f7f71f4ab719d09812bb794f37df httpd-devel-2.0.52-22.ent.s390x.rpm
    da94d5e68605db9f5c4c801e853e60ad httpd-manual-2.0.52-22.ent.s390x.rpm
    350bbc702110c42e1cf95787168d63b1 httpd-suexec-2.0.52-22.ent.s390x.rpm
    321b95391c4d73b76fb632db96fec976 mod_ssl-2.0.52-22.ent.s390x.rpm
    
    x86_64:
    e0c7651c64d7ba3c4c1e6e5b0296295c httpd-2.0.52-22.ent.x86_64.rpm
    95f9a419ba8d943c5a99fc750fc82176 httpd-devel-2.0.52-22.ent.x86_64.rpm
    f72c3a86cae6f4a2716e27d1e315797c httpd-manual-2.0.52-22.ent.x86_64.rpm
    dbbd0863f64a60bba95c0bd2164e4d17 httpd-suexec-2.0.52-22.ent.x86_64.rpm
    8ee3ac6dff631ffc1d2b645582b35cfb mod_ssl-2.0.52-22.ent.x86_64.rpm
    
    Red Hat Enterprise Linux Desktop version 4:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/httpd-2.0.52-22.ent.src.rpm
    1758c0d1f6326b2f8d77885a351872a1 httpd-2.0.52-22.ent.src.rpm
    
    i386:
    64b2b544496645ed16ce4e7415b358b0 httpd-2.0.52-22.ent.i386.rpm
    7191377bec8fdd54c327830b05f74e7e httpd-devel-2.0.52-22.ent.i386.rpm
    5b69c82ad64cee1b4c46e9f814e88286 httpd-manual-2.0.52-22.ent.i386.rpm
    4cde89fc87b21feff51d54098fe4ed83 httpd-suexec-2.0.52-22.ent.i386.rpm
    97f4a87d758c4b84def3abf53e6293cc mod_ssl-2.0.52-22.ent.i386.rpm
    
    x86_64:
    e0c7651c64d7ba3c4c1e6e5b0296295c httpd-2.0.52-22.ent.x86_64.rpm
    95f9a419ba8d943c5a99fc750fc82176 httpd-devel-2.0.52-22.ent.x86_64.rpm
    f72c3a86cae6f4a2716e27d1e315797c httpd-manual-2.0.52-22.ent.x86_64.rpm
    dbbd0863f64a60bba95c0bd2164e4d17 httpd-suexec-2.0.52-22.ent.x86_64.rpm
    8ee3ac6dff631ffc1d2b645582b35cfb mod_ssl-2.0.52-22.ent.x86_64.rpm
    
    Red Hat Enterprise Linux ES version 4:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/httpd-2.0.52-22.ent.src.rpm
    1758c0d1f6326b2f8d77885a351872a1 httpd-2.0.52-22.ent.src.rpm
    
    i386:
    64b2b544496645ed16ce4e7415b358b0 httpd-2.0.52-22.ent.i386.rpm
    7191377bec8fdd54c327830b05f74e7e httpd-devel-2.0.52-22.ent.i386.rpm
    5b69c82ad64cee1b4c46e9f814e88286 httpd-manual-2.0.52-22.ent.i386.rpm
    4cde89fc87b21feff51d54098fe4ed83 httpd-suexec-2.0.52-22.ent.i386.rpm
    97f4a87d758c4b84def3abf53e6293cc mod_ssl-2.0.52-22.ent.i386.rpm
    
    ia64:
    c7522babbf9b3a24f8c3bfaff8e2e10f httpd-2.0.52-22.ent.ia64.rpm
    10a317c00ae0e59b4f3071870f6d939a httpd-devel-2.0.52-22.ent.ia64.rpm
    adaf0ba8b49ee0ceb3469e1b5f67c339 httpd-manual-2.0.52-22.ent.ia64.rpm
    38dec291e729a7e69bdc9ba25cfca5be httpd-suexec-2.0.52-22.ent.ia64.rpm
    fa92eddcfe59311085ed2c0c7675380b mod_ssl-2.0.52-22.ent.ia64.rpm
    
    x86_64:
    e0c7651c64d7ba3c4c1e6e5b0296295c httpd-2.0.52-22.ent.x86_64.rpm
    95f9a419ba8d943c5a99fc750fc82176 httpd-devel-2.0.52-22.ent.x86_64.rpm
    f72c3a86cae6f4a2716e27d1e315797c httpd-manual-2.0.52-22.ent.x86_64.rpm
    dbbd0863f64a60bba95c0bd2164e4d17 httpd-suexec-2.0.52-22.ent.x86_64.rpm
    8ee3ac6dff631ffc1d2b645582b35cfb mod_ssl-2.0.52-22.ent.x86_64.rpm
    
    Red Hat Enterprise Linux WS version 4:
    
    SRPMS:
    ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/httpd-2.0.52-22.ent.src.rpm
    1758c0d1f6326b2f8d77885a351872a1 httpd-2.0.52-22.ent.src.rpm
    
    i386:
    64b2b544496645ed16ce4e7415b358b0 httpd-2.0.52-22.ent.i386.rpm
    7191377bec8fdd54c327830b05f74e7e httpd-devel-2.0.52-22.ent.i386.rpm
    5b69c82ad64cee1b4c46e9f814e88286 httpd-manual-2.0.52-22.ent.i386.rpm
    4cde89fc87b21feff51d54098fe4ed83 httpd-suexec-2.0.52-22.ent.i386.rpm
    97f4a87d758c4b84def3abf53e6293cc mod_ssl-2.0.52-22.ent.i386.rpm
    
    ia64:
    c7522babbf9b3a24f8c3bfaff8e2e10f httpd-2.0.52-22.ent.ia64.rpm
    10a317c00ae0e59b4f3071870f6d939a httpd-devel-2.0.52-22.ent.ia64.rpm
    adaf0ba8b49ee0ceb3469e1b5f67c339 httpd-manual-2.0.52-22.ent.ia64.rpm
    38dec291e729a7e69bdc9ba25cfca5be httpd-suexec-2.0.52-22.ent.ia64.rpm
    fa92eddcfe59311085ed2c0c7675380b mod_ssl-2.0.52-22.ent.ia64.rpm
    
    x86_64:
    e0c7651c64d7ba3c4c1e6e5b0296295c httpd-2.0.52-22.ent.x86_64.rpm
    95f9a419ba8d943c5a99fc750fc82176 httpd-devel-2.0.52-22.ent.x86_64.rpm
    f72c3a86cae6f4a2716e27d1e315797c httpd-manual-2.0.52-22.ent.x86_64.rpm
    dbbd0863f64a60bba95c0bd2164e4d17 httpd-suexec-2.0.52-22.ent.x86_64.rpm
    8ee3ac6dff631ffc1d2b645582b35cfb mod_ssl-2.0.52-22.ent.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security. Our key and
    details on how to verify the signature are available from
    https://www.redhat.com/security/team/key/#package
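
The MD5 list above and the GPG signature are two different kinds of evidence, and only the signature carries trust: MD5 is not collision-resistant, so a matching checksum shows you fetched the bytes the advisory describes, not that Red Hat produced them. The following verification script is an added example, not part of the Red Hat advisory or of Red Hat's tooling. It assumes the checksum lines are fed in exactly the "<md5> <filename>" layout of section 6, that the Red Hat key has been imported into the rpm keyring as the URL above describes, and that `rpm -K` (--checksig) prints "OK" only for a verified signature; the helper names (md5_mismatches, rpm_sigs_ok) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: verify downloaded erratum
# RPMs before installing them. Two independent checks: the MD5 list in section 6
# of the advisory, and the Red Hat GPG signature embedded in each RPM. Treat a
# checksum match as necessary, never as sufficient; the signature is what
# ties the package to Red Hat.

# Read "<md5> <filename>" lines (the advisory's section 6 layout) on stdin and
# print the names of files in DIR whose MD5 does not match. Listed files that
# are not present are skipped: you only download the architecture you need.
md5_mismatches() {
    dir="$1"
    while read -r sum name; do
        [ -n "$sum" ] && [ -f "$dir/$name" ] || continue
        actual=$(md5sum "$dir/$name" | cut -d' ' -f1)
        [ "$actual" = "$sum" ] || echo "$name"
    done
}

# Check the embedded signature of every RPM in DIR with rpm -K (--checksig).
# The Red Hat key must already be in the rpm keyring; with the key missing rpm
# reports "(GPG) NOT OK (MISSING KEYS ...)", which is treated as a failure here
# rather than silently passed. Returns 0 only if every file verifies.
rpm_sigs_ok() {
    dir="$1"; rc=0
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue
        out=$(rpm -K "$f" 2>&1)
        case "$out" in
            *"NOT OK"*) echo "FAIL: $out" >&2; rc=1 ;;
            *" OK"*)    ;;
            *)          echo "FAIL: $out" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh verify-errata.sh DIR < section6.txt
# where section6.txt holds the checksum lines for your release and architecture.
if [ -n "$1" ] && [ -d "$1" ]; then
    bad=$(md5_mismatches "$1")
    if [ -n "$bad" ]; then
        printf 'checksum mismatch:\n%s\n' "$bad" >&2
        exit 1
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm_sigs_ok "$1" || exit 1
    fi
    echo "ok: checksums and signatures verified for $1"
fi
```

Run the checksum pass first so that a truncated or corrupted download is reported as such rather than as a signature failure; a file that fails `rpm -K` after passing the MD5 check is the case that deserves attention, because it means the bytes match what the advisory lists but do not verify against the Red Hat key you have installed.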
    
    7. References:
    
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2970
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3357
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://www.redhat.com/security/team/contact/
    
    Copyright 2006 Red Hat, Inc. 