FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Enterprise Watch List

 
 
LinkBack Thread Tools
 
Old 01-15-2008, 08:18 AM
 
Default Moderate: httpd security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================================== ===================
Red Hat Security Advisory

Synopsis: Moderate: httpd security update
Advisory ID: RHSA-2008:0005-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0005.html
Issue date: 2008-01-15
CVE Names: CVE-2007-3847 CVE-2007-4465 CVE-2007-5000
CVE-2007-6388 CVE-2008-0005
================================================== ===================

1. Summary:

Updated Apache httpd packages that fix several security issues are now
available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

The Apache HTTP Server is a popular Web server.

A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)

A flaw was found in the mod_autoindex module. On sites where directory
listings are used, and the "AddDefaultCharset" directive has been removed
from the configuration, a cross-site scripting attack was possible against
Web browsers which did not correctly derive the response character set
following the rules in RFC 2616. (CVE-2007-4465)

A flaw was found in the mod_proxy module. On sites where a reverse proxy is
configured, a remote attacker could send a carefully crafted request that
would cause the Apache child process handling that request to crash. On
sites where a forward proxy is configured, an attacker could cause a
similar crash if a user could be persuaded to visit a malicious site using
the proxy. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which did not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)

Users of Apache httpd should upgrade to these updated packages, which
contain backported patches to resolve these issues. Users should restart
httpd after installing this update.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

250731 - CVE-2007-3847 httpd out of bounds read
289511 - CVE-2007-4465 mod_autoindex XSS
419931 - CVE-2007-5000 mod_imagemap XSS
427228 - CVE-2007-6388 apache mod_status cross-site scripting
427739 - CVE-2008-0005 mod_proxy_ftp XSS

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-70.ent.src.rpm

i386:
httpd-2.0.46-70.ent.i386.rpm
httpd-debuginfo-2.0.46-70.ent.i386.rpm
httpd-devel-2.0.46-70.ent.i386.rpm
mod_ssl-2.0.46-70.ent.i386.rpm

ia64:
httpd-2.0.46-70.ent.ia64.rpm
httpd-debuginfo-2.0.46-70.ent.ia64.rpm
httpd-devel-2.0.46-70.ent.ia64.rpm
mod_ssl-2.0.46-70.ent.ia64.rpm

ppc:
httpd-2.0.46-70.ent.ppc.rpm
httpd-debuginfo-2.0.46-70.ent.ppc.rpm
httpd-devel-2.0.46-70.ent.ppc.rpm
mod_ssl-2.0.46-70.ent.ppc.rpm

s390:
httpd-2.0.46-70.ent.s390.rpm
httpd-debuginfo-2.0.46-70.ent.s390.rpm
httpd-devel-2.0.46-70.ent.s390.rpm
mod_ssl-2.0.46-70.ent.s390.rpm

s390x:
httpd-2.0.46-70.ent.s390x.rpm
httpd-debuginfo-2.0.46-70.ent.s390x.rpm
httpd-devel-2.0.46-70.ent.s390x.rpm
mod_ssl-2.0.46-70.ent.s390x.rpm

x86_64:
httpd-2.0.46-70.ent.x86_64.rpm
httpd-debuginfo-2.0.46-70.ent.x86_64.rpm
httpd-devel-2.0.46-70.ent.x86_64.rpm
mod_ssl-2.0.46-70.ent.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/httpd-2.0.46-70.ent.src.rpm

i386:
httpd-2.0.46-70.ent.i386.rpm
httpd-debuginfo-2.0.46-70.ent.i386.rpm
httpd-devel-2.0.46-70.ent.i386.rpm
mod_ssl-2.0.46-70.ent.i386.rpm

x86_64:
httpd-2.0.46-70.ent.x86_64.rpm
httpd-debuginfo-2.0.46-70.ent.x86_64.rpm
httpd-devel-2.0.46-70.ent.x86_64.rpm
mod_ssl-2.0.46-70.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-70.ent.src.rpm

i386:
httpd-2.0.46-70.ent.i386.rpm
httpd-debuginfo-2.0.46-70.ent.i386.rpm
httpd-devel-2.0.46-70.ent.i386.rpm
mod_ssl-2.0.46-70.ent.i386.rpm

ia64:
httpd-2.0.46-70.ent.ia64.rpm
httpd-debuginfo-2.0.46-70.ent.ia64.rpm
httpd-devel-2.0.46-70.ent.ia64.rpm
mod_ssl-2.0.46-70.ent.ia64.rpm

x86_64:
httpd-2.0.46-70.ent.x86_64.rpm
httpd-debuginfo-2.0.46-70.ent.x86_64.rpm
httpd-devel-2.0.46-70.ent.x86_64.rpm
mod_ssl-2.0.46-70.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-70.ent.src.rpm

i386:
httpd-2.0.46-70.ent.i386.rpm
httpd-debuginfo-2.0.46-70.ent.i386.rpm
httpd-devel-2.0.46-70.ent.i386.rpm
mod_ssl-2.0.46-70.ent.i386.rpm

ia64:
httpd-2.0.46-70.ent.ia64.rpm
httpd-debuginfo-2.0.46-70.ent.ia64.rpm
httpd-devel-2.0.46-70.ent.ia64.rpm
mod_ssl-2.0.46-70.ent.ia64.rpm

x86_64:
httpd-2.0.46-70.ent.x86_64.rpm
httpd-debuginfo-2.0.46-70.ent.x86_64.rpm
httpd-devel-2.0.46-70.ent.x86_64.rpm
mod_ssl-2.0.46-70.ent.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHjHorXlSAg2UNWIIRAthqAJ9ccWDS7KBOtnNNDXOwUr LWAq8mmwCgki6X
YtwmKKsjeNme4CwQsbO2z8g=
=Bzlo
-----END PGP SIGNATURE-----


--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 
Old 01-15-2008, 08:33 AM
 
Default Moderate: httpd security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================================== ===================
Red Hat Security Advisory

Synopsis: Moderate: httpd security update
Advisory ID: RHSA-2008:0006-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0006.html
Issue date: 2008-01-15
CVE Names: CVE-2007-4465 CVE-2007-5000 CVE-2007-6388
CVE-2008-0005
================================================== ===================

1. Summary:

Updated Apache httpd packages that fix several security issues are now
available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

The Apache HTTP Server is a popular Web server.

A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)

A flaw was found in the mod_autoindex module. On sites where directory
listings are used, and the "AddDefaultCharset" directive has been removed
from the configuration, a cross-site scripting attack was possible against
Web browsers which do not correctly derive the response character set
following the rules in RFC 2616. (CVE-2007-4465)

A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which do not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)

Users of Apache httpd should upgrade to these updated packages, which
contain backported patches to resolve these issues. Users should restart
httpd after installing this update.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

289511 - CVE-2007-4465 mod_autoindex XSS
419931 - CVE-2007-5000 mod_imagemap XSS
427228 - CVE-2007-6388 apache mod_status cross-site scripting
427739 - CVE-2008-0005 mod_proxy_ftp XSS

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/httpd-2.0.52-38.ent.2.src.rpm

i386:
httpd-2.0.52-38.ent.2.i386.rpm
httpd-debuginfo-2.0.52-38.ent.2.i386.rpm
httpd-devel-2.0.52-38.ent.2.i386.rpm
httpd-manual-2.0.52-38.ent.2.i386.rpm
httpd-suexec-2.0.52-38.ent.2.i386.rpm
mod_ssl-2.0.52-38.ent.2.i386.rpm

ia64:
httpd-2.0.52-38.ent.2.ia64.rpm
httpd-debuginfo-2.0.52-38.ent.2.ia64.rpm
httpd-devel-2.0.52-38.ent.2.ia64.rpm
httpd-manual-2.0.52-38.ent.2.ia64.rpm
httpd-suexec-2.0.52-38.ent.2.ia64.rpm
mod_ssl-2.0.52-38.ent.2.ia64.rpm

ppc:
httpd-2.0.52-38.ent.2.ppc.rpm
httpd-debuginfo-2.0.52-38.ent.2.ppc.rpm
httpd-devel-2.0.52-38.ent.2.ppc.rpm
httpd-manual-2.0.52-38.ent.2.ppc.rpm
httpd-suexec-2.0.52-38.ent.2.ppc.rpm
mod_ssl-2.0.52-38.ent.2.ppc.rpm

s390:
httpd-2.0.52-38.ent.2.s390.rpm
httpd-debuginfo-2.0.52-38.ent.2.s390.rpm
httpd-devel-2.0.52-38.ent.2.s390.rpm
httpd-manual-2.0.52-38.ent.2.s390.rpm
httpd-suexec-2.0.52-38.ent.2.s390.rpm
mod_ssl-2.0.52-38.ent.2.s390.rpm

s390x:
httpd-2.0.52-38.ent.2.s390x.rpm
httpd-debuginfo-2.0.52-38.ent.2.s390x.rpm
httpd-devel-2.0.52-38.ent.2.s390x.rpm
httpd-manual-2.0.52-38.ent.2.s390x.rpm
httpd-suexec-2.0.52-38.ent.2.s390x.rpm
mod_ssl-2.0.52-38.ent.2.s390x.rpm

x86_64:
httpd-2.0.52-38.ent.2.x86_64.rpm
httpd-debuginfo-2.0.52-38.ent.2.x86_64.rpm
httpd-devel-2.0.52-38.ent.2.x86_64.rpm
httpd-manual-2.0.52-38.ent.2.x86_64.rpm
httpd-suexec-2.0.52-38.ent.2.x86_64.rpm
mod_ssl-2.0.52-38.ent.2.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/httpd-2.0.52-38.ent.2.src.rpm

i386:
httpd-2.0.52-38.ent.2.i386.rpm
httpd-debuginfo-2.0.52-38.ent.2.i386.rpm
httpd-devel-2.0.52-38.ent.2.i386.rpm
httpd-manual-2.0.52-38.ent.2.i386.rpm
httpd-suexec-2.0.52-38.ent.2.i386.rpm
mod_ssl-2.0.52-38.ent.2.i386.rpm

x86_64:
httpd-2.0.52-38.ent.2.x86_64.rpm
httpd-debuginfo-2.0.52-38.ent.2.x86_64.rpm
httpd-devel-2.0.52-38.ent.2.x86_64.rpm
httpd-manual-2.0.52-38.ent.2.x86_64.rpm
httpd-suexec-2.0.52-38.ent.2.x86_64.rpm
mod_ssl-2.0.52-38.ent.2.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/httpd-2.0.52-38.ent.2.src.rpm

i386:
httpd-2.0.52-38.ent.2.i386.rpm
httpd-debuginfo-2.0.52-38.ent.2.i386.rpm
httpd-devel-2.0.52-38.ent.2.i386.rpm
httpd-manual-2.0.52-38.ent.2.i386.rpm
httpd-suexec-2.0.52-38.ent.2.i386.rpm
mod_ssl-2.0.52-38.ent.2.i386.rpm

ia64:
httpd-2.0.52-38.ent.2.ia64.rpm
httpd-debuginfo-2.0.52-38.ent.2.ia64.rpm
httpd-devel-2.0.52-38.ent.2.ia64.rpm
httpd-manual-2.0.52-38.ent.2.ia64.rpm
httpd-suexec-2.0.52-38.ent.2.ia64.rpm
mod_ssl-2.0.52-38.ent.2.ia64.rpm

x86_64:
httpd-2.0.52-38.ent.2.x86_64.rpm
httpd-debuginfo-2.0.52-38.ent.2.x86_64.rpm
httpd-devel-2.0.52-38.ent.2.x86_64.rpm
httpd-manual-2.0.52-38.ent.2.x86_64.rpm
httpd-suexec-2.0.52-38.ent.2.x86_64.rpm
mod_ssl-2.0.52-38.ent.2.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/httpd-2.0.52-38.ent.2.src.rpm

i386:
httpd-2.0.52-38.ent.2.i386.rpm
httpd-debuginfo-2.0.52-38.ent.2.i386.rpm
httpd-devel-2.0.52-38.ent.2.i386.rpm
httpd-manual-2.0.52-38.ent.2.i386.rpm
httpd-suexec-2.0.52-38.ent.2.i386.rpm
mod_ssl-2.0.52-38.ent.2.i386.rpm

ia64:
httpd-2.0.52-38.ent.2.ia64.rpm
httpd-debuginfo-2.0.52-38.ent.2.ia64.rpm
httpd-devel-2.0.52-38.ent.2.ia64.rpm
httpd-manual-2.0.52-38.ent.2.ia64.rpm
httpd-suexec-2.0.52-38.ent.2.ia64.rpm
mod_ssl-2.0.52-38.ent.2.ia64.rpm

x86_64:
httpd-2.0.52-38.ent.2.x86_64.rpm
httpd-debuginfo-2.0.52-38.ent.2.x86_64.rpm
httpd-devel-2.0.52-38.ent.2.x86_64.rpm
httpd-manual-2.0.52-38.ent.2.x86_64.rpm
httpd-suexec-2.0.52-38.ent.2.x86_64.rpm
mod_ssl-2.0.52-38.ent.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHjHzzXlSAg2UNWIIRAqJwAJ9KPmvF2i3h+6OiwTSAO1 L2YS7VkQCghE5P
MnPVTs7wDnBRHtBOuXQltqg=
=r6g/
-----END PGP SIGNATURE-----


--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 
Old 01-15-2008, 08:37 AM
 
Default Moderate: httpd security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================================== ===================
Red Hat Security Advisory

Synopsis: Moderate: httpd security update
Advisory ID: RHSA-2008:0007-01
Product: Red Hat Application Stack
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0007.html
Issue date: 2008-01-15
CVE Names: CVE-2007-5000 CVE-2007-6388 CVE-2008-0005
================================================== ===================

1. Summary:

Updated Apache httpd packages that correct security issues are now
available for Red Hat Application Stack v1

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64

3. Description:

The Apache HTTP Server is a popular Web server.

A flaw was found in the mod_imagemap module. On sites where mod_imagemap
was enabled and an imagemap file was publicly available, a cross-site
scripting attack was possible. (CVE-2007-5000)

A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly accessible, a cross-site
scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_ftp module. On sites where
mod_proxy_ftp was enabled and a forward proxy was configured, a
cross-site scripting attack was possible against browsers which do not
correctly derive the response character set following the rules in RFC
2616. (CVE-2008-0005)

Users of httpd should upgrade to these updated packages, which contain
backported patches to correct these issues. Users should restart httpd
after installing this update.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

419931 - CVE-2007-5000 mod_imagemap XSS
427228 - CVE-2007-6388 apache mod_status cross-site scripting
427739 - CVE-2008-0005 mod_proxy_ftp XSS

6. Package List:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4):

Source:
ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/httpd-2.0.59-1.el4s1.10.src.rpm

i386:
httpd-2.0.59-1.el4s1.10.i386.rpm
httpd-debuginfo-2.0.59-1.el4s1.10.i386.rpm
httpd-devel-2.0.59-1.el4s1.10.i386.rpm
httpd-manual-2.0.59-1.el4s1.10.i386.rpm
mod_ssl-2.0.59-1.el4s1.10.i386.rpm

x86_64:
httpd-2.0.59-1.el4s1.10.x86_64.rpm
httpd-debuginfo-2.0.59-1.el4s1.10.x86_64.rpm
httpd-devel-2.0.59-1.el4s1.10.x86_64.rpm
httpd-manual-2.0.59-1.el4s1.10.x86_64.rpm
mod_ssl-2.0.59-1.el4s1.10.x86_64.rpm

Red Hat Application Stack v1 for Enterprise Linux ES (v.4):

Source:
ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/httpd-2.0.59-1.el4s1.10.src.rpm

i386:
httpd-2.0.59-1.el4s1.10.i386.rpm
httpd-debuginfo-2.0.59-1.el4s1.10.i386.rpm
httpd-devel-2.0.59-1.el4s1.10.i386.rpm
httpd-manual-2.0.59-1.el4s1.10.i386.rpm
mod_ssl-2.0.59-1.el4s1.10.i386.rpm

x86_64:
httpd-2.0.59-1.el4s1.10.x86_64.rpm
httpd-debuginfo-2.0.59-1.el4s1.10.x86_64.rpm
httpd-devel-2.0.59-1.el4s1.10.x86_64.rpm
httpd-manual-2.0.59-1.el4s1.10.x86_64.rpm
mod_ssl-2.0.59-1.el4s1.10.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHjH6QXlSAg2UNWIIRAgJhAJ96i8tWHYzR+WW7M7BEmE Y3ixhFTwCgrdoP
7tLxvhnU9bORvH6WPvgOo0g=
=0DXv
-----END PGP SIGNATURE-----


--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 
Old 01-15-2008, 08:39 AM
 
Default Moderate: httpd security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================================== ===================
Red Hat Security Advisory

Synopsis: Moderate: httpd security update
Advisory ID: RHSA-2008:0008-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0008.html
Issue date: 2008-01-15
CVE Names: CVE-2007-4465 CVE-2007-5000 CVE-2007-6388
CVE-2007-6421 CVE-2007-6422 CVE-2008-0005
================================================== ===================

1. Summary:

Updated Apache httpd packages that fix several security issues are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

The Apache HTTP Server is a popular Web server.

A flaw was found in the mod_imagemap module. On sites where mod_imagemap
was enabled and an imagemap file was publicly available, a cross-site
scripting attack was possible. (CVE-2007-5000)

A flaw was found in the mod_autoindex module. On sites where directory
listings are used, and the "AddDefaultCharset" directive has been removed
from the configuration, a cross-site scripting attack might have been
possible against Web browsers which do not correctly derive the response
character set following the rules in RFC 2616. (CVE-2007-4465)

A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, a cross-site scripting attack against an
authorized user was possible. (CVE-2007-6421)

A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. This could lead to a denial of service if using a
threaded Multi-Processing Module. (CVE-2007-6422)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which do not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)

Users of Apache httpd should upgrade to these updated packages, which
contain backported patches to resolve these issues. Users should restart
httpd after installing this update.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

289511 - CVE-2007-4465 mod_autoindex XSS
419931 - CVE-2007-5000 mod_imagemap XSS
427228 - CVE-2007-6388 apache mod_status cross-site scripting
427229 - CVE-2007-6421 httpd mod_proxy_balancer cross-site scripting
427230 - CVE-2007-6422 httpd mod_proxy_balancer crash
427739 - CVE-2008-0005 mod_proxy_ftp XSS

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-11.el5_1.3.src.rpm

i386:
httpd-2.2.3-11.el5_1.3.i386.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.i386.rpm
mod_ssl-2.2.3-11.el5_1.3.i386.rpm

x86_64:
httpd-2.2.3-11.el5_1.3.x86_64.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.x86_64.rpm
mod_ssl-2.2.3-11.el5_1.3.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-11.el5_1.3.src.rpm

i386:
httpd-debuginfo-2.2.3-11.el5_1.3.i386.rpm
httpd-devel-2.2.3-11.el5_1.3.i386.rpm
httpd-manual-2.2.3-11.el5_1.3.i386.rpm

x86_64:
httpd-debuginfo-2.2.3-11.el5_1.3.i386.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.x86_64.rpm
httpd-devel-2.2.3-11.el5_1.3.i386.rpm
httpd-devel-2.2.3-11.el5_1.3.x86_64.rpm
httpd-manual-2.2.3-11.el5_1.3.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/httpd-2.2.3-11.el5_1.3.src.rpm

i386:
httpd-2.2.3-11.el5_1.3.i386.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.i386.rpm
httpd-devel-2.2.3-11.el5_1.3.i386.rpm
httpd-manual-2.2.3-11.el5_1.3.i386.rpm
mod_ssl-2.2.3-11.el5_1.3.i386.rpm

ia64:
httpd-2.2.3-11.el5_1.3.ia64.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.ia64.rpm
httpd-devel-2.2.3-11.el5_1.3.ia64.rpm
httpd-manual-2.2.3-11.el5_1.3.ia64.rpm
mod_ssl-2.2.3-11.el5_1.3.ia64.rpm

ppc:
httpd-2.2.3-11.el5_1.3.ppc.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.ppc.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.ppc64.rpm
httpd-devel-2.2.3-11.el5_1.3.ppc.rpm
httpd-devel-2.2.3-11.el5_1.3.ppc64.rpm
httpd-manual-2.2.3-11.el5_1.3.ppc.rpm
mod_ssl-2.2.3-11.el5_1.3.ppc.rpm

s390x:
httpd-2.2.3-11.el5_1.3.s390x.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.s390.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.s390x.rpm
httpd-devel-2.2.3-11.el5_1.3.s390.rpm
httpd-devel-2.2.3-11.el5_1.3.s390x.rpm
httpd-manual-2.2.3-11.el5_1.3.s390x.rpm
mod_ssl-2.2.3-11.el5_1.3.s390x.rpm

x86_64:
httpd-2.2.3-11.el5_1.3.x86_64.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.i386.rpm
httpd-debuginfo-2.2.3-11.el5_1.3.x86_64.rpm
httpd-devel-2.2.3-11.el5_1.3.i386.rpm
httpd-devel-2.2.3-11.el5_1.3.x86_64.rpm
httpd-manual-2.2.3-11.el5_1.3.x86_64.rpm
mod_ssl-2.2.3-11.el5_1.3.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHjH9QXlSAg2UNWIIRAup2AKCQZbTcXjbAwNNkdLETMM HU0Xie+gCffxCx
5gj8X5pq55bntO796SHHFTg=
=nZWz
-----END PGP SIGNATURE-----


--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 
Old 01-21-2008, 08:37 AM
 
Default Moderate: httpd security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================================== ===================
Red Hat Security Advisory

Synopsis: Moderate: httpd security update
Advisory ID: RHSA-2008:0009-01
Product: Red Hat Application Stack
Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0009.html
Issue date: 2008-01-21
CVE Names: CVE-2007-5000 CVE-2007-6388 CVE-2007-6421
CVE-2007-6422 CVE-2008-0005
================================================== ===================

1. Summary:

Updated Apache httpd packages that correct several security issues are now
available for Red Hat Application Stack v2.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v2 for Enterprise Linux (v.5) - i386, x86_64

3. Description:

The Apache HTTP Server is a popular and freely-available Web server.

These updated httpd packages resolve the following security issues:

A flaw was found in the mod_imagemap module. On sites where mod_imagemap
was enabled and an imagemap file was publicly available, a cross-site
scripting attack was possible. (CVE-2007-5000)

A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly accessible, a cross-site
scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, a cross-site scripting attack against an
authorized user was possible. (CVE-2007-6421)

A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. This could lead to a denial of service if using a
threaded Multi-Processing Module. (CVE-2007-6422)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against browsers which do not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)

Users of httpd should upgrade to these updated packages, which contain
backported patches to correct these issues. Users should restart httpd
after installing this update.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

419931 - CVE-2007-5000 mod_imagemap XSS
427228 - CVE-2007-6388 apache mod_status cross-site scripting
427229 - CVE-2007-6421 httpd mod_proxy_balancer cross-site scripting
427230 - CVE-2007-6422 httpd mod_proxy_balancer crash
427739 - CVE-2008-0005 mod_proxy_ftp XSS

6. Package List:

Red Hat Application Stack v2 for Enterprise Linux (v.5):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHWAS/SRPMS/httpd-2.2.4-9.el5s2.src.rpm

i386:
httpd-2.2.4-9.el5s2.i386.rpm
httpd-debuginfo-2.2.4-9.el5s2.i386.rpm
httpd-devel-2.2.4-9.el5s2.i386.rpm
httpd-manual-2.2.4-9.el5s2.i386.rpm
mod_ssl-2.2.4-9.el5s2.i386.rpm

x86_64:
httpd-2.2.4-9.el5s2.x86_64.rpm
httpd-debuginfo-2.2.4-9.el5s2.i386.rpm
httpd-debuginfo-2.2.4-9.el5s2.x86_64.rpm
httpd-devel-2.2.4-9.el5s2.i386.rpm
httpd-devel-2.2.4-9.el5s2.x86_64.rpm
httpd-manual-2.2.4-9.el5s2.x86_64.rpm
mod_ssl-2.2.4-9.el5s2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2008 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHlGfRXlSAg2UNWIIRAkt5AKCW7qsZBohWNbrrypotgG ZYm9qhXgCdFyGl
F7bbGztZDmBq6N1jmTIwOD8=
=ani9
-----END PGP SIGNATURE-----


--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 
Old 11-11-2009, 09:13 PM
 
Default Moderate: httpd security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================================== ===================
Red Hat Security Advisory

Synopsis: Moderate: httpd security update
Advisory ID: RHSA-2009:1579-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1579.html
Issue date: 2009-11-11
CVE Names: CVE-2009-3094 CVE-2009-3095 CVE-2009-3555
================================================== ===================

1. Summary:

Updated httpd packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 3 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Description:

The Apache HTTP Server is a popular Web server.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handle session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client's
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker's request as if authenticated using the
victim's credentials. This update partially mitigates this flaw for SSL
sessions to HTTP servers using mod_ssl by rejecting client-requested
renegotiation. (CVE-2009-3555)

Note: This update does not fully resolve the issue for HTTPS servers. An
attack is still possible in configurations that require a server-initiated
renegotiation. Refer to the following Knowledgebase article for further
information: http://kbase.redhat.com/faq/docs/DOC-20491

A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp
module. A malicious FTP server to which requests are being proxied could
use this flaw to crash an httpd child process via a malformed reply to the
EPSV or PASV commands, resulting in a limited denial of service.
(CVE-2009-3094)

A second flaw was found in the Apache mod_proxy_ftp module. In a reverse
proxy configuration, a remote attacker could use this flaw to bypass
intended access restrictions by creating a carefully-crafted HTTP
Authorization header, allowing the attacker to send arbitrary commands to
the FTP server. (CVE-2009-3095)

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

521619 - CVE-2009-3094 httpd: NULL pointer defer in mod_proxy_ftp caused by crafted EPSV and PASV reply
522209 - CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header
533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation

6. Package List:

Red Hat Enterprise Linux AS version 3:

Source:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/httpd-2.0.46-77.ent.src.rpm

i386:
httpd-2.0.46-77.ent.i386.rpm
httpd-debuginfo-2.0.46-77.ent.i386.rpm
httpd-devel-2.0.46-77.ent.i386.rpm
mod_ssl-2.0.46-77.ent.i386.rpm

ia64:
httpd-2.0.46-77.ent.ia64.rpm
httpd-debuginfo-2.0.46-77.ent.ia64.rpm
httpd-devel-2.0.46-77.ent.ia64.rpm
mod_ssl-2.0.46-77.ent.ia64.rpm

ppc:
httpd-2.0.46-77.ent.ppc.rpm
httpd-debuginfo-2.0.46-77.ent.ppc.rpm
httpd-devel-2.0.46-77.ent.ppc.rpm
mod_ssl-2.0.46-77.ent.ppc.rpm

s390:
httpd-2.0.46-77.ent.s390.rpm
httpd-debuginfo-2.0.46-77.ent.s390.rpm
httpd-devel-2.0.46-77.ent.s390.rpm
mod_ssl-2.0.46-77.ent.s390.rpm

s390x:
httpd-2.0.46-77.ent.s390x.rpm
httpd-debuginfo-2.0.46-77.ent.s390x.rpm
httpd-devel-2.0.46-77.ent.s390x.rpm
mod_ssl-2.0.46-77.ent.s390x.rpm

x86_64:
httpd-2.0.46-77.ent.x86_64.rpm
httpd-debuginfo-2.0.46-77.ent.x86_64.rpm
httpd-devel-2.0.46-77.ent.x86_64.rpm
mod_ssl-2.0.46-77.ent.x86_64.rpm

Red Hat Desktop version 3:

Source:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/httpd-2.0.46-77.ent.src.rpm

i386:
httpd-2.0.46-77.ent.i386.rpm
httpd-debuginfo-2.0.46-77.ent.i386.rpm
httpd-devel-2.0.46-77.ent.i386.rpm
mod_ssl-2.0.46-77.ent.i386.rpm

x86_64:
httpd-2.0.46-77.ent.x86_64.rpm
httpd-debuginfo-2.0.46-77.ent.x86_64.rpm
httpd-devel-2.0.46-77.ent.x86_64.rpm
mod_ssl-2.0.46-77.ent.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

Source:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-77.ent.src.rpm

i386:
httpd-2.0.46-77.ent.i386.rpm
httpd-debuginfo-2.0.46-77.ent.i386.rpm
httpd-devel-2.0.46-77.ent.i386.rpm
mod_ssl-2.0.46-77.ent.i386.rpm

ia64:
httpd-2.0.46-77.ent.ia64.rpm
httpd-debuginfo-2.0.46-77.ent.ia64.rpm
httpd-devel-2.0.46-77.ent.ia64.rpm
mod_ssl-2.0.46-77.ent.ia64.rpm

x86_64:
httpd-2.0.46-77.ent.x86_64.rpm
httpd-debuginfo-2.0.46-77.ent.x86_64.rpm
httpd-devel-2.0.46-77.ent.x86_64.rpm
mod_ssl-2.0.46-77.ent.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

Source:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/httpd-2.0.46-77.ent.src.rpm

i386:
httpd-2.0.46-77.ent.i386.rpm
httpd-debuginfo-2.0.46-77.ent.i386.rpm
httpd-devel-2.0.46-77.ent.i386.rpm
mod_ssl-2.0.46-77.ent.i386.rpm

ia64:
httpd-2.0.46-77.ent.ia64.rpm
httpd-debuginfo-2.0.46-77.ent.ia64.rpm
httpd-devel-2.0.46-77.ent.ia64.rpm
mod_ssl-2.0.46-77.ent.ia64.rpm

x86_64:
httpd-2.0.46-77.ent.x86_64.rpm
httpd-debuginfo-2.0.46-77.ent.x86_64.rpm
httpd-devel-2.0.46-77.ent.x86_64.rpm
mod_ssl-2.0.46-77.ent.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-31.el5_4.2.src.rpm

i386:
httpd-2.2.3-31.el5_4.2.i386.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.i386.rpm
mod_ssl-2.2.3-31.el5_4.2.i386.rpm

x86_64:
httpd-2.2.3-31.el5_4.2.x86_64.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.x86_64.rpm
mod_ssl-2.2.3-31.el5_4.2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-31.el5_4.2.src.rpm

i386:
httpd-debuginfo-2.2.3-31.el5_4.2.i386.rpm
httpd-devel-2.2.3-31.el5_4.2.i386.rpm
httpd-manual-2.2.3-31.el5_4.2.i386.rpm

x86_64:
httpd-debuginfo-2.2.3-31.el5_4.2.i386.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.x86_64.rpm
httpd-devel-2.2.3-31.el5_4.2.i386.rpm
httpd-devel-2.2.3-31.el5_4.2.x86_64.rpm
httpd-manual-2.2.3-31.el5_4.2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/httpd-2.2.3-31.el5_4.2.src.rpm

i386:
httpd-2.2.3-31.el5_4.2.i386.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.i386.rpm
httpd-devel-2.2.3-31.el5_4.2.i386.rpm
httpd-manual-2.2.3-31.el5_4.2.i386.rpm
mod_ssl-2.2.3-31.el5_4.2.i386.rpm

ia64:
httpd-2.2.3-31.el5_4.2.ia64.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.ia64.rpm
httpd-devel-2.2.3-31.el5_4.2.ia64.rpm
httpd-manual-2.2.3-31.el5_4.2.ia64.rpm
mod_ssl-2.2.3-31.el5_4.2.ia64.rpm

ppc:
httpd-2.2.3-31.el5_4.2.ppc.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.ppc.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.ppc64.rpm
httpd-devel-2.2.3-31.el5_4.2.ppc.rpm
httpd-devel-2.2.3-31.el5_4.2.ppc64.rpm
httpd-manual-2.2.3-31.el5_4.2.ppc.rpm
mod_ssl-2.2.3-31.el5_4.2.ppc.rpm

s390x:
httpd-2.2.3-31.el5_4.2.s390x.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.s390.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.s390x.rpm
httpd-devel-2.2.3-31.el5_4.2.s390.rpm
httpd-devel-2.2.3-31.el5_4.2.s390x.rpm
httpd-manual-2.2.3-31.el5_4.2.s390x.rpm
mod_ssl-2.2.3-31.el5_4.2.s390x.rpm

x86_64:
httpd-2.2.3-31.el5_4.2.x86_64.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.i386.rpm
httpd-debuginfo-2.2.3-31.el5_4.2.x86_64.rpm
httpd-devel-2.2.3-31.el5_4.2.i386.rpm
httpd-devel-2.2.3-31.el5_4.2.x86_64.rpm
httpd-manual-2.2.3-31.el5_4.2.x86_64.rpm
mod_ssl-2.2.3-31.el5_4.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://www.redhat.com/security/updates/classification/#moderate
http://kbase.redhat.com/faq/docs/DOC-20491

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFK+zb/XlSAg2UNWIIRAmwYAKC0f8RduYXFgbsf6oC7QCyjT2bvRACff3 ty
zuZc7hPPvh0QopUIr2V974o=
=Go9J
-----END PGP SIGNATURE-----


--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 
Old 11-11-2009, 09:13 PM
 
Default Moderate: httpd security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================================== ===================
Red Hat Security Advisory

Synopsis: Moderate: httpd security update
Advisory ID: RHSA-2009:1580-02
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1580.html
Issue date: 2009-11-11
CVE Names: CVE-2009-1891 CVE-2009-3094 CVE-2009-3095
CVE-2009-3555
================================================== ===================

1. Summary:

Updated httpd packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

The Apache HTTP Server is a popular Web server.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handle session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client's
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker's request as if authenticated using the
victim's credentials. This update partially mitigates this flaw for SSL
sessions to HTTP servers using mod_ssl by rejecting client-requested
renegotiation. (CVE-2009-3555)

Note: This update does not fully resolve the issue for HTTPS servers. An
attack is still possible in configurations that require a server-initiated
renegotiation. Refer to the following Knowledgebase article for further
information: http://kbase.redhat.com/faq/docs/DOC-20491

A denial of service flaw was found in the Apache mod_deflate module. This
module continued to compress large files until compression was complete,
even if the network connection that requested the content was closed before
compression completed. This would cause mod_deflate to consume large
amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)

A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp
module. A malicious FTP server to which requests are being proxied could
use this flaw to crash an httpd child process via a malformed reply to the
EPSV or PASV commands, resulting in a limited denial of service.
(CVE-2009-3094)

A second flaw was found in the Apache mod_proxy_ftp module. In a reverse
proxy configuration, a remote attacker could use this flaw to bypass
intended access restrictions by creating a carefully-crafted HTTP
Authorization header, allowing the attacker to send arbitrary commands to
the FTP server. (CVE-2009-3095)

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

509125 - CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate
521619 - CVE-2009-3094 httpd: NULL pointer defer in mod_proxy_ftp caused by crafted EPSV and PASV reply
522209 - CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header
533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation

6. Package List:

Red Hat Enterprise Linux AS version 4:

Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/httpd-2.0.52-41.ent.6.src.rpm

i386:
httpd-2.0.52-41.ent.6.i386.rpm
httpd-debuginfo-2.0.52-41.ent.6.i386.rpm
httpd-devel-2.0.52-41.ent.6.i386.rpm
httpd-manual-2.0.52-41.ent.6.i386.rpm
httpd-suexec-2.0.52-41.ent.6.i386.rpm
mod_ssl-2.0.52-41.ent.6.i386.rpm

ia64:
httpd-2.0.52-41.ent.6.ia64.rpm
httpd-debuginfo-2.0.52-41.ent.6.ia64.rpm
httpd-devel-2.0.52-41.ent.6.ia64.rpm
httpd-manual-2.0.52-41.ent.6.ia64.rpm
httpd-suexec-2.0.52-41.ent.6.ia64.rpm
mod_ssl-2.0.52-41.ent.6.ia64.rpm

ppc:
httpd-2.0.52-41.ent.6.ppc.rpm
httpd-debuginfo-2.0.52-41.ent.6.ppc.rpm
httpd-devel-2.0.52-41.ent.6.ppc.rpm
httpd-manual-2.0.52-41.ent.6.ppc.rpm
httpd-suexec-2.0.52-41.ent.6.ppc.rpm
mod_ssl-2.0.52-41.ent.6.ppc.rpm

s390:
httpd-2.0.52-41.ent.6.s390.rpm
httpd-debuginfo-2.0.52-41.ent.6.s390.rpm
httpd-devel-2.0.52-41.ent.6.s390.rpm
httpd-manual-2.0.52-41.ent.6.s390.rpm
httpd-suexec-2.0.52-41.ent.6.s390.rpm
mod_ssl-2.0.52-41.ent.6.s390.rpm

s390x:
httpd-2.0.52-41.ent.6.s390x.rpm
httpd-debuginfo-2.0.52-41.ent.6.s390x.rpm
httpd-devel-2.0.52-41.ent.6.s390x.rpm
httpd-manual-2.0.52-41.ent.6.s390x.rpm
httpd-suexec-2.0.52-41.ent.6.s390x.rpm
mod_ssl-2.0.52-41.ent.6.s390x.rpm

x86_64:
httpd-2.0.52-41.ent.6.x86_64.rpm
httpd-debuginfo-2.0.52-41.ent.6.x86_64.rpm
httpd-devel-2.0.52-41.ent.6.x86_64.rpm
httpd-manual-2.0.52-41.ent.6.x86_64.rpm
httpd-suexec-2.0.52-41.ent.6.x86_64.rpm
mod_ssl-2.0.52-41.ent.6.x86_64.rpm

Red Hat Enterprise Linux Desktop version 4:

Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/httpd-2.0.52-41.ent.6.src.rpm

i386:
httpd-2.0.52-41.ent.6.i386.rpm
httpd-debuginfo-2.0.52-41.ent.6.i386.rpm
httpd-devel-2.0.52-41.ent.6.i386.rpm
httpd-manual-2.0.52-41.ent.6.i386.rpm
httpd-suexec-2.0.52-41.ent.6.i386.rpm
mod_ssl-2.0.52-41.ent.6.i386.rpm

x86_64:
httpd-2.0.52-41.ent.6.x86_64.rpm
httpd-debuginfo-2.0.52-41.ent.6.x86_64.rpm
httpd-devel-2.0.52-41.ent.6.x86_64.rpm
httpd-manual-2.0.52-41.ent.6.x86_64.rpm
httpd-suexec-2.0.52-41.ent.6.x86_64.rpm
mod_ssl-2.0.52-41.ent.6.x86_64.rpm

Red Hat Enterprise Linux ES version 4:

Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/httpd-2.0.52-41.ent.6.src.rpm

i386:
httpd-2.0.52-41.ent.6.i386.rpm
httpd-debuginfo-2.0.52-41.ent.6.i386.rpm
httpd-devel-2.0.52-41.ent.6.i386.rpm
httpd-manual-2.0.52-41.ent.6.i386.rpm
httpd-suexec-2.0.52-41.ent.6.i386.rpm
mod_ssl-2.0.52-41.ent.6.i386.rpm

ia64:
httpd-2.0.52-41.ent.6.ia64.rpm
httpd-debuginfo-2.0.52-41.ent.6.ia64.rpm
httpd-devel-2.0.52-41.ent.6.ia64.rpm
httpd-manual-2.0.52-41.ent.6.ia64.rpm
httpd-suexec-2.0.52-41.ent.6.ia64.rpm
mod_ssl-2.0.52-41.ent.6.ia64.rpm

x86_64:
httpd-2.0.52-41.ent.6.x86_64.rpm
httpd-debuginfo-2.0.52-41.ent.6.x86_64.rpm
httpd-devel-2.0.52-41.ent.6.x86_64.rpm
httpd-manual-2.0.52-41.ent.6.x86_64.rpm
httpd-suexec-2.0.52-41.ent.6.x86_64.rpm
mod_ssl-2.0.52-41.ent.6.x86_64.rpm

Red Hat Enterprise Linux WS version 4:

Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/httpd-2.0.52-41.ent.6.src.rpm

i386:
httpd-2.0.52-41.ent.6.i386.rpm
httpd-debuginfo-2.0.52-41.ent.6.i386.rpm
httpd-devel-2.0.52-41.ent.6.i386.rpm
httpd-manual-2.0.52-41.ent.6.i386.rpm
httpd-suexec-2.0.52-41.ent.6.i386.rpm
mod_ssl-2.0.52-41.ent.6.i386.rpm

ia64:
httpd-2.0.52-41.ent.6.ia64.rpm
httpd-debuginfo-2.0.52-41.ent.6.ia64.rpm
httpd-devel-2.0.52-41.ent.6.ia64.rpm
httpd-manual-2.0.52-41.ent.6.ia64.rpm
httpd-suexec-2.0.52-41.ent.6.ia64.rpm
mod_ssl-2.0.52-41.ent.6.ia64.rpm

x86_64:
httpd-2.0.52-41.ent.6.x86_64.rpm
httpd-debuginfo-2.0.52-41.ent.6.x86_64.rpm
httpd-devel-2.0.52-41.ent.6.x86_64.rpm
httpd-manual-2.0.52-41.ent.6.x86_64.rpm
httpd-suexec-2.0.52-41.ent.6.x86_64.rpm
mod_ssl-2.0.52-41.ent.6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://www.redhat.com/security/updates/classification/#moderate
http://kbase.redhat.com/faq/docs/DOC-20491

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFK+zcXXlSAg2UNWIIRAmhLAJ9+HITyv4ZwC5nF35t2XM mgf5AG6gCgjTdd
lcPWpMmXTzMisGRs8R20I4M=
=Gnpp
-----END PGP SIGNATURE-----


--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 
Old 02-13-2012, 07:39 PM
 
Default Moderate: httpd security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================================== ===================
Red Hat Security Advisory

Synopsis: Moderate: httpd security update
Advisory ID: RHSA-2012:0128-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0128.html
Issue date: 2012-02-13
CVE Names: CVE-2011-3607 CVE-2011-3639 CVE-2011-4317
CVE-2012-0031 CVE-2012-0053
================================================== ===================

1. Summary:

Updated httpd packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64

3. Description:

The Apache HTTP Server is a popular web server.

It was discovered that the fix for CVE-2011-3368 (released via
RHSA-2011:1391) did not completely address the problem. An attacker could
bypass the fix and make a reverse proxy connect to an arbitrary server not
directly accessible to the attacker by sending an HTTP version 0.9 request,
or by using a specially-crafted URI. (CVE-2011-3639, CVE-2011-4317)

The httpd server included the full HTTP header line in the default error
page generated when receiving an excessively long or malformed header.
Malicious JavaScript running in the server's domain context could use this
flaw to gain access to httpOnly cookies. (CVE-2012-0053)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way httpd performed substitutions in regular expressions. An
attacker able to set certain httpd settings, such as a user permitted to
override the httpd configuration for a specific directory using a
".htaccess" file, could use this flaw to crash the httpd child process or,
possibly, execute arbitrary code with the privileges of the "apache" user.
(CVE-2011-3607)

A flaw was found in the way httpd handled child process status information.
A malicious program running with httpd child process privileges (such as a
PHP or CGI script) could use this flaw to cause the parent httpd process to
crash during httpd service shutdown. (CVE-2012-0031)

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

752080 - CVE-2011-3639 httpd: http 0.9 request bypass of the reverse proxy vulnerability CVE-2011-3368 fix
756483 - CVE-2011-4317 httpd: uri scheme bypass of the reverse proxy vulnerability CVE-2011-3368 fix
769844 - CVE-2011-3607 httpd: ap_pregsub Integer overflow to buffer overflow
773744 - CVE-2012-0031 httpd: possible crash on shutdown due to flaw in scoreboard handling
785069 - CVE-2012-0053 httpd: cookie exposure due to error responses

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/httpd-2.2.15-15.el6_2.1.src.rpm

i386:
httpd-2.2.15-15.el6_2.1.i686.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.i686.rpm
httpd-tools-2.2.15-15.el6_2.1.i686.rpm

x86_64:
httpd-2.2.15-15.el6_2.1.x86_64.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.x86_64.rpm
httpd-tools-2.2.15-15.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/httpd-2.2.15-15.el6_2.1.src.rpm

i386:
httpd-debuginfo-2.2.15-15.el6_2.1.i686.rpm
httpd-devel-2.2.15-15.el6_2.1.i686.rpm
mod_ssl-2.2.15-15.el6_2.1.i686.rpm

noarch:
httpd-manual-2.2.15-15.el6_2.1.noarch.rpm

x86_64:
httpd-debuginfo-2.2.15-15.el6_2.1.i686.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.x86_64.rpm
httpd-devel-2.2.15-15.el6_2.1.i686.rpm
httpd-devel-2.2.15-15.el6_2.1.x86_64.rpm
mod_ssl-2.2.15-15.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/httpd-2.2.15-15.el6_2.1.src.rpm

x86_64:
httpd-2.2.15-15.el6_2.1.x86_64.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.x86_64.rpm
httpd-tools-2.2.15-15.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/httpd-2.2.15-15.el6_2.1.src.rpm

noarch:
httpd-manual-2.2.15-15.el6_2.1.noarch.rpm

x86_64:
httpd-debuginfo-2.2.15-15.el6_2.1.i686.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.x86_64.rpm
httpd-devel-2.2.15-15.el6_2.1.i686.rpm
httpd-devel-2.2.15-15.el6_2.1.x86_64.rpm
mod_ssl-2.2.15-15.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/httpd-2.2.15-15.el6_2.1.src.rpm

i386:
httpd-2.2.15-15.el6_2.1.i686.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.i686.rpm
httpd-devel-2.2.15-15.el6_2.1.i686.rpm
httpd-tools-2.2.15-15.el6_2.1.i686.rpm
mod_ssl-2.2.15-15.el6_2.1.i686.rpm

noarch:
httpd-manual-2.2.15-15.el6_2.1.noarch.rpm

ppc64:
httpd-2.2.15-15.el6_2.1.ppc64.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.ppc.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.ppc64.rpm
httpd-devel-2.2.15-15.el6_2.1.ppc.rpm
httpd-devel-2.2.15-15.el6_2.1.ppc64.rpm
httpd-tools-2.2.15-15.el6_2.1.ppc64.rpm
mod_ssl-2.2.15-15.el6_2.1.ppc64.rpm

s390x:
httpd-2.2.15-15.el6_2.1.s390x.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.s390.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.s390x.rpm
httpd-devel-2.2.15-15.el6_2.1.s390.rpm
httpd-devel-2.2.15-15.el6_2.1.s390x.rpm
httpd-tools-2.2.15-15.el6_2.1.s390x.rpm
mod_ssl-2.2.15-15.el6_2.1.s390x.rpm

x86_64:
httpd-2.2.15-15.el6_2.1.x86_64.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.i686.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.x86_64.rpm
httpd-devel-2.2.15-15.el6_2.1.i686.rpm
httpd-devel-2.2.15-15.el6_2.1.x86_64.rpm
httpd-tools-2.2.15-15.el6_2.1.x86_64.rpm
mod_ssl-2.2.15-15.el6_2.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/httpd-2.2.15-15.el6_2.1.src.rpm

i386:
httpd-2.2.15-15.el6_2.1.i686.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.i686.rpm
httpd-devel-2.2.15-15.el6_2.1.i686.rpm
httpd-tools-2.2.15-15.el6_2.1.i686.rpm
mod_ssl-2.2.15-15.el6_2.1.i686.rpm

noarch:
httpd-manual-2.2.15-15.el6_2.1.noarch.rpm

x86_64:
httpd-2.2.15-15.el6_2.1.x86_64.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.i686.rpm
httpd-debuginfo-2.2.15-15.el6_2.1.x86_64.rpm
httpd-devel-2.2.15-15.el6_2.1.i686.rpm
httpd-devel-2.2.15-15.el6_2.1.x86_64.rpm
httpd-tools-2.2.15-15.el6_2.1.x86_64.rpm
mod_ssl-2.2.15-15.el6_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-3607.html
https://www.redhat.com/security/data/cve/CVE-2011-3639.html
https://www.redhat.com/security/data/cve/CVE-2011-4317.html
https://www.redhat.com/security/data/cve/CVE-2012-0031.html
https://www.redhat.com/security/data/cve/CVE-2012-0053.html
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHSA-2011-1391.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPOXUIXlSAg2UNWIIRAg4AAJ9vTPttyKrbHbaSV7xCAz G89ytZgACfTSq+
HOLS5+cKusdo+jUiYKIV4mw=
=fM2U
-----END PGP SIGNATURE-----


--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 
Old 02-21-2012, 09:35 PM
 
Default Moderate: httpd security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================================== ===================
Red Hat Security Advisory

Synopsis: Moderate: httpd security update
Advisory ID: RHSA-2012:0323-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0323.html
Issue date: 2012-02-21
CVE Names: CVE-2011-3607 CVE-2011-3639 CVE-2012-0031
CVE-2012-0053
================================================== ===================

1. Summary:

Updated httpd packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The Apache HTTP Server is a popular web server.

It was discovered that the fix for CVE-2011-3368 (released via
RHSA-2011:1392) did not completely address the problem. An attacker could
bypass the fix and make a reverse proxy connect to an arbitrary server not
directly accessible to the attacker by sending an HTTP version 0.9 request.
(CVE-2011-3639)

The httpd server included the full HTTP header line in the default error
page generated when receiving an excessively long or malformed header.
Malicious JavaScript running in the server's domain context could use this
flaw to gain access to httpOnly cookies. (CVE-2012-0053)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way httpd performed substitutions in regular expressions. An
attacker able to set certain httpd settings, such as a user permitted to
override the httpd configuration for a specific directory using a
".htaccess" file, could use this flaw to crash the httpd child process or,
possibly, execute arbitrary code with the privileges of the "apache" user.
(CVE-2011-3607)

A flaw was found in the way httpd handled child process status information.
A malicious program running with httpd child process privileges (such as a
PHP or CGI script) could use this flaw to cause the parent httpd process to
crash during httpd service shutdown. (CVE-2012-0031)

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

752080 - CVE-2011-3639 httpd: http 0.9 request bypass of the reverse proxy vulnerability CVE-2011-3368 fix
769844 - CVE-2011-3607 httpd: ap_pregsub Integer overflow to buffer overflow
773744 - CVE-2012-0031 httpd: possible crash on shutdown due to flaw in scoreboard handling
785069 - CVE-2012-0053 httpd: cookie exposure due to error responses

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-63.el5_8.1.src.rpm

i386:
httpd-2.2.3-63.el5_8.1.i386.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.i386.rpm
mod_ssl-2.2.3-63.el5_8.1.i386.rpm

x86_64:
httpd-2.2.3-63.el5_8.1.x86_64.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.x86_64.rpm
mod_ssl-2.2.3-63.el5_8.1.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/httpd-2.2.3-63.el5_8.1.src.rpm

i386:
httpd-debuginfo-2.2.3-63.el5_8.1.i386.rpm
httpd-devel-2.2.3-63.el5_8.1.i386.rpm
httpd-manual-2.2.3-63.el5_8.1.i386.rpm

x86_64:
httpd-debuginfo-2.2.3-63.el5_8.1.i386.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.x86_64.rpm
httpd-devel-2.2.3-63.el5_8.1.i386.rpm
httpd-devel-2.2.3-63.el5_8.1.x86_64.rpm
httpd-manual-2.2.3-63.el5_8.1.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/httpd-2.2.3-63.el5_8.1.src.rpm

i386:
httpd-2.2.3-63.el5_8.1.i386.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.i386.rpm
httpd-devel-2.2.3-63.el5_8.1.i386.rpm
httpd-manual-2.2.3-63.el5_8.1.i386.rpm
mod_ssl-2.2.3-63.el5_8.1.i386.rpm

ia64:
httpd-2.2.3-63.el5_8.1.ia64.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.ia64.rpm
httpd-devel-2.2.3-63.el5_8.1.ia64.rpm
httpd-manual-2.2.3-63.el5_8.1.ia64.rpm
mod_ssl-2.2.3-63.el5_8.1.ia64.rpm

ppc:
httpd-2.2.3-63.el5_8.1.ppc.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.ppc.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.ppc64.rpm
httpd-devel-2.2.3-63.el5_8.1.ppc.rpm
httpd-devel-2.2.3-63.el5_8.1.ppc64.rpm
httpd-manual-2.2.3-63.el5_8.1.ppc.rpm
mod_ssl-2.2.3-63.el5_8.1.ppc.rpm

s390x:
httpd-2.2.3-63.el5_8.1.s390x.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.s390.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.s390x.rpm
httpd-devel-2.2.3-63.el5_8.1.s390.rpm
httpd-devel-2.2.3-63.el5_8.1.s390x.rpm
httpd-manual-2.2.3-63.el5_8.1.s390x.rpm
mod_ssl-2.2.3-63.el5_8.1.s390x.rpm

x86_64:
httpd-2.2.3-63.el5_8.1.x86_64.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.i386.rpm
httpd-debuginfo-2.2.3-63.el5_8.1.x86_64.rpm
httpd-devel-2.2.3-63.el5_8.1.i386.rpm
httpd-devel-2.2.3-63.el5_8.1.x86_64.rpm
httpd-manual-2.2.3-63.el5_8.1.x86_64.rpm
mod_ssl-2.2.3-63.el5_8.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-3607.html
https://www.redhat.com/security/data/cve/CVE-2011-3639.html
https://www.redhat.com/security/data/cve/CVE-2012-0031.html
https://www.redhat.com/security/data/cve/CVE-2012-0053.html
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHSA-2011-1392.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFPRBwPXlSAg2UNWIIRAlvJAJ0TMniw4hLPlG+CAhF6cZ d3RqTH3QCfVlvK
6HtbvIeYuOnRkg4sqECy22U=
=UZwj
-----END PGP SIGNATURE-----


--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 

Thread Tools




All times are GMT. The time now is 12:20 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org