---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-157701
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157701
2005-08-02
---------------------------------------------------------------------
Name        : httpd
Versions    : rh73: apache-1.3.27-8.legacy
Versions    : rh9: httpd-2.0.40-21.18.legacy
Versions    : fc1: httpd-2.0.51-1.7.legacy
Versions    : fc2: httpd-2.0.51-2.9.2.legacy
Summary     : The httpd Web server
Description :
This package contains a powerful, full-featured, efficient, and
freely-available Web server based on work done by the Apache Software
Foundation. It is also the most popular Web server on the Internet.
---------------------------------------------------------------------
Update Information:

Updated Apache httpd packages to correct security issues are now
available.

The Apache HTTP Server is a powerful, full-featured, efficient, and
freely-available Web server.

Watchfire reported a flaw that occurred when using the Apache server as
an HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request
in a way that the receiving server processes it as a separate HTTP
request. This could allow the bypass of Web application firewall
protection or lead to cross-site scripting (XSS) attacks. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CAN-2005-2088 to this issue.

A buffer overflow was discovered in htdigest that may allow an attacker
to execute arbitrary code. Since htdigest is usually only accessible
locally, the impact of this issue is low. The Common Vulnerabilities and
Exposures project (cve.mitre.org) assigned the name CAN-2005-1344 to
this issue.

Marc Stern reported an off-by-one overflow in the mod_ssl CRL
verification callback. In order to exploit this issue the Apache server
would need to be configured to use a malicious certificate revocation
list (CRL). The Common Vulnerabilities and Exposures project
(cve.mitre.org) assigned the name CAN-2005-1268 to this issue.

Users of Apache httpd should update to these errata packages that
contain backported patches to correct these issues.
---------------------------------------------------------------------
Changelogs

rh73:
* Mon Aug 01 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.3.27-8.legacy
- Added security patch for CAN-2005-2088
* Sun Jul 31 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.3.27-7.legacy
- Added security patch for CAN-2005-1344

rh9:
* Sun Jul 31 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 2.0.40-21.18.legacy
- Added security patches for CAN-2005-1268, CAN-2005-1344 and CAN-2005-2088

fc1:
* Sat Jul 30 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 2.0.51-1.7.legacy
- Added security patches for CAN-2005-1268, CAN-2005-1344 and CAN-2005-2088

fc2:
* Tue Aug 02 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 2.0.51-2.9.2.legacy
- added missing autoconf, libtool, zlib-devel, gdbm-devel BuildRequires
* Sat Jul 30 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 2.0.51-2.9.1.legacy
- Added security patches for CAN-2005-1268, CAN-2005-1344 and CAN-2005-2088
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)
---------------------------------------------------------------------
Please test and comment in bugzilla.
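The CAN-2005-2088 condition described above is a framing disagreement: a Content-Length parser and a chunked-encoding parser draw the message boundary at different places, so whatever follows the chunked terminator is read by the next hop as a new request. The check below is an added example, not code from the advisory or from Apache; it parses a constructed request head the way a proxy or WAF would before forwarding, reports both views of the body, and rejects any request that carries both headers. The sample request, header names and function names are assumptions made for this illustration.

```python
"""Added example: detect CL/TE framing ambiguity (CAN-2005-2088) at a proxy."""

CRLF = b"\r\n"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, header dict, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Header names are case-insensitive; keep every occurrence, since
        # duplicated or conflicting headers are themselves a warning sign.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def chunked_body(body: bytes):
    """Decode chunked framing; return (decoded body, bytes after the 0 chunk)."""
    out, pos = b"", 0
    while True:
        eol = body.index(CRLF, pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return out, body[pos + 2:]  # skip the CRLF that ends the message
        out += body[pos:pos + size]
        pos += size + 2


def check_framing(raw: bytes):
    """Return (reject, cl_view, te_view, leftover).

    reject is True when both Content-Length and Transfer-Encoding: chunked
    are present; leftover is what a chunked-framing receiver would treat as
    the start of a further request, which is exactly what the proxy must
    never forward.
    """
    _, headers, body = parse_request(raw)
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    chunked = any(b"chunked" in v.lower() for v in te)
    if not (chunked and cl):
        return False, body, body, b""
    cl_view = body[:int(cl[0])]          # body as a Content-Length parser sees it
    te_view, leftover = chunked_body(body)  # body as a chunked parser sees it
    return True, cl_view, te_view, leftover


# Constructed sample: both framing headers, a 0-length chunk, then trailing bytes.
SAMPLE = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"0\r\n\r\nGET /status HTTP/1.1\r\n\r\n")
```

A proxy that answers 400 whenever `check_framing` returns `reject` removes the ambiguity before a downstream server can interpret the leftover bytes.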
-- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list