I've got a few questions about this release of mod_ssl.
1) why is it bundled w/ httpd v2.0 and not a separate bug?
2) does anything in this apply to apache v1.3?
3) why was it never tracked in Pekka's issues list?
4) why am I the only one inquiring about this. :-)

-Jim P.

Marc Deslauriers wrote:
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-166941
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166941
2005-10-22
---------------------------------------------------------------------
Name        : httpd and mod_ssl
Versions    : rh73: mod_ssl-2.8.12-8.legacy
Versions    : rh9: httpd-2.0.40-21.20.legacy
Versions    : fc1: httpd-2.0.51-1.9.legacy
Versions    : fc2: httpd-2.0.51-2.9.4.legacy
Summary     : The httpd Web server
Description :
This package contains a powerful, full-featured, efficient, and
freely-available Web server based on work done by the Apache Software
Foundation. It is also the most popular Web server on the Internet.
---------------------------------------------------------------------
Update Information:

Updated mod_ssl and Apache httpd packages that correct two security
issues are now available.

The Apache HTTP Server is a popular and freely-available Web server.
The mod_ssl module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols.

A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient"
directive. This flaw occurs if a virtual host is configured using
"SSLVerifyClient optional" and a directive "SSLVerifyClient required"
is set for a specific location. For servers configured in this
fashion, an attacker may be able to access resources that should
otherwise be protected, by not supplying a client certificate when
connecting. The Common Vulnerabilities and Exposures project assigned
the name CAN-2005-2700 to this issue.

A flaw was discovered in Apache httpd where the byterange filter would
buffer certain responses into memory. If a server has a dynamic
resource such as a CGI script or PHP script that generates a large
amount of data, an attacker could send carefully crafted requests in
order to consume resources, potentially leading to a Denial of
Service. (CAN-2005-2728)

Users of mod_ssl and Apache httpd should update to these errata
packages that contain backported patches to correct these issues.
---------------------------------------------------------------------
Changelogs

rh73:
* Fri Sep 23 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 2.8.12-8.legacy
- patch CAN-2005-2700 (#166941)

rh9:
* Fri Sep 30 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 2.0.40-21.20.legacy
- change 'serial' tag to 'epoch' for mod_ssl package
* Fri Sep 23 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 2.0.40-21.19.legacy
- Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)

fc1:
* Fri Sep 30 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 2.0.51-1.9.legacy
- Change 'serial' tag to 'epoch' for mod_ssl package
* Fri Sep 23 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 2.0.51-1.8.legacy
- Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)

fc2:
* Fri Sep 30 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 2.0.51-2.9.4.legacy
- Change 'serial' tag to 'epoch' for mod_ssl package
* Fri Sep 23 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 2.0.51-2.9.3.legacy
- Patches for CAN-2005-2700 and CAN-2005-2728 (#166941)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)
---------------------------------------------------------------------
Please test and comment in bugzilla.
------------------------------------------------------------------------
--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
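As an added defensive check, not part of the advisory or of the Fedora Legacy packages: a small Python scanner that walks an httpd.conf-style text and reports the SSLVerifyClient layering that CAN-2005-2700 concerns, a virtual host set to "optional" with a nested Location or Directory set to "require" (the directive's real argument is "require"; the advisory writes "required"), so administrators can list the hosts that need the errata before rolling it out. The configuration sample and the 192.0.2.10 address in the usage are constructed; the scanner assumes one directive or container tag per line.

```python
import re

OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")       # <VirtualHost ...>, <Location ...>
CLOSE_RE = re.compile(r"^</\w+\s*>$")              # </VirtualHost>, </Location>
VERIFY_RE = re.compile(r"^SSLVerifyClient\s+(\S+)$", re.IGNORECASE)

def find_affected_vhosts(config_text):
    """Return (vhost, container) pairs where the vhost sets SSLVerifyClient
    optional and a nested container (Location, Directory, ...) sets require."""
    findings, stack = [], []            # stack: (lowercased kind, display label)
    vhost, vhost_mode, require_scopes = None, None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := OPEN_RE.match(line)):
            kind, label = m.group(1).lower(), f"<{m.group(1)} {m.group(2).strip()}>"
            stack.append((kind, label))
            if kind == "virtualhost":
                vhost, vhost_mode, require_scopes = label, None, []
        elif CLOSE_RE.match(line) and stack:
            if stack.pop()[0] == "virtualhost":
                # The vhost-level value may follow the nested block, so decide on close.
                if vhost_mode == "optional":
                    findings.extend((vhost, s) for s in require_scopes)
                vhost, vhost_mode, require_scopes = None, None, []
        elif (m := VERIFY_RE.match(line)) and vhost is not None:
            value = m.group(1).lower()
            if stack[-1][0] == "virtualhost":
                vhost_mode = value                  # applies to the whole vhost
            elif value.startswith("require"):
                require_scopes.append(stack[-1][1])  # innermost container only

    return findings

# Constructed sample (not from the advisory) showing the affected layering.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLVerifyClient optional
    <Location /secure>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for vhost, scope in find_affected_vhosts(SAMPLE_CONF):
        print(f"CAN-2005-2700 pattern: {vhost} is optional, {scope} requires a cert")
```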