Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200509-12 ] Apache, mod_ssl: Multiple vulnerabilities
Date: Mon, 19 Sep 2005 08:37:24
Message-Id: 432E75D7.3020702@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200509-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Apache, mod_ssl: Multiple vulnerabilities
      Date: September 19, 2005
      Bugs: #103554, #104807
        ID: 200509-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

mod_ssl and Apache are vulnerable to a restriction bypass and a
potential local privilege escalation.

Background
==========

The Apache HTTP server is one of the most popular web servers on the
Internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3
and is also included in Apache 2.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /   Vulnerable   /                   Unaffected
    -------------------------------------------------------------------
  1  net-www/mod_ssl        < 2.8.24                         >= 2.8.24
  2  net-www/apache       < 2.0.54-r15                   >= 2.0.54-r15
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

mod_ssl contains a security issue when "SSLVerifyClient optional" is
configured in the global virtual host configuration (CAN-2005-2700).
Also, Apache's httpd includes a PCRE library, which makes it vulnerable
to an integer overflow (CAN-2005-2491).

Impact
======

Under a specific configuration, mod_ssl does not properly enforce the
client-based certificate authentication directive, "SSLVerifyClient
require", in a per-location context, which could be potentially used by
a remote attacker to bypass some restrictions. By creating a specially
crafted ".htaccess" file, a local attacker could possibly exploit
Apache's vulnerability, which would result in a local privilege
escalation.
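
To find hosts whose configuration matches the mod_ssl pattern described above (and so should be upgraded first), the following is an added example, not part of the advisory or of Gentoo's or Apache's tooling. The function name, the sample configuration, and the set of containers treated as per-location contexts are assumptions of this example; it does not follow Include directives and only matches a "require" block against "optional" set in the same server or virtual host scope.

```python
import re

# Containers treated as "per-location" contexts (an assumption of this example).
LOCATION_TAGS = {"location", "locationmatch", "directory", "directorymatch"}

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient optional
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    <Location /private>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

def find_affected_scopes(conf_text):
    """Return (scope, location) pairs where a scope sets 'SSLVerifyClient
    optional' and a per-location block inside it sets 'SSLVerifyClient require'."""
    stack = []                # open containers as (lowercased tag, label)
    optional_scopes = set()   # scopes that set SSLVerifyClient optional
    require_blocks = []       # (enclosing scope, location label)
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<(\w+)[^>]*>", line)
        if line.startswith("</"):
            stack = stack[:-1]   # close innermost container; tolerate strays
        elif opened:
            stack.append((opened.group(1).lower(), opened.group(0)))
        m = re.match(r"SSLVerifyClient\s+(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        vhosts = [lbl for tag, lbl in stack if tag == "virtualhost"]
        locs = [lbl for tag, lbl in stack if tag in LOCATION_TAGS]
        scope = vhosts[-1] if vhosts else "<main server>"
        if locs and m.group(1).lower() == "require":
            require_blocks.append((scope, locs[-1]))
        elif not locs and m.group(1).lower() == "optional":
            optional_scopes.add(scope)
    return [(s, l) for s, l in require_blocks if s in optional_scopes]

if __name__ == "__main__":
    for scope, loc in find_affected_scopes(SAMPLE_CONF):
        print(f"{scope}: optional at scope level, require in {loc}")
```

An empty result only means this pattern was not found in the text given; the PCRE issue (CAN-2005-2491) is independent of configuration and is addressed by the Apache upgrade.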

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mod_ssl users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-www/mod_ssl-2.8.24"

All Apache 2 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-www/apache-2.0.54-r15"

References
==========

  [ 1 ] CAN-2005-2491
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
  [ 2 ] CAN-2005-2700
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200509-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Attachments

File name MIME type
signature.asc application/pgp-signature