N-146: Apache 2.0.47 Release Fixes Security Vulnerabilities

CIAC INFORMATION BULLETIN

N-146: Apache 2.0.47 Release Fixes Security Vulnerabilities

[Apache 2.0.47 Released]

September 4, 2003 20:00 GMT
[REVISED 22 Sept 2003]
[REVISED 27 Oct 2003]

PROBLEM: There exist four security vulnerabilities:

1) Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one.
2) Certain errors returned by accept() on rarely accessed ports could cause a temporary denial of service, due to a bug in the prefork MPM.
3) A denial of service occurred when the target host is IPv6 but the FTP proxy server cannot create an IPv6 socket.
4) The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests.
AFFECTED SOFTWARE: Apache 2.0.46 and earlier
Red Hat Linux 7.1, 7.2, 7.3
Red Hat Enterprise Linux products
DAMAGE: A weaker ciphersuite than the one negotiated may be used; denial-of-service attacks.
SOLUTION: Upgrade to Apache 2.0.47 and upgrade Red Hat Linux.

VULNERABILITY ASSESSMENT:
The risk is MEDIUM. These vulnerabilities may cause a weaker ciphersuite to be used or a denial-of-service.
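A defender's first step for this bulletin is finding which hosts still run an affected build. The following Python is an added example, not part of the CIAC bulletin or the Apache announcement; it parses version banners (formats of `httpd -v` output and the HTTP Server header are assumed, sample lines are constructed) and applies the bulletin's threshold: the 2.0 line below 2.0.47 is affected, 1.3.x is outside this bulletin's scope.

```python
import re
from typing import Optional, Tuple

# Constructed sample banners, in the shapes printed by `httpd -v`
# ("Server version: Apache/x.y.z") and by an HTTP Server header.
SAMPLE_BANNERS = [
    "Server version: Apache/2.0.46",
    "Server: Apache/2.0.47 (Unix) mod_ssl/2.0.47",
    "Server: Apache/2.0.40 (Red Hat Linux)",
    "Server: Apache/1.3.27 (Unix)",
    "Server: nginx",
]

FIXED_VERSION = (2, 0, 47)   # bulletin SOLUTION: upgrade to Apache 2.0.47
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner, or None if it is not Apache."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(banner: str) -> str:
    """Map a banner to one of: not-apache, out-of-scope, affected, fixed.

    Only the 2.0 line is judged against N-146. Caveat: vendor builds that
    backport the fix (for example distribution errata) can keep an older
    version string, so a banner-based result is a lead, not a verdict;
    confirm against the vendor's errata before closing the finding.
    """
    version = parse_apache_version(banner)
    if version is None:
        return "not-apache"
    if version[:2] != (2, 0):
        return "out-of-scope"
    return "affected" if version < FIXED_VERSION else "fixed"


def triage(banners) -> dict:
    """Group banners by classification for a quick inventory report."""
    report: dict = {}
    for line in banners:
        report.setdefault(classify(line), []).append(line)
    return report


if __name__ == "__main__":
    for status, lines in triage(SAMPLE_BANNERS).items():
        print(status, lines)
```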

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-146.shtml
  ORIGINAL BULLETIN: http://www.apache.org/dist/httpd/Announcement2.html
  ADDITIONAL LINKS: RED HAT RHSA-2003:240-09
   https://rhn.redhat.com/errata/RHSA-2003-240.html
   RED HAT RHSA-2003:243-07
   https://rhn.redhat.com/errata/RHSA-2003-243.html
   RED HAT RHSA-2003:244-07
   https://rhn.redhat.com/errata/RHSA-2003-244.html
   Visit HEWLETT PACKARD Subscription Service for:
   HPSBUX0307-269 (SSRT3587)
   HPSBUX0304-256 (SSRT3534)

REVISION HISTORY: 
9/22/03 - Updated AFFECTED SOFTWARE section; updated SOLUTION section; and 
          added Red Hat RHSA-2003:243-03 link in ADDITIONAL LINKS section.
10/27/03 - Added additional link for Red Hat RHSA-2003:244-07 which gives
           information for the Red Hat Enterprise Linux products.
   
[***** Start Apache 2.0.47 Released *****]

Apache 2.0.47 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce 
the tenth public release of the Apache 2.0 HTTP Server. This Announcement notes the significant 
changes in 2.0.47 as compared to 2.0.46.

This version of Apache is principally a security and bug fix release. A summary of the bug fixes 
is given at the end of this document. Of particular note is that 2.0.47 addresses four security 
vulnerabilities:

Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to 
upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used 
in place of the strong one.[CAN-2003-0192]

Certain errors returned by accept() on rarely accessed ports could cause temporal denial of service, 
due to a bug in the prefork MPM.
[CAN-2003-0253]

Denial of service was caused when the target host is IPv6 but the ftp proxy server can't create an IPv6 socket.
[CAN-2003-0254]

The server would crash when going into an infinite loop due to too many subsequent internal redirects 
and nested subrequests.
[VU#379828]

The Apache Software Foundation would like to thank Saheed Akhtar and Yoshioka Tsuneo for the responsible 
reporting of two of these issues.

This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release 
to be the best version of Apache available and encourage users of all prior versions to upgrade.

Apache 2.0.47 is available for download from

http://httpd.apache.org/download.cgi
Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.

Apache 2.0.47 Major changes

Security vulnerabilities closed since Apache 2.0.46
Bugs fixed and features added since Apache 2.0.46

[***** End Apache 2.0.47 Released *****]

CIAC wishes to acknowledge the contributions of Apache for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/