Sicherheit: Zwei Probleme in apache und httpd

Lesezeichen hinzufügen

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2005-81
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original released date: 09 Aug 2005
Last revised: 09 Aug 2005

Package: apache, httpd

Summary: Two vulnerabilities discovered in apache

More information:
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the Internet.

- A vulnerability in the manner in which mod_ssl handles CRL
could allow remote attackers to cause a denial of service.
- The apache, when acting as an HTTP proxy, allows remote attackers to
poison the web cache,
bypass web application firewall protection, and conduct XSS attacks via an
HTTP request.

Impact:
These vulerabilities allow remote attackers to cause a denial of service.

Affected Products:
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux Multimedia
- Turbolinux Personal
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation

Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server]
# turbopkg
or
# zabom -u httpd httpd-debug httpd-devel httpd-manual mod_bwshare mod_ssl

[Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home,
Turbolinux Multimedia, Turbolinux Personal]
# turbopkg
or
# zabom -u httpd

[other]
# turbopkg
or
# zabom update apache apache-devel apache-manual mod_ssl
---------------------------------------------

<Turbolinux Appliance Server 1.0 Hosting Edition>

Source Packages
Size: MD5

apache-1.3.27-31.src.rpm
3109373 f3c422c3fd5937e982b055a56b8dfb7f

Binary Packages
Size: MD5

apache-1.3.27-31.i586.rpm
502063 9c3237f154eecbbcf843bfab043510d1
apache-devel-1.3.27-31.i586.rpm
94811 7f2ab013abbf2b4f8b897edfe847e877
mod_ssl-2.8.14-31.i586.rpm
182059 8136bef9d07bdef3794733003bd5bbb4

<Turbolinux Appliance Server 1.0 Workgroup Edition>

Source Packages
Size: MD5

apache-1.3.27-31.src.rpm
3109373 6f1b86ceef3c22a2aaf78ff5a0f268b2

Binary Packages
Size: MD5

apache-1.3.27-31.i586.rpm
502238 cdc276e4b1b03f0737154a11bc59aca0
apache-devel-1.3.27-31.i586.rpm
94998 d6c336e8d1c20ffda272cdc9bf618288
mod_ssl-2.8.14-31.i586.rpm
182145 c2cdd31b9d6a2a9124e5716250b1bf1b

<Turbolinux 10 Server>

Source Packages
Size: MD5

httpd-2.0.51-13.src.rpm
6845674 e0e80d62e9f6b1bb0d7f24c0d264b324

Binary Packages
Size: MD5

httpd-2.0.51-13.i586.rpm
1032364 73cd9f215eb7801e46ff8a613cb39c84
httpd-debug-2.0.51-13.i586.rpm
3240709 09c4172f27daa0cd2c8c7e41c84ca3c5
httpd-devel-2.0.51-13.i586.rpm
223780 574b59c43c30b3e0dfd909add88d8e60
httpd-manual-2.0.51-13.i586.rpm
1132138 7b681e4dedd57a8799c561f791000c78
mod_bwshare-2.0.51-13.i586.rpm
39858 21761ba8dd243c6b3a7eb2645d08b628
mod_ssl-2.0.51-13.i586.rpm
87816 78f8dea6f221c5b11b8e6f3028ebc68a

<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux
Multimedia, Turbolinux Personal>

Source Packages
Size: MD5

httpd-2.0.48-16.src.rpm
6317174 155e20c604e5fc909a5949ab1ec1d699

Binary Packages
Size: MD5

httpd-2.0.48-16.i586.rpm
892515 b753dd90453872d154ed3c6389c1aa0f

<Turbolinux 8 Server>

Source Packages
Size: MD5

apache-1.3.27-31.src.rpm
3109373 0dd83ad7d7074c99f16d2daffe916608

Binary Packages
Size: MD5

apache-1.3.27-31.i586.rpm
503183 0433a84107748e43b2ff841a8728a8a1
apache-devel-1.3.27-31.i586.rpm
94954 5441d2a424dd163eff80a5debdb42be4
apache-manual-1.3.27-31.i586.rpm
850909 383037e0cfe8d07f7463b6930d7a1fce
mod_ssl-2.8.14-31.i586.rpm
182224 1976847793c1c706dc3749153b2f73bf

<Turbolinux 8 Workstation>

Source Packages
Size: MD5

apache-1.3.27-31.src.rpm
3109373 0e9125ba1ee25bb38cf47eaea08b5f19

Binary Packages
Size: MD5

apache-1.3.27-31.i586.rpm
503125 e644eff23a0c14062066825f441a5bc1
apache-devel-1.3.27-31.i586.rpm
95144 e4e230ee2642ac7bada171568a00ed31
apache-manual-1.3.27-31.i586.rpm
851104 6596aef1907079a1f7b867dc5d61c4ef
mod_ssl-2.8.14-31.i586.rpm
182128 5961459b0ae85a25f9204fdd5e62f20c

<Turbolinux 7 Server>

Source Packages
Size: MD5

apache-1.3.27-31.src.rpm
3109373 ac3fd7f0b4e448afc6a3b31c9286c166

Binary Packages
Size: MD5

apache-1.3.27-31.i586.rpm
489948 3c357f8396a98919c5f1cb58df49a40e
apache-devel-1.3.27-31.i586.rpm
95166 d3e927c21f0092000bad1d3598cdb3e2
apache-manual-1.3.27-31.i586.rpm
851896 fe50d563c61f31759f61ae99ece5e4c1
mod_ssl-2.8.14-31.i586.rpm
179785 a3935782ffad1be2f624bca280651299

<Turbolinux 7 Workstation>

Source Packages
Size: MD5

apache-1.3.27-31.src.rpm
3109373 abb5e45b253f4c089d1bfb17f60c7986

Binary Packages
Size: MD5

apache-1.3.27-31.i586.rpm
489706 afc3cc31649c14b74c4591e742733003
apache-devel-1.3.27-31.i586.rpm
95164 88d57c6d8d07cab36b1d8710ea19cd70
apache-manual-1.3.27-31.i586.rpm
851886 5f3add0220a52daad36658de93eafeee
mod_ssl-2.8.14-31.i586.rpm
180083 5ff5110a64069eb39c4a28235ac4e626

References:

CVE
[CAN-2005-1268]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268
[CAN-2005-2088]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088

--------------------------------------------------------------------------
Revision History
09 Aug 2005 Initial release
--------------------------------------------------------------------------

Copyright(C) 2005 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC+GizK0LzjOqIJMwRAtpgAJ9pjPIIP9KjKCN1umFnA0mh4t142wCfeQnP
nYCVuG8YQUIUm01GXChT1DU=
=UZ0q
-----END PGP SIGNATURE-----