SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Security)  >   Mod_ssl Vendors:   Modssl.org
(Fedora Issues Fix for FC2) Apache mod_ssl SSLCipherSuite Directive Can Be Bypassed in Certain Cases
SecurityTracker Alert ID:  1012219
SecurityTracker URL:  http://securitytracker.com/id/1012219
CVE Reference:   CVE-2004-0885   (Links to External Site)
Date:  Nov 13 2004
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Apache mod_ssl that affects one specific configuration. A remote user may be able to bypass the SSLCipherSuite directive settings.

It is reported that when the "SSLCipherSuite" directive is used in a directory or location context to require a more restricted set of cipher suites than the enclosing virtual host allows, the per-directory restriction may not be enforced: a remote user may be able to access the directory or location with any cipher suite permitted at the virtual host (or server) level.

According to Red Hat, the vulnerable configuration is "fairly rare and uncommon."

Impact:   A remote user may be able to access a directory or location using any cipher suite permitted by the virtual host, instead of only the ones specified by the per-directory SSLCipherSuite directive.
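Because the affected configuration is uncommon, the first practical step is to find out whether a server has it at all: an SSLCipherSuite directive inside a <Directory>, <Location> or <Files> section whose suite list is narrower than the one the enclosing virtual host negotiated the connection with. The script below is an added example (not SecurityTracker, Red Hat or mod_ssl code) that walks an httpd configuration and reports every such directive together with the cipher string the virtual host, or failing that the global scope, actually used; the hostnames, paths and cipher strings in SAMPLE_CONFIG are constructed for illustration.

```python
"""Audit an Apache httpd configuration for SSLCipherSuite directives set in
<Directory>, <Location> or <Files> context, the configuration in which an
unpatched mod_ssl could skip the per-directory cipher restriction
(CVE-2004-0885).  Added example, not SecurityTracker, Red Hat or mod_ssl
code; the configuration fragment below is constructed."""
import re
from dataclasses import dataclass

SECTIONS = ("VirtualHost", "Directory", "DirectoryMatch", "Location",
            "LocationMatch", "Files", "FilesMatch")
OPEN_RE = re.compile(r"^\s*<(%s)\b([^>]*)>\s*$" % "|".join(SECTIONS), re.I)
CLOSE_RE = re.compile(r"^\s*</(%s)\s*>\s*$" % "|".join(SECTIONS), re.I)
CIPHER_RE = re.compile(r"^\s*SSLCipherSuite\s+(\S+)", re.I)


@dataclass
class Finding:
    line: int           # config line holding the per-directory directive
    vhost: str          # argument of the enclosing <VirtualHost>, or "server" at global scope
    scope: str          # section(s) the directive sits in, e.g. "<Location /secure>"
    ciphers: str        # suites the administrator intended to require here
    vhost_ciphers: str  # suites the connection may actually have been negotiated with


def audit(config_text):
    """Return one Finding per SSLCipherSuite in directory/location/files
    context, paired with the cipher string of the enclosing virtual host
    (falling back to the global one, as Apache's inheritance does)."""
    stack = []                       # (section name, argument) for each open section
    vhost_suite = {"server": None}   # vhost argument -> its own SSLCipherSuite, if any
    raw = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                  # Apache comments are whole lines only
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip()))
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        m = CIPHER_RE.match(line)
        if not m:
            continue
        vhost = next((arg for name, arg in stack if name.lower() == "virtualhost"), "server")
        inner = [f"<{name} {arg}>" if arg else f"<{name}>"
                 for name, arg in stack if name.lower() != "virtualhost"]
        if inner:                     # directory/location/files context: the risky case
            raw.append((lineno, vhost, " > ".join(inner), m.group(1)))
        else:                         # vhost- or server-level directive
            vhost_suite[vhost] = m.group(1)
    findings = []
    for lineno, vhost, scope, ciphers in raw:
        effective = vhost_suite.get(vhost) or vhost_suite["server"] or "(mod_ssl default)"
        findings.append(Finding(lineno, vhost, scope, ciphers, effective))
    return findings


def report(config_text):
    """One human-readable line per finding."""
    return [f"line {f.line}: {f.scope} in <VirtualHost {f.vhost}> requires "
            f"'{f.ciphers}' but the connection was negotiated under '{f.vhost_ciphers}'"
            for f in audit(config_text)]


# Constructed sample httpd.conf fragment (hostnames, paths and suites are illustrative).
SAMPLE_CONFIG = """\
# global default for every SSL virtual host that sets none of its own
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!aNULL
    <Location /secure>
        # intended: only HIGH-grade suites may reach this tree
        SSLCipherSuite HIGH:!aNULL
    </Location>
    <Directory "/var/www/html/public">
        Options Indexes
    </Directory>
</VirtualHost>
<VirtualHost *:8443>
    ServerName intranet.example.com
    SSLEngine on
    <Location /admin>
        SSLCipherSuite AES256-SHA
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

A hit from this audit means the update matters for that host. After patching, the enforcement can be confirmed from a client: connect with openssl s_client using -cipher set to a suite the virtual host permits but the location does not, request the protected path, and check that mod_ssl refuses it (a fixed server renegotiates to the restricted list and answers 403 when that fails) rather than serving the content.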
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

b202b93fa33a117c576f49b0b6ea8cce SRPMS/httpd-2.0.51-2.9.src.rpm
d44a26a035bef7f26249e1d0a7ae95b4 x86_64/httpd-2.0.51-2.9.x86_64.rpm
0920735cfe93100965958df44e6cca28 x86_64/httpd-devel-2.0.51-2.9.x86_64.rpm
50681f4ed4f3448fa1f8fd86ce41d749 x86_64/httpd-manual-2.0.51-2.9.x86_64.rpm
1b3230a8c205bdf96464d4ecc51bea40 x86_64/mod_ssl-2.0.51-2.9.x86_64.rpm
fae759a29d5ac1eacfb947ec4b447994 x86_64/debug/httpd-debuginfo-2.0.51-2.9.x86_64.rpm
d8e4ed9aafd639fdfab26e6fe3cd8c29 i386/httpd-2.0.51-2.9.i386.rpm
cd1ab7ce0fcc375de0d6db748babc753 i386/httpd-devel-2.0.51-2.9.i386.rpm
341a963e8ac8aba17c18eaebc7ac27c1 i386/httpd-manual-2.0.51-2.9.i386.rpm
f227c579f61c355c594f8e790695bcd8 i386/mod_ssl-2.0.51-2.9.i386.rpm
dc3be7afa997f09293b82caaae505f7b i386/debug/httpd-debuginfo-2.0.51-2.9.i386.rpm

Vendor URL:  www.modssl.org/ (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC2

Message History:   This archive entry is a follow-up to the message listed below.
Oct 6 2004 Apache mod_ssl SSLCipherSuite Directive Can Be Bypassed in Certain Cases



 Source Message Contents

Subject:  [SECURITY] Fedora Core 2 Update: httpd-2.0.51-2.9



---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-420
2004-11-12
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : httpd
Version     : 2.0.51
Release     : 2.9
Summary     : Apache HTTP Server
Description :
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the
Internet.

---------------------------------------------------------------------

This update includes the fixes for an issue in mod_ssl which could
lead to a bypass of an SSLCipherSuite setting in directory or location
context (CVE CAN-2004-0885), and a memory consumption denial of
service issue in the handling of request header lines (CVE
CAN-2004-0942).

---------------------------------------------------------------------

* Thu Nov 11 2004 Joe Orton <jorton@redhat.com> 2.0.51-2.9

- add fix for memory consumption DoS, CAN-2004-0942
- mod_ssl: add fix for SSLCipherSuite bypass, CAN-2004-0885

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

b202b93fa33a117c576f49b0b6ea8cce  SRPMS/httpd-2.0.51-2.9.src.rpm
d44a26a035bef7f26249e1d0a7ae95b4  x86_64/httpd-2.0.51-2.9.x86_64.rpm
0920735cfe93100965958df44e6cca28  x86_64/httpd-devel-2.0.51-2.9.x86_64.rpm
50681f4ed4f3448fa1f8fd86ce41d749  x86_64/httpd-manual-2.0.51-2.9.x86_64.rpm
1b3230a8c205bdf96464d4ecc51bea40  x86_64/mod_ssl-2.0.51-2.9.x86_64.rpm
fae759a29d5ac1eacfb947ec4b447994  x86_64/debug/httpd-debuginfo-2.0.51-2.9.x86_64.rpm
d8e4ed9aafd639fdfab26e6fe3cd8c29  i386/httpd-2.0.51-2.9.i386.rpm
cd1ab7ce0fcc375de0d6db748babc753  i386/httpd-devel-2.0.51-2.9.i386.rpm
341a963e8ac8aba17c18eaebc7ac27c1  i386/httpd-manual-2.0.51-2.9.i386.rpm
f227c579f61c355c594f8e790695bcd8  i386/mod_ssl-2.0.51-2.9.i386.rpm
dc3be7afa997f09293b82caaae505f7b  i386/debug/httpd-debuginfo-2.0.51-2.9.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------


Copyright 2019, SecurityGlobal.net LLC