[RHSA-2004:405-02] Stronghold 4: New release fixes Apache, mod_ssl, and PHP issues

bugzilla at redhat.com bugzilla at redhat.com
Fri Jul 23 09:29:00 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Stronghold 4: New release fixes Apache, mod_ssl, and PHP issues
Advisory ID:       RHSA-2004:405-02
Issue date:        2004-07-23
Updated on:        2004-07-23
Product:           Stronghold Cross Platform
Keywords:          Apache DoS PHP memory_limit mod_ssl
CVE Names:         CAN-2004-0174 CAN-2004-0488 CAN-2004-0594 CAN-2004-0595 CAN-2004-0700
- ---------------------------------------------------------------------

1. Summary:

Updated versions of cross-platform Stronghold that fix security issues in
mod_ssl, PHP, and the Apache HTTP Server are now available.

2. Problem description:

Stronghold 4 contains a number of open source technologies, including
PHP, mod_ssl and the Apache HTTP Server.

Stefan Esser discovered a flaw when the memory_limit configuration setting
was enabled in PHP 4 versions prior to 4.3.8. If a remote attacker could
force the PHP interpreter to allocate more memory than the memory_limit
setting before script execution begins, then the attacker may be able to
supply the contents of a PHP hash table remotely. This hash table could
then be used to execute arbitrary code as the 'apache' user. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0594 to this issue.

It may be possible to exploit this issue when using a non-default PHP
configuration in which the "register_defaults" setting is changed to "On".
Red Hat does not believe that this flaw is exploitable in the default
configuration of Stronghold 4.

Stefan Esser discovered a flaw in the strip_tags function in versions of
PHP prior to 4.3.8. The strip_tags function is commonly used by PHP scripts
to prevent cross-site scripting attacks by removing HTML tags from
user-supplied form data. By embedding NUL bytes into form data, HTML tags
can in some cases be passed intact through the strip_tags function, which
may allow a cross-site scripting attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to
this issue.

A stack buffer overflow was discovered in mod_ssl which can be triggered if
using the FakeBasicAuth option. If mod_ssl is sent a client certificate
with a subject DN field longer than 6000 characters, a stack overflow can
occur if FakeBasicAuth has been enabled. In order to exploit this issue,
the carefully crafted malicious certificate would have to be signed by a
Certificate Authority which mod_ssl is configured to trust. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0488 to this issue.

A format string issue was discovered in mod_ssl which can be triggered if 
mod_ssl is configured to allow a client to proxy to remote SSL sites. 
If mod_ssl is forced to connect to a remote SSL server using a
carefully crafted hostname, an attacker may be able to crash an Apache
child process.  This issue is not known to allow arbitrary execution of
code.  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0700 to this issue.

A denial of service issue was discovered which affects versions of the
Apache HTTP Server prior to 1.3.30.  On some platforms, when Apache is
configured with multiple listening sockets, a short-lived connection to
one socket may temporarily block new connections to other sockets.  This
issue does not affect Stronghold if running on Linux, FreeBSD or HP-UX
platforms.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0174 to this issue.

Users of Stronghold 4 cross-platform are advised to update to these errata
versions, which contain backported security fixes and are not vulnerable to
these issues.

3. Solution:

Updated Stronghold 4 packages are now available via the update agent
service. Run the following command from the Stronghold 4 install root to
upgrade an existing Stronghold 4 installation to the new package versions:

$ bin/agent

The Stronghold 4.0i patch release which contains these updated packages is
also available from the download site.

After upgrading Stronghold, the server must be completely restarted by
running the following commands from the install root:

$ bin/stop-server
$ bin/start-server

For more information on how to upgrade between releases of Stronghold 4,
refer to http://stronghold.redhat.com/support/upgrade-sh4

4. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

127703 - CAN-2004-0594 PHP memory_limit issue

5. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0700

6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBANp0XlSAg2UNWIIRAjdHAJwOaqdJnJdSk+dOwcbs/9ZhAKfjlQCgumnc
7yfQ1H1QWoB6G6MyAs6PfT8=
=dku+
-----END PGP SIGNATURE-----
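
The preconditions the advisory names (FakeBasicAuth enabled, more than one listening socket on a platform other than Linux, FreeBSD or HP-UX, memory_limit set) can be checked against a server's configuration. The script below is an added example, not part of the Red Hat advisory. Assumptions: the config file paths are supplied by the caller, the sample configs are constructed, and matching is line-based, so per-directory merging of SSLOptions is ignored.

```shell
#!/bin/sh
# Added example (not Red Hat's code): preconditions from RHSA-2004:405 in config files.

# Non-comment lines of a config file ('#' in httpd.conf, ';' in php.ini).
active_lines() { grep -v -E '^[[:space:]]*[#;]' "$1"; }

# CAN-2004-0488: SSLOptions turns FakeBasicAuth on ("-FakeBasicAuth" does not match).
has_fakebasicauth() {
    active_lines "$1" | grep -i -q -E \
        '^[[:space:]]*SSLOptions[[:space:]]+(.*[[:space:]])?\+?FakeBasicAuth'
}

# CAN-2004-0174: number of Listen directives, i.e. listening sockets.
listen_count() {
    active_lines "$1" | grep -i -c -E '^[[:space:]]*Listen[[:space:]]' || true
}

# The advisory exempts Linux, FreeBSD and HP-UX from CAN-2004-0174.
platform_exempt() { case "$1" in Linux|FreeBSD|HP-UX) return 0 ;; esac; return 1; }

# CAN-2004-0594: memory_limit is set in php.ini.
has_memory_limit() {
    active_lines "$1" | grep -q -E '^[[:space:]]*memory_limit[[:space:]]*='
}

# audit HTTPD_CONF PHP_INI OS_NAME: print the CAN names whose precondition is met.
audit() {
    out=""
    if has_fakebasicauth "$1"; then out="$out CAN-2004-0488"; fi
    if [ "$(listen_count "$1")" -gt 1 ] && ! platform_exempt "$3"; then
        out="$out CAN-2004-0174"
    fi
    if has_memory_limit "$2"; then out="$out CAN-2004-0594"; fi
    echo "${out# }"
}

# Constructed sample configs (not from a real install), audited as OS "SunOS".
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Listen 80' 'Listen 443' '# SSLOptions +FakeBasicAuth' \
        'SSLOptions +StdEnvVars +FakeBasicAuth' > "$d/httpd.conf"
    printf '%s\n' '; memory_limit = 8M' 'max_execution_time = 30' > "$d/php.ini"
    audit "$d/httpd.conf" "$d/php.ini" SunOS
    rm -rf "$d"
}

# With two arguments audit real files, otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then audit "$1" "$2" "$(uname -s)"; else demo; fi
```

A listed name means only that the configuration precondition is present; whether the installed packages already carry the backported fix is a separate check.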




