You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Mark J Cox <ma...@awe.com> on 2005/09/09 11:22:21 UTC
Security release needed for 2.0
We've a few security issues fixed recently that haven't made it out into
releases from the ASF, but have made it out into releases from the various
OS vendors. One issue is "important" severity, and public now for 10
days.
I don't watch this list much, are there other things holding up a release?
If so we ought to consider doing a 2.0.55 with just fixes for these issues
over 2.0.54:
CAN-2005-2700 important: SSLVerifyClient bypass
A flaw in the mod_ssl handling of the "SSLVerifyClient"
directive. This flaw would occur if a virtual host has been
configured using "SSLVerifyClient optional" and further a
directive "SSLVerifyClient required" is set for a specific
location. For servers configured in this fashion, an attacker may
be able to access resources that should otherwise be protected, by
not supplying a client certificate when connecting.
public=20050830
[*** needs committing]
CAN-2005-2728 moderate: Byterange filter DoS
A flaw in the byterange filter would cause some responses to be
buffered into memory. If a server has a dynamic resource such as a
CGI script or PHP script which generates a large amount of data,
an attacker could send carefully crafted requests in order to
consume resources, potentially leading to a Denial of Service.
public=20050707
[committed]
CAN-2005-2088 moderate: HTTP Request Spoofing
A flaw occured when using the Apache server as a HTTP proxy. A
remote attacker could send a HTTP request with both a
"Transfer-Encoding: chunked" header and a Content-Length header,
causing Apache to incorrectly handle and forward the body of the
request in a way that causes the receiving server to process it as
a separate HTTP request. This could allow the bypass of web
application firewall protection or lead to cross-site scripting
(XSS) attacks.
public=20050611
[committed]
CAN-2005-1268 low: Malicious CRL off-by-one
An off-by-one stack overflow was discovered in the mod_ssl CRL
verification callback. In order to exploit this issue the Apache
server would need to be configured to use a malicious certificate
revocation list (CRL)
public=200506085~
[committed]
CAN-2005-2491 low: PCRE overflow
An integer overflow flaw was found in PCRE, a Perl-compatible
regular expression library included within httpd. A local user
who has the ability to create .htaccess files could create a
maliciously crafted regular expression in such as way that they
could gain the privileges of a httpd child.
public=20050801
[*** needs committing]
Re: Security release needed for 2.0
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
> CAN-2005-2088 moderate: HTTP Request Spoofing
>
> A flaw occured when using the Apache server as a HTTP proxy. A
> remote attacker could send a HTTP request with both a
> "Transfer-Encoding: chunked" header and a Content-Length header,
> causing Apache to incorrectly handle and forward the body of the
> request in a way that causes the receiving server to process it as
> a separate HTTP request. This could allow the bypass of web
> application firewall protection or lead to cross-site scripting
> (XSS) attacks.
> public=20050611
> [committed]
Actually this isn't complete as the proxy body handling patch
illustrates. There is a gross hack in the core, but that's only
triggered at the initial acceptance of the request headers, and
is subject to 'mutation' by *any* module or filter in the processing
chain. The backport of mod_http_proxy.c needs review, if you are
voulenteering.
Also our TRACE implementation in proxy allows request bodies in 2.0.x,
while I'm not aware of a direct implication, it's unfair to blame client
exploits when we violated the RFC in the first place.
See STATUS/showstoppers.
I see no reason not to ship 2.0.55 complete once the last security
patches have been applied. In fact, I'll RM a candidate 2.0 tarball
on Sunday if these showstoppers have been reviewed.
Thanks for joining the small chorus, Mark!
Bill