-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2005.0841 -- PK13230; 2.0.47.1:
      IBM HTTP Server V2.0.47 and V2.0.42 cumulative security e-fix
                              24 October 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              IBM HTTP Server V2.0.47 and V2.0.42
Publisher:            IBM
Operating System:     AIX
                      HP-UX
                      Linux variants
                      Solaris
                      Windows
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CAN-2005-2970 CAN-2005-2728 CAN-2005-2491
                      CAN-2005-2088 CAN-2004-0942 CAN-2004-0809
                      CAN-2004-0786 CAN-2004-0747 CAN-2004-0493
                      CAN-2003-0020
Ref:                  AA-2005.0015
                      AL-2004.029
                      ESB-2005.0836

Original Bulletin:
  http://www-1.ibm.com/support/docview.wss?uid=swg24010709

- --------------------------BEGIN INCLUDED TEXT--------------------

PK13230; 2.0.47.1: IBM HTTP Server V2.0.47 and V2.0.42 cumulative security e-fix

Abstract

CAN-2005-2970, CAN-2005-2491, CAN-2005-2728 security exposures

Download Description

PK13230 resolves the following problem:

ERROR DESCRIPTION:
This interim fix corrects several security vulnerabilities and other
problems which were resolved after the previous interim fix, PK07831.

LOCAL FIX:

PROBLEM SUMMARY
USERS AFFECTED: IBM HTTP Server V2.0.42/2.0.47 users

PROBLEM DESCRIPTION:
CAN-2005-2970, CAN-2005-2491, CAN-2005-2728 security exposures

RECOMMENDATION:
None

Address several IBM HTTP Server security issues

- PK13066 CAN-2005-2970 worker MPM memory leak after aborted connection
  (non-Windows platforms)
- Prevent double-free of GSKit memory during stop or restart which
  sometimes caused a coredump (non-Windows platforms)
- Prevent double-free when an error occurred reading data from sidd
  (non-Windows platforms only).
- PK11929 CAN-2005-2491 Fix integer overflow in PCRE which leads to a
  heap-based buffer overflow.
- PK11929 CAN-2005-2728 Fix byte-range filter which allowed remote
  attackers to cause a denial of service (memory consumption) via an
  IBM HTTP Server header with large Range field
- Handle strerror() returning NULL on Solaris, resolving possible crashes
  when writing to the error log.
- Handle SSL requests where FIN is received from the client on Keepalive
  connections before the response is written.
- sidd now reports specific error code and filename when its trace or
  error log can't be opened.
- Fixed swapped references to ciphers 62 and 64. This resulted in
  SSLCipher* directives operating on the wrong cipher (i.e., using 64 if
  62 had been specified).
- Fix SSL handling of Timeout values larger than 2000 seconds, resolving
  SSL handshake failures

Changes in previous interim fixes, included here

- PK07831 Resolve incompatibility between IBM HTTP Server and certain
  GSKit levels
- PK07747 Resolve incompatibility between AFPA support on Windows and
  Microsoft Security Patch MS05-019
- CAN-2005-2088 preventative measures to prevent IBM HTTP Server request
  smuggling, from Apache 2.1.6 and future Apache 2.0.55
- mod_ibm_ssl: include client IP address on many messages
- mod_ibm_ssl: improve reporting of many SSL communication errors
- Fix a servlet timeout when a POST response page contains SSI tags
- Set RH variable to indicate which module handled or failed the request
- dbmmanage: Select the database format which is accepted by IBM HTTP
  Server
- mod_rewrite: improve performance with large RewriteMap files
- Fix memory leak in the cache handling of mod_rewrite
- Fix storage corruption problem with mod_userdir+suexec processing
- PK03603 worker mpm: don't take down the whole server for a transient
  thread creation failure
- PK05830 Prevent hangs of child processes when writing to piped loggers
  at the time of graceful restart
- PK05957 Support the suppress-error-charset setting, as with Apache 1.3.
- Set REDIRECT_REMOTE_USER for redirection of authenticated requests
- worker mpm: lower severity of mutex "error" message which can occur
  normally during restart
- display time taken to process request in mod_status
- mod_proxy: Handle client-aborted connections correctly
- mod_mime_magic on Windows: support magic files with native line endings
- support SHA1 passwords for mod_auth and mod_auth_dbm
- support SendBufferSize on Windows
- start piped loggers via the shell on Unix, to support redirection
- mod_cgid: Fix buffer overflow processing ScriptSock directive
- mod_ibm_ldap: put timestamp on ldap trace records for correlation with
  other logs
- mod_ibm_ldap: return authorization error instead of internal server
  error when password has expired
- mod_ibm_ldap: add configuration control over whether or not referrals
  are chased via "LdapReferrals [On|Off]" and "LdapReferralHopLimit nnn"
- mod_ibm_ldap: add rebind support for improved compatibility with
  Microsoft Active Directory 2003
- remove 2GB log file size restriction on Linux and Unix systems
- PQ98957 fix IBM HTTP Server RFC violations with handling of request
  bodies by proxy
- PQ97712 fix worker MPM problem which left stranded processes after
  shutdown
- fix mod_deflate problems handling 304 or 204 responses
- PK00175 mod_ibm_ssl corrupts LIBPATH, breaking startup of third-party
  module
- fix mod_ibm_ssl storage leak during apachectl restart or apachectl
  graceful processing
- PQ86346 Seg fault with IHS ldap/nss ldap on 390
- fix mod_fastcgi incompatibility with WebSphere plug-in
- rename zlib symbols used by mod_deflate to avoid collision with
  third-party modules
- add "/server-status?showmodule" support for displaying name of module
  where request is stuck; ihsdiag 1.4.0 also exploits this support
- CAN-2003-0020 escape data before writing to error log
- fix ownership of sidd socket if IBM HTTP Server started as non-root on
  HP-UX
- resolve CAN-2004-0809 and CAN-2004-0942 vulnerabilities
- handle rewrite rules in <Location > applying to WebSphere resource
- shut down worker MPM more quickly when processes are slow to exit
- fix Expires handling with mod_cache
- reduce severity of message for TCP_NODELAY error
- PQ97125 CAN-2004-0942 fix memory consumption dos for folded MIME headers
- add fatal exception hook for use by diagnostic modules
- log reason for failing to connect to session id cache
- fixed invalid info messages about non-FIPS cipher if FIPS enabled
- fixed timeout problem in mod_ibm_ssl under load
- fixed LDAP not escaping ctrl chars \,(,), and * as required by RFC 2254
- changed LDAP queries to request minimal set of attributes
- Potential denial of service exposure, CAN-2004-0786
- CAN-2004-0747 buffer overflow if extremely large environment variables
  are referenced in httpd.conf or .htaccess
- fix termination of long request lines
- fix mod_headers functional regression since 1.3
- fix mod_deflate large memory consumption
- fix handling of "AllowEncodedSlashes On"
- fix stranded piped logger processes on Windows
- change default Windows service name to the same service name set by
  IHS installer so that -n option is not required
- improve compatibility with 3rd party layered service providers on Win32
- fix crash in mod_ibm_ssl when using client auth
- CAN-2004-0493 remote memory allocation vulnerability
- rotatelogs ability to use local time
- <VirtualHost myhost> now applies to all IP addresses for myhost
- Fix mod_deflate to handle zero length responses (such as 304 response
  codes) Windows)
- Unnecessary mod_expires error message in log
- Microsoft Windows pool corruption at startup leading to restart problems
- Some random storage logged for excessively long request line

(Fixes in PQ85834 are not listed here.)
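The bulletin publishes a checksum and byte count for every e-fix archive. The following script is an added example (it is not part of the IBM or AusCERT bulletin) showing how an administrator can check downloaded archives against a manifest pasted from the bulletin before applying the fix. It assumes the "<checksum> <size> <filename>" triples are POSIX cksum(1) output (CRC plus byte count), which is what the layout suggests but the bulletin does not state; the function name verify_efix_manifest and the manifest file are this example's own.

```shell
#!/bin/sh
# Added example, not code from the IBM/AusCERT bulletin.
# ASSUMPTION: the bulletin's "<checksum> <size> <filename>" lines are
# POSIX cksum(1) output, so cksum(1) is used to recompute both fields.
#
# verify_efix_manifest MANIFEST DIR
#   MANIFEST: file holding lines copied from the bulletin, one per archive
#   DIR:      directory containing the downloaded archives
# Prints one status line per manifest entry; returns 0 only when every
# listed file exists and matches both the checksum and the byte count.
verify_efix_manifest() {
    manifest=$1
    dir=$2
    failures=0
    while read -r want_sum want_size name; do
        # skip blank lines and '#' comments in the manifest
        [ -z "$want_sum" ] && continue
        case $want_sum in \#*) continue ;; esac
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            failures=$((failures + 1))
            continue
        fi
        # cksum prints "<crc> <bytes> <path>"; keep the first two fields
        set -- $(cksum "$path")
        got_sum=$1
        got_size=$2
        if [ "$got_sum" = "$want_sum" ] && [ "$got_size" = "$want_size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $want_sum/$want_size, got $got_sum/$got_size)"
            failures=$((failures + 1))
        fi
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# Stand-alone use: sh verify-efix.sh PK13230.cksum ./downloads
if [ "$#" -eq 2 ]; then
    verify_efix_manifest "$1" "$2"
fi
```

Paste the checksum lines for the platform archives you downloaded into the manifest file exactly as the bulletin prints them; a non-zero exit means at least one archive is missing, truncated, or differs from what IBM published and should not be installed. A CRC is an integrity check against corrupt or incomplete downloads, not a proof of origin; the PGP signature on the bulletin is what ties the published values to AusCERT.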
Checksum of e-fix files is as follows:

2235690824 5427200 2.0.42.2-PK13230.aix.tar
939210679 19537920 2.0.42.2-PK13230.hpux.tar
854827529 4474880 2.0.42.2-PK13230.linux.tar
3035375644 4904960 2.0.42.2-PK13230.linux390.tar
218954935 6502400 2.0.42.2-PK13230.linuxppc.tar
2142785978 3932767 2.0.42.2-PK13230.nt.zip
3619888137 18137088 2.0.42.2-PK13230.sun.tar
1195706654 5304320 2.0.47.1-PK13230.aix.tar
3981623684 19752960 2.0.47.1-PK13230.hpux.tar
1282754306 4106240 2.0.47.1-PK13230.linux.tar
920133865 4874240 2.0.47.1-PK13230.linux390.tar
844387247 5683200 2.0.47.1-PK13230.linuxppc.tar
3545755713 4019142 2.0.47.1-PK13230.nt.zip
508704124 17763328 2.0.47.1-PK13230.sun.tar

PROBLEM CONCLUSION:

Comments:

Special note:

- mod_whatkilledus users: Upgrade to mod_whatkilledus.so from ihsdiag
  1.4.2 or later to correct a problem in mod_whatkilledus.so which can be
  encountered with this level of IBM HTTP Server. The latest ihsdiag
  package can be downloaded here:
  ftp://ftp.software.ibm.com/software/websphere/ihs/support/Tools/ihsdiag/

Prerequisites

You may apply this e-fix if you performed a full IBM HTTP Server install
using one of the following versions:

2.0.42.2-PQ85834
2.0.42.2-PQ87339
2.0.47-PQ85834
2.0.47.1

Any e-fixes you applied after the full IBM HTTP Server install are
incorporated in this cumulative e-fix.

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Technical support

1-800-IBM-SERV (U.S. Only)

Problems (APARS) fixed

PK13230, PK07831, PQ88381, PQ90698, PQ94086, PQ94389, PK01070

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or
attacked in any way, we encourage you to let us know by completing the
secure National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQ1w4BCh9+71yA2DNAQL/rAP/dtCWYi2IrHsPCFVAch7WDeu25LTu5VeU
qz5g0cYmg7EzjdmAEGpx/JCQfn2vgnZcQI3S2u65bNhV9Xpc/x6qHD2QvTZQQ23H
E0MiZkFQ1VJXTVerbFUvJ8J79wpIg1u2LhZlKlCQsbM4SDeQMv9HwkjeXZ6FTpwI
o9XBugdgRek=
=fJ4O
-----END PGP SIGNATURE-----