Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0557 -- [Win][Linux][Solaris][AIX]
IBM HTTP Server V2.0.47 Cumulative Interim Fix
28 May 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM HTTP Server V2.0.47
Publisher: IBM
Operating System: AIX
Linux variants
Solaris
Windows
Impact: Cross-site Scripting
Access: Remote/Unauthenticated
CVE Names: CVE-2007-5000 CVE-2007-6203 CVE-2007-6388
Ref: ESB-2006.0430
Original Bulletin:
http://www-1.ibm.com/support/docview.wss?uid=swg24019245
- --------------------------BEGIN INCLUDED TEXT--------------------
PK65782; 2.0.47.1: IBM HTTP Server V2.0.47 Cumulative Interim Fix
Abstract
CVE-2007-5000, CVE-2007-6203, CVE-2007-6388, and other fixes since PK53584
Download Description
PK65782 resolves the following problem:
ERROR DESCRIPTION:
This Interim Fix corrects multiple problems which were resolved after the
previous Interim Fix, PK53584, including security-related issues
CVE-2007-5000, CVE-2007-6203, and CVE-2007-6388.
USERS AFFECTED:
IBM HTTP SERVER V2.0.47 users
PROBLEM DESCRIPTION:
CVE-2007-5000, CVE-2007-6203, CVE-2007-6388, and other fixes since PK53584
RECOMMENDATION:
All HTTP SERVER V2.0.47 users should apply this Cumulative Fix before
investigating any problem symptoms.
Customers using SSLFIPSEnable should refer to the special note below.
Address security issues and other defects corrected after the previous
Cumulative Fix for this release, PK53584.
- - PK66154 Incorrect Unix socket permissions on AIX and HP-UX
- - PK64092 SSL0409I is sometimes issued when SSL client disconnects on some
platforms
- - PK64089 access log displays incorrect timezone offset when offset is not
a multiple of 60 minutes
- - PK62242 incorrect error handling in IBM HTTP Server when sidd is not found
under server root
- - PK61452 HTTP: server side includes under mod_include are unreliable with
output filters
- - PK59667 CVE-2007-6388 mod_status cross-site scripting vulnerability
- - PK58884 IBM HTTP Server compression; AddOutputFilterByType directive did
not apply to proxy requests
- - PK58184 rotatelogs ignores -l option when rotating files based on size
- - PK58024 CVE-2007-5000 mod_imap cross-site scripting vulnerability
- - PK57952 Input method not escaped in default 413 error response
Note: This is not considered a vulnerability, but it was originally assigned
id CVE-2007-6203.
- - PK57680 High CPU loop in mod_ibm_ssl when poll returns unexpected events
- - PK52726 Allow Certificate Revocation List support to be used on HP-UX
Changes with previous Cumulative Fixes, included here:
- - PK49295 CVE-2006-5752 mod_status cross-site scripting vulnerability
- - PK49355 CVE-2007-1863 mod_cache crash with malicious request
- - PK50460 mod_deflate with vary headers doesn't work
- - PK50469 CVE-2007-3847 proxy buffer over-read vulnerability
- - PK50467 CVE-2007-3304 MPM signalling vulnerability
- - PK48505 HTTP status codes are changed to HTTP 500 when mod_deflate added and
SetOutputFilter directive specified
- - PK48412 IBM HTTP Server logs bad date when certificate has expired
- - PK44274 ProxyErrorOverride should not affect redirects
- - PK45328 Single DES is no longer an approved FIPS-140 security function
- - PK38839 Allow collection of coredumps and other serviceability data for
SIGFPE crashes
- - PK37809 Empty response was sent for cached static files after revalidation
timeout
- - PK39018 Restart SIDD if it exits or crashes unexpectedly
- - PK37731 No client certificate prompt occurred with multiple SSL vhosts
configured
- - PK35675 mod_mem_cache crashes when used with client certificate
authentication
- - PK33253 SSL virtualhosts unable to perform SSLV3 handshake when keyfile
directive has been specified with an invalid parameter
- - PK31460 Observed strange browser behavior when receiving an HTTP 302
response over SSL through the reverse proxy
- - PK34180 Fix incorrect 304 responses for expired cache objects
- - PK29156 mod_rewrite defect led to vulnerability with verions of IHS 2.0 or
higher on Windows and HP-UX
- - PK28359 mod_ibm_ssl crypto card initialization problem when SSLServerCert
directive is used
- - PK28348 mod_cgid misprocessing when ScriptLog is defined inside VirtualHost
- - CVE-2005-3352 mod_imap: Escape untrusted referer header in response to
prevent potential cross-site scripting vulnerability
- - PK21998 SSLProtocolDisable directive can disable specific protocols
(e.g., "SSLProtocolDisable SSLv2" in virtual host)
- - PK24631 HTML-escape the value of the Expect header in the error response to
a bad Expect value
- - PK24686 Fix missing path information in arg0 of CGI scripts spawned by
mod_cgid
- - PK22995 Fix excessive forking in worker MPM if child process startup is slow.
- - mod_cache: Fix inconsistent results from requests which are implemented as
subrequests.
- - PK22485 memory leak and crash if files being served are truncated
- - allow diagnostic modules to track activity in log-transaction hook
- - PK20184 crashes related to mod_ibm_ssl and mod_ext_filter; also, deadlock of
filter processes with mod_ext_filter
- - PK20050 status line problem with IBM WebSphere plug-in and byterange filter
- - PK17802 mod_speling crash with WebSphere request
- - PK19060 mod_ibm_ldap does not retry request when server timed out connection
- - PK18642 mod_ibm_ldap memory leak
- - mod_ibm_ssl now removes null ciphers from default list
- - Apache.exe -V on Windows and apachectl -V on other platforms now displays
CVE ids of applicable Apache vulnerabilities resolved in this level of IBM
HTTP Server
- - PK13858 Do not remove Content-Length header for a proxied HEAD request,
allowing Windows Update to work through an IBM HTTP Server proxy.
- - PK15553 multiple mod_include fixes, including a change to log a warning
mssage if mod_include is only partially configured (filter enabled but
option not enabled)
- - Prevent hosts with SSLProxyEngine On from covering up failed initialization
of primary SSL environment.
- - Enable TLS protocol in the GSKit proxy environment to allow for connections
to backends using FIPS ciphers.
- - PK13453 Allow SID reuse when SSLClientAuth is optional and client does not
provide certificate.
- - PK15926 Resolve conflict between mod_ibm_ldap and the use of ldap in
/etc/nsswitch.conf for system user authentication on Linux.
- - mod_ibm_ssl: improve logging of handshake errors
- - mod_ibm_ssl: improve accuracy of "Using xxx Cipher" message
- - PK13066 CAN-2005-2970 worker MPM memory leak after aborted connection
(non-Windows platforms)
- - Prevent double-free of GSKit memory during stop or restart which sometimes
caused a coredump (non-Windows platforms)
- - Prevent double-free when an error occurred reading data from sidd
(non-Windows platforms only).
- - PK11929 CAN-2005-2491 Fix integer overflow in PCRE which leads to a
heap-based buffer overflow.
- - PK11929 CAN-2005-2728 Fix byte-range filter which allowed remote attackers
to cause a denial of service (memory consumption) via an HTTP header with
large Range field
- - Handle strerror() returning NULL on Solaris, resolving possible crashes when
writing to the error log.
- - Handle SSL requests where FIN is received from the client on Keepalive
connections before the response is written.
- - sidd now reports specific error code and filename when its trace or error
log can't be opened.
- - Fixed swapped references to ciphers 62 and 64. This resulted in SSLCipher*
directives operating on the wrong cipher (i.e., using 64 if 62 had been
specified).
- - Fix SSL handling of Timeout values larger than 2000 seconds, resolving SSL
handshake failures
- - PK07831 Resolve incompatibility between IHS and certain GSKit levels
- - PK07747 Resolve incompatibility between AFPA support on Windows and
Microsoft Security Patch MS05-019
- - CAN-2005-2088 preventative measures to prevent HTTP request smuggling, from
Apache 2.1.6 and future Apache 2.0.55
- - mod_ibm_ssl: include client IP address on many messages
- - mod_ibm_ssl: improve reporting of many SSL communication errors
- - Fix a servlet timeout when a POST response page contains SSI tags
- - Set RH variable to indicate which module handled or failed the request
- - dbmmanage: Select the database format which is accepted by IBM HTTP Server
- - mod_rewrite: improve performance with large RewriteMap files
- - Fix memory leak in the cache handling of mod_rewrite
- - Fix storage corruption problem with mod_userdir+suexec processing
- - PK03603 worker mpm: don not take down the whole server for a transient
thread creation failure
- - PK05830 Prevent hangs of child processes when writing to piped loggers at
the time of graceful restart
- - PK05957 Support the suppress-error-charset setting, as with all versions
of Apache 1.3
- - Set REDIRECT_REMOTE_USER for redirection of authenticated requests
- - worker mpm: lower severity of mutex "error" message which can occur normally
during restart
- - display time taken to process request in mod_status
- - mod_proxy: Handle client-aborted connections correctly
- - mod_mime_magic on Windows: support magic files with native line endings
- - support SHA1 passwords for mod_auth and mod_auth_dbm
- - support SendBufferSize on Windows
- - start piped loggers via the shell on UNIX, to support redirection
- - mod_cgid: Fix buffer overflow processing ScriptSock directive
- - mod_ibm_ldap: put timestamp on ldap trace records for correlation with other
logs
- - mod_ibm_ldap: return authorization error instead of internal server error
when password has expired
- - mod_ibm_ldap: add configuration control over whether or not referrals are
chased via "LdapReferrals On|Off " and "LdapReferralHopLimit nnn"
- - mod_ibm_ldap: add rebind support for improved compatibility with Microsoft
Active Directory 2003
- - remove 2GB log file size restriction on Linux and UNIX systems
- - PQ98957 fix HTTP RFC violations with handling of request bodies by proxy
- - PQ97712 fix worker MPM problem which left stranded processes after shutdown
- - fix mod_deflate problems handling 304 or 204 responses
- - PK00175 mod_ibm_ssl corrupts LIBPATH, breaking startup of third-party module
- - fix mod_ibm_ssl storage leak during apachectl restart or apachectl graceful
processing
- - PQ86346 Seg fault with IHS ldap/nss ldap on 390
- - fix mod_fastcgi incompatibility with WebSphere plug-in
- - rename zlib symbols used by mod_deflate to avoid collision with third-party
modules
- - add "/server-status?showmodule" support for displaying name of module where
request is stuck; ihsdiag 1.4.0 also exploits this support
- - CAN-2003-0020 escape data before writing to error log
- - fix ownership of sidd socket if IHS started as non-root on HP-UX
- - resolve CAN-2004-0809 and CAN-2004-0942 vulnerabilities
- - handle rewrite rules in Location containers applying to WebSphere resources
- - shut down worker MPM more quickly when processes are slow to exit
- - fix Expires handling with mod_cache
- - reduce severity of message for TCP_NODELAY error
- - PQ97125 CAN-2004-0942 fix memory consumption dos for folded MIME headers
- - add fatal exception hook for use by diagnostic modules
- - log reason for failing to connect to session id cache
- - fixed invalid info messages about non-FIPS cipher if FIPS enabled
- - fixed timeout problem in mod_ibm_ssl under load
- - fixed LDAP not escaping ctrl chars \,(,), and * as required by RFC 2254
- - changed LDAP queries to request minimal set of attributes
- - Potential denial of service exposure, CAN-2004-0786
- - CAN-2004-0747 buffer overflow if extremely large environment variables are
referenced in httpd.conf or .htaccess
- - fix termination of long request lines
- - fix mod_headers functional regression since 1.3
- - fix mod_deflate large memory consumption
- - fix handling of "AllowEncodedSlashes On"
- - fix stranded piped logger processes on Windows
- - change default Windows service name to the same service name set by IHS
installer so that -n option is not required
- - improve compatibility with 3rd party layered service providers on Win32
- - fix crash in mod_ibm_ssl when using client auth
- - CAN-2004-0493 remote memory allocation vulnerability
- - rotatelogs ability to use local time
- - "VirtualHost myhost" now applies to all IP addresses for myhost
- - Fix mod_deflate to handle zero length responses (such as 304 responses)
- - PQ89510 PDF files corrupted with acrobat over SSL (Windows)
- - Unnecessary mod_expires error message in log
- - Microsoft Windows pool corruption at startup leading to restart
- - Some random storage logged for excessively long request line
(Fixes in PQ85834 are not listed here.)
Special note for customers with SSLFIPSEnable:
If a virtual host contains SSLFIPSEnable and some SSLCipherSpec other than
"SSLCipherSpec FF", check the current level of GSKit installed using gsk7ver
or, for Linux/x86, gsk7ver_gcc295.
If the GSKit level is 7.0.3.9 or earlier, also install PK13784.
PROBLEM CONCLUSION:
See APARs for individual fixes.
Prerequisites
This Interim Fix may be installed over 2.0.47-PQ85834, 2.0.47, or 2.0.47.1
(with subsequent Interim Fixes possibly applied).
Installation Instructions
Please review the readme.txt for detailed installation instructions.
ftp://ftp.software.ibm.com/software/websphere/ihs/support/fixes/PK65782/readme.txt
URL LANGUAGE SIZE(Bytes)
Readme US English 16489
Download package
Download RELEASE DATE LANGUAGE SIZE(Bytes)
Download Options
2.0.47.1-PK65782.sun 05-21-2008 US English 18448896
ftp://ftp.software.ibm.com/software/websphere/ihs/support/fixes/PK65782/2.0.47.1-PK65782.sun.tar
2.0.47.1-PK65782.aix 05-21-2008 US English 5877760
ftp://ftp.software.ibm.com/software/websphere/ihs/support/fixes/PK65782/2.0.47.1-PK65782.aix.tar
2.0.47.1-PK65782.hpux 05-21-2008 US English 20439040
ftp://ftp.software.ibm.com/software/websphere/ihs/support/fixes/PK65782/2.0.47.1-PK65782.hpux.tar
2.0.47.1-PK65782.linux 05-21-2008 US English 4761600
ftp://ftp.software.ibm.com/software/websphere/ihs/support/fixes/PK65782/2.0.47.1-PK65782.linux.tar
2.0.47.1-PK65782.linux390 05-21-2008 US English 5529600
ftp://ftp.software.ibm.com/software/websphere/ihs/support/fixes/PK65782/2.0.47.1-PK65782.linux390.tar
2.0.47.1-PK65782.linuxppc 05-21-2008 US English 6297600
ftp://ftp.software.ibm.com/software/websphere/ihs/support/fixes/PK65782/2.0.47.1-PK65782.linuxppc.tar
2.0.47.1-PK65782.nt 05-21-2008 US English 4244092
ftp://ftp.software.ibm.com/software/websphere/ihs/support/fixes/PK65782/2.0.47.1-PK65782.nt.zip
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSDy1eSh9+71yA2DNAQIdbwP/QX/nQDXDEKUujhi59JoC5PBqNSvocmgp
i1xHzmNWLVEqriBq4FciKBvdw6QwhCATEjgz7nLAIJYybqKaD9Lb5KFNhverSP99
MJ1DQcDpaVU54zQRo1BxpL1krcEm7Rtcr6Wy0VAOLdtwpPNcMUpcsQnI8Ot9BA85
z/9P1D3rV+E=
=Gmml
-----END PGP SIGNATURE-----