SLES-SP4 Apache vulnerability to SSL-RENEGOTIATION



vhbsles
02-Nov-2011, 09:46
As it seems, SUSE did not backport the SSLInsecureRenegotiation directive
into the SLES10-SP4 Apache for now.
They did backport the option into the openssl package though, but how
could I use it on the SLES stock Apache?
With the open access to the THC DoS tool it is getting very risky to
have an SSL server on SLES10:
http://www.thc.org/thc-ssl-dos/


Code:
--------------------
apache2-2.2.3-16.36.1 - The Apache Web Server Version 2.0

Mi 31 Aug 2011 14:00:00 CEST
draht@suse.de
- httpd-2.2.x-bnc713966-CVE-2011-3192.patch fixes byterange remote
DoS vulnerability known as CVE-2011-3192. [bnc#713966]
Di 28 Jun 2011 14:00:00 CEST
draht@suse.de
- httpd-2.2.x-bnc690734.patch: take LimitRequestFieldsize config
option into account when parsing headers from backend. Thereby
avoid that the receiving buffers are too small. bnc#690734.
Mi 19 Jan 2011 13:00:00 CET
draht@suse.de
- httpd-2.2.x-bnc661597-add-root-to-path.patch: add / when on a
directory to feed correctly linked listings. bnc#661597
Di 11 Jan 2011 13:00:00 CET
draht@suse.de
- a2enmod shalt not disable a module in query mode. bnc#663359
Mi 08 Dez 2010 13:00:00 CET
draht@suse.de
- httpd-2.2.x-bnc555098-new_option_SSLRenegBufferSize.dif fixes
"413 Request Entity Too Large occur" problem. From L3:28789 and
bnc#555098.
- httpd-2.2.x-bnc527440-prefork_graceful_restart_hang.patch
fixes graceful restart hangs, bnc#555098.
- unified into httpd-2.2.x-CVE-2007-6420-6421-6422.patch:
httpd-2.2.x-CVE-2007-6420.patch
httpd-2.2.x-CVE-2007-6421.patch
httpd-2.2.x-CVE-2007-6422.patch for --fuzz=0 conflicts.
all patches apply to httpd-2.2.3/modules/proxy/mod_proxy_balancer.c
- unified into httpd-2.2.3-CVE-2009-1195-0.patch:
httpd-2.2.3-CVE-2009-1195.patch
httpd-2.2.3-CVE-2009-1195-2.patch for --fuzz=0 conflicts.
Di 17 Aug 2010 14:00:00 CEST
draht@suse.de
- httpd-2.2.10-bnc627030-CVE-2010-1452.patch fixes CVE-2010-1452
from [bnc#627030]. This _only_ affects mod_dav. CVE-2010-1452
also refers to mod_cache, but SLES is not affected as the error
was introduced into a newer version of apache. For completeness:
CVE-2010-2068 (information disclosure by mod_proxy_http)
does not affect Linux.
Fr 09 Apr 2010 14:00:00 CEST
draht@suse.de
- httpd-2.2.10-bnc570127.patch [bnc#570127]: fix for mod_ssl buffer
flushing problems causing hangs between browser and server, as
both are waiting for each other.
- httpd-2.2.10-bnc586572-CVE-2010-0434.patch [bnc#586572]: fix for
CVE-2010-0434 subrequest header handling information disclosure
with multithreaded MPM; remote attackers may obtain information
that is related to an earlier request.
- httpd-2.2.x-bnc586572-CVE-2010-0408.patch fix for CVE-2010-0408
DoS caused by wrong status code in mod_proxy_ajp
Fr 16 Okt 2009 14:00:00 CEST
meissner@suse.de
- fixed CVE-2009-3094 (The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
mod_proxy_ftp module allows remote FTP servers to cause a denial
of service (NULL pointer dereference and child process crash) via a
malformed reply to an EPSV command.)
- fixed CVE-2009-3095 (access restriction bypass in mod_proxy_ftp module)
bnc#538322
Di 13 Okt 2009 14:00:00 CEST
meissner@suse.de
- The CVE-2009-1191 patch should have been labeled CVE-2009-1195,
renamed. (bnc#513080)
- The CVE-2009-1195 patch was incomplete and lead to failures
with SSI scripts. (bnc#512583, bnc#539571)
- Fixed mod_proxy reverse denial of service (CVE-2009-1890, bnc#519194)
Fr 24 Jul 2009 14:00:00 CEST
crrodriguez@suse.de
- VUL-0: apache mod_deflate DoS [bnc#521906]
- VUL-0: apache - another issue similar to CVE-2009-1195 [bnc#513080]
- VUL-0: apache2: does not properly handle Options=IncludesNOEXEC [bnc#512583]
Mi 27 Mai 2009 14:00:00 CEST
crrodriguez@suse.de
- mod_cache and mod_rewrite incompatible with each other [bnc#482633]
Mo 02 Mär 2009 13:00:00 CET
crrodriguez@suse.de
- fix CVE-2008-2364 [bnc#408832]
Fr 19 Sep 2008 14:00:00 CEST
skh@suse.de
- add httpd-2.2.x-CVE-2007-6420.patch [bnc#373903]:
mod_proxy_balancer: Prevent CSRF attacks against the
balancer-manager interface. [Joe Orton]
- add httpd-2.0.x-CVE-2008-2939.patch [bnc#415061]:
mod_proxy_ftp: Prevent XSS attacks when using wildcards in
the path of the FTP URL. Discovered by Marc Bevand of Rapid7.
[Ruediger Pluem]
- fix httpd-2.2.x-CVE-2007-3304.patch:
do not bump MODULE_MAGIC_NUMBER_MINOR to 5 as the security fix
only provides part of the api
Di 25 Mär 2008 13:00:00 CET
skh@suse.de
- bnc #353859 / CVE-2007-5000: modules/mappers/mod_imagemap.c
(menu_header): Fix cross-site-scripting issue by escaping the URI,
and ensure that a charset parameter is sent in the content-type to
prevent autodetection by broken browsers.
- bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape
request method in 413 error reporting. Determined to be not
generally exploitable, but a flaw in any case.
- bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter
is numeric to prevent a possible XSS attack caused by redirecting
to other URLs. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6421: mod_proxy_balancer: Correctly escape
the worker route and the worker redirect string in the HTML output
of the balancer manager. Reported by SecurityReason.
- bnc #353261 / CVE-2007-6422: Prevent crash in balancer manager if
invalid balancer name is passed as parameter. Reported by
SecurityReason.
- bnc #353262 / CVE-2008-0005: Add explicit charset to the output of
various modules to work around possible cross-site scripting flaws
affecting web browsers that do not derive the response character
set as required by RFC2616. One of these reported by
SecurityReason
- Add Requires: ed [bnc #363611]
--------------------

Code:
--------------------
openssl-0.9.8a-18.54.1 - Secure Sockets and Transport Layer Security



Mo 19 Sep 2011 14:00:00 CEST
gjhe@suse.com
- fix bug[bnc#716144]- VUL-0: openssl ECDH crash
CVE-2011-3210
Di 31 Mai 2011 14:00:00 CEST
gjhe@novell.com
- update cyclic dependency with package openssl-certs.
Mo 30 Mai 2011 14:00:00 CEST
gjhe@novell.com
- fix bug[bnc#693027].
Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
Mo 11 Apr 2011 14:00:00 CEST
gjhe@novell.com
- fix bug [bnc#657663]
CVE-2010-4180
for CVE-2010-4252,no patch is added(for the J-PAKE
implementaion is not compiled in by default).
Di 15 Feb 2011 13:00:00 CET
lnussel@suse.de
- run c_rehash in %post to make sure cert links are there
Di 15 Feb 2011 13:00:00 CET
gjhe@novell.com
- fix bug[bnc#659128], add '-extensions v3_ca' option to both
demo scripts CA.sh and CA.pl
Do 10 Feb 2011 13:00:00 CET
kukuk@suse.de
- Require openssl-certs [bnc#670623]
Fr 10 Dez 2010 13:00:00 CET
gjhe@novell.com
- out of date CA list, bug[bnc#638744]
Mo 27 Sep 2010 14:00:00 CEST
gjhe@novell.com
- fix bug [bnc#608666]
So 26 Sep 2010 14:00:00 CEST
gjhe@novell.com
- fix bug [bnc#629905]
CVE-2010-2939
Do 25 Mär 2010 13:00:00 CET
meissner@suse.de
- Added tls/ssl secure renegotiation feature backport from 0.9.8m.
CVE-2009-3555 [bnc#584292]
- refreshed some patches for fuzz=0
Di 23 Mär 2010 13:00:00 CET
gjhe@novell.com
- fix security bug [bnc#597379]
CVE-2009-3245
Fr 15 Jan 2010 13:00:00 CET
gjhe@suse.de
- fix security bug [bnc#566238]
CVE-2009-4355
Do 12 Nov 2009 13:00:00 CET
gjhe@suse.de
- fix security bug [bnc#553641]
CVE-2009-3555
Di 21 Jul 2009 14:00:00 CEST
gjhe@suse.de
-add Entrust_net_Premium_2048_Secure_Server_CA.pem [bnc#522175]
Mi 10 Jun 2009 14:00:00 CEST
gjhe@suse.de
- fix security bug [bnc#509031]
CVE-2009-1386
CVE-2009-1387


--------------------


--
vhbsles
------------------------------------------------------------------------
vhbsles's Profile: http://forums.novell.com/member.php?userid=101902
View this thread: http://forums.novell.com/showthread.php?t=447649
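The question underneath the changelogs is whether a given SLES10 host still completes a renegotiation that the client asks for. The following is an added check, not code from this thread, from SUSE or from THC: it drives the stock `openssl s_client` (typing a line containing only `R` on its stdin makes it request a renegotiation) and classifies the transcript. The target host, the `-state` option and the two transcripts below are assumptions or constructed samples, not captures from any real server.

```python
"""Check whether a TLS server accepts client-initiated renegotiation.

Added example for this thread; it is not code from the original posts,
SUSE, Apache or THC. It drives the stock `openssl s_client` tool and relies
on three things it prints: "Secure Renegotiation IS supported" (or "IS NOT
supported") after the first handshake, "RENEGOTIATING" whenever a line
containing only 'R' is typed on its stdin, and, with `-state`, an
"SSL_connect:... read finished ..." line each time a handshake completes.
The two transcripts below are constructed for offline use, not captured.
"""
import re
import subprocess

# One such line per completed handshake (OpenSSL 0.9.8/1.0.x print
# "SSLv3 read finished A", 1.1.x prints "SSLv3/TLS read finished").
FINISHED_RE = re.compile(r"^SSL_connect:.*read finished", re.MULTILINE)


def classify(transcript):
    """Summarise the combined stdout+stderr of `openssl s_client -state`."""
    requested = transcript.count("RENEGOTIATING")
    completed = len(FINISHED_RE.findall(transcript))
    return {
        # RFC 5746 negotiated by both sides (the CVE-2009-3555 fix); says
        # nothing about whether renegotiation is *allowed* at all.
        "secure_renegotiation": "Secure Renegotiation IS supported" in transcript,
        "renegotiations_requested": requested,
        # The first completed handshake is the initial one; every further
        # one is a renegotiation the server went along with.
        "renegotiations_completed": max(completed - 1, 0),
        # What matters for a CVE-2011-1473-style flood: the server finished
        # at least one handshake that the client asked for.
        "client_can_renegotiate": requested > 0 and completed >= 2,
    }


def probe(host, port=443, attempts=3, timeout=15):
    """Connect to host:port, ask for `attempts` renegotiations, classify the result.

    Needs network access to the target; run it only against hosts you own.
    If an OpenSSL >= 1.1.1 pair negotiates TLS 1.3, add "-no_tls1_3" to cmd:
    TLS 1.3 has no renegotiation, so 'R' does nothing there.
    """
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-state"]
    stdin = "R\n" * attempts + "Q\n"  # 'Q' closes the connection cleanly
    try:
        proc = subprocess.run(cmd, input=stdin, capture_output=True,
                              text=True, timeout=timeout)
        out = proc.stdout + proc.stderr
    except subprocess.TimeoutExpired as exc:
        # A server that silently ignores the request leaves s_client waiting;
        # whatever it printed before the timeout is still worth classifying.
        out = "".join(
            p.decode("utf-8", "replace") if isinstance(p, bytes) else (p or "")
            for p in (exc.stdout, exc.stderr)
        )
    return classify(out)


# Constructed transcript: a server that completes all three renegotiations.
SAMPLE_ACCEPTED = """\
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 CN = www.example.test
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Secure Renegotiation IS supported
---
RENEGOTIATING
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read finished A
RENEGOTIATING
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read finished A
RENEGOTIATING
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read finished A
DONE
"""

# Constructed transcript: RFC 5746 is on, but the server never completes
# the renegotiation the client asked for.
SAMPLE_REFUSED = """\
CONNECTED(00000003)
SSL_connect:SSLv3 read finished A
---
Secure Renegotiation IS supported
---
RENEGOTIATING
SSL_connect:SSLv3 write client hello A
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(probe(target) if target else classify(SAMPLE_ACCEPTED))
```

Note that "Secure Renegotiation IS supported" only tells you both peers carry the CVE-2009-3555 fix; it says nothing about whether the server will keep performing renegotiations on demand, which is the property the flood abuses. The `client_can_renegotiate` field is the one to read.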

dirkmueller
04-Nov-2011, 10:26
Thanks for considering the security of your system. Unfortunately this
topic is a bit tricky. We did not backport the SSLInsecureRenegotiation
option, but we disabled insecure renegotiations completely (without an
option to turn it back on). This is however unrelated to the DoS issue
you're talking about. That one is not about insecure renegotiations, but
about being able to trigger an excessive amount of secure renegotiations
continuously on the server, so even if the option were available, it
would not help.

We're working with high priority on an update that will address the DoS
issue. The links to that will appear here:
http://support.novell.com/security/cve/CVE-2011-1473.html and here:
https://bugzilla.novell.com/show_bug.cgi?id=727993 and it can be installed
as usual via your regular maintenance update methods or 'NOVELL:
Patch Finder'
(http://download.novell.com/patch/finder/#familyId=7261&productId=36423&dateRange=&startDate=&endDate=&priority=&distribution=&architecture=&keywords=)


--
dirkmueller
------------------------------------------------------------------------
dirkmueller's Profile: http://forums.novell.com/member.php?userid=21451
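The distinction drawn in the reply above, that the flood consists of secure renegotiations, also says what a detection has to look at: not a missing RFC 5746 extension, but the number of handshakes on one connection. The following is an added example, not code from this thread, SUSE, Apache or THC, of counting renegotiations from TLS record headers alone; after the first ChangeCipherSpec the renegotiation handshake is encrypted, but the record content type is not. The byte streams are constructed inline and stand in for the client-to-server half of a captured connection; the threshold is an assumed value.

```python
"""Count TLS renegotiations on one connection from record headers alone.

Added example for this thread; not code from the posts, SUSE, Apache or THC.
The DoS described here uses *secure* (RFC 5746) renegotiations, so a detector
cannot key on a missing extension; it has to notice the volume. After the
first ChangeCipherSpec every handshake message, including the ClientHello
that starts each renegotiation, travels encrypted, so this code never looks
inside a record: it reads only the 5-byte record header (content type,
version, length), which TLS 1.0-1.2 always send in clear. The byte streams
are constructed inline; they stand in for the client-to-server half of a
captured TCP connection.
"""
import struct

CCS, ALERT, HANDSHAKE, APPDATA = 0x14, 0x15, 0x16, 0x17
TLS1_0 = 0x0301


def tls_record(content_type, payload, version=TLS1_0):
    """Build one TLS record; used here only to construct sample streams."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


def iter_records(stream):
    """Yield (content_type, payload) per complete record; stop at a truncated tail."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break
        yield ctype, body
        off += 5 + length


def renegotiation_stats(client_to_server):
    """Derive renegotiation counts from the client->server record sequence.

    Every full handshake carries exactly one ChangeCipherSpec per direction,
    so CCS records beyond the first are completed renegotiations. Handshake
    records after the initial Finished are attempts: they are present even
    when the server answers with a no_renegotiation alert and never finishes.
    Not valid for TLS 1.3, which has no renegotiation and sends dummy CCS
    records for middlebox compatibility.
    """
    ccs = 0
    handshake_after_initial = 0
    initial_done = False
    for ctype, _body in iter_records(client_to_server):
        if ctype == CCS:
            ccs += 1
        elif ctype == HANDSHAKE and initial_done:
            handshake_after_initial += 1
        # The first handshake record after the first CCS is the client's
        # Finished; from there on everything of type 0x16 is renegotiation.
        if ctype == HANDSHAKE and ccs == 1 and not initial_done:
            initial_done = True
    return {
        "completed_renegotiations": max(ccs - 1, 0),
        "handshake_records_after_initial": handshake_after_initial,
    }


def is_renegotiation_flood(client_to_server, max_renegotiations=5):
    """Legitimate renegotiations exist (e.g. mod_ssl re-handshakes when
    SSLVerifyClient is set per Location), so alert on volume, not presence.
    The default threshold is an assumed value, not a tested tuning."""
    stats = renegotiation_stats(client_to_server)
    return stats["completed_renegotiations"] > max_renegotiations


def build_stream(renegotiations, app_records=2):
    """Constructed client->server stream: one RSA-style handshake, some
    application data, then `renegotiations` full renegotiations. Payloads are
    filler bytes because only the headers are ever inspected."""
    def hs(n):
        return tls_record(HANDSHAKE, b"\x00" * n)
    initial = hs(60) + hs(70) + tls_record(CCS, b"\x01") + hs(48)  # CH, CKE, CCS, Fin
    data = tls_record(APPDATA, b"\x00" * 120) * app_records
    reneg = hs(64) + hs(70) + tls_record(CCS, b"\x01") + hs(48)    # same, but encrypted
    return initial + data + reneg * renegotiations


if __name__ == "__main__":
    for n in (0, 1, 50):
        s = build_stream(n)
        print(n, renegotiation_stats(s), is_renegotiation_flood(s))
```

Because each renegotiation costs the server a full private-key operation while costing the client almost nothing, the per-connection count is the signal to rate-limit or alert on; a server-initiated renegotiation (HelloRequest) is encrypted as well and is counted the same way, which is why the threshold is above zero rather than at it.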