Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2003-0192
Vulnerability from cvelistv5
Published
2003-07-10 04:00
Modified
2024-08-08 01:43
Severity ?
EPSS score ?
Summary
Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-08T01:43:36.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "MDKSA-2003:075",
"tags": [
"vendor-advisory",
"x_refsource_MANDRAKE",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
},
{
"name": "RHSA-2003:240",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
},
{
"name": "SCOSA-2004.6",
"tags": [
"vendor-advisory",
"x_refsource_SCO",
"x_transferred"
],
"url": "ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt"
},
{
"name": "RHSA-2003:243",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
},
{
"name": "oval:org.mitre.oval:def:169",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL",
"x_transferred"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
},
{
"name": "RHSA-2003:244",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
},
{
"name": "20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [3/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2003-07-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:10:35",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "MDKSA-2003:075",
"tags": [
"vendor-advisory",
"x_refsource_MANDRAKE"
],
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
},
{
"name": "RHSA-2003:240",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
},
{
"name": "SCOSA-2004.6",
"tags": [
"vendor-advisory",
"x_refsource_SCO"
],
"url": "ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt"
},
{
"name": "RHSA-2003:243",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
},
{
"name": "oval:org.mitre.oval:def:169",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
},
{
"name": "RHSA-2003:244",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
},
{
"name": "20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [3/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2003-0192",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "MDKSA-2003:075",
"refsource": "MANDRAKE",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
},
{
"name": "RHSA-2003:240",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
},
{
"name": "SCOSA-2004.6",
"refsource": "SCO",
"url": "ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt"
},
{
"name": "RHSA-2003:243",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
},
{
"name": "oval:org.mitre.oval:def:169",
"refsource": "OVAL",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
},
{
"name": "RHSA-2003:244",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
},
{
"name": "20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released",
"refsource": "BUGTRAQ",
"url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [3/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2003-0192",
"datePublished": "2003-07-10T04:00:00",
"dateReserved": "2003-04-01T00:00:00",
"dateUpdated": "2024-08-08T01:43:36.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2003-0192\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2003-08-18T04:00:00.000\",\"lastModified\":\"2024-11-20T23:44:10.900\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \\\"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\\\" which could cause Apache to use the weak ciphersuite.\"},{\"lang\":\"es\",\"value\":\"Apache 2 anteriores a 2.0.47, y ciertas versiones de mod_ssl para Apache 1.3, no manejan adecuadamente \\\"ciertas secuencias de re-negociaciones por directorio junto con la directiva SSLCipherSuite siendo usada para mejorar de un nivel de cifrado (ciphersuite) d\u00e9bil a uno fuerte\\\", lo que podr\u00eda hacer que apache utilizara el nivel de cifrado d\u00e9bil.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:P\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"163A6EF6-7D3F-4B1F-9E03-A8C86562CC3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB477AFB-EA39-4892-B772-586CF6D2D235\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B35906CD-038E-4243-8A95-F0A3A43F06F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B940BB85-03F5-46D7-8DC9-2E1E228D3D98\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"82139FFA-2779-4732-AFA5-4E6E19775899\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B7F717E6-BACD-4C8A-A9C5-516ADA6FEE6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"08AB120B-2FEC-4EB3-9777-135D81E809AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C7FF669-12E0-4A73-BBA7-250D109148C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5AB7B1F1-7202-445D-9F96-135DC0AFB1E9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BCB7EE53-187E-40A9-9865-0F3EDA2B5A4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D06AE8A-9BA8-4AA8-ACEA-326CD001E879\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FC1A04B-0466-48AD-89F3-1F2EF1DEBE6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"19F34D08-430E-4331-A27D-667149425176\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"248BDF2C-3E78-49D1-BD9C-60C09A441724\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB0FDE3D-1509-4375-8703-0D174D70B22E\"}]}]}],\"references\":[{\"url\":\"ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDKSA-2003:075\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-240.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-243.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-244.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169\",\"source\":\"cve@mitre.org\"},{\"url\":\"ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDKSA-2003:075\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-240.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-243.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2003-244.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"vendorComments\":[{\"organization\":\"Apache\",\"comment\":\"Fixed in Apache HTTP Server 2.0.47:\\nhttp://httpd.apache.org/security/vulnerabilities_20.html\",\"lastModified\":\"2008-07-02T00:00:00\"},{\"organization\":\"Red Hat\",\"comment\":\"This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\\n\\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.\",\"lastModified\":\"2008-03-10T00:00:00\"}]}}"
}
}
rhsa-2003_243
Vulnerability from csaf_redhat
Published
2003-09-22 08:34
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities
Notes
Topic
Updated Apache and mod_ssl packages that fix several minor security issues
are now available for Red Hat Linux 7.1, 7.2, and 7.3.
Details
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
which can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Apache does not filter terminal escape sequences from its error logs, which
could make it easier for attackers to insert those sequences into terminal
emulators containing vulnerabilities related to escape sequences. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0020 to this issue.
It is possible to get Apache 1.3 to get into an infinite loop handling
internal redirects and nested subrequests. A patch for this issue adds a
new LimitInternalRecursion directive.
All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues.
After the errata packages are installed, restart the Web service by running
the following command:
/sbin/service httpd restart
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Linux 7.1, 7.2, and 7.3.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:243",
"url": "https://access.redhat.com/errata/RHSA-2003:243"
},
{
"category": "external",
"summary": "http://www.apacheweek.com/issues/03-07-11#security",
"url": "http://www.apacheweek.com/issues/03-07-11#security"
},
{
"category": "external",
"summary": "60281",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=60281"
},
{
"category": "external",
"summary": "72245",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=72245"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_243.json"
}
],
"title": "Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities",
"tracking": {
"current_release_date": "2024-11-21T22:48:37+00:00",
"generator": {
"date": "2024-11-21T22:48:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:243",
"initial_release_date": "2003-09-22T08:34:00+00:00",
"revision_history": [
{
"date": "2003-09-22T08:34:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-09-22T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.2",
"product": {
"name": "Red Hat Linux 7.2",
"product_id": "Red Hat Linux 7.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.3",
"product": {
"name": "Red Hat Linux 7.3",
"product_id": "Red Hat Linux 7.3",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0020",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616937"
}
],
"notes": [
{
"category": "description",
"text": "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0020"
},
{
"category": "external",
"summary": "RHBZ#1616937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0020",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0020"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020"
}
],
"release_date": "2003-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:34:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:243"
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:34:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:243"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
rhsa-2003:290
Vulnerability from csaf_redhat
Published
2003-09-30 12:16
Modified
2024-11-21 22:52
Summary
Red Hat Security Advisory: mod_ssl, openssl security update for Stronghold
Notes
Topic
Updated versions of Stronghold 4 cross-platform are available that fix
several security issues affecting OpenSSL and mod_ssl. A number of bug
fixes and new features are also included.
Details
Stronghold 4 contains a number of open source technologies, including
OpenSSL 0.9.6 and mod_ssl.
NISCC testing of implementations of the SSL protocol uncovered two bugs in
OpenSSL 0.9.6. The parsing of unusual ASN.1 tag values can cause OpenSSL
to crash. A remote attacker could trigger this bug by sending a carefully
crafted SSL client certificate to the Stronghold Web server, which would
cause the server child process handling the request to terminate. The
effects of such an attack would be limited, as Apache is designed to handle
this situation. In most cases, an attack would simply cause increased
server load, which would only last as long as an attacker continues to make
malicious connections. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to
this issue.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
that can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Users of Stronghold 4 cross-platform are advised to update to these errata
versions, which contain backported security fixes and are not vulnerable to
these issues.
Red Hat would like to thank NISCC, Stephen Henson, and Ben Laurie for their
work on these vulnerabilities.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated versions of Stronghold 4 cross-platform are available that fix\nseveral security issues affecting OpenSSL and mod_ssl. A number of bug\nfixes and new features are also included.",
"title": "Topic"
},
{
"category": "general",
"text": "Stronghold 4 contains a number of open source technologies, including\nOpenSSL 0.9.6 and mod_ssl.\n\nNISCC testing of implementations of the SSL protocol uncovered two bugs in\nOpenSSL 0.9.6. The parsing of unusual ASN.1 tag values can cause OpenSSL\nto crash. A remote attacker could trigger this bug by sending a carefully\ncrafted SSL client certificate to the Stronghold Web server, which would\ncause the server child process handling the request to terminate. The\neffects of such an attack would be limited, as Apache is designed to handle\nthis situation. In most cases, an attack would simply cause increased\nserver load, which would only last as long as an attacker continues to make\nmalicious connections. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to\nthis issue. \n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nthat can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nUsers of Stronghold 4 cross-platform are advised to update to these errata\nversions, which contain backported security fixes and are not vulnerable to\nthese issues.\n\nRed Hat would like to thank NISCC, Stephen Henson, and Ben Laurie for their\nwork on these vulnerabilities.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:290",
"url": "https://access.redhat.com/errata/RHSA-2003:290"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "http://www.niscc.gov.uk/",
"url": "http://www.niscc.gov.uk/"
},
{
"category": "external",
"summary": "http://www.openssl.org/news/secadv_20030930.txt",
"url": "http://www.openssl.org/news/secadv_20030930.txt"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_290.json"
}
],
"title": "Red Hat Security Advisory: mod_ssl, openssl security update for Stronghold",
"tracking": {
"current_release_date": "2024-11-21T22:52:00+00:00",
"generator": {
"date": "2024-11-21T22:52:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:290",
"initial_release_date": "2003-09-30T12:16:00+00:00",
"revision_history": [
{
"date": "2003-09-30T12:16:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-10-03T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:52:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Stronghold 4",
"product": {
"name": "Red Hat Stronghold 4",
"product_id": "Red Hat Stronghold 4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:stronghold:4"
}
}
}
],
"category": "product_family",
"name": "Stronghold Cross Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Stronghold 4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-30T12:16:00+00:00",
"details": "Updated Stronghold 4 packages are now available via the update agent\nservice. Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
"product_ids": [
"Red Hat Stronghold 4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:290"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0543",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "104893"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Stronghold 4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0543"
},
{
"category": "external",
"summary": "RHBZ#104893",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=104893"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0543",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0543"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543"
}
],
"release_date": "2003-09-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-30T12:16:00+00:00",
"details": "Updated Stronghold 4 packages are now available via the update agent\nservice. Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
"product_ids": [
"Red Hat Stronghold 4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:290"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes"
},
{
"cve": "CVE-2003-0544",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "104893"
}
],
"notes": [
{
"category": "description",
"text": "OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Stronghold 4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0544"
},
{
"category": "external",
"summary": "RHBZ#104893",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=104893"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0544",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0544"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544"
}
],
"release_date": "2003-09-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-30T12:16:00+00:00",
"details": "Updated Stronghold 4 packages are now available via the update agent\nservice. Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
"product_ids": [
"Red Hat Stronghold 4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:290"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes"
}
]
}
rhsa-2003_244
Vulnerability from csaf_redhat
Published
2003-09-22 08:39
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: apache security update
Notes
Topic
Updated Apache and mod_ssl packages that fix several minor security issues
are now available for Red Hat Enterprise Linux.
Details
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
which can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Apache does not filter terminal escape sequences from its error logs, which
could make it easier for attackers to insert those sequences into terminal
emulators containing vulnerabilities related to escape sequences. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0020 to this issue.
It is possible to get Apache 1.3 to get into an infinite loop handling
internal redirects and nested subrequests. A patch for this issue adds a
new LimitInternalRecursion directive.
All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues.
After the errata packages are installed, restart the Web service by running
the following command:
/sbin/service httpd restart
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Enterprise Linux.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:244",
"url": "https://access.redhat.com/errata/RHSA-2003:244"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "http://www.apacheweek.com/issues/03-07-11#security",
"url": "http://www.apacheweek.com/issues/03-07-11#security"
},
{
"category": "external",
"summary": "98919",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98919"
},
{
"category": "external",
"summary": "100430",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=100430"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_244.json"
}
],
"title": "Red Hat Security Advisory: apache security update",
"tracking": {
"current_release_date": "2024-11-21T22:48:41+00:00",
"generator": {
"date": "2024-11-21T22:48:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:244",
"initial_release_date": "2003-09-22T08:39:00+00:00",
"revision_history": [
{
"date": "2003-09-22T08:39:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-09-22T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product": {
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux Advanced Workstation 2.1",
"product": {
"name": "Red Hat Linux Advanced Workstation 2.1",
"product_id": "Red Hat Linux Advanced Workstation 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::aw"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 2.1",
"product": {
"name": "Red Hat Enterprise Linux ES version 2.1",
"product_id": "Red Hat Enterprise Linux ES version 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 2.1",
"product": {
"name": "Red Hat Enterprise Linux WS version 2.1",
"product_id": "Red Hat Enterprise Linux WS version 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::ws"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0020",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616937"
}
],
"notes": [
{
"category": "description",
"text": "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0020"
},
{
"category": "external",
"summary": "RHBZ#1616937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0020",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0020"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020"
}
],
"release_date": "2003-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:39:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:244"
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:39:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:244"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
rhsa-2003:244
Vulnerability from csaf_redhat
Published
2003-09-22 08:39
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: apache security update
Notes
Topic
Updated Apache and mod_ssl packages that fix several minor security issues
are now available for Red Hat Enterprise Linux.
Details
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
which can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Apache does not filter terminal escape sequences from its error logs, which
could make it easier for attackers to insert those sequences into terminal
emulators containing vulnerabilities related to escape sequences. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0020 to this issue.
It is possible to get Apache 1.3 to get into an infinite loop handling
internal redirects and nested subrequests. A patch for this issue adds a
new LimitInternalRecursion directive.
All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues.
After the errata packages are installed, restart the Web service by running
the following command:
/sbin/service httpd restart
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Enterprise Linux.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:244",
"url": "https://access.redhat.com/errata/RHSA-2003:244"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "http://www.apacheweek.com/issues/03-07-11#security",
"url": "http://www.apacheweek.com/issues/03-07-11#security"
},
{
"category": "external",
"summary": "98919",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98919"
},
{
"category": "external",
"summary": "100430",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=100430"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_244.json"
}
],
"title": "Red Hat Security Advisory: apache security update",
"tracking": {
"current_release_date": "2024-11-21T22:48:41+00:00",
"generator": {
"date": "2024-11-21T22:48:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:244",
"initial_release_date": "2003-09-22T08:39:00+00:00",
"revision_history": [
{
"date": "2003-09-22T08:39:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-09-22T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product": {
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux Advanced Workstation 2.1",
"product": {
"name": "Red Hat Linux Advanced Workstation 2.1",
"product_id": "Red Hat Linux Advanced Workstation 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::aw"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 2.1",
"product": {
"name": "Red Hat Enterprise Linux ES version 2.1",
"product_id": "Red Hat Enterprise Linux ES version 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 2.1",
"product": {
"name": "Red Hat Enterprise Linux WS version 2.1",
"product_id": "Red Hat Enterprise Linux WS version 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::ws"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0020",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616937"
}
],
"notes": [
{
"category": "description",
"text": "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0020"
},
{
"category": "external",
"summary": "RHBZ#1616937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0020",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0020"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020"
}
],
"release_date": "2003-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:39:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:244"
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:39:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:244"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
RHSA-2003:240
Vulnerability from csaf_redhat
Published
2003-09-04 07:40
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: : Updated httpd packages fix Apache security vulnerabilities
Notes
Topic
Updated httpd packages that fix several minor security issues are now
available for Red Hat Linux 8.0 and 9.
Details
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
included with Apache 2 versions 2.0.35 through 2.0.46 that can cause
cipher suite restrictions to be ignored. This is triggered if optional
renegotiation is used (SSLOptions +OptRenegotiate) along with verification
of client certificates and a change to the cipher suite over the
renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Yoshioka Tsuneo found that unpatched versions of Apache 2 versions 2.0.35
to 2.0.46 have a bug that can cause a remote Denial of Service. When a
client requests that proxy ftp connect to a ftp server with an IPv6
address, and the proxy is unable to create an IPv6 socket, an infinite loop
occurs. The Common Vulnerabilities and Exposures project has assigned the
name CAN-2003-0254 to this issue.
Saheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46
have a bug in the prefork MPM when handling accept errors. In a server with
multiple listening sockets, a certain error returned by accept() on a
rarely-accessed port can cause a temporary denial of service. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2003-0253
to this issue.
It is possible for Apache 2 to get into an infinite loop handling internal
redirects and nested subrequests. A patch for this issue adds the new
LimitInternalRecursion directive.
All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues, and are applied to Apache version 2.0.40.
After the errata packages are installed, restart the Web service by running
(as root) the following command:
/sbin/service httpd restart
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated httpd packages that fix several minor security issues are now\navailable for Red Hat Linux 8.0 and 9.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nincluded with Apache 2 versions 2.0.35 through 2.0.46 that can cause\ncipher suite restrictions to be ignored. This is triggered if optional\nrenegotiation is used (SSLOptions +OptRenegotiate) along with verification\nof client certificates and a change to the cipher suite over the\nrenegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nYoshioka Tsuneo found that unpatched versions of Apache 2 versions 2.0.35\nto 2.0.46 have a bug that can cause a remote Denial of Service. When a\nclient requests that proxy ftp connect to a ftp server with an IPv6\naddress, and the proxy is unable to create an IPv6 socket, an infinite loop\noccurs. The Common Vulnerabilities and Exposures project has assigned the\nname CAN-2003-0254 to this issue.\n\nSaheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46\nhave a bug in the prefork MPM when handling accept errors. In a server with\nmultiple listening sockets, a certain error returned by accept() on a\nrarely-accessed port can cause a temporary denial of service. The Common\nVulnerabilities and Exposures project has assigned the name CAN-2003-0253\nto this issue.\n\nIt is possible for Apache 2 to get into an infinite loop handling internal\nredirects and nested subrequests. A patch for this issue adds the new\nLimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues, and are applied to Apache version 2.0.40.\n\nAfter the errata packages are installed, restart the Web service by running\n(as root) the following command:\n\n/sbin/service httpd restart",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:240",
"url": "https://access.redhat.com/errata/RHSA-2003:240"
},
{
"category": "external",
"summary": "http://www.apacheweek.com/issues/03-07-11#security",
"url": "http://www.apacheweek.com/issues/03-07-11#security"
},
{
"category": "external",
"summary": "78019",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=78019"
},
{
"category": "external",
"summary": "82985",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=82985"
},
{
"category": "external",
"summary": "85022",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=85022"
},
{
"category": "external",
"summary": "97111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=97111"
},
{
"category": "external",
"summary": "98545",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98545"
},
{
"category": "external",
"summary": "98653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98653"
},
{
"category": "external",
"summary": "98852",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98852"
},
{
"category": "external",
"summary": "98853",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98853"
},
{
"category": "external",
"summary": "98855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98855"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_240.json"
}
],
"title": "Red Hat Security Advisory: : Updated httpd packages fix Apache security vulnerabilities",
"tracking": {
"current_release_date": "2024-11-21T22:48:33+00:00",
"generator": {
"date": "2024-11-21T22:48:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:240",
"initial_release_date": "2003-09-04T07:40:00+00:00",
"revision_history": [
{
"date": "2003-09-04T07:40:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-09-04T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 8.0",
"product": {
"name": "Red Hat Linux 8.0",
"product_id": "Red Hat Linux 8.0",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:8.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 9",
"product": {
"name": "Red Hat Linux 9",
"product_id": "Red Hat Linux 9",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-04T07:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:240"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0253",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1617012"
}
],
"notes": [
{
"category": "description",
"text": "The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0253"
},
{
"category": "external",
"summary": "RHBZ#1617012",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617012"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0253",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0253"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0253",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0253"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-04T07:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:240"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0254",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1617013"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0254"
},
{
"category": "external",
"summary": "RHBZ#1617013",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617013"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0254",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0254"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-04T07:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:240"
}
],
"title": "security flaw"
}
]
}
rhsa-2003:243
Vulnerability from csaf_redhat
Published
2003-09-22 08:34
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities
Notes
Topic
Updated Apache and mod_ssl packages that fix several minor security issues
are now available for Red Hat Linux 7.1, 7.2, and 7.3.
Details
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
which can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Apache does not filter terminal escape sequences from its error logs, which
could make it easier for attackers to insert those sequences into terminal
emulators containing vulnerabilities related to escape sequences. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0020 to this issue.
It is possible to get Apache 1.3 to get into an infinite loop handling
internal redirects and nested subrequests. A patch for this issue adds a
new LimitInternalRecursion directive.
All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues.
After the errata packages are installed, restart the Web service by running
the following command:
/sbin/service httpd restart
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Linux 7.1, 7.2, and 7.3.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:243",
"url": "https://access.redhat.com/errata/RHSA-2003:243"
},
{
"category": "external",
"summary": "http://www.apacheweek.com/issues/03-07-11#security",
"url": "http://www.apacheweek.com/issues/03-07-11#security"
},
{
"category": "external",
"summary": "60281",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=60281"
},
{
"category": "external",
"summary": "72245",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=72245"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_243.json"
}
],
"title": "Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities",
"tracking": {
"current_release_date": "2024-11-21T22:48:37+00:00",
"generator": {
"date": "2024-11-21T22:48:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:243",
"initial_release_date": "2003-09-22T08:34:00+00:00",
"revision_history": [
{
"date": "2003-09-22T08:34:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-09-22T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.2",
"product": {
"name": "Red Hat Linux 7.2",
"product_id": "Red Hat Linux 7.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.3",
"product": {
"name": "Red Hat Linux 7.3",
"product_id": "Red Hat Linux 7.3",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0020",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616937"
}
],
"notes": [
{
"category": "description",
"text": "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0020"
},
{
"category": "external",
"summary": "RHBZ#1616937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0020",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0020"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020"
}
],
"release_date": "2003-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:34:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:243"
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:34:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:243"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
rhsa-2003_301
Vulnerability from csaf_redhat
Published
2003-10-15 08:18
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: mod_ssl security update for Stronghold
Notes
Topic
An updated mod_ssl package is now available for Stronghold 4 on Red Hat
Enterprise Linux that closes a security issue in certain rare configurations.
Details
Stronghold 4 contains a number of open source technologies, including the
mod_ssl module (which provides SSL/TLS support for Apache).
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
that can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Users of Stronghold 4 on Red Hat Enterprise Linux may update to
this erratum package, which contains a backported security fix and is not
vulnerable to this issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated mod_ssl package is now available for Stronghold 4 on Red Hat\nEnterprise Linux that closes a security issue in certain rare configurations.",
"title": "Topic"
},
{
"category": "general",
"text": "Stronghold 4 contains a number of open source technologies, including the\nmod_ssl module (which provides SSL/TLS support for Apache).\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nthat can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nUsers of Stronghold 4 on Red Hat Enterprise Linux may update to\nthis erratum package, which contains a backported security fix and is not\nvulnerable to this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:301",
"url": "https://access.redhat.com/errata/RHSA-2003:301"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_301.json"
}
],
"title": "Red Hat Security Advisory: mod_ssl security update for Stronghold",
"tracking": {
"current_release_date": "2024-11-21T22:48:48+00:00",
"generator": {
"date": "2024-11-21T22:48:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:301",
"initial_release_date": "2003-10-15T08:18:00+00:00",
"revision_history": [
{
"date": "2003-10-15T08:18:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-10-15T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Stronghold 4 for Red Hat Enterprise Linux",
"product": {
"name": "Stronghold 4 for Red Hat Enterprise Linux",
"product_id": "Stronghold 4 for Red Hat Enterprise Linux",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_stronghold:4"
}
}
}
],
"category": "product_family",
"name": "Stronghold 4.0 for Red Hat Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Stronghold 4 for Red Hat Enterprise Linux"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-10-15T08:18:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Stronghold 4 for Red Hat Enterprise Linux"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:301"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
RHSA-2003:244
Vulnerability from csaf_redhat
Published
2003-09-22 08:39
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: apache security update
Notes
Topic
Updated Apache and mod_ssl packages that fix several minor security issues
are now available for Red Hat Enterprise Linux.
Details
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
which can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Apache does not filter terminal escape sequences from its error logs, which
could make it easier for attackers to insert those sequences into terminal
emulators containing vulnerabilities related to escape sequences. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0020 to this issue.
It is possible to get Apache 1.3 to get into an infinite loop handling
internal redirects and nested subrequests. A patch for this issue adds a
new LimitInternalRecursion directive.
All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues.
After the errata packages are installed, restart the Web service by running
the following command:
/sbin/service httpd restart
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Enterprise Linux.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:244",
"url": "https://access.redhat.com/errata/RHSA-2003:244"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "http://www.apacheweek.com/issues/03-07-11#security",
"url": "http://www.apacheweek.com/issues/03-07-11#security"
},
{
"category": "external",
"summary": "98919",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98919"
},
{
"category": "external",
"summary": "100430",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=100430"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_244.json"
}
],
"title": "Red Hat Security Advisory: apache security update",
"tracking": {
"current_release_date": "2024-11-21T22:48:41+00:00",
"generator": {
"date": "2024-11-21T22:48:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:244",
"initial_release_date": "2003-09-22T08:39:00+00:00",
"revision_history": [
{
"date": "2003-09-22T08:39:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-09-22T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product": {
"name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux Advanced Workstation 2.1",
"product": {
"name": "Red Hat Linux Advanced Workstation 2.1",
"product_id": "Red Hat Linux Advanced Workstation 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::aw"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 2.1",
"product": {
"name": "Red Hat Enterprise Linux ES version 2.1",
"product_id": "Red Hat Enterprise Linux ES version 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 2.1",
"product": {
"name": "Red Hat Enterprise Linux WS version 2.1",
"product_id": "Red Hat Enterprise Linux WS version 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:2.1::ws"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0020",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616937"
}
],
"notes": [
{
"category": "description",
"text": "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0020"
},
{
"category": "external",
"summary": "RHBZ#1616937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0020",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0020"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020"
}
],
"release_date": "2003-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:39:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:244"
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:39:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
"Red Hat Enterprise Linux ES version 2.1",
"Red Hat Enterprise Linux WS version 2.1",
"Red Hat Linux Advanced Workstation 2.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:244"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
RHSA-2003:301
Vulnerability from csaf_redhat
Published
2003-10-15 08:18
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: mod_ssl security update for Stronghold
Notes
Topic
An updated mod_ssl package is now available for Stronghold 4 on Red Hat
Enterprise Linux that closes a security issue in certain rare configurations.
Details
Stronghold 4 contains a number of open source technologies, including the
mod_ssl module (which provides SSL/TLS support for Apache).
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
that can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Users of Stronghold 4 on Red Hat Enterprise Linux may update to
this erratum package, which contains a backported security fix and is not
vulnerable to this issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated mod_ssl package is now available for Stronghold 4 on Red Hat\nEnterprise Linux that closes a security issue in certain rare configurations.",
"title": "Topic"
},
{
"category": "general",
"text": "Stronghold 4 contains a number of open source technologies, including the\nmod_ssl module (which provides SSL/TLS support for Apache).\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nthat can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nUsers of Stronghold 4 on Red Hat Enterprise Linux may update to\nthis erratum package, which contains a backported security fix and is not\nvulnerable to this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:301",
"url": "https://access.redhat.com/errata/RHSA-2003:301"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_301.json"
}
],
"title": "Red Hat Security Advisory: mod_ssl security update for Stronghold",
"tracking": {
"current_release_date": "2024-11-21T22:48:48+00:00",
"generator": {
"date": "2024-11-21T22:48:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:301",
"initial_release_date": "2003-10-15T08:18:00+00:00",
"revision_history": [
{
"date": "2003-10-15T08:18:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-10-15T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Stronghold 4 for Red Hat Enterprise Linux",
"product": {
"name": "Stronghold 4 for Red Hat Enterprise Linux",
"product_id": "Stronghold 4 for Red Hat Enterprise Linux",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_stronghold:4"
}
}
}
],
"category": "product_family",
"name": "Stronghold 4.0 for Red Hat Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Stronghold 4 for Red Hat Enterprise Linux"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-10-15T08:18:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Stronghold 4 for Red Hat Enterprise Linux"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:301"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
RHSA-2003:290
Vulnerability from csaf_redhat
Published
2003-09-30 12:16
Modified
2024-11-21 22:52
Summary
Red Hat Security Advisory: mod_ssl, openssl security update for Stronghold
Notes
Topic
Updated versions of Stronghold 4 cross-platform are available that fix
several security issues affecting OpenSSL and mod_ssl. A number of bug
fixes and new features are also included.
Details
Stronghold 4 contains a number of open source technologies, including
OpenSSL 0.9.6 and mod_ssl.
NISCC testing of implementations of the SSL protocol uncovered two bugs in
OpenSSL 0.9.6. The parsing of unusual ASN.1 tag values can cause OpenSSL
to crash. A remote attacker could trigger this bug by sending a carefully
crafted SSL client certificate to the Stronghold Web server, which would
cause the server child process handling the request to terminate. The
effects of such an attack would be limited, as Apache is designed to handle
this situation. In most cases, an attack would simply cause increased
server load, which would only last as long as an attacker continues to make
malicious connections. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to
this issue.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
that can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Users of Stronghold 4 cross-platform are advised to update to these errata
versions, which contain backported security fixes and are not vulnerable to
these issues.
Red Hat would like to thank NISCC, Stephen Henson, and Ben Laurie for their
work on these vulnerabilities.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated versions of Stronghold 4 cross-platform are available that fix\nseveral security issues affecting OpenSSL and mod_ssl. A number of bug\nfixes and new features are also included.",
"title": "Topic"
},
{
"category": "general",
"text": "Stronghold 4 contains a number of open source technologies, including\nOpenSSL 0.9.6 and mod_ssl.\n\nNISCC testing of implementations of the SSL protocol uncovered two bugs in\nOpenSSL 0.9.6. The parsing of unusual ASN.1 tag values can cause OpenSSL\nto crash. A remote attacker could trigger this bug by sending a carefully\ncrafted SSL client certificate to the Stronghold Web server, which would\ncause the server child process handling the request to terminate. The\neffects of such an attack would be limited, as Apache is designed to handle\nthis situation. In most cases, an attack would simply cause increased\nserver load, which would only last as long as an attacker continues to make\nmalicious connections. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to\nthis issue. \n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nthat can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nUsers of Stronghold 4 cross-platform are advised to update to these errata\nversions, which contain backported security fixes and are not vulnerable to\nthese issues.\n\nRed Hat would like to thank NISCC, Stephen Henson, and Ben Laurie for their\nwork on these vulnerabilities.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:290",
"url": "https://access.redhat.com/errata/RHSA-2003:290"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "http://www.niscc.gov.uk/",
"url": "http://www.niscc.gov.uk/"
},
{
"category": "external",
"summary": "http://www.openssl.org/news/secadv_20030930.txt",
"url": "http://www.openssl.org/news/secadv_20030930.txt"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_290.json"
}
],
"title": "Red Hat Security Advisory: mod_ssl, openssl security update for Stronghold",
"tracking": {
"current_release_date": "2024-11-21T22:52:00+00:00",
"generator": {
"date": "2024-11-21T22:52:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:290",
"initial_release_date": "2003-09-30T12:16:00+00:00",
"revision_history": [
{
"date": "2003-09-30T12:16:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-10-03T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:52:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Stronghold 4",
"product": {
"name": "Red Hat Stronghold 4",
"product_id": "Red Hat Stronghold 4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:stronghold:4"
}
}
}
],
"category": "product_family",
"name": "Stronghold Cross Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Stronghold 4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-30T12:16:00+00:00",
"details": "Updated Stronghold 4 packages are now available via the update agent\nservice. Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
"product_ids": [
"Red Hat Stronghold 4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:290"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0543",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "104893"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Stronghold 4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0543"
},
{
"category": "external",
"summary": "RHBZ#104893",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=104893"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0543",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0543"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543"
}
],
"release_date": "2003-09-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-30T12:16:00+00:00",
"details": "Updated Stronghold 4 packages are now available via the update agent\nservice. Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
"product_ids": [
"Red Hat Stronghold 4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:290"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes"
},
{
"cve": "CVE-2003-0544",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "104893"
}
],
"notes": [
{
"category": "description",
"text": "OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Stronghold 4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0544"
},
{
"category": "external",
"summary": "RHBZ#104893",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=104893"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0544",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0544"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544"
}
],
"release_date": "2003-09-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-30T12:16:00+00:00",
"details": "Updated Stronghold 4 packages are now available via the update agent\nservice. Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
"product_ids": [
"Red Hat Stronghold 4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:290"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes"
}
]
}
rhsa-2003_290
Vulnerability from csaf_redhat
Published
2003-09-30 12:16
Modified
2024-11-21 22:52
Summary
Red Hat Security Advisory: mod_ssl, openssl security update for Stronghold
Notes
Topic
Updated versions of Stronghold 4 cross-platform are available that fix
several security issues affecting OpenSSL and mod_ssl. A number of bug
fixes and new features are also included.
Details
Stronghold 4 contains a number of open source technologies, including
OpenSSL 0.9.6 and mod_ssl.
NISCC testing of implementations of the SSL protocol uncovered two bugs in
OpenSSL 0.9.6. The parsing of unusual ASN.1 tag values can cause OpenSSL
to crash. A remote attacker could trigger this bug by sending a carefully
crafted SSL client certificate to the Stronghold Web server, which would
cause the server child process handling the request to terminate. The
effects of such an attack would be limited, as Apache is designed to handle
this situation. In most cases, an attack would simply cause increased
server load, which would only last as long as an attacker continues to make
malicious connections. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to
this issue.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
that can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Users of Stronghold 4 cross-platform are advised to update to these errata
versions, which contain backported security fixes and are not vulnerable to
these issues.
Red Hat would like to thank NISCC, Stephen Henson, and Ben Laurie for their
work on these vulnerabilities.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated versions of Stronghold 4 cross-platform are available that fix\nseveral security issues affecting OpenSSL and mod_ssl. A number of bug\nfixes and new features are also included.",
"title": "Topic"
},
{
"category": "general",
"text": "Stronghold 4 contains a number of open source technologies, including\nOpenSSL 0.9.6 and mod_ssl.\n\nNISCC testing of implementations of the SSL protocol uncovered two bugs in\nOpenSSL 0.9.6. The parsing of unusual ASN.1 tag values can cause OpenSSL\nto crash. A remote attacker could trigger this bug by sending a carefully\ncrafted SSL client certificate to the Stronghold Web server, which would\ncause the server child process handling the request to terminate. The\neffects of such an attack would be limited, as Apache is designed to handle\nthis situation. In most cases, an attack would simply cause increased\nserver load, which would only last as long as an attacker continues to make\nmalicious connections. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to\nthis issue. \n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nthat can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nUsers of Stronghold 4 cross-platform are advised to update to these errata\nversions, which contain backported security fixes and are not vulnerable to\nthese issues.\n\nRed Hat would like to thank NISCC, Stephen Henson, and Ben Laurie for their\nwork on these vulnerabilities.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:290",
"url": "https://access.redhat.com/errata/RHSA-2003:290"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "http://www.niscc.gov.uk/",
"url": "http://www.niscc.gov.uk/"
},
{
"category": "external",
"summary": "http://www.openssl.org/news/secadv_20030930.txt",
"url": "http://www.openssl.org/news/secadv_20030930.txt"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_290.json"
}
],
"title": "Red Hat Security Advisory: mod_ssl, openssl security update for Stronghold",
"tracking": {
"current_release_date": "2024-11-21T22:52:00+00:00",
"generator": {
"date": "2024-11-21T22:52:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:290",
"initial_release_date": "2003-09-30T12:16:00+00:00",
"revision_history": [
{
"date": "2003-09-30T12:16:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-10-03T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:52:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Stronghold 4",
"product": {
"name": "Red Hat Stronghold 4",
"product_id": "Red Hat Stronghold 4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:stronghold:4"
}
}
}
],
"category": "product_family",
"name": "Stronghold Cross Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Stronghold 4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-30T12:16:00+00:00",
"details": "Updated Stronghold 4 packages are now available via the update agent\nservice. Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
"product_ids": [
"Red Hat Stronghold 4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:290"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0543",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "104893"
}
],
"notes": [
{
"category": "description",
"text": "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Stronghold 4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0543"
},
{
"category": "external",
"summary": "RHBZ#104893",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=104893"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0543",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0543"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543"
}
],
"release_date": "2003-09-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-30T12:16:00+00:00",
"details": "Updated Stronghold 4 packages are now available via the update agent\nservice. Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
"product_ids": [
"Red Hat Stronghold 4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:290"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes"
},
{
"cve": "CVE-2003-0544",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "104893"
}
],
"notes": [
{
"category": "description",
"text": "OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Stronghold 4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0544"
},
{
"category": "external",
"summary": "RHBZ#104893",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=104893"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0544",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0544"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544"
}
],
"release_date": "2003-09-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-30T12:16:00+00:00",
"details": "Updated Stronghold 4 packages are now available via the update agent\nservice. Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
"product_ids": [
"Red Hat Stronghold 4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:290"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes"
}
]
}
rhsa-2003:301
Vulnerability from csaf_redhat
Published
2003-10-15 08:18
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: mod_ssl security update for Stronghold
Notes
Topic
An updated mod_ssl package is now available for Stronghold 4 on Red Hat
Enterprise Linux that closes a security issue in certain rare configurations.
Details
Stronghold 4 contains a number of open source technologies, including the
mod_ssl module (which provides SSL/TLS support for Apache).
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
that can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Users of Stronghold 4 on Red Hat Enterprise Linux may update to
this erratum package, which contains a backported security fix and is not
vulnerable to this issue.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated mod_ssl package is now available for Stronghold 4 on Red Hat\nEnterprise Linux that closes a security issue in certain rare configurations.",
"title": "Topic"
},
{
"category": "general",
"text": "Stronghold 4 contains a number of open source technologies, including the\nmod_ssl module (which provides SSL/TLS support for Apache).\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nthat can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nUsers of Stronghold 4 on Red Hat Enterprise Linux may update to\nthis erratum package, which contains a backported security fix and is not\nvulnerable to this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:301",
"url": "https://access.redhat.com/errata/RHSA-2003:301"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_301.json"
}
],
"title": "Red Hat Security Advisory: mod_ssl security update for Stronghold",
"tracking": {
"current_release_date": "2024-11-21T22:48:48+00:00",
"generator": {
"date": "2024-11-21T22:48:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:301",
"initial_release_date": "2003-10-15T08:18:00+00:00",
"revision_history": [
{
"date": "2003-10-15T08:18:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-10-15T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Stronghold 4 for Red Hat Enterprise Linux",
"product": {
"name": "Stronghold 4 for Red Hat Enterprise Linux",
"product_id": "Stronghold 4 for Red Hat Enterprise Linux",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_stronghold:4"
}
}
}
],
"category": "product_family",
"name": "Stronghold 4.0 for Red Hat Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Stronghold 4 for Red Hat Enterprise Linux"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-10-15T08:18:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Stronghold 4 for Red Hat Enterprise Linux"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:301"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
RHSA-2003:243
Vulnerability from csaf_redhat
Published
2003-09-22 08:34
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities
Notes
Topic
Updated Apache and mod_ssl packages that fix several minor security issues
are now available for Red Hat Linux 7.1, 7.2, and 7.3.
Details
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
which can cause cipher suite restrictions to be ignored. This is triggered
if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Apache does not filter terminal escape sequences from its error logs, which
could make it easier for attackers to insert those sequences into terminal
emulators containing vulnerabilities related to escape sequences. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0020 to this issue.
It is possible to get Apache 1.3 to get into an infinite loop handling
internal redirects and nested subrequests. A patch for this issue adds a
new LimitInternalRecursion directive.
All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues.
After the errata packages are installed, restart the Web service by running
the following command:
/sbin/service httpd restart
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Linux 7.1, 7.2, and 7.3.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences. The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:243",
"url": "https://access.redhat.com/errata/RHSA-2003:243"
},
{
"category": "external",
"summary": "http://www.apacheweek.com/issues/03-07-11#security",
"url": "http://www.apacheweek.com/issues/03-07-11#security"
},
{
"category": "external",
"summary": "60281",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=60281"
},
{
"category": "external",
"summary": "72245",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=72245"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_243.json"
}
],
"title": "Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities",
"tracking": {
"current_release_date": "2024-11-21T22:48:37+00:00",
"generator": {
"date": "2024-11-21T22:48:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:243",
"initial_release_date": "2003-09-22T08:34:00+00:00",
"revision_history": [
{
"date": "2003-09-22T08:34:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-09-22T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.2",
"product": {
"name": "Red Hat Linux 7.2",
"product_id": "Red Hat Linux 7.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.3",
"product": {
"name": "Red Hat Linux 7.3",
"product_id": "Red Hat Linux 7.3",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0020",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616937"
}
],
"notes": [
{
"category": "description",
"text": "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0020"
},
{
"category": "external",
"summary": "RHBZ#1616937",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616937"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0020",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0020"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020"
}
],
"release_date": "2003-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:34:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:243"
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-22T08:34:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 7.1",
"Red Hat Linux 7.2",
"Red Hat Linux 7.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:243"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
}
]
}
rhsa-2003:240
Vulnerability from csaf_redhat
Published
2003-09-04 07:40
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: : Updated httpd packages fix Apache security vulnerabilities
Notes
Topic
Updated httpd packages that fix several minor security issues are now
available for Red Hat Linux 8.0 and 9.
Details
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
included with Apache 2 versions 2.0.35 through 2.0.46 that can cause
cipher suite restrictions to be ignored. This is triggered if optional
renegotiation is used (SSLOptions +OptRenegotiate) along with verification
of client certificates and a change to the cipher suite over the
renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Yoshioka Tsuneo found that unpatched versions of Apache 2 versions 2.0.35
to 2.0.46 have a bug that can cause a remote Denial of Service. When a
client requests that proxy ftp connect to a ftp server with an IPv6
address, and the proxy is unable to create an IPv6 socket, an infinite loop
occurs. The Common Vulnerabilities and Exposures project has assigned the
name CAN-2003-0254 to this issue.
Saheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46
have a bug in the prefork MPM when handling accept errors. In a server with
multiple listening sockets, a certain error returned by accept() on a
rarely-accessed port can cause a temporary denial of service. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2003-0253
to this issue.
It is possible for Apache 2 to get into an infinite loop handling internal
redirects and nested subrequests. A patch for this issue adds the new
LimitInternalRecursion directive.
All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues, and are applied to Apache version 2.0.40.
After the errata packages are installed, restart the Web service by running
(as root) the following command:
/sbin/service httpd restart
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated httpd packages that fix several minor security issues are now\navailable for Red Hat Linux 8.0 and 9.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nincluded with Apache 2 versions 2.0.35 through 2.0.46 that can cause\ncipher suite restrictions to be ignored. This is triggered if optional\nrenegotiation is used (SSLOptions +OptRenegotiate) along with verification\nof client certificates and a change to the cipher suite over the\nrenegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nYoshioka Tsuneo found that unpatched versions of Apache 2 versions 2.0.35\nto 2.0.46 have a bug that can cause a remote Denial of Service. When a\nclient requests that proxy ftp connect to a ftp server with an IPv6\naddress, and the proxy is unable to create an IPv6 socket, an infinite loop\noccurs. The Common Vulnerabilities and Exposures project has assigned the\nname CAN-2003-0254 to this issue.\n\nSaheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46\nhave a bug in the prefork MPM when handling accept errors. In a server with\nmultiple listening sockets, a certain error returned by accept() on a\nrarely-accessed port can cause a temporary denial of service. The Common\nVulnerabilities and Exposures project has assigned the name CAN-2003-0253\nto this issue.\n\nIt is possible for Apache 2 to get into an infinite loop handling internal\nredirects and nested subrequests. A patch for this issue adds the new\nLimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues, and are applied to Apache version 2.0.40.\n\nAfter the errata packages are installed, restart the Web service by running\n(as root) the following command:\n\n/sbin/service httpd restart",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:240",
"url": "https://access.redhat.com/errata/RHSA-2003:240"
},
{
"category": "external",
"summary": "http://www.apacheweek.com/issues/03-07-11#security",
"url": "http://www.apacheweek.com/issues/03-07-11#security"
},
{
"category": "external",
"summary": "78019",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=78019"
},
{
"category": "external",
"summary": "82985",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=82985"
},
{
"category": "external",
"summary": "85022",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=85022"
},
{
"category": "external",
"summary": "97111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=97111"
},
{
"category": "external",
"summary": "98545",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98545"
},
{
"category": "external",
"summary": "98653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98653"
},
{
"category": "external",
"summary": "98852",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98852"
},
{
"category": "external",
"summary": "98853",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98853"
},
{
"category": "external",
"summary": "98855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98855"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_240.json"
}
],
"title": "Red Hat Security Advisory: : Updated httpd packages fix Apache security vulnerabilities",
"tracking": {
"current_release_date": "2024-11-21T22:48:33+00:00",
"generator": {
"date": "2024-11-21T22:48:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:240",
"initial_release_date": "2003-09-04T07:40:00+00:00",
"revision_history": [
{
"date": "2003-09-04T07:40:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-09-04T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 8.0",
"product": {
"name": "Red Hat Linux 8.0",
"product_id": "Red Hat Linux 8.0",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:8.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 9",
"product": {
"name": "Red Hat Linux 9",
"product_id": "Red Hat Linux 9",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-04T07:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:240"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0253",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1617012"
}
],
"notes": [
{
"category": "description",
"text": "The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0253"
},
{
"category": "external",
"summary": "RHBZ#1617012",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617012"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0253",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0253"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0253",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0253"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-04T07:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:240"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0254",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1617013"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0254"
},
{
"category": "external",
"summary": "RHBZ#1617013",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617013"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0254",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0254"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-04T07:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:240"
}
],
"title": "security flaw"
}
]
}
rhsa-2003_240
Vulnerability from csaf_redhat
Published
2003-09-04 07:40
Modified
2024-11-21 22:48
Summary
Red Hat Security Advisory: : Updated httpd packages fix Apache security vulnerabilities
Notes
Topic
Updated httpd packages that fix several minor security issues are now
available for Red Hat Linux 8.0 and 9.
Details
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
Ben Laurie found a bug in the optional renegotiation code in mod_ssl
included with Apache 2 versions 2.0.35 through 2.0.46 that can cause
cipher suite restrictions to be ignored. This is triggered if optional
renegotiation is used (SSLOptions +OptRenegotiate) along with verification
of client certificates and a change to the cipher suite over the
renegotiation. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.
Yoshioka Tsuneo found that unpatched versions of Apache 2 versions 2.0.35
to 2.0.46 have a bug that can cause a remote Denial of Service. When a
client requests that proxy ftp connect to a ftp server with an IPv6
address, and the proxy is unable to create an IPv6 socket, an infinite loop
occurs. The Common Vulnerabilities and Exposures project has assigned the
name CAN-2003-0254 to this issue.
Saheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46
have a bug in the prefork MPM when handling accept errors. In a server with
multiple listening sockets, a certain error returned by accept() on a
rarely-accessed port can cause a temporary denial of service. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2003-0253
to this issue.
It is possible for Apache 2 to get into an infinite loop handling internal
redirects and nested subrequests. A patch for this issue adds the new
LimitInternalRecursion directive.
All users of the Apache HTTP Web Server are advised to upgrade to the
applicable errata packages, which contain back-ported fixes correcting
these issues, and are applied to Apache version 2.0.40.
After the errata packages are installed, restart the Web service by running
(as root) the following command:
/sbin/service httpd restart
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated httpd packages that fix several minor security issues are now\navailable for Red Hat Linux 8.0 and 9.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nincluded with Apache 2 versions 2.0.35 through 2.0.46 that can cause\ncipher suite restrictions to be ignored. This is triggered if optional\nrenegotiation is used (SSLOptions +OptRenegotiate) along with verification\nof client certificates and a change to the cipher suite over the\nrenegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nYoshioka Tsuneo found that unpatched versions of Apache 2 versions 2.0.35\nto 2.0.46 have a bug that can cause a remote Denial of Service. When a\nclient requests that proxy ftp connect to a ftp server with an IPv6\naddress, and the proxy is unable to create an IPv6 socket, an infinite loop\noccurs. The Common Vulnerabilities and Exposures project has assigned the\nname CAN-2003-0254 to this issue.\n\nSaheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46\nhave a bug in the prefork MPM when handling accept errors. In a server with\nmultiple listening sockets, a certain error returned by accept() on a\nrarely-accessed port can cause a temporary denial of service. The Common\nVulnerabilities and Exposures project has assigned the name CAN-2003-0253\nto this issue.\n\nIt is possible for Apache 2 to get into an infinite loop handling internal\nredirects and nested subrequests. A patch for this issue adds the new\nLimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues, and are applied to Apache version 2.0.40.\n\nAfter the errata packages are installed, restart the Web service by running\n(as root) the following command:\n\n/sbin/service httpd restart",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2003:240",
"url": "https://access.redhat.com/errata/RHSA-2003:240"
},
{
"category": "external",
"summary": "http://www.apacheweek.com/issues/03-07-11#security",
"url": "http://www.apacheweek.com/issues/03-07-11#security"
},
{
"category": "external",
"summary": "78019",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=78019"
},
{
"category": "external",
"summary": "82985",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=82985"
},
{
"category": "external",
"summary": "85022",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=85022"
},
{
"category": "external",
"summary": "97111",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=97111"
},
{
"category": "external",
"summary": "98545",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98545"
},
{
"category": "external",
"summary": "98653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98653"
},
{
"category": "external",
"summary": "98852",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98852"
},
{
"category": "external",
"summary": "98853",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98853"
},
{
"category": "external",
"summary": "98855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=98855"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_240.json"
}
],
"title": "Red Hat Security Advisory: : Updated httpd packages fix Apache security vulnerabilities",
"tracking": {
"current_release_date": "2024-11-21T22:48:33+00:00",
"generator": {
"date": "2024-11-21T22:48:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2003:240",
"initial_release_date": "2003-09-04T07:40:00+00:00",
"revision_history": [
{
"date": "2003-09-04T07:40:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2003-09-04T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:48:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 8.0",
"product": {
"name": "Red Hat Linux 8.0",
"product_id": "Red Hat Linux 8.0",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:8.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 9",
"product": {
"name": "Red Hat Linux 9",
"product_id": "Red Hat Linux 9",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2003-0192",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616998"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"title": "Statement"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0192"
},
{
"category": "external",
"summary": "RHBZ#1616998",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-04T07:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:240"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0253",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1617012"
}
],
"notes": [
{
"category": "description",
"text": "The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0253"
},
{
"category": "external",
"summary": "RHBZ#1617012",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617012"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0253",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0253"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0253",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0253"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-04T07:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:240"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2003-0254",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1617013"
}
],
"notes": [
{
"category": "description",
"text": "Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2003-0254"
},
{
"category": "external",
"summary": "RHBZ#1617013",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617013"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2003-0254",
"url": "https://www.cve.org/CVERecord?id=CVE-2003-0254"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0254",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0254"
}
],
"release_date": "2003-07-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2003-09-04T07:40:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate. The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
"product_ids": [
"Red Hat Linux 8.0",
"Red Hat Linux 9"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2003:240"
}
],
"title": "security flaw"
}
]
}
ghsa-6r62-6x7v-wrm2
Vulnerability from github
Published
2022-05-03 03:09
Modified
2022-05-03 03:09
Details
Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.
{
"affected": [],
"aliases": [
"CVE-2003-0192"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2003-08-18T04:00:00Z",
"severity": "MODERATE"
},
"details": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"id": "GHSA-6r62-6x7v-wrm2",
"modified": "2022-05-03T03:09:41Z",
"published": "2022-05-03T03:09:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
gsd-2003-0192
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2003-0192",
"description": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"id": "GSD-2003-0192",
"references": [
"https://www.suse.com/security/cve/CVE-2003-0192.html",
"https://access.redhat.com/errata/RHSA-2003:301",
"https://access.redhat.com/errata/RHSA-2003:290",
"https://access.redhat.com/errata/RHSA-2003:244",
"https://access.redhat.com/errata/RHSA-2003:243",
"https://access.redhat.com/errata/RHSA-2003:240"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2003-0192"
],
"details": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
"id": "GSD-2003-0192",
"modified": "2023-12-13T01:22:13.475794Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2003-0192",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "MDKSA-2003:075",
"refsource": "MANDRAKE",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
},
{
"name": "RHSA-2003:240",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
},
{
"name": "SCOSA-2004.6",
"refsource": "SCO",
"url": "ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt"
},
{
"name": "RHSA-2003:243",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
},
{
"name": "oval:org.mitre.oval:def:169",
"refsource": "OVAL",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
},
{
"name": "RHSA-2003:244",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
},
{
"name": "20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released",
"refsource": "BUGTRAQ",
"url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [3/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2003-0192"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2003:240",
"refsource": "REDHAT",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
},
{
"name": "RHSA-2003:243",
"refsource": "REDHAT",
"tags": [],
"url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
},
{
"name": "SCOSA-2004.6",
"refsource": "SCO",
"tags": [],
"url": "ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt"
},
{
"name": "RHSA-2003:244",
"refsource": "REDHAT",
"tags": [],
"url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
},
{
"name": "MDKSA-2003:075",
"refsource": "MANDRAKE",
"tags": [],
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
},
{
"name": "20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released",
"refsource": "BUGTRAQ",
"tags": [],
"url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
},
{
"name": "oval:org.mitre.oval:def:169",
"refsource": "OVAL",
"tags": [],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [3/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2021-06-06T11:15Z",
"publishedDate": "2003-08-18T04:00Z"
}
}
}
fkie_cve-2003-0192
Vulnerability from fkie_nvd
Published
2003-08-18 04:00
Modified
2024-11-20 23:44
Severity ?
Summary
Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | http_server | 2.0 | |
| apache | http_server | 2.0.28 | |
| apache | http_server | 2.0.32 | |
| apache | http_server | 2.0.35 | |
| apache | http_server | 2.0.36 | |
| apache | http_server | 2.0.37 | |
| apache | http_server | 2.0.38 | |
| apache | http_server | 2.0.39 | |
| apache | http_server | 2.0.40 | |
| apache | http_server | 2.0.41 | |
| apache | http_server | 2.0.42 | |
| apache | http_server | 2.0.43 | |
| apache | http_server | 2.0.44 | |
| apache | http_server | 2.0.45 | |
| apache | http_server | 2.0.46 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "163A6EF6-7D3F-4B1F-9E03-A8C86562CC3D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*",
"matchCriteriaId": "EB477AFB-EA39-4892-B772-586CF6D2D235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*",
"matchCriteriaId": "B35906CD-038E-4243-8A95-F0A3A43F06F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*",
"matchCriteriaId": "B940BB85-03F5-46D7-8DC9-2E1E228D3D98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*",
"matchCriteriaId": "82139FFA-2779-4732-AFA5-4E6E19775899",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*",
"matchCriteriaId": "B7F717E6-BACD-4C8A-A9C5-516ADA6FEE6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*",
"matchCriteriaId": "08AB120B-2FEC-4EB3-9777-135D81E809AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*",
"matchCriteriaId": "1C7FF669-12E0-4A73-BBA7-250D109148C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*",
"matchCriteriaId": "5AB7B1F1-7202-445D-9F96-135DC0AFB1E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*",
"matchCriteriaId": "BCB7EE53-187E-40A9-9865-0F3EDA2B5A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*",
"matchCriteriaId": "9D06AE8A-9BA8-4AA8-ACEA-326CD001E879",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*",
"matchCriteriaId": "2FC1A04B-0466-48AD-89F3-1F2EF1DEBE6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*",
"matchCriteriaId": "19F34D08-430E-4331-A27D-667149425176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*",
"matchCriteriaId": "248BDF2C-3E78-49D1-BD9C-60C09A441724",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*",
"matchCriteriaId": "BB0FDE3D-1509-4375-8703-0D174D70B22E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite."
},
{
"lang": "es",
"value": "Apache 2 anteriores a 2.0.47, y ciertas versiones de mod_ssl para Apache 1.3, no manejan adecuadamente \"ciertas secuencias de re-negociaciones por directorio junto con la directiva SSLCipherSuite siendo usada para mejorar de un nivel de cifrado (ciphersuite) d\u00e9bil a uno fuerte\", lo que podr\u00eda hacer que apache utilizara el nivel de cifrado d\u00e9bil."
}
],
"id": "CVE-2003-0192",
"lastModified": "2024-11-20T23:44:10.900",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2003-08-18T04:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt"
},
{
"source": "cve@mitre.org",
"url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "cve@mitre.org",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
}
],
"sourceIdentifier": "cve@mitre.org",
"vendorComments": [
{
"comment": "Fixed in Apache HTTP Server 2.0.47:\nhttp://httpd.apache.org/security/vulnerabilities_20.html",
"lastModified": "2008-07-02T00:00:00",
"organization": "Apache"
},
{
"comment": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release. This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
"lastModified": "2008-03-10T00:00:00",
"organization": "Red Hat"
}
],
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.