Closed Bug 304502 Opened 19 years ago Closed 19 years ago

mozilla.org's servers should update to at least Apache 2.0.53

Categories

(mozilla.org Graveyard :: Server Operations, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: Gijs, Assigned: justdave)

Details

Since 2.0.52 (which these servers seem to run, judging from the 404 reply...)
the following security problems have been fixed:

  *) SECURITY: CAN-2004-0942 (cve.mitre.org)
     Fix for memory consumption DoS in handling of MIME folded request
     headers.  [Joe Orton]

  *) SECURITY: CAN-2004-0885 (cve.mitre.org)
     mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
     bypassed during an SSL renegotiation.  PR 31505.  
     [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]

I'm not very knowledgeable in any related subjects, so I apologize in advance if
this bug is filed in error (i.e., the security problems shouldn't be exploitable
considering the software run on the servers, or Red Hat has patched their httpd
without updating the version). I'm filing this just in case it *is* important.

Keeping normal severity until I am/others are sure that this is a critical problem.
Red Hat's Enterprise Linux support does tend to patch security holes without
updating the version, but it wouldn't hurt to confirm it. Thanks for keeping an eye
out for us.

Switching to webtools security group
Group: security → webtools-security

We are up-to-date.  Red Hat backports the security patches.

We are currently running: httpd-2.0.52-12.1.ent

* Fri Oct 29 2004 Joe Orton <jorton@redhat.com> 2.0.52-4.ent
- add security fix for CVE CAN-2004-0942 (memory consumption DoS)

* Thu Sep 28 2004 Joe Orton <jorton@redhat.com> 2.0.52-3
- mod_ssl: add security fix for CAN-2004-0885

Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Product: mozilla.org → mozilla.org Graveyard
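
The check made in the last comment (the version string stays at 2.0.52 while the fixes are backported), as an added example that is not part of the original bug: a shell function that reads a package changelog, such as the output of `rpm -q --changelog httpd`, and reports which package release mentions each advisory id. The names `check_backports` and `SAMPLE_CHANGELOG` are hypothetical; the sample holds the two changelog entries quoted above.

```shell
#!/bin/sh
# Added example, not Mozilla's or Red Hat's tooling.
# Reads changelog text on stdin and, for each advisory id given as an argument,
# prints "<id> fixed-in <version-release>" or "<id> MISSING".
# Returns 0 only if every id is mentioned in the changelog.
check_backports() {
    changelog=$(cat)
    missing=0
    for id in "$@"; do
        # CAN-YYYY-NNNN (candidate) and CVE-YYYY-NNNN name the same entry,
        # so strip the prefix and match on the number with either prefix.
        num=${id#C??-}
        ver=$(printf '%s\n' "$changelog" | awk -v n="$num" '
            /^\* / { v = $NF }    # entry header: last field is version-release
            $0 ~ ("(CAN|CVE)-" n "([^0-9]|$)") { print v; exit }')
        if [ -n "$ver" ]; then
            printf '%s fixed-in %s\n' "$id" "$ver"
        else
            printf '%s MISSING\n' "$id"
            missing=1
        fi
    done
    return "$missing"
}

# Sample input: the changelog entries as quoted in the comment above.
SAMPLE_CHANGELOG='* Fri Oct 29 2004 Joe Orton <jorton@redhat.com> 2.0.52-4.ent
- add security fix for CVE CAN-2004-0942 (memory consumption DoS)

* Thu Sep 28 2004 Joe Orton <jorton@redhat.com> 2.0.52-3
- mod_ssl: add security fix for CAN-2004-0885'

# On a live host the input would come from: rpm -q --changelog httpd
printf '%s\n' "$SAMPLE_CHANGELOG" | check_backports CAN-2004-0942 CAN-2004-0885
```

A banner or 404 page reporting 2.0.52 cannot distinguish the unpatched upstream release from a vendor build like this one, so the changelog (or the vendor's advisory) is the evidence to check.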