SLES-SP4 Apache vulnerability to SSL-RENEGOTIATION

As it seems, SUSE did not backport the SSLInsecureRenegotiation directive
into the SLES10-SP4 Apache for now.
They did backport the option into the openssl package though, but how
could I use it on SLES stock Apache?
With the open access to the THC DOS tool it’s getting very risky to
have an SSL server on SLES10:
http://www.thc.org/thc-ssl-dos/

Code:

apache2-2.2.3-16.36.1 - The Apache Web Server Version 2.0

Mi 31 Aug 2011 14:00:00 CEST
draht@suse.de

  • httpd-2.2.x-bnc713966-CVE-2011-3192.patch fixes byterange remote
    DoS vulnerability known as CVE-2011-3192. [bnc#713966]

Di 28 Jun 2011 14:00:00 CEST
draht@suse.de

  • httpd-2.2.x-bnc690734.patch: take LimitRequestFieldsize config
    option into account when parsing headers from backend. Thereby
    avoid that the receiving buffers are too small. bnc#690734.

Mi 19 Jan 2011 13:00:00 CET
draht@suse.de

  • httpd-2.2.x-bnc661597-add-root-to-path.patch: add / when on a
    directory to feed correctly linked listings. bnc#661597

Di 11 Jan 2011 13:00:00 CET
draht@suse.de

  • a2enmod shalt not disable a module in query mode. bnc#663359

Mi 08 Dez 2010 13:00:00 CET
draht@suse.de

  • httpd-2.2.x-bnc555098-new_option_SSLRenegBufferSize.dif fixes
    “413 Request Entity Too Large occur” problem. From L3:28789 and
    bnc#555098.
  • httpd-2.2.x-bnc527440-prefork_graceful_restart_hang.patch
    fixes graceful restart hangs, bnc#555098.
  • unified into httpd-2.2.x-CVE-2007-6420-6421-6422.patch:
    httpd-2.2.x-CVE-2007-6420.patch
    httpd-2.2.x-CVE-2007-6421.patch
    httpd-2.2.x-CVE-2007-6422.patch for --fuzz=0 conflicts.
    all patches apply to httpd-2.2.3/modules/proxy/mod_proxy_balancer.c
  • unified into httpd-2.2.3-CVE-2009-1195-0.patch:
    httpd-2.2.3-CVE-2009-1195.patch
    httpd-2.2.3-CVE-2009-1195-2.patch for --fuzz=0 conflicts.

Di 17 Aug 2010 14:00:00 CEST
draht@suse.de

  • httpd-2.2.10-bnc627030-CVE-2010-1452.patch fixes CVE-2010-1452
    from [bnc#627030]. This only affects mod_dav. CVE-2010-1452
    also refers to mod_cache, but SLES is not affected as the error
    was introduced into a newer version of apache. For completeness:
    CVE-2010-2068 (information disclosure by mod_proxy_http)
    does not affect Linux.

Fr 09 Apr 2010 14:00:00 CEST
draht@suse.de

  • httpd-2.2.10-bnc570127.patch [bnc#570127]: fix for mod_ssl buffer
    flushing problems causing hangs between browser and server, as
    both are waiting for each other.
  • httpd-2.2.10-bnc586572-CVE-2010-0434.patch [bnc#586572]: fix for
    CVE-2010-0434 subrequest header handling information disclosure
    with multithreaded MPM; remote attackers may obtain information
    that is related to an earlier request.
  • httpd-2.2.x-bnc586572-CVE-2010-0408.patch fix for CVE-2010-0408
    DoS caused by wrong status code in mod_proxy_ajp

Fr 16 Okt 2009 14:00:00 CEST
meissner@suse.de

  • fixed CVE-2009-3094 (The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
    mod_proxy_ftp module allows remote FTP servers to cause a denial
    of service (NULL pointer dereference and child process crash) via a
    malformed reply to an EPSV command.)
  • fixed CVE-2009-3095 (access restriction bypass in mod_proxy_ftp module)
    bnc#538322

Di 13 Okt 2009 14:00:00 CEST
meissner@suse.de

  • The CVE-2009-1191 patch should have been labeled CVE-2009-1195,
    renamed. (bnc#513080)
  • The CVE-2009-1195 patch was incomplete and lead to failures
    with SSI scripts. (bnc#512583, bnc#539571)
  • Fixed mod_proxy reverse denial of service (CVE-2009-1890, bnc#519194)

Fr 24 Jul 2009 14:00:00 CEST
crrodriguez@suse.de

  • VUL-0: apache mod_deflate DoS [bnc#521906]
  • VUL-0: apache - another issue similar to CVE-2009-1195 [bnc#513080]
  • VUL-0: apache2: does not properly handle Options=IncludesNOEXEC [bnc#512583]

Mi 27 Mai 2009 14:00:00 CEST
crrodriguez@suse.de

  • mod_cache and mod_rewrite incompatible with each other [bnc#482633]

Mo 02 Mär 2009 13:00:00 CET
crrodriguez@suse.de

  • fix CVE-2008-2364 [bnc#408832]

Fr 19 Sep 2008 14:00:00 CEST
skh@suse.de

  • add httpd-2.2.x-CVE-2007-6420.patch [bnc#373903]:
    mod_proxy_balancer: Prevent CSRF attacks against the
    balancer-manager interface. [Joe Orton]
  • add httpd-2.0.x-CVE-2008-2939.patch [bnc#415061]:
    mod_proxy_ftp: Prevent XSS attacks when using wildcards in
    the path of the FTP URL. Discovered by Marc Bevand of Rapid7.
    [Ruediger Pluem]
  • fix httpd-2.2.x-CVE-2007-3304.patch:
    do not bump MODULE_MAGIC_NUMBER_MINOR to 5 as the security fix
    only provides part of the api

Di 25 Mär 2008 13:00:00 CET
skh@suse.de

  • bnc #353859 / CVE-2007-5000: modules/mappers/mod_imagemap.c
    (menu_header): Fix cross-site-scripting issue by escaping the URI,
    and ensure that a charset parameter is sent in the content-type to
    prevent autodetection by broken browsers.
  • bnc #346451 / CVE-2007-6203: modules/http/http_protocol.c: Escape
    request method in 413 error reporting. Determined to be not
    generally exploitable, but a flaw in any case.
  • bnc #352235 / CVE-2007-6388: mod_status: Ensure refresh parameter
    is numeric to prevent a possible XSS attack caused by redirecting
    to other URLs. Reported by SecurityReason.
  • bnc #353261 / CVE-2007-6421: mod_proxy_balancer: Correctly escape
    the worker route and the worker redirect string in the HTML output
    of the balancer manager. Reported by SecurityReason.
  • bnc #353261 / CVE-2007-6422: Prevent crash in balancer manager if
    invalid balancer name is passed as parameter. Reported by
    SecurityReason.
  • bnc #353262 / CVE-2008-0005: Add explicit charset to the output of
    various modules to work around possible cross-site scripting flaws
    affecting web browsers that do not derive the response character
    set as required by RFC2616. One of these reported by
    SecurityReason
  • Add Requires: ed [bnc #363611]

Code:

openssl-0.9.8a-18.54.1 - Secure Sockets and Transport Layer Security

Mo 19 Sep 2011 14:00:00 CEST
gjhe@suse.com

  • fix bug[bnc#716144]- VUL-0: openssl ECDH crash
    CVE-2011-3210

Di 31 Mai 2011 14:00:00 CEST
gjhe@novell.com

  • update cyclic dependency with package openssl-certs.

Mo 30 Mai 2011 14:00:00 CEST
gjhe@novell.com

  • fix bug[bnc#693027].
    Add protection against ECDSA timing attacks as mentioned in the paper
    by Billy Bob Brumley and Nicola Tuveri, see:
    http://eprint.iacr.org/2011/232.pdf
    [Billy Bob Brumley and Nicola Tuveri]

Mo 11 Apr 2011 14:00:00 CEST
gjhe@novell.com

  • fix bug [bnc#657663]
    CVE-2010-4180
    for CVE-2010-4252,no patch is added(for the J-PAKE
    implementaion is not compiled in by default).

Di 15 Feb 2011 13:00:00 CET
lnussel@suse.de

  • run c_rehash in %post to make sure cert links are there

Di 15 Feb 2011 13:00:00 CET
gjhe@novell.com

  • fix bug[bnc#659128], add ‘-extensions v3_ca’ option to both
    demo scripts CA.sh and CA.pl

Do 10 Feb 2011 13:00:00 CET
kukuk@suse.de

  • Require openssl-certs [bnc#670623]

Fr 10 Dez 2010 13:00:00 CET
gjhe@novell.com

  • out of date CA list, bug[bnc#638744]

Mo 27 Sep 2010 14:00:00 CEST
gjhe@novell.com

  • fix bug [bnc#608666]

So 26 Sep 2010 14:00:00 CEST
gjhe@novell.com

  • fix bug [bnc#629905]
    CVE-2010-2939

Do 25 Mär 2010 13:00:00 CET
meissner@suse.de

  • Added tls/ssl secure renegotiation feature backport from 0.9.8m.
    CVE-2009-3555 [bnc#584292]
  • refreshed some patches for fuzz=0

Di 23 Mär 2010 13:00:00 CET
gjhe@novell.com

  • fix security bug [bnc#597379]
    CVE-2009-3245

Fr 15 Jan 2010 13:00:00 CET
gjhe@suse.de

  • fix security bug [bnc#566238]
    CVE-2009-4355

Do 12 Nov 2009 13:00:00 CET
gjhe@suse.de

  • fix security bug [bnc#553641]
    CVE-2009-3555

Di 21 Jul 2009 14:00:00 CEST
gjhe@suse.de

    -add Entrust_net_Premium_2048_Secure_Server_CA.pem [bnc#522175]

Mi 10 Jun 2009 14:00:00 CEST
gjhe@suse.de

  • fix security bug [bnc#509031]
    CVE-2009-1386
    CVE-2009-1387


vhbsles

View this thread: http://forums.novell.com/showthread.php?t=447649

Thanks for considering the security of your system. Unfortunately this
topic is a bit tricky. We did not backport the SSLInsecureRenegotiation
option, but we disabled insecure renegotiations completely (without an
option to turn it back on). This is however unrelated to the DoS issue
you’re talking about. That one is not about insecure renegotiations, but
about being able to trigger an excessive amount of secure renegotiations
continuously on the server, so even if the option were available, it
would not help.

We’re working with high priority on an update that will address the DoS
issue. The links to that will appear here:
http://support.novell.com/security/cve/CVE-2011-1473.html and here:
https://bugzilla.novell.com/show_bug.cgi?id=727993 and can be installed
like normal via your regular maintenance update methods or ‘NOVELL:
Patch Finder’
(http://download.novell.com/patch/finder/#familyId=7261&productId=36423&dateRange=&startDate=&endDate=&priority=&distribution=&architecture=&keywords=)


dirkmueller

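
The reply above separates insecure renegotiation from the DoS, which relies on many secure renegotiations on one connection. The following is an added example, not part of the thread or of any SUSE tooling: it counts renegotiation attempts in a reassembled client-to-server TLS byte stream (TLS 1.2 and earlier) by watching the record layer. The connection keys, the sample streams and the `limit` threshold are constructed assumptions.

```python
import struct

CCS, ALERT, HANDSHAKE, APPDATA = 20, 21, 22, 23  # TLS record content types

def iter_records(stream: bytes):
    """Yield the content type of each complete TLS record in the stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, off)
        if ctype not in (CCS, ALERT, HANDSHAKE, APPDATA) or major != 3:
            raise ValueError(f"not a TLS record at offset {off}")
        if off + 5 + length > len(stream):
            break  # truncated capture: stop at the last complete record
        yield ctype
        off += 5 + length

def count_renegotiations(client_stream: bytes) -> int:
    """Count handshakes the client starts after the session is established."""
    established = expect_finished = in_reneg = False
    count = 0
    for ctype in iter_records(client_stream):
        if ctype == CCS:
            # One ChangeCipherSpec closes each handshake; Finished follows it.
            established, expect_finished, in_reneg = True, True, False
        elif ctype == HANDSHAKE:
            if expect_finished:
                expect_finished = False  # the Finished record itself
            elif established and not in_reneg:
                count += 1  # encrypted ClientHello on a live session
                in_reneg = True
    return count

def flag(connections: dict, limit: int = 3) -> list:
    """Return the connections whose renegotiation count exceeds the limit."""
    return sorted(c for c, s in connections.items()
                  if count_renegotiations(s) > limit)

def rec(ctype: int, n: int = 32) -> bytes:
    """Build a constructed TLS 1.0 record with an n-byte zero payload."""
    return bytes([ctype, 3, 1]) + struct.pack("!H", n) + bytes(n)

# Constructed sample: ClientHello, ClientKeyExchange, CCS, Finished.
INITIAL = rec(HANDSHAKE) + rec(HANDSHAKE) + rec(CCS, 1) + rec(HANDSHAKE)
SAMPLE = {
    "198.51.100.7:40112": INITIAL + rec(APPDATA) * 4,
    "203.0.113.9:51234": INITIAL + INITIAL * 20,  # 20 renegotiations
}

if __name__ == "__main__":
    print(flag(SAMPLE))
```

An attempt is counted when the client's encrypted ClientHello appears, so handshakes the client abandons still register. TLS 1.3 has no renegotiation, so this check only applies to earlier protocol versions.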