cvelistv5 - CVE-2003-0192

URL	Tags
cve@mitre.org	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt
cve@mitre.org	http://marc.info/?l=bugtraq&m=105776593602600&w=2
cve@mitre.org	http://www.mandriva.com/security/advisories?name=MDKSA-2003:075
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-240.html	Patch, Vendor Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-243.html
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-244.html
cve@mitre.org	https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
cve@mitre.org	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169

▼	Vendor	Product
	n/a	n/a

gsd-2003-0192

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.

Aliases

CVE-2003-0192

Aliases

CVE-2003-0192

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2003-0192",
    "description": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
    "id": "GSD-2003-0192",
    "references": [
      "https://www.suse.com/security/cve/CVE-2003-0192.html",
      "https://access.redhat.com/errata/RHSA-2003:301",
      "https://access.redhat.com/errata/RHSA-2003:290",
      "https://access.redhat.com/errata/RHSA-2003:244",
      "https://access.redhat.com/errata/RHSA-2003:243",
      "https://access.redhat.com/errata/RHSA-2003:240"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2003-0192"
      ],
      "details": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
      "id": "GSD-2003-0192",
      "modified": "2023-12-13T01:22:13.475794Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2003-0192",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "MDKSA-2003:075",
            "refsource": "MANDRAKE",
            "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
          },
          {
            "name": "RHSA-2003:240",
            "refsource": "REDHAT",
            "url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
          },
          {
            "name": "SCOSA-2004.6",
            "refsource": "SCO",
            "url": "ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt"
          },
          {
            "name": "RHSA-2003:243",
            "refsource": "REDHAT",
            "url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
          },
          {
            "name": "oval:org.mitre.oval:def:169",
            "refsource": "OVAL",
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
          },
          {
            "name": "RHSA-2003:244",
            "refsource": "REDHAT",
            "url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
          },
          {
            "name": "20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released",
            "refsource": "BUGTRAQ",
            "url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
          },
          {
            "name": "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073149 [3/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2003-0192"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2003:240",
              "refsource": "REDHAT",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
            },
            {
              "name": "RHSA-2003:243",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
            },
            {
              "name": "SCOSA-2004.6",
              "refsource": "SCO",
              "tags": [],
              "url": "ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt"
            },
            {
              "name": "RHSA-2003:244",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
            },
            {
              "name": "MDKSA-2003:075",
              "refsource": "MANDRAKE",
              "tags": [],
              "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
            },
            {
              "name": "20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
            },
            {
              "name": "oval:org.mitre.oval:def:169",
              "refsource": "OVAL",
              "tags": [],
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
            },
            {
              "name": "[httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20200401 svn commit: r1058586 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20200401 svn commit: r1058587 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1888194 [2/13] - /httpd/site/trunk/content/security/json/",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073139 [2/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210606 svn commit: r1075470 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073140 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073149 [3/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073143 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.4,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2021-06-06T11:15Z",
      "publishedDate": "2003-08-18T04:00Z"
    }
  }
}

rhsa-2003_240

Vulnerability from csaf_redhat

Published

2003-09-04 07:40

Modified

2024-11-21 22:48

Summary

Red Hat Security Advisory: : Updated httpd packages fix Apache security vulnerabilities

Notes

Topic

Updated httpd packages that fix several minor security issues are now available for Red Hat Linux 8.0 and 9.

Details

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. Ben Laurie found a bug in the optional renegotiation code in mod_ssl included with Apache 2 versions 2.0.35 through 2.0.46 that can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0192 to this issue. Yoshioka Tsuneo found that unpatched versions of Apache 2 versions 2.0.35 to 2.0.46 have a bug that can cause a remote Denial of Service. When a client requests that proxy ftp connect to a ftp server with an IPv6 address, and the proxy is unable to create an IPv6 socket, an infinite loop occurs. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0254 to this issue. Saheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46 have a bug in the prefork MPM when handling accept errors. In a server with multiple listening sockets, a certain error returned by accept() on a rarely-accessed port can cause a temporary denial of service. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0253 to this issue. It is possible for Apache 2 to get into an infinite loop handling internal redirects and nested subrequests. A patch for this issue adds the new LimitInternalRecursion directive. All users of the Apache HTTP Web Server are advised to upgrade to the applicable errata packages, which contain back-ported fixes correcting these issues, and are applied to Apache version 2.0.40. After the errata packages are installed, restart the Web service by running (as root) the following command: /sbin/service httpd restart

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated httpd packages that fix several minor security issues are now\navailable for Red Hat Linux 8.0 and 9.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nincluded with Apache 2 versions 2.0.35 through 2.0.46 that can cause\ncipher suite restrictions to be ignored. This is triggered if optional\nrenegotiation is used (SSLOptions +OptRenegotiate) along with verification\nof client certificates and a change to the cipher suite over the\nrenegotiation.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nYoshioka Tsuneo found that unpatched versions of Apache 2 versions 2.0.35\nto 2.0.46 have a bug that can cause a remote Denial of Service. When a\nclient requests that proxy ftp connect to a ftp server with an IPv6\naddress, and the proxy is unable to create an IPv6 socket, an infinite loop\noccurs.  The Common Vulnerabilities and Exposures project has assigned the\nname CAN-2003-0254 to this issue.\n\nSaheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46\nhave a bug in the prefork MPM when handling accept errors. In a server with\nmultiple listening sockets, a certain error returned by accept() on a\nrarely-accessed port can cause a temporary denial of service.  The Common\nVulnerabilities and Exposures project has assigned the name CAN-2003-0253\nto this issue.\n\nIt is possible for Apache 2 to get into an infinite loop handling internal\nredirects and nested subrequests. A patch for this issue adds the new\nLimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues, and are applied to Apache version 2.0.40.\n\nAfter the errata packages are installed, restart the Web service by running\n(as root) the following command:\n\n/sbin/service httpd restart",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2003:240",
        "url": "https://access.redhat.com/errata/RHSA-2003:240"
      },
      {
        "category": "external",
        "summary": "http://www.apacheweek.com/issues/03-07-11#security",
        "url": "http://www.apacheweek.com/issues/03-07-11#security"
      },
      {
        "category": "external",
        "summary": "78019",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=78019"
      },
      {
        "category": "external",
        "summary": "82985",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=82985"
      },
      {
        "category": "external",
        "summary": "85022",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=85022"
      },
      {
        "category": "external",
        "summary": "97111",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=97111"
      },
      {
        "category": "external",
        "summary": "98545",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=98545"
      },
      {
        "category": "external",
        "summary": "98653",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=98653"
      },
      {
        "category": "external",
        "summary": "98852",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=98852"
      },
      {
        "category": "external",
        "summary": "98853",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=98853"
      },
      {
        "category": "external",
        "summary": "98855",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=98855"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_240.json"
      }
    ],
    "title": "Red Hat Security Advisory: : Updated httpd packages fix Apache security vulnerabilities",
    "tracking": {
      "current_release_date": "2024-11-21T22:48:33+00:00",
      "generator": {
        "date": "2024-11-21T22:48:33+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2003:240",
      "initial_release_date": "2003-09-04T07:40:00+00:00",
      "revision_history": [
        {
          "date": "2003-09-04T07:40:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2003-09-04T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-21T22:48:33+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Linux 8.0",
                "product": {
                  "name": "Red Hat Linux 8.0",
                  "product_id": "Red Hat Linux 8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:8.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux 9",
                "product": {
                  "name": "Red Hat Linux 9",
                  "product_id": "Red Hat Linux 9",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2003-0192",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616998"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 8.0",
          "Red Hat Linux 9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0192"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616998",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
        }
      ],
      "release_date": "2003-07-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-09-04T07:40:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
          "product_ids": [
            "Red Hat Linux 8.0",
            "Red Hat Linux 9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:240"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2003-0253",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1617012"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 8.0",
          "Red Hat Linux 9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0253"
        },
        {
          "category": "external",
          "summary": "RHBZ#1617012",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617012"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0253",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0253"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0253",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0253"
        }
      ],
      "release_date": "2003-07-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-09-04T07:40:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
          "product_ids": [
            "Red Hat Linux 8.0",
            "Red Hat Linux 9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:240"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2003-0254",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1617013"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 8.0",
          "Red Hat Linux 9"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0254"
        },
        {
          "category": "external",
          "summary": "RHBZ#1617013",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1617013"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0254",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0254"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0254",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0254"
        }
      ],
      "release_date": "2003-07-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-09-04T07:40:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
          "product_ids": [
            "Red Hat Linux 8.0",
            "Red Hat Linux 9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:240"
        }
      ],
      "title": "security flaw"
    }
  ]
}

rhsa-2003_243

Vulnerability from csaf_redhat

Published

2003-09-22 08:34

Modified

2024-11-21 22:48

Summary

Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities

Notes

Topic

Updated Apache and mod_ssl packages that fix several minor security issues are now available for Red Hat Linux 7.1, 7.2, and 7.3.

Details

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. Ben Laurie found a bug in the optional renegotiation code in mod_ssl which can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0192 to this issue. Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0020 to this issue. It is possible to get Apache 1.3 to get into an infinite loop handling internal redirects and nested subrequests. A patch for this issue adds a new LimitInternalRecursion directive. All users of the Apache HTTP Web Server are advised to upgrade to the applicable errata packages, which contain back-ported fixes correcting these issues. After the errata packages are installed, restart the Web service by running the following command: /sbin/service httpd restart

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Linux 7.1, 7.2, and 7.3.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences.  The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2003:243",
        "url": "https://access.redhat.com/errata/RHSA-2003:243"
      },
      {
        "category": "external",
        "summary": "http://www.apacheweek.com/issues/03-07-11#security",
        "url": "http://www.apacheweek.com/issues/03-07-11#security"
      },
      {
        "category": "external",
        "summary": "60281",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=60281"
      },
      {
        "category": "external",
        "summary": "72245",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=72245"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_243.json"
      }
    ],
    "title": "Red Hat Security Advisory: : Updated Apache and mod_ssl packages fix security vulnerabilities",
    "tracking": {
      "current_release_date": "2024-11-21T22:48:37+00:00",
      "generator": {
        "date": "2024-11-21T22:48:37+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2003:243",
      "initial_release_date": "2003-09-22T08:34:00+00:00",
      "revision_history": [
        {
          "date": "2003-09-22T08:34:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2003-09-22T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-21T22:48:37+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Linux 7.1",
                "product": {
                  "name": "Red Hat Linux 7.1",
                  "product_id": "Red Hat Linux 7.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:7.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux 7.2",
                "product": {
                  "name": "Red Hat Linux 7.2",
                  "product_id": "Red Hat Linux 7.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:7.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux 7.3",
                "product": {
                  "name": "Red Hat Linux 7.3",
                  "product_id": "Red Hat Linux 7.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:7.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2003-0020",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616937"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 7.1",
          "Red Hat Linux 7.2",
          "Red Hat Linux 7.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0020"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616937",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616937"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0020",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0020"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020"
        }
      ],
      "release_date": "2003-02-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-09-22T08:34:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
          "product_ids": [
            "Red Hat Linux 7.1",
            "Red Hat Linux 7.2",
            "Red Hat Linux 7.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:243"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2003-0192",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616998"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 7.1",
          "Red Hat Linux 7.2",
          "Red Hat Linux 7.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0192"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616998",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
        }
      ],
      "release_date": "2003-07-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-09-22T08:34:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
          "product_ids": [
            "Red Hat Linux 7.1",
            "Red Hat Linux 7.2",
            "Red Hat Linux 7.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:243"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "security flaw"
    }
  ]
}

rhsa-2003_290

Vulnerability from csaf_redhat

Published

2003-09-30 12:16

Modified

2024-11-21 22:52

Summary

Red Hat Security Advisory: mod_ssl, openssl security update for Stronghold

Notes

Topic

Updated versions of Stronghold 4 cross-platform are available that fix several security issues affecting OpenSSL and mod_ssl. A number of bug fixes and new features are also included.

Details

Stronghold 4 contains a number of open source technologies, including OpenSSL 0.9.6 and mod_ssl. NISCC testing of implementations of the SSL protocol uncovered two bugs in OpenSSL 0.9.6. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash. A remote attacker could trigger this bug by sending a carefully crafted SSL client certificate to the Stronghold Web server, which would cause the server child process handling the request to terminate. The effects of such an attack would be limited, as Apache is designed to handle this situation. In most cases, an attack would simply cause increased server load, which would only last as long as an attacker continues to make malicious connections. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to this issue. Ben Laurie found a bug in the optional renegotiation code in mod_ssl that can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0192 to this issue. Users of Stronghold 4 cross-platform are advised to update to these errata versions, which contain backported security fixes and are not vulnerable to these issues. Red Hat would like to thank NISCC, Stephen Henson, and Ben Laurie for their work on these vulnerabilities.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated versions of Stronghold 4 cross-platform are available that fix\nseveral security issues affecting OpenSSL and mod_ssl.  A number of bug\nfixes and new features are also included.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Stronghold 4 contains a number of open source technologies, including\nOpenSSL 0.9.6 and mod_ssl.\n\nNISCC testing of implementations of the SSL protocol uncovered two bugs in\nOpenSSL 0.9.6.  The parsing of unusual ASN.1 tag values can cause OpenSSL\nto crash.  A remote attacker could trigger this bug by sending a carefully\ncrafted SSL client certificate to the Stronghold Web server, which would\ncause the server child process handling the request to terminate.  The\neffects of such an attack would be limited, as Apache is designed to handle\nthis situation.  In most cases, an attack would simply cause increased\nserver load, which would only last as long as an attacker continues to make\nmalicious connections.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to\nthis issue.  \n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nthat can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nUsers of Stronghold 4 cross-platform are advised to update to these errata\nversions, which contain backported security fixes and are not vulnerable to\nthese issues.\n\nRed Hat would like to thank NISCC, Stephen Henson, and Ben Laurie for their\nwork on these vulnerabilities.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2003:290",
        "url": "https://access.redhat.com/errata/RHSA-2003:290"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "http://www.niscc.gov.uk/",
        "url": "http://www.niscc.gov.uk/"
      },
      {
        "category": "external",
        "summary": "http://www.openssl.org/news/secadv_20030930.txt",
        "url": "http://www.openssl.org/news/secadv_20030930.txt"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_290.json"
      }
    ],
    "title": "Red Hat Security Advisory: mod_ssl, openssl security update for Stronghold",
    "tracking": {
      "current_release_date": "2024-11-21T22:52:00+00:00",
      "generator": {
        "date": "2024-11-21T22:52:00+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2003:290",
      "initial_release_date": "2003-09-30T12:16:00+00:00",
      "revision_history": [
        {
          "date": "2003-09-30T12:16:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2003-10-03T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-21T22:52:00+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Stronghold 4",
                "product": {
                  "name": "Red Hat Stronghold 4",
                  "product_id": "Red Hat Stronghold 4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:stronghold:4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Stronghold Cross Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2003-0192",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616998"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Stronghold 4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0192"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616998",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
        }
      ],
      "release_date": "2003-07-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-09-30T12:16:00+00:00",
          "details": "Updated Stronghold 4 packages are now available via the update agent\nservice.  Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
          "product_ids": [
            "Red Hat Stronghold 4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:290"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2003-0543",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "104893"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Stronghold 4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0543"
        },
        {
          "category": "external",
          "summary": "RHBZ#104893",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=104893"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0543",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0543"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0543"
        }
      ],
      "release_date": "2003-09-30T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-09-30T12:16:00+00:00",
          "details": "Updated Stronghold 4 packages are now available via the update agent\nservice.  Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
          "product_ids": [
            "Red Hat Stronghold 4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:290"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes"
    },
    {
      "cve": "CVE-2003-0544",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "104893"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "For Red Hat Enterprise Linux 2.1 OpenSSL packages (openssl, openssl096, openssl095a) issue was addressed via RHSA-2003:293.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 3 and 4 (openssl, openssl096b) contain a backported patch since their initial release.\n\nThe OpenSSL packages in Red Hat Enterprise Linux 5 are based on fixed upstream release (openssl), or contain backported patch since their initial release (openssl097a).",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Stronghold 4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0544"
        },
        {
          "category": "external",
          "summary": "RHBZ#104893",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=104893"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0544",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0544"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0544"
        }
      ],
      "release_date": "2003-09-30T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-09-30T12:16:00+00:00",
          "details": "Updated Stronghold 4 packages are now available via the update agent\nservice.  Run the following command from the Stronghold 4 install root to\nupgrade an existing Stronghold 4 installation to the new package versions:\n\n$ bin/agent\n\nThe Stronghold 4.0g patch release which contains these updated packages is\nalso available from the download site.\n\nAfter upgrading Stronghold, the server must be completely restarted by\nrunning the following commands from the install root:\n\n$ bin/stop-server\n$ bin/start-server\n\nFor more information on how to upgrade between releases of Stronghold 4,\nrefer to http://stronghold.redhat.com/support/upgrade-sh4",
          "product_ids": [
            "Red Hat Stronghold 4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:290"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes"
    }
  ]
}

rhsa-2003_301

Vulnerability from csaf_redhat

Published

2003-10-15 08:18

Modified

2024-11-21 22:48

Summary

Red Hat Security Advisory: mod_ssl security update for Stronghold

Notes

Topic

An updated mod_ssl package is now available for Stronghold 4 on Red Hat Enterprise Linux that closes a security issue in certain rare configurations.

Details

Stronghold 4 contains a number of open source technologies, including the mod_ssl module (which provides SSL/TLS support for Apache). Ben Laurie found a bug in the optional renegotiation code in mod_ssl that can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0192 to this issue. Users of Stronghold 4 on Red Hat Enterprise Linux may update to this erratum package, which contains a backported security fix and is not vulnerable to this issue.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated mod_ssl package is now available for Stronghold 4 on Red Hat\nEnterprise Linux that closes a security issue in certain rare configurations.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Stronghold 4 contains a number of open source technologies, including the\nmod_ssl module (which provides SSL/TLS support for Apache).\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nthat can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nUsers of Stronghold 4 on Red Hat Enterprise Linux may update to\nthis erratum package, which contains a backported security fix and is not\nvulnerable to this issue.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2003:301",
        "url": "https://access.redhat.com/errata/RHSA-2003:301"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_301.json"
      }
    ],
    "title": "Red Hat Security Advisory: mod_ssl security update for Stronghold",
    "tracking": {
      "current_release_date": "2024-11-21T22:48:48+00:00",
      "generator": {
        "date": "2024-11-21T22:48:48+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2003:301",
      "initial_release_date": "2003-10-15T08:18:00+00:00",
      "revision_history": [
        {
          "date": "2003-10-15T08:18:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2003-10-15T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-21T22:48:48+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Stronghold 4 for Red Hat Enterprise Linux",
                "product": {
                  "name": "Stronghold 4 for Red Hat Enterprise Linux",
                  "product_id": "Stronghold 4 for Red Hat Enterprise Linux",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_stronghold:4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Stronghold 4.0 for Red Hat Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2003-0192",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616998"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "Stronghold 4 for Red Hat Enterprise Linux"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0192"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616998",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
        }
      ],
      "release_date": "2003-07-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-10-15T08:18:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
          "product_ids": [
            "Stronghold 4 for Red Hat Enterprise Linux"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:301"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "security flaw"
    }
  ]
}

rhsa-2003_244

Vulnerability from csaf_redhat

Published

2003-09-22 08:39

Modified

2024-11-21 22:48

Summary

Red Hat Security Advisory: apache security update

Notes

Topic

Updated Apache and mod_ssl packages that fix several minor security issues are now available for Red Hat Enterprise Linux.

Details

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. Ben Laurie found a bug in the optional renegotiation code in mod_ssl which can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0192 to this issue. Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0020 to this issue. It is possible to get Apache 1.3 to get into an infinite loop handling internal redirects and nested subrequests. A patch for this issue adds a new LimitInternalRecursion directive. All users of the Apache HTTP Web Server are advised to upgrade to the applicable errata packages, which contain back-ported fixes correcting these issues. After the errata packages are installed, restart the Web service by running the following command: /sbin/service httpd restart

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated Apache and mod_ssl packages that fix several minor security issues\nare now available for Red Hat Enterprise Linux.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Apache HTTP server is a powerful, full-featured, efficient, and\nfreely-available Web server.\n\nBen Laurie found a bug in the optional renegotiation code in mod_ssl\nwhich can cause cipher suite restrictions to be ignored. This is triggered\nif optional renegotiation is used (SSLOptions +OptRenegotiate) along with\nverification of client certificates and a change to the cipher suite over\nthe renegotiation.  The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CAN-2003-0192 to this issue.\n\nApache does not filter terminal escape sequences from its error logs, which\ncould make it easier for attackers to insert those sequences into terminal\nemulators containing vulnerabilities related to escape sequences.  The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has assigned\nthe name CAN-2003-0020 to this issue.\n\nIt is possible to get Apache 1.3 to get into an infinite loop handling\ninternal redirects and nested subrequests. A patch for this issue adds a\nnew LimitInternalRecursion directive.\n\nAll users of the Apache HTTP Web Server are advised to upgrade to the\napplicable errata packages, which contain back-ported fixes correcting\nthese issues.\n\nAfter the errata packages are installed, restart the Web service by running\nthe following command:\n\n/sbin/service httpd restart",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2003:244",
        "url": "https://access.redhat.com/errata/RHSA-2003:244"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "http://www.apacheweek.com/issues/03-07-11#security",
        "url": "http://www.apacheweek.com/issues/03-07-11#security"
      },
      {
        "category": "external",
        "summary": "98919",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=98919"
      },
      {
        "category": "external",
        "summary": "100430",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=100430"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_244.json"
      }
    ],
    "title": "Red Hat Security Advisory: apache security update",
    "tracking": {
      "current_release_date": "2024-11-21T22:48:41+00:00",
      "generator": {
        "date": "2024-11-21T22:48:41+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2003:244",
      "initial_release_date": "2003-09-22T08:39:00+00:00",
      "revision_history": [
        {
          "date": "2003-09-22T08:39:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2003-09-22T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-21T22:48:41+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                "product": {
                  "name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux Advanced Workstation 2.1",
                "product": {
                  "name": "Red Hat Linux Advanced Workstation 2.1",
                  "product_id": "Red Hat Linux Advanced Workstation 2.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::aw"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ES version 2.1",
                "product": {
                  "name": "Red Hat Enterprise Linux ES version 2.1",
                  "product_id": "Red Hat Enterprise Linux ES version 2.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::es"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux WS version 2.1",
                "product": {
                  "name": "Red Hat Enterprise Linux WS version 2.1",
                  "product_id": "Red Hat Enterprise Linux WS version 2.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::ws"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2003-0020",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616937"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Enterprise Linux ES version 2.1",
          "Red Hat Enterprise Linux WS version 2.1",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0020"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616937",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616937"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0020",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0020"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0020"
        }
      ],
      "release_date": "2003-02-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-09-22T08:39:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Enterprise Linux ES version 2.1",
            "Red Hat Enterprise Linux WS version 2.1",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:244"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2003-0192",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616998"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affected Red Hat Enterprise Linux 2.1 and an update was released to correct it:\nhttp://rhn.redhat.com/errata/RHSA-2003-244.html\n\nRed Hat Enterprise Linux 3 contained a backported patch to correct this issue since release.  This issue does not affect the versions of Apache in Enterprise Linux 4 or later.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Enterprise Linux ES version 2.1",
          "Red Hat Enterprise Linux WS version 2.1",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0192"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616998",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616998"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0192",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0192"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
        }
      ],
      "release_date": "2003-07-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-09-22T08:39:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains the\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nIf up2date fails to connect to Red Hat Network due to SSL Certificate \nErrors, you need to install a version of the up2date client with an updated \ncertificate.  The latest version of up2date is available from the Red Hat \nFTP site and may also be downloaded directly from the RHN website:\n\nhttps://rhn.redhat.com/help/latest-up2date.pxt",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Enterprise Linux ES version 2.1",
            "Red Hat Enterprise Linux WS version 2.1",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:244"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "security flaw"
    }
  ]
}

ghsa-6r62-6x7v-wrm2

Vulnerability from github

Published

2022-05-03 03:09

Modified

2022-05-03 03:09

Details

Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2003-0192"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-08-18T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle \"certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one,\" which could cause Apache to use the weak ciphersuite.",
  "id": "GHSA-6r62-6x7v-wrm2",
  "modified": "2022-05-03T03:09:41Z",
  "published": "2022-05-03T03:09:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0192"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=105776593602600\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:075"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2003-240.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2003-243.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2003-244.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2003-0192

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature

Action not permitted

Vulnerability from cvelistv5

Vulnerability from gsd

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from csaf_redhat

Vulnerability from github

Tags

Sightings

Nomenclature