Apache mod_python String Processing Bug Lets Remote Users Crash the Web Server

SecurityTracker Alert ID: 1008335
CVE Reference: CAN-2003-0973
Updated: Jan 23 2004
Original Entry Date: Nov 28 2003
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.x prior to 3.0.4, 2.x prior to 2.7.9
Description: A vulnerability was reported in the Apache mod_python module in the processing of certain query strings. A remote user can cause denial of service conditions.
It is reported that a remote user can send a specific query string to be processed by mod_python, causing the Apache httpd process to crash. No further details were provided.
Impact: A remote user can cause the Apache web server process to crash.
Solution: The vendor has released a fixed version (3.0.4 for Apache 2.0), available at:
http://httpd.apache.org/modules/python-download.cgi
The vendor also issued a fixed version (2.7.9 for Apache 1.3), but on January 22, 2004, the vendor reported that version 2.7.9 did not fix the problem. The vendor has issued a fixed version (2.7.10) and recommends that users of mod_python 2.7.9 or earlier upgrade to 2.7.10 as soon as possible, available at:
http://httpd.apache.org/modules/python-download.cgi
The vendor indicates that users of mod_python 3.0.4 do not need to do anything.
[Editor's note: For the announcement regarding the flaw in 2.7.9, see Alert ID 1008828 in January 2004.]
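
The version rules in the Solution above can be applied to an inventory of Apache Server banners. The following is an added example, not part of the SecurityTracker entry or the vendor's code; it assumes mod_python advertises itself as a mod_python/x.y.z token in the Server header, and the sample banners are constructed.

```python
import re

# Fixed releases per the advisory text: 3.0.4 for the 3.x line (Apache 2.0),
# 2.7.10 for the 2.x line (Apache 1.3), because 2.7.9 did not fix the problem.
FIXED = {3: (3, 0, 4), 2: (2, 7, 10)}

# Assumption: the module token has the form "mod_python/<dotted version>".
TOKEN = re.compile(r"\bmod_python/(\d+(?:\.\d+)*)", re.IGNORECASE)

# Constructed sample banners, not captured from real hosts.
SAMPLE_BANNERS = [
    "Apache/2.0.48 (Unix) mod_python/3.0.3 Python/2.3.2",
    "Apache/2.0.48 (Unix) mod_python/3.0.4 Python/2.3.2",
    "Apache/1.3.29 (Unix) mod_python/2.7.9 Python/2.2.3",
    "Apache/1.3.29 (Unix) mod_python/2.7.10 Python/2.2.3",
    "Apache",
]


def parse_version(text):
    """Return the mod_python version in `text` as an int tuple, or None."""
    m = TOKEN.search(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad "3.0" to (3, 0, 0)


def classify(banner):
    """Map a banner to 'vulnerable', 'fixed', 'unknown' or 'not-advertised'."""
    ver = parse_version(banner)
    if ver is None:
        # ServerTokens may hide module tokens; absence proves nothing.
        return "not-advertised"
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return "unknown"  # major version outside the advisory's 2.x / 3.x scope
    # Tuple comparison is numeric, so 2.7.9 sorts below 2.7.10.
    return "vulnerable" if ver < fixed else "fixed"


def audit(banners):
    """Classify every banner and return (banner, verdict) pairs."""
    return [(b, classify(b)) for b in banners]


if __name__ == "__main__":
    for banner, verdict in audit(SAMPLE_BANNERS):
        print(f"{verdict:15} {banner}")
```

A "not-advertised" result only means the banner carries no module token, so those hosts still need a check of the installed package version.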
Vendor URL: www.modpython.org/
Cause: Exception handling error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: "Gregory (Grisha) Trubetskoy" <grisha@apache.org>
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Fri, 28 Nov 2003 12:22:13 -0500 (EST)
From: "Gregory (Grisha) Trubetskoy" <grisha@apache.org>
Subject: [ANNOUNCE] Mod_python 3.0.4 and 2.7.9

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of versions 3.0.4 and 2.7.9 of mod_python.

These two releases (for HTTP Server 2.0 and 1.3 respectively) address an
issue whereby a specific query string processed by mod_python would cause
the httpd process to crash.

These two releases have also been patched to compile against Python 2.3
cleanly.

There are no other changes or improvements from the previous version in
these releases.

Both of these releases are considered stable. If you are currently using
mod_python 3.0.3 or 2.7.8, it is highly recommended that you upgrade to
3.0.4 or 2.7.9.

Mod_python is available for download from:
http://httpd.apache.org/modules/python-download.cgi

For more information about mod_python visit
http://www.modpython.org/

Regards,
Grisha Trubetskoy