(Fedora Issues Fix for FC2) Apache Web Server Error in Processing Requests With Many Space Characters Lets Remote Users Deny Service
|
|
SecurityTracker Alert ID: 1012220
|
|
SecurityTracker URL: http://securitytracker.com/id?1012220
|
|
CVE Reference: CAN-2004-0942
(Links to External Site)
|
Date: Nov 13 2004
|
Impact: Denial of service via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.0.52 and prior 2.0.x versions
|
Description: A denial of service vulnerability was reported in the Apache web server. A remote user can consume excessive resources on the target system.
Chintan Trivedi reported that a remote user can submit multiple, specially crafted HTTP GET requests containing spaces to cause denial
of service conditions on the target system.
The vendor later reported that the field length limit is not properly enforced
for certain malicious requests.
A demonstration exploit request is provided:
GET / HTTP/1.0\n
[space] x 8000\n
[space] x
8000\n
[space] x 8000\n
.
.
8000 times
|
Impact: A remote user can consume excessive resources on the target system.
|
Solution: Fedora has released a fix, available at:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
b202b93fa33a117c576f49b0b6ea8cce
SRPMS/httpd-2.0.51-2.9.src.rpm
d44a26a035bef7f26249e1d0a7ae95b4 x86_64/httpd-2.0.51-2.9.x86_64.rpm
0920735cfe93100965958df44e6cca28
x86_64/httpd-devel-2.0.51-2.9.x86_64.rpm
50681f4ed4f3448fa1f8fd86ce41d749 x86_64/httpd-manual-2.0.51-2.9.x86_64.rpm
1b3230a8c205bdf96464d4ecc51bea40
x86_64/mod_ssl-2.0.51-2.9.x86_64.rpm
fae759a29d5ac1eacfb947ec4b447994 x86_64/debug/httpd-debuginfo-2.0.51-2.9.x86_64.rpm
d8e4ed9aafd639fdfab26e6fe3cd8c29
i386/httpd-2.0.51-2.9.i386.rpm
cd1ab7ce0fcc375de0d6db748babc753 i386/httpd-devel-2.0.51-2.9.i386.rpm
341a963e8ac8aba17c18eaebc7ac27c1
i386/httpd-manual-2.0.51-2.9.i386.rpm
f227c579f61c355c594f8e790695bcd8 i386/mod_ssl-2.0.51-2.9.i386.rpm
dc3be7afa997f09293b82caaae505f7b
i386/debug/httpd-debuginfo-2.0.51-2.9.i386.rpm
|
Vendor URL: httpd.apache.org/ (Links to External Site)
|
Cause: Resource error
|
Underlying OS: Linux (Red Hat Fedora)
|
Underlying OS Comments: FC2
|
Reported By: Joe Orton <jorton@redhat.com>
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Fri, 12 Nov 2004 21:18:00 +0000
From: Joe Orton <jorton@redhat.com>
Subject: [SECURITY] Fedora Core 2 Update: httpd-2.0.51-2.9
|
--===============1591218207==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="OgqxwSJOaUobr8KG"
Content-Disposition: inline
--OgqxwSJOaUobr8KG
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-420
2004-11-12
---------------------------------------------------------------------
Product : Fedora Core 2
Name : httpd
Version : 2.0.51 =20
Release : 2.9 =20
Summary : Apache HTTP Server
Description :
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the
Internet.
---------------------------------------------------------------------
This update includes the fixes for an issue in mod_ssl which could
lead to a bypass of an SSLCipherSuite setting in directory or location
context (CVE CAN-2004-0885), and a memory consumption denial of
service issue in the handling of request header lines (CVE
CAN-2004-0942).
---------------------------------------------------------------------
* Thu Nov 11 2004 Joe Orton <jorton@redhat.com> 2.0.51-2.9
- add fix for memory consumption DoS, CAN-2004-0942
- mod_ssl: add fix for SSLCipherSuite bypass, CAN-2004-0885
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
b202b93fa33a117c576f49b0b6ea8cce SRPMS/httpd-2.0.51-2.9.src.rpm
d44a26a035bef7f26249e1d0a7ae95b4 x86_64/httpd-2.0.51-2.9.x86_64.rpm
0920735cfe93100965958df44e6cca28 x86_64/httpd-devel-2.0.51-2.9.x86_64.rpm
50681f4ed4f3448fa1f8fd86ce41d749 x86_64/httpd-manual-2.0.51-2.9.x86_64.rpm
1b3230a8c205bdf96464d4ecc51bea40 x86_64/mod_ssl-2.0.51-2.9.x86_64.rpm
fae759a29d5ac1eacfb947ec4b447994 x86_64/debug/httpd-debuginfo-2.0.51-2.9.x=
86_64.rpm
d8e4ed9aafd639fdfab26e6fe3cd8c29 i386/httpd-2.0.51-2.9.i386.rpm
cd1ab7ce0fcc375de0d6db748babc753 i386/httpd-devel-2.0.51-2.9.i386.rpm
341a963e8ac8aba17c18eaebc7ac27c1 i386/httpd-manual-2.0.51-2.9.i386.rpm
f227c579f61c355c594f8e790695bcd8 i386/mod_ssl-2.0.51-2.9.i386.rpm
dc3be7afa997f09293b82caaae505f7b i386/debug/httpd-debuginfo-2.0.51-2.9.i38=
6.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command. =20
---------------------------------------------------------------------
--OgqxwSJOaUobr8KG
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFBlSiIR/aWnQ5EzwwRAvJnAJ4mh6JJdguxZynRTeIWkDADY4RTjACgwRsK
Bwgz3+RgPZS1R3RCoJ3PcDM=
=1RAL
-----END PGP SIGNATURE-----
--OgqxwSJOaUobr8KG--
--===============1591218207==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list
--===============1591218207==--
|
|
