(Apple Issues Fix for OS X) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
|
|
SecurityTracker Alert ID: 1010042 |
|
SecurityTracker URL: http://securitytracker.com/id/1010042
|
|
CVE Reference:
CAN-2004-0174
(Links to External Site)
|
Date: May 4 2004
|
Impact:
Denial of service via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 2.0.48 and prior versions; 1.3.29 and prior versions
|
Description:
A vulnerability was reported in the Apache web server. A remote user may be able to cause denial of service conditions.
It is reported that a remote user can establish a short-lived connection to a rarely-accessed listening socket on the target server. This may cause the Apache child process to block new connections until another connection arrives on the rarely-accessed listening socket.
The report indicates that some versions of AIX, Solaris, and Tru64 UNIX are affected, but that FreeBSD and Linux systems are not affected.
|
Impact:
A remote user may be able to cause the target server to deny connection requests.
|
Solution:
Apple has released a fix as part of APPLE-SA-2004-05-03 Security Update 2004-05-03.
For Mac OS X 10.3.3 "Panther"
=============================
http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/SecUpd2004-05-03Pan.dmg
The download file is named: "SecUpd2004-05-03Pan.dmg"
Its SHA-1 digest is: 6f35539668d80ee536305a4146bd982a93706532
For Mac OS X Server 10.3.3
==========================
http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/SecUpdSrvr2004-05-03Pan.dmg
The download file is named: "SecUpdSrvr2004-05-03Pan.dmg"
Its SHA-1 digest is: 3c7da910601fd36d4cdfb276af4783ae311ac5d7
For Mac OS X 10.2.8 "Jaguar"
=============================
http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/SecUpd2004-05-03Jag.dmg
The download file is named: "SecUpd2004-05-03Jag.dmg"
Its SHA-1 digest is: 11d5f365e0db58b369d85aa909ac6209e2f49945
For Mac OS X Server 10.2.8
==========================
http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/SecUpdSrvr2004-05-03Jag.dmg
The download file is named: "SecUpdSrvr2004-05-03Jag.dmg"
Its SHA-1 digest is: 28859a4c88f6e1d1fe253388b233a5732b6e42fb
|
Vendor URL: httpd.apache.org/ (Links to External Site)
|
Cause:
Resource error
|
Underlying OS:
UNIX (OS X)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 03 May 2004 14:27:44 -0700
Subject: APPLE-SA-2004-05-03 Security Update 2004-05-03
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2004-05-03 Security Update 2004-05-03
Security Update 2004-05-03 is now available and contains security
enhancements for the following:
CoreFoundation: Fixes CAN-2004-0428 to improve the handling of an
environment variable. Credit to aaron@vtty.com for reporting this
issue.
Apache 2: Fixes CAN-2003-0020, CAN-2004-0113 and CAN-2004-0174 by
updating to Apache 2 to version 2.0.49.
RAdmin: Fixes CAN-2004-0429 to improve the handling of large requests
AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long
passwords. Credit to Dave G. from @stake for reporting this issue.
IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 to improve the security
of VPN tunnels. IPSec in Mac OS X is not vulnerable to
CAN-2004-0392.
Notes:
- Security Update 2004-05-03 is available for both Mac OS X 10.3.3
and Mac OS X 10.2.8
- Security Update 2004-04-05 has been incorporated into this update
================================================
Security Update 2004-05-03 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
For Mac OS X 10.3.3 "Panther"
=============================
http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z
/SecUpd2004-05-03Pan.dmg
The download file is named: "SecUpd2004-05-03Pan.dmg"
Its SHA-1 digest is: 6f35539668d80ee536305a4146bd982a93706532
For Mac OS X Server 10.3.3
==========================
http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z
/SecUpdSrvr2004-05-03Pan.dmg
The download file is named: "SecUpdSrvr2004-05-03Pan.dmg"
Its SHA-1 digest is: 3c7da910601fd36d4cdfb276af4783ae311ac5d7
For Mac OS X 10.2.8 "Jaguar"
=============================
http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z
/SecUpd2004-05-03Jag.dmg
The download file is named: "SecUpd2004-05-03Jag.dmg"
Its SHA-1 digest is: 11d5f365e0db58b369d85aa909ac6209e2f49945
For Mac OS X Server 10.2.8
==========================
http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z
/SecUpdSrvr2004-05-03Jag.dmg
The download file is named: "SecUpdSrvr2004-05-03Jag.dmg"
Its SHA-1 digest is: 28859a4c88f6e1d1fe253388b233a5732b6e42fb
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
iQEVAwUBQJa38XeI0z6bzFr0AQKEjAf9HAvSxFVwKjmzZ1ZcqmVWhCfkNA9TIby7
Z9WOeAIhSFX1GVyetjQIeODLBYVj8bACK2fDj+deRv60VC6IQOxQNTSI5EwlkI/O
Tnz9q77WwV0IaNugfZHWQglKiH6j5ZhMg9xZUQTEpJChPS6u0NN3J4nhj7diqlbK
4a6N+HLQ4jQvk4hpQoFYRGOVnHzso2SJpKUN5uJ2obTSUw528Gchugr1Uez4/m9G
Pb5BZewX877Qc3t1icnlNxSXSru2TIrqef4+ZuJlek5N8lN0oda2KQ7pvkc0/raO
oJnLTiJoGFxLV5jLw7PBd7bIRpUJXZa/xtyg1lj8XUf0r5SFGRVwww==
=wmAo
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.
|
|
