Category:   Application (Web Server/CGI)  >   Apache
Vendors:   Apache Software Foundation
(Vendor Issues Fix) Apache httpd Header Line Memory Allocation Lets Remote Users Crash the Server
SecurityTracker Alert ID:  1010621
SecurityTracker URL:  http://securitytracker.com/id/1010621
CVE Reference:   CAN-2004-0493
Date:  Jul 1 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.0.49 and prior 2.x versions
Description:   A denial of service vulnerability was reported in the way the Apache web server folds header lines. A remote user can cause the server to consume arbitrary amounts of memory.

Georgi Guninski reported that a remote user can send header lines that begin with a tab or space character to cause ap_get_mime_headers_core() in 'server/protocol.c' to allocate memory for the header line. A remote user can reportedly send a large number of specially crafted header lines to cause Apache to consume all available memory on the target system and crash.

The report indicates that on 64-bit systems that have more than 4GB of virtual memory, a remote user may be able to trigger a heap-based buffer overflow, but it is not clear whether this can be exploited to execute arbitrary code.

The vendor has reportedly been notified.

The original advisory is available at:

http://www.guninski.com/httpd1.html
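
The folding behaviour described above, seen from the defensive side. This is an added example, not Apache's code or its 2.0.50 fix: a header-line accumulator in C that caps one logical field, continuation lines included, so lines beginning with a space or tab cannot grow memory without bound. The names feed_line, field_acc and MAX_FIELD_BYTES, and the cap value, are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical cap on one logical header field, continuation lines included. */
#define MAX_FIELD_BYTES 8190

enum fold_status { FOLD_OK = 0, FOLD_TOO_LARGE = -1, FOLD_ORPHAN = -2 };

/* Accumulates one logical header field in a fixed buffer, so memory use
 * cannot grow with the number of continuation lines a client sends. */
struct field_acc {
    char   buf[MAX_FIELD_BYTES + 1];
    size_t len;      /* bytes used in buf */
    int    started;  /* a field-start line has been seen */
};

static int is_lws(char c) { return c == ' ' || c == '\t'; }

/* Feed one header line (CRLF already stripped). A line starting with a space
 * or tab continues the previous field; anything else starts a new field.
 * The caller stops at the empty line that ends the header block. */
enum fold_status feed_line(struct field_acc *acc, const char *line)
{
    size_t n = strlen(line);

    if (n > 0 && is_lws(line[0])) {
        if (!acc->started)
            return FOLD_ORPHAN;            /* continuation with no field */
        while (n > 0 && is_lws(*line)) {   /* collapse leading whitespace */
            line++;
            n--;
        }
        /* +1 for the single space that joins the folded pieces */
        if (n + 1 > MAX_FIELD_BYTES - acc->len)
            return FOLD_TOO_LARGE;         /* caller rejects the request */
        acc->buf[acc->len++] = ' ';
    } else {
        if (n > MAX_FIELD_BYTES)
            return FOLD_TOO_LARGE;
        acc->len = 0;                      /* new field: reuse the buffer */
        acc->started = 1;
    }
    memcpy(acc->buf + acc->len, line, n);
    acc->len += n;
    acc->buf[acc->len] = '\0';
    return FOLD_OK;
}
```
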

Impact:   A remote user can cause the httpd process to crash.
Solution:   The vendor has issued a fixed version (2.0.50) of the Apache HTTP Server, available at:

http://httpd.apache.org/download.cgi

Vendor URL:  httpd.apache.org/
Cause:   Resource error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 28 2004 Apache httpd Header Line Memory Allocation Lets Remote Users Crash the Server



 Source Message Contents

Date:  Thu, 01 Jul 2004 01:28:48 +0200
Subject:  [ANNOUNCE] Apache HTTP Server 2.0.50 Released



                   Apache HTTP Server 2.0.50 Released

   The Apache Software Foundation and The Apache HTTP Server Project are
   pleased to announce the release of version 2.0.50 of the Apache HTTP
   Server ("Apache").  This Announcement notes the significant changes
   in 2.0.50 as compared to 2.0.49.  The Announcement is also available in
   German from:
     
     http://www.apache.org/dist/httpd/Announcement2.txt.de

   This version of Apache is principally a bug fix release.  A summary of
   the bug fixes is given at the end of this document.  Of particular
   note is that 2.0.50 addresses two security vulnerabilities:

     A remotely triggered memory leak in http header parsing can allow a
     denial of service attack due to excessive memory consumption.
     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493]

     Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
     (trusted) client certificate subject DN which exceeds 6K in length.
     [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488]
 
   This release is compatible with modules compiled for 2.0.42 and later
   versions.  We consider this release to be the best version of Apache
   available and encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.0.50 is available for download from

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.0 file, linked from the above page, for
   a full list of changes.

   Apache 2.0 offers numerous enhancements, improvements, and performance
   boosts over the 1.3 codebase.  For an overview of new features introduced
   after 1.3 please see

     http://httpd.apache.org/docs-2.0/new_features_2_0.html

   When upgrading or installing this version of Apache, please keep
   in mind the following:
   If you intend to use Apache with one of the threaded MPMs, you must
   ensure that the modules (and the libraries they depend on) that you
   will be using are thread-safe.  Please contact the vendors of these
   modules to obtain this information.

Copyright 2012, SecurityGlobal.net LLC