SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Server/CGI)  >   Mod_ssl Vendors:   Apache Software Foundation
Apache mod_ssl Can Be Crashed By Remote Users When Reverse Proxying SSL Connections
SecurityTracker Alert ID:  1011213
SecurityTracker URL:  http://securitytracker.com/id/1011213
CVE Reference:   CAN-2004-0751   (Links to External Site)
Updated:  Sep 15 2004
Original Entry Date:  Sep 10 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0.50
Description:   A vulnerability was reported in Apache mod_ssl when used as a reverse proxy. A remote user can cause denial of service conditions in a certain configuration.

M. "Alex" Hankins reported that a remote user can trigger a memory error in char_buffer_read() when using a RewriteRule to reverse proxy SSL connections. A remote server can cause Apache to crash.

Impact:   A remote server can cause Apache to crash.
Solution:   A fix is available via CVS at:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126

Vendor URL:  issues.apache.org/bugzilla/show_bug.cgi?id=30134 (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on Solaris

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 15 2004 (Apache Issues Fix) Apache mod_ssl Can Be Crashed By Remote Users When Reverse Proxying SSL Connections
The vendor has issued a fixed version.
Sep 16 2004 (Red Hat Issues Fix for RHEL) Apache mod_ssl Can Be Crashed By Remote Users When Reverse Proxying SSL Connections
Red Hat has released a fix for Red Hat Enterprise Linux 3.
Oct 15 2004 (Fedora Issues Fix) Apache mod_ssl Can Be Crashed By Remote Users When Reverse Proxying SSL Connections
Fedora has released a fix for Red Hat Linux 9 and Fedora Core 1.
Oct 27 2004 (HP Issues Fix for HP-UX) Apache mod_ssl Can Be Crashed By Remote Users When Reverse Proxying SSL Connections
HP has issued a fixed version for HP-UX.
Dec 2 2004 (Apple Issues Fix for OS X) Apache mod_ssl Can Be Crashed By Remote Users When Reverse Proxying SSL Connections
Apple has issued a fix for Apache on Mac OS X.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2016, SecurityGlobal.net LLC