(Fedora Issues Fix for FC3) Apache Web Server Error in Processing Requests With Many Space Characters Lets Remote Users Deny Service
SecurityTracker Alert ID: 1012217
SecurityTracker URL: http://securitytracker.com/id/1012217
CVE Reference:
CAN-2004-0942
Date: Nov 13 2004
Impact:
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.0.52 and prior 2.0.x versions
Description:
A denial of service vulnerability was reported in the Apache web server. A remote user can consume excessive resources on the target system.
Chintan Trivedi reported that a remote user can submit multiple, specially crafted HTTP GET requests containing spaces to cause denial of service conditions on the target system.
The vendor later reported that the field length limit is not properly enforced for certain malicious requests.
A demonstration exploit request is provided:
GET / HTTP/1.0\n
[space] x 8000\n
[space] x 8000\n
[space] x 8000\n
.
.
8000 times
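The request shape above works because each continuation line (a header line beginning with a space or tab) is folded onto the preceding field, and the folded field is what grows. The following is an added example, not code from the advisory or from the httpd code base: a small header-folding parser that can apply the field-size limit either to each physical line only (the behaviour the advisory describes as not properly enforced) or to the accumulated folded field as well. The limit values are Apache's documented defaults for LimitRequestFieldSize and LimitRequestFields and are stated as assumptions; the sample input is constructed, with a Host header added so the continuation lines have a field to fold into.

```python
# Added example: HTTP/1.x header folding with a request-field size limit.
# Limit values below are Apache's documented defaults (assumption, not
# taken from the advisory text).
DEFAULT_LIMIT_FIELD_SIZE = 8190   # LimitRequestFieldSize default
DEFAULT_LIMIT_FIELDS = 100        # LimitRequestFields default


class HeaderLimitExceeded(Exception):
    """A request-header limit was hit; a server would answer 400 Bad Request."""


def fold_headers(header_block, limit_field_size=DEFAULT_LIMIT_FIELD_SIZE,
                 limit_fields=DEFAULT_LIMIT_FIELDS, check_folded_length=True):
    """Fold HTTP/1.x header lines into logical fields and enforce limits.

    header_block is the text after the request line; a blank line ends it.
    A line that starts with SP or HTAB continues the previous field
    (RFC 2616 LWS folding), so it is appended to that field.

    check_folded_length=False reproduces the flaw the advisory describes:
    every physical line is bounded, but the folded field may grow without
    bound, one allocation per continuation line.  check_folded_length=True
    applies the same limit to the accumulated field, which stops the growth
    at the first continuation line that pushes the field over the limit.
    """
    fields = []
    current = []       # pieces of the field currently being folded
    current_len = 0
    for line in header_block.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            break      # blank line terminates the header block
        if len(line) > limit_field_size:
            raise HeaderLimitExceeded("header line exceeds LimitRequestFieldSize")
        if line[0] in " \t":
            if not current:
                raise HeaderLimitExceeded("continuation line with no field to fold into")
            current.append(line)
            current_len += len(line)
            if check_folded_length and current_len > limit_field_size:
                raise HeaderLimitExceeded("folded field exceeds LimitRequestFieldSize")
        else:
            if current:
                fields.append("".join(current))
            if len(fields) >= limit_fields:
                raise HeaderLimitExceeded("more fields than LimitRequestFields allows")
            current = [line]
            current_len = len(line)
    if current:
        fields.append("".join(current))
    return fields


def constructed_request_headers(n_lines, width):
    """Constructed sample input shaped like the advisory's demonstration: one
    ordinary header followed by n_lines continuation lines of `width` spaces.
    The Host header is added so the continuations have a field to fold into."""
    return "Host: www.example.test\n" + "\n".join([" " * width] * n_lines) + "\n"


if __name__ == "__main__":
    block = constructed_request_headers(n_lines=40, width=4000)
    # Per-line check only: every line is under 8190 bytes, so the block is
    # accepted and the single folded field is about 160 KB.
    folded = fold_headers(block, check_folded_length=False)
    print("per-line check only: accepted, folded field of", len(folded[0]), "bytes")
    # Folded-length check: rejected at the third continuation line.
    try:
        fold_headers(block)
    except HeaderLimitExceeded as err:
        print("folded-length check:", err)
```

With 40 continuation lines of 4000 spaces the per-line check never fires, yet the folded field is forty times the size of any line the limit was meant to bound; scaling that to the 8000 x 8000 shape shown above is what exhausts memory. Enforcing the limit on the folded length rejects the request as soon as the accumulated field passes the limit, before any further allocation happens.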
Impact:
A remote user can consume excessive resources on the target system.
Solution:
Fedora has released a fix, available at:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
7716c1d14e0ae69a891f2a329523dc96 SRPMS/httpd-2.0.52-3.1.src.rpm
ec3154ccfa6ac70331c830836dcc4871 x86_64/httpd-2.0.52-3.1.x86_64.rpm
31fa689b0a81efdd0e004be836637bc9 x86_64/httpd-devel-2.0.52-3.1.x86_64.rpm
c1d9035ad988c68b8ddae0c85c71ee02 x86_64/httpd-manual-2.0.52-3.1.x86_64.rpm
39c126e3f817d373daca7c441cb44caa x86_64/mod_ssl-2.0.52-3.1.x86_64.rpm
ceb684bb374754185bcdd4d859b11204 x86_64/httpd-suexec-2.0.52-3.1.x86_64.rpm
5b3aedb582d98588a052741f907b191c x86_64/debug/httpd-debuginfo-2.0.52-3.1.x86_64.rpm
de542c36d54e33026de4ab41c5e1853f i386/httpd-2.0.52-3.1.i386.rpm
d1e862ee15033b0a8a4f0e61e09a58eb i386/httpd-devel-2.0.52-3.1.i386.rpm
ec0ffcc129a05b97d8e83656bc49efff i386/httpd-manual-2.0.52-3.1.i386.rpm
5c55333c780b4fe78449044c95d93ed3 i386/mod_ssl-2.0.52-3.1.i386.rpm
bf1ffd0c0cf005de92d3efeb81c9228e i386/httpd-suexec-2.0.52-3.1.i386.rpm
4e2f66cc48e668b74dedcfb9f9c12e66 i386/debug/httpd-debuginfo-2.0.52-3.1.i386.rpm
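The list above is in md5sum format (32 hex digits, a space, the path relative to the download directory), so the downloaded packages can be checked against it before installation. The following is an added example, not Fedora's tooling: it parses the listing exactly as published, hashes each file found under a download directory and reports OK, MISMATCH or MISSING per entry. MD5 here only confirms that what was downloaded is what the notice lists; it is not collision-resistant, so authenticity rests on the PGP signature of the announcement and on the package signatures rpm itself checks.

```python
import hashlib
import os

# The MD5 listing exactly as published in the Fedora notice
# (x86_64 and i386 packages of httpd-2.0.52-3.1).
FEDORA_2004_421_MD5SUMS = """\
7716c1d14e0ae69a891f2a329523dc96 SRPMS/httpd-2.0.52-3.1.src.rpm
ec3154ccfa6ac70331c830836dcc4871 x86_64/httpd-2.0.52-3.1.x86_64.rpm
31fa689b0a81efdd0e004be836637bc9 x86_64/httpd-devel-2.0.52-3.1.x86_64.rpm
c1d9035ad988c68b8ddae0c85c71ee02 x86_64/httpd-manual-2.0.52-3.1.x86_64.rpm
39c126e3f817d373daca7c441cb44caa x86_64/mod_ssl-2.0.52-3.1.x86_64.rpm
ceb684bb374754185bcdd4d859b11204 x86_64/httpd-suexec-2.0.52-3.1.x86_64.rpm
5b3aedb582d98588a052741f907b191c x86_64/debug/httpd-debuginfo-2.0.52-3.1.x86_64.rpm
de542c36d54e33026de4ab41c5e1853f i386/httpd-2.0.52-3.1.i386.rpm
d1e862ee15033b0a8a4f0e61e09a58eb i386/httpd-devel-2.0.52-3.1.i386.rpm
ec0ffcc129a05b97d8e83656bc49efff i386/httpd-manual-2.0.52-3.1.i386.rpm
5c55333c780b4fe78449044c95d93ed3 i386/mod_ssl-2.0.52-3.1.i386.rpm
bf1ffd0c0cf005de92d3efeb81c9228e i386/httpd-suexec-2.0.52-3.1.i386.rpm
4e2f66cc48e668b74dedcfb9f9c12e66 i386/debug/httpd-debuginfo-2.0.52-3.1.i386.rpm
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_md5sum_listing(text):
    """Parse '<32 hex digits> <relative path>' lines into {path: digest}.
    Lines that do not fit the md5sum format are ignored."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1].strip()
        if len(digest) != 32 or not set(digest) <= HEX_DIGITS:
            continue
        expected[path] = digest
    return expected


def md5_of_file(path, chunk_size=65536):
    """MD5 of a file, read in chunks so large packages do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_downloads(listing, download_dir):
    """Return {relative_path: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file,
    resolving paths relative to download_dir."""
    results = {}
    for rel_path, digest in parse_md5sum_listing(listing).items():
        full_path = os.path.join(download_dir, rel_path)
        if not os.path.isfile(full_path):
            results[rel_path] = "MISSING"
        elif md5_of_file(full_path) == digest:
            results[rel_path] = "OK"
        else:
            results[rel_path] = "MISMATCH"
    return results


if __name__ == "__main__":
    import sys
    # Usage: python verify_httpd_update.py /path/to/downloaded/updates/3
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, status in sorted(verify_downloads(FEDORA_2004_421_MD5SUMS, directory).items()):
        print(f"{status:8s} {name}")
```

Any MISMATCH means the file should be discarded and fetched again rather than installed; MISSING simply means that architecture's package was not downloaded.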
Vendor URL: httpd.apache.org/
Cause:
Resource error
Underlying OS:
Linux (Red Hat Fedora)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Fri, 12 Nov 2004 21:18:41 +0000
Subject: [SECURITY] Fedora Core 3 Update: httpd-2.0.52-3.1
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-421
2004-11-12
---------------------------------------------------------------------
Product : Fedora Core 3
Name : httpd
Version : 2.0.52
Release : 3.1
Summary : Apache HTTP Server
Description :
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the
Internet.
---------------------------------------------------------------------
Update Information:
This update includes the fix for a memory consumption denial of
service issue in the handling of request header lines (CVE
CAN-2004-0942).
---------------------------------------------------------------------
* Thu Nov 11 2004 Joe Orton <jorton@redhat.com> 2.0.52-3.1
- add fix for memory consumption DoS, CAN-2004-0942
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
7716c1d14e0ae69a891f2a329523dc96 SRPMS/httpd-2.0.52-3.1.src.rpm
ec3154ccfa6ac70331c830836dcc4871 x86_64/httpd-2.0.52-3.1.x86_64.rpm
31fa689b0a81efdd0e004be836637bc9 x86_64/httpd-devel-2.0.52-3.1.x86_64.rpm
c1d9035ad988c68b8ddae0c85c71ee02 x86_64/httpd-manual-2.0.52-3.1.x86_64.rpm
39c126e3f817d373daca7c441cb44caa x86_64/mod_ssl-2.0.52-3.1.x86_64.rpm
ceb684bb374754185bcdd4d859b11204 x86_64/httpd-suexec-2.0.52-3.1.x86_64.rpm
5b3aedb582d98588a052741f907b191c x86_64/debug/httpd-debuginfo-2.0.52-3.1.x86_64.rpm
de542c36d54e33026de4ab41c5e1853f i386/httpd-2.0.52-3.1.i386.rpm
d1e862ee15033b0a8a4f0e61e09a58eb i386/httpd-devel-2.0.52-3.1.i386.rpm
ec0ffcc129a05b97d8e83656bc49efff i386/httpd-manual-2.0.52-3.1.i386.rpm
5c55333c780b4fe78449044c95d93ed3 i386/mod_ssl-2.0.52-3.1.i386.rpm
bf1ffd0c0cf005de92d3efeb81c9228e i386/httpd-suexec-2.0.52-3.1.i386.rpm
4e2f66cc48e668b74dedcfb9f9c12e66 i386/debug/httpd-debuginfo-2.0.52-3.1.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list