SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache HTTPD Vendors:   Apache Software Foundation
Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
SecurityTracker Alert ID:  1009495
SecurityTracker URL:  http://securitytracker.com/id/1009495
CVE Reference:   CVE-2004-0174   (Links to External Site)
Updated:  Apr 13 2004
Original Entry Date:  Mar 19 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.48 and prior versions; 1.3.29 and prior versions
Description:   A vulnerability was reported in the Apache web server. A remote user may be able to cause denial of service conditions.

It is reported that a remote user can establish a short-lived connection to a rarely-accessed listening socket on the target server. This may cause the Apache child process to block new connections until another connection arrives on the rarely-accessed listening socket.

The report indicates that some versions of AIX, Solaris, and Tru64 UNIX are affected, but that FreeBSD and Linux systems are not affected.

Impact:   A remote user may be able to cause the target server to deny connection requests.
Solution:   The vendor has developed a fixed version (2.0.49), available at:

http://httpd.apache.org/download.cgi

The vendor has also released a fixed development version (1.3.31-dev) for the Apache 1.3 release series.

Vendor URL:  httpd.apache.org/ (Links to External Site)
Cause:   Resource error
Underlying OS:  UNIX (Any)
Underlying OS Comments:  May affect some versions of AIX, Solaris, and Tru64; Reportedly does not affect FreeBSD or Linux.

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 1 2004 (Trustix Issues Fix) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
Trustix has released a fix.
Apr 14 2004 (Conectiva Issues Fix) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
Conectiva has released a fix.
Apr 26 2004 (HP Issues Fix for HP-UX) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
HP has issued a fix for HP-UX.
May 4 2004 (Apple Issues Fix for OS X) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
Apple has released a fix for Mac OS X.
May 13 2004 (Slackware Issues Fix) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
Slackware has released a fix.
May 18 2004 (Mandrake Issues Fix) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
Mandrake has released a fix.
May 20 2004 (Mandrake Issues Fix for mod_perl) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
Mandrake has issued a fix for mod_perl.
May 26 2004 (Gentoo Issues Fix) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
Gentoo has released a fix.
Jun 11 2004 (HP Issues Fix for Tru64) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
HP has issued patches.
Sep 10 2004 (Sun Issues Fix) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
Sun has issued a fix for Solaris 9.
Dec 2 2004 (Apple Issues Fix for OS X) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
Apple has issued a fix for Apache on Mac OS X.



 Source Message Contents

Subject:  CVE-2004-0174


 > Fixed in Apache httpd 2.0.49

 > listening socket starvation CAN-2004-0174
 > A starvation issue on listening sockets occurs when a short-lived connection on a
 > rarely-accessed listening socket will cause a child to hold the accept mutex and block
 > out new connections until another connection arrives on that rarely-accessed listening
 > socket.

 > Affects: 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39,
 > 2.0.37, 2.0.36, 2.0.35

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC