SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache HTTPD Vendors:   Apache Software Foundation
(Trustix Issues Fix) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
SecurityTracker Alert ID:  1009607
SecurityTracker URL:  http://securitytracker.com/id/1009607
CVE Reference:   CVE-2004-0174   (Links to External Site)
Date:  Apr 1 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.48 and prior versions; 1.3.29 and prior versions
Description:   A vulnerability was reported in the Apache web server. A remote user may be able to cause denial of service conditions.

It is reported that a remote user can establish a short-lived connection to a rarely-accessed listening socket on the target server. This may cause the Apache child process to block new connections until another connection arrives on the rarely-accessed listening socket.

The report indicates that some versions of AIX, Solaris, and Tru64 UNIX are affected, but that FreeBSD and Linux systems are not affected.

Impact:   A remote user may be able to cause the target server to deny connection requests.
Solution:   Trustix has released a fix, available at:

http://http.trustix.org/pub/trustix/updates/
ftp://ftp.trustix.org/pub/trustix/updates/

The MD5sums of the packages are:

2f8cb6185125538096f5294dd73fcfdf 2.1/rpms/apache-2.0.49-2tr.i586.rpm
d4a92784e59270f8213b10ec47150ec4 2.1/rpms/apache-dbm-2.0.49-2tr.i586.rpm
1f0cba7667cbd4c0e235f056aff03df2 2.1/rpms/apache-devel-2.0.49-2tr.i586.rpm
65c9b7530f0d7e9ba38e7a0d8d106083 2.1/rpms/apache-manual-2.0.49-2tr.i586.rpm
3f1efb8f665de116a06b9ebb780e81cb 2.0/rpms/apache-2.0.49-1tr.i586.rpm
64ab42919cdef6ede9d4efc9c82df2e5 2.0/rpms/apache-devel-2.0.49-1tr.i586.rpm
f40a03994d7140311cf2e5fe714bc410 2.0/rpms/apache-manual-2.0.49-1tr.i586.rpm

Vendor URL:  httpd.apache.org/ (Links to External Site)
Cause:   Resource error
Underlying OS:  Linux (Trustix)
Underlying OS Comments:  2.1

Message History:   This archive entry is a follow-up to the message listed below.
Mar 19 2004 Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service



 Source Message Contents

Subject:  TSLSA-2004-0017 - apache


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0017

Package name:      apache
Summary:           new upstream
Date:              2004-03-30
Affected versions: Trustix 2.1

- --------------------------------------------------------------------------
Package description:
  Apache is a full featured web server that is freely available, and also
  happens to be the most widely used.Built with loadable modules (all standard
  modules enabled). This verion is intended as a replacement for a standard
  apache, the configuration files provided with apache and apache-ssl are
  unchanged.

Problem description:
  The new upstream version of apache addresses several security issues:
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020


Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Public testing:
  Most updates for Trustix are made available for public testing some time
  before release.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailinglist.
  The testing tree is located at
  <URI:http://tsldev.trustix.org/horizon/>

  You may also use swup for public testing of updates:
  
  site {
      class = 0
      location = "http://tsldev.trustix.org/horizon/rdfs/latest.rdf"
      regexp = ".*"
  }
  

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.0/> and
  <URI:http://www.trustix.org/errata/trustix-2.1/>
  or directly at
  <URI:http://www.trustix.org/errata/misc/2004/TSL-2004-0017-apache.asc.txt>


MD5sums of the packages:
- --------------------------------------------------------------------------
2f8cb6185125538096f5294dd73fcfdf  2.1/rpms/apache-2.0.49-2tr.i586.rpm
d4a92784e59270f8213b10ec47150ec4  2.1/rpms/apache-dbm-2.0.49-2tr.i586.rpm
1f0cba7667cbd4c0e235f056aff03df2  2.1/rpms/apache-devel-2.0.49-2tr.i586.rpm
65c9b7530f0d7e9ba38e7a0d8d106083  2.1/rpms/apache-manual-2.0.49-2tr.i586.rpm
3f1efb8f665de116a06b9ebb780e81cb  2.0/rpms/apache-2.0.49-1tr.i586.rpm
64ab42919cdef6ede9d4efc9c82df2e5  2.0/rpms/apache-devel-2.0.49-1tr.i586.rpm
f40a03994d7140311cf2e5fe714bc410  2.0/rpms/apache-manual-2.0.49-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFAaXuvi8CEzsK9IksRAq5CAKCp6Wnz4BmOLfwSqYFU5BDedt5d1wCgo8mn
ZYNT+qxDVYQ4vOZvo/pQ040=
=hqpX
-----END PGP SIGNATURE-----
_______________________________________________
tsl-announce mailing list
tsl-announce@lists.trustix.org
http://lists.trustix.org/mailman/listinfo/tsl-announce

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC