SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache HTTPD Vendors:   Apache Software Foundation
(Apple Issues Fix for OS X) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
SecurityTracker Alert ID:  1010042
SecurityTracker URL:  http://securitytracker.com/id/1010042
CVE Reference:   CVE-2004-0174   (Links to External Site)
Date:  May 4 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.48 and prior versions; 1.3.29 and prior versions
Description:   A vulnerability was reported in the Apache web server. A remote user may be able to cause denial of service conditions.

It is reported that a remote user can establish a short-lived connection to a rarely-accessed listening socket on the target server. This may cause the Apache child process to block new connections until another connection arrives on the rarely-accessed listening socket.

The report indicates that some versions of AIX, Solaris, and Tru64 UNIX are affected, but that FreeBSD and Linux systems are not affected.

Impact:   A remote user may be able to cause the target server to deny connection requests.
Solution:   Apple has released a fix as part of APPLE-SA-2004-05-03 Security Update 2004-05-03.

For Mac OS X 10.3.3 "Panther"
=============================
http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z/SecUpd2004-05-03Pan.dmg
The download file is named: "SecUpd2004-05-03Pan.dmg"
Its SHA-1 digest is: 6f35539668d80ee536305a4146bd982a93706532

For Mac OS X Server 10.3.3
==========================
http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z/SecUpdSrvr2004-05-03Pan.dmg
The download file is named: "SecUpdSrvr2004-05-03Pan.dmg"
Its SHA-1 digest is: 3c7da910601fd36d4cdfb276af4783ae311ac5d7

For Mac OS X 10.2.8 "Jaguar"
=============================
http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z/SecUpd2004-05-03Jag.dmg
The download file is named: "SecUpd2004-05-03Jag.dmg"
Its SHA-1 digest is: 11d5f365e0db58b369d85aa909ac6209e2f49945

For Mac OS X Server 10.2.8
==========================
http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z/SecUpdSrvr2004-05-03Jag.dmg
The download file is named: "SecUpdSrvr2004-05-03Jag.dmg"
Its SHA-1 digest is: 28859a4c88f6e1d1fe253388b233a5732b6e42fb

Vendor URL:  httpd.apache.org/ (Links to External Site)
Cause:   Resource error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.2.8, 10.3.3

Message History:   This archive entry is a follow-up to the message listed below.
Mar 19 2004 Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service



 Source Message Contents

Subject:  APPLE-SA-2004-05-03 Security Update 2004-05-03


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2004-05-03 Security Update 2004-05-03

Security Update 2004-05-03 is now available and contains security
enhancements for the following:

CoreFoundation: Fixes CAN-2004-0428 to improve the handling of an
    environment variable. Credit to aaron@vtty.com for reporting this
    issue.

Apache 2: Fixes CAN-2003-0020, CAN-2004-0113 and CAN-2004-0174 by
    updating to Apache 2 to version 2.0.49.

RAdmin: Fixes CAN-2004-0429 to improve the handling of large requests

AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long
    passwords. Credit to Dave G. from @stake for reporting this issue.

IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 to improve the security
    of VPN tunnels.  IPSec in Mac OS X is not vulnerable to
    CAN-2004-0392.

Notes:
  -  Security Update 2004-05-03 is available for both Mac OS X 10.3.3
       and Mac OS X 10.2.8
  -  Security Update 2004-04-05 has been incorporated into this update

================================================

Security Update 2004-05-03 may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:

    For Mac OS X 10.3.3 "Panther"
    =============================
    http://download.info.apple.com/Mac_OS_X/061-1213.20040503.vngr3/2Z
/SecUpd2004-05-03Pan.dmg
    The download file is named: "SecUpd2004-05-03Pan.dmg"
    Its SHA-1 digest is: 6f35539668d80ee536305a4146bd982a93706532
    
    For Mac OS X Server 10.3.3
    ==========================
    http://download.info.apple.com/Mac_OS_X/061-1215.20040503.mPp9k/2Z
/SecUpdSrvr2004-05-03Pan.dmg
    The download file is named: "SecUpdSrvr2004-05-03Pan.dmg"
    Its SHA-1 digest is: 3c7da910601fd36d4cdfb276af4783ae311ac5d7
    
    For Mac OS X 10.2.8 "Jaguar"
    =============================
    http://download.info.apple.com/Mac_OS_X/061-1217.20040503.BmkY5/2Z
/SecUpd2004-05-03Jag.dmg
    The download file is named: "SecUpd2004-05-03Jag.dmg"
    Its SHA-1 digest is: 11d5f365e0db58b369d85aa909ac6209e2f49945
    
    For Mac OS X Server 10.2.8
    ==========================
    http://download.info.apple.com/Mac_OS_X/061-1219.20040503.Zsw3S/2Z
/SecUpdSrvr2004-05-03Jag.dmg
    The download file is named: "SecUpdSrvr2004-05-03Jag.dmg"
    Its SHA-1 digest is: 28859a4c88f6e1d1fe253388b233a5732b6e42fb
        
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQEVAwUBQJa38XeI0z6bzFr0AQKEjAf9HAvSxFVwKjmzZ1ZcqmVWhCfkNA9TIby7
Z9WOeAIhSFX1GVyetjQIeODLBYVj8bACK2fDj+deRv60VC6IQOxQNTSI5EwlkI/O
Tnz9q77WwV0IaNugfZHWQglKiH6j5ZhMg9xZUQTEpJChPS6u0NN3J4nhj7diqlbK
4a6N+HLQ4jQvk4hpQoFYRGOVnHzso2SJpKUN5uJ2obTSUw528Gchugr1Uez4/m9G
Pb5BZewX877Qc3t1icnlNxSXSru2TIrqef4+ZuJlek5N8lN0oda2KQ7pvkc0/raO
oJnLTiJoGFxLV5jLw7PBd7bIRpUJXZa/xtyg1lj8XUf0r5SFGRVwww==
=wmAo
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC