SecurityTracker Archives
Category:   Application (Web Server/CGI)  >   Apache HTTPD
Vendors:   Apache Software Foundation
(Mandrake Issues Fix) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
SecurityTracker Alert ID:  1010178
SecurityTracker URL:  http://securitytracker.com/id/1010178
CVE Reference:   CVE-2004-0174   (Links to External Site)
Date:  May 18 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.0.48 and prior versions; 1.3.29 and prior versions
Description:   A vulnerability was reported in the Apache web server. A remote user may be able to cause denial of service conditions.

It is reported that a remote user can establish a short-lived connection to a rarely-accessed listening socket on the target server. This may cause the Apache child process to block new connections until another connection arrives on the rarely-accessed listening socket.

The report indicates that some versions of AIX, Solaris, and Tru64 UNIX are affected, but that FreeBSD and Linux systems are not affected.

Impact:   A remote user may be able to cause the target server to deny connection requests.
Solution:   Mandrake has released a fix.
Vendor URL:  httpd.apache.org/ (Links to External Site)
Cause:   Resource error
Underlying OS:  Linux (Mandriva/Mandrake)
Underlying OS Comments:  10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2

Message History:   This archive entry is a follow-up to the message listed below.
Mar 19 2004 Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service



 Source Message Contents

Subject:  MDKSA-2004:046 - Updated apache packages fix a number of vulnerabilities



 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           apache
 Advisory ID:            MDKSA-2004:046
 Date:                   May 17th, 2004

 Affected versions:      10.0, 9.1, 9.2, Corporate Server 2.1,
                         Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 Four security vulnerabilities were fixed with the 1.3.31 release of
 Apache.  All of these issues have been backported and applied to the
 provided packages.  Thanks to Ralf Engelschall of OpenPKG for providing
 the patches.
 
 Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences
 from its error logs.  An attacker could therefore embed such sequences
 in logged data; when an administrator later viewed the error log in a
 terminal emulator with escape-sequence handling vulnerabilities, the
 sequences would be interpreted by that terminal (CAN-2003-0020).
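 The mitigation for this class of issue, as an added illustration in Python rather than Apache's own code: escape every non-printable byte (ESC included) before request data reaches the error log, plus a check for an existing log written by an unpatched server. The log lines and client addresses below are constructed.

```python
# Added illustration, not Apache's own code: the idea behind the Apache 1.3.30
# fix for CAN-2003-0020 is to escape non-printable bytes (including ESC, 0x1b)
# before request data is written to the error log, so a viewer's terminal never
# sees a raw escape sequence.  The log lines and addresses below are constructed.

PRINTABLE = set(range(0x20, 0x7F))          # ordinary ASCII, space through '~'
NAMED = {0x09: "\\t", 0x0A: "\\n", 0x0D: "\\r", 0x5C: "\\\\"}


def escape_logitem(item: bytes) -> str:
    """Return the item with every byte outside printable ASCII escaped.

    Backslash is doubled so the escaped output stays unambiguous; tab, LF
    and CR get C-style escapes; every other control byte and every byte
    >= 0x80 becomes \\xHH.  ESC therefore appears as the literal text \\x1b.
    """
    out = []
    for b in item:
        if b in NAMED:
            out.append(NAMED[b])
        elif b in PRINTABLE:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def lines_with_escapes(log: bytes) -> list:
    """Detection side: 1-based numbers of log lines that carry a raw ESC byte.

    Useful for checking an existing error_log written by an unpatched server.
    """
    return [n for n, line in enumerate(log.splitlines(), 1) if b"\x1b" in line]


# Constructed error_log excerpt: line 2 embeds a CSI "clear screen, home"
# sequence that arrived inside a request path.
SAMPLE_LOG = (
    b"[Mon May 17 10:00:00 2004] [error] [client 192.0.2.10] "
    b"File does not exist: /var/www/html/favicon.ico\n"
    b"[Mon May 17 10:00:01 2004] [error] [client 192.0.2.10] "
    b"File does not exist: /var/www/html/\x1b[2J\x1b[H\n"
    b"[Mon May 17 10:00:02 2004] [notice] caught SIGTERM, shutting down\n"
)

if __name__ == "__main__":
    for n in lines_with_escapes(SAMPLE_LOG):
        raw = SAMPLE_LOG.splitlines()[n - 1]
        print("line %d needs escaping -> %s" % (n, escape_logitem(raw)))
```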
 
 mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the
 nonce of a client response by using an AuthNonce secret.  Apache now
 verifies the nonce returned in the client response to check whether it
 was issued by itself by means of an "AuthDigestRealmSeed" secret exposed
 as an MD5 checksum (CAN-2003-0987).
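 The principle behind that fix, as an added Python illustration that is not Apache's mod_digest code: a nonce carries a keyed checksum over its own contents, so the server can reject any nonce it did not issue. HMAC-SHA256 stands in for the MD5 checksum the advisory mentions, and the timestamp field and 300-second lifetime are constructed choices.

```python
# Added illustration, not Apache's mod_digest code: the principle behind the
# 1.3.31 fix is that a Digest nonce carries a keyed checksum computed with a
# server secret, so the server can tell a nonce it issued from one a client
# made up or replayed from another server.  HMAC-SHA256 is used here instead
# of the MD5 checksum the advisory mentions; the timestamp field and the
# 300-second lifetime are constructed choices for this example.
import hashlib
import hmac
import os
import time


def _tag(secret: bytes, realm: str, ts: str) -> str:
    return hmac.new(secret, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()[:32]


def make_nonce(secret: bytes, realm: str, now=None) -> str:
    """Issue 'timestamp:tag'; the tag binds the timestamp and realm to the secret."""
    ts = str(int(time.time()) if now is None else now)
    return f"{ts}:{_tag(secret, realm, ts)}"


def verify_nonce(secret: bytes, realm: str, nonce: str, now=None, max_age=300) -> bool:
    """True only for a well-formed nonce this server issued for this realm
    that is no older than max_age seconds."""
    try:
        ts, tag = nonce.split(":", 1)
        issued = int(ts)
    except ValueError:
        return False                                   # malformed nonce
    if not hmac.compare_digest(tag, _tag(secret, realm, ts)):
        return False                                   # wrong secret or realm, or tampered
    current = int(time.time()) if now is None else now
    return 0 <= current - issued <= max_age            # reject future-dated and stale


if __name__ == "__main__":
    secret = os.urandom(32)     # per-server seed, analogous in role to AuthDigestRealmSeed
    n = make_nonce(secret, "private area")
    print(n, verify_nonce(secret, "private area", n))
    print(verify_nonce(os.urandom(32), "private area", n))   # another server's secret: False
```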
 
 mod_access in Apache 1.3 prior to 1.3.30, when running on big-endian
 64-bit platforms, did not properly parse Allow/Deny rules using IP
 addresses without a netmask.  This could allow a remote attacker to
 bypass intended access restrictions (CAN-2003-0993).
 
 Apache 1.3 prior to 1.3.30, when using multiple listening sockets on
 certain platforms, allows a remote attacker to cause a DoS by blocking
 new connections via a short-lived connection on a rarely-accessed
 listening socket (CAN-2004-0174).  While this particular vulnerability
 does not affect Linux, we felt it prudent to include the fix.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
 ______________________________________________________________________

 Updated Packages:
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

 Please be aware that sometimes it takes the mirrors a few hours to
 update.

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesecure.net/en/advisories/

 Mandrakesoft has several security-related mailing list services that
 anyone can subscribe to.  Information on these lists can be obtained by
 visiting:

  http://www.mandrakesecure.net/en/mlist.php

 If you want to report vulnerabilities, please contact

  security@linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
                                <security@linux-mandrake.com>

Copyright 2019, SecurityGlobal.net LLC