Category:   Application (Web Server/CGI)  >   mod_perl Vendors:   Apache Software Foundation
(Mandrake Issues Fix for mod_perl) Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service
SecurityTracker Alert ID:  1010246
SecurityTracker URL:  http://securitytracker.com/id/1010246
CVE Reference:   CVE-2004-0174
Date:  May 20 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.48 and prior versions; 1.3.29 and prior versions
Description:   A vulnerability was reported in the Apache web server. A remote user may be able to cause denial of service conditions.

It is reported that a remote user can establish a short-lived connection to a rarely-accessed listening socket on the target server. This may cause the Apache child process to block new connections until another connection arrives on the rarely-accessed listening socket.

The report indicates that some versions of AIX, Solaris, and Tru64 UNIX are affected, but that FreeBSD and Linux systems are not affected.

Impact:   A remote user may be able to cause the target server to deny connection requests.
Solution:   Mandrake has issued a fix.

Mandrakelinux 10.0:
63acd52155d098a1f7f366f9022e22d2 10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.i586.rpm
965ea6d33ad296e8ebf2e3ff493510a7 10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.i586.rpm
d9677587622c98969032258d28fab962 10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.i586.rpm
5fc0a04b29dc963a8198ba43231b5062 10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.i586.rpm
705caa117fd889d8f47b8672a63f7b0a 10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
8684baaf82445ae2aa10c688241f7d22 amd64/10.0/RPMS/HTML-Embperl-1.3.29_1.3.6-3.1.100mdk.amd64.rpm
d8ed6249524aa168bd2de1175b60ab0e amd64/10.0/RPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.amd64.rpm
7cd33d82e9143c229f6f7545c73a89ce amd64/10.0/RPMS/mod_perl-common-1.3.29_1.29-3.1.100mdk.amd64.rpm
33c10b3b423dc9496c785437f1f46e13 amd64/10.0/RPMS/mod_perl-devel-1.3.29_1.29-3.1.100mdk.amd64.rpm
705caa117fd889d8f47b8672a63f7b0a amd64/10.0/SRPMS/apache-mod_perl-1.3.29_1.29-3.1.100mdk.src.rpm

Corporate Server 2.1:
eccb615f3e80136147a846a7827ee086 corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.i586.rpm
417f2e3022591b2c32fb3da2eea493f6 corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.i586.rpm
06f9ba2f38c157eea76f16d54da3520e corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.i586.rpm
5f27ce00d7d11bd201873840f5ee1337 corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.i586.rpm
2d5741904c5a87b53eaef9351dfbe16d corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
ccfaf2869f3b93b58bb82985522d6a6a x86_64/corporate/2.1/RPMS/HTML-Embperl-1.3.26_1.3.4-7.1.C21mdk.x86_64.rpm
ec45dfb7d782e164c3eb200a417839db x86_64/corporate/2.1/RPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
dede6137003aa366b8f57007f0769c50 x86_64/corporate/2.1/RPMS/mod_perl-common-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
2cab584c8d30778cdeb54521b3fe9537 x86_64/corporate/2.1/RPMS/mod_perl-devel-1.3.26_1.27-7.1.C21mdk.x86_64.rpm
2d5741904c5a87b53eaef9351dfbe16d x86_64/corporate/2.1/SRPMS/apache-mod_perl-1.3.26_1.27-7.1.C21mdk.src.rpm

Mandrakelinux 9.1:
3e12f0d068d6e7979edc6c70a9e57fc0 9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.i586.rpm
7d893f2d67c0b0146cc9b7307ebb4d8a 9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.i586.rpm
920082a37fb424a9df9e0f942393a0b2 9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.i586.rpm
69172f9d1315939c6e4d05c3395ce212 9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.i586.rpm
043f2c9c57767318b7dd3c33fa90899f 9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm

Mandrakelinux 9.1/PPC:
1c9a84b031aab153bc8dea7610b0eedc ppc/9.1/RPMS/HTML-Embperl-1.3.27_1.3.4-7.1.91mdk.ppc.rpm
ca8aa7f53e5b6dd6ba852b3e12fe9ea8 ppc/9.1/RPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.ppc.rpm
844ca50fb72aad0225e99c9268577f2a ppc/9.1/RPMS/mod_perl-common-1.3.27_1.27-7.1.91mdk.ppc.rpm
eaa68e38912c3be140f6379d59296c08 ppc/9.1/RPMS/mod_perl-devel-1.3.27_1.27-7.1.91mdk.ppc.rpm
043f2c9c57767318b7dd3c33fa90899f ppc/9.1/SRPMS/apache-mod_perl-1.3.27_1.27-7.1.91mdk.src.rpm

Mandrakelinux 9.2:
1d88e2ef611d80ba3f0c9602e81f77d9 9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.i586.rpm
7ccb9d87d744755f57536684fef6d820 9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.i586.rpm
c7167fb4d1e1416e7f8ffef7979a3906 9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.i586.rpm
2b2004d1e4514d720a80f7ecec22b1d2 9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.i586.rpm
4bf5804d6155bf7d06705e5c4e46cf3e 9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
fe4885d9af3da5107101fbfac0a7f25f amd64/9.2/RPMS/HTML-Embperl-1.3.28_1.3.4-1.1.92mdk.amd64.rpm
b15da8abc8d7914528b90c612b6a558b amd64/9.2/RPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.amd64.rpm
cd878dc7e721615e9b0ffdb8a8849f93 amd64/9.2/RPMS/mod_perl-common-1.3.28_1.28-1.1.92mdk.amd64.rpm
75109c17f579d2d108a4258ef1e12ba4 amd64/9.2/RPMS/mod_perl-devel-1.3.28_1.28-1.1.92mdk.amd64.rpm
4bf5804d6155bf7d06705e5c4e46cf3e amd64/9.2/SRPMS/apache-mod_perl-1.3.28_1.28-1.1.92mdk.src.rpm

Vendor URL:  httpd.apache.org/
Cause:   Resource error
Underlying OS:  Linux (Mandriva/Mandrake)
Underlying OS Comments:  10.0, 9.1, 9.2, Corporate Server 2.1

Message History:   This archive entry is a follow-up to the message listed below.
Mar 19 2004 Apache Web Server Socket Starvation Flaw May Let Remote Users Deny Service



 Source Message Contents

Subject:  [Full-Disclosure] MDKSA-2004:046-1 - apache-mod_perl packages are now available



 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           apache-mod_perl
 Advisory ID:            MDKSA-2004:046-1
 Date:                   May 20th, 2004
 Original Advisory Date: May 17th, 2004
 Affected versions:      10.0, 9.1, 9.2, Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 Four security vulnerabilities were fixed with the 1.3.31 release of
 Apache.  All of these issues have been backported and applied to the
 provided packages.  Thanks to Ralf Engelschall of OpenPKG for providing
 the patches.
 
 Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences
 from its error logs.  This could make it easier for attackers to inject
 such sequences into the terminal emulators of administrators viewing
 the error logs, triggering vulnerabilities in the escape sequence
 handling of those terminals (CAN-2003-0020).
 
 mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the
 nonce of a client response by using an AuthNonce secret.  Apache now
 verifies the nonce returned in the client response to check whether it
 was issued by itself, by means of an "AuthDigestRealmSeed" secret exposed
 as an MD5 checksum (CAN-2003-0987).
 
 mod_access in Apache 1.3 prior to 1.3.30, when running on big-endian
 64-bit platforms, did not properly parse Allow/Deny rules using IP
 addresses without a netmask.  This could allow a remote attacker to
 bypass intended access restrictions (CAN-2003-0993).
 
 Apache 1.3 prior to 1.3.30, when using multiple listening sockets on
 certain platforms, allows a remote attacker to cause a DoS by blocking
 new connections via a short-lived connection on a rarely-accessed
 listening socket (CAN-2004-0174).  While this particular vulnerability
 does not affect Linux, we felt it prudent to include the fix.
  
Update:

 Due to the changes in mod_digest.so, mod_perl needed to be rebuilt
 against the patched Apache packages in order for httpd-perl to
 properly load the module.  The appropriate mod_perl packages have
 been rebuilt and are now available.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
 ______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security@linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security@linux-mandrake.com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
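The socket starvation flaw above (CAN-2004-0174) is a blocking accept() on a listener whose pending connection has already gone away. The following is an added example, not code from Apache or from the advisory, showing the mitigating pattern in Python: listeners are set non-blocking, so a stale readiness report from select() costs one BlockingIOError instead of parking the worker on the rarely-used socket. The two-listener scenario in demo() is constructed on loopback.

```python
import select
import socket


def make_listener(host="127.0.0.1", port=0):
    """Create a TCP listener; port 0 lets the OS choose a free port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((host, port))
    lsock.listen(16)
    # Non-blocking listeners are the mitigation: an accept() that finds no
    # pending connection raises instead of parking the worker on that socket.
    lsock.setblocking(False)
    return lsock


def accept_ready(listeners, timeout=0.5):
    """One pass of a multi-listener accept loop.

    select() reports which listeners look readable; a non-blocking accept()
    on each either yields a connection or raises BlockingIOError when the
    connection select() saw has already vanished (the short-lived connection
    in the advisory). With blocking listeners that stale readiness would leave
    the worker stuck on the rarely-used socket and the busy listeners unserved.
    """
    readable, _, _ = select.select(listeners, [], [], timeout)
    accepted = []
    for lsock in readable:
        try:
            accepted.append(lsock.accept())
        except BlockingIOError:
            continue  # stale readiness: nothing to accept, back to select()
    return accepted


def demo():
    """Constructed scenario: one busy listener, one rarely-used listener."""
    busy, rare = make_listener(), make_listener()
    client = socket.create_connection(busy.getsockname())
    first = accept_ready([busy, rare])                # exactly one connection
    for conn, _addr in first:
        conn.close()
    client.close()
    second = accept_ready([busy, rare], timeout=0.1)  # nothing pending: no hang
    busy.close()
    rare.close()
    return len(first), len(second)
```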

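For the error-log escape sequence issue (CAN-2003-0020), the defence is to escape every non-printable byte before it is written, so that an administrator's terminal never interprets attacker-controlled data. This added example (not Apache's ap_escape_logitem, though it follows the same \xHH idea) escapes a log field, offers a detection helper for auditing logs an unpatched server already wrote, and runs over a constructed request line.

```python
import re

# Anything outside printable ASCII, plus the backslash used as escape lead-in.
# That covers ESC (0x1b), the C1 range (0x9b is a one-byte CSI on many
# terminals), BEL (0x07, terminator of OSC title sequences) and CR/LF, which
# would otherwise let one request forge additional log lines.
_UNSAFE = re.compile(rb"[^\x20-\x7e]|\\")


def escape_logfield(raw: bytes) -> str:
    """Return a rendering of attacker-influenced data that is safe to view.

    Each unsafe byte is written as \\xHH and a literal backslash as \\\\, so
    the original bytes remain recoverable for forensics while nothing in the
    field is interpreted by a terminal, pager or log viewer.
    """
    def repl(match):
        byte = match.group(0)[0]
        return b"\\\\" if byte == 0x5C else b"\\x%02x" % byte
    return _UNSAFE.sub(repl, raw).decode("ascii")


def has_control_bytes(raw: bytes) -> bool:
    """Detection helper for auditing logs written by an unpatched server:
    True when a field carries bytes a terminal would interpret."""
    return re.search(rb"[\x00-\x1f\x7f-\x9f]", raw) is not None


def render_access_line(client: str, request: bytes, status: int) -> str:
    """Common-log-style entry with the request field escaped before logging."""
    return f'{client} - - "{escape_logfield(request)}" {status}'


# Constructed sample: a request line carrying a clear-screen CSI sequence and
# an OSC sequence that would retitle the viewer's terminal window.
SAMPLE_REQUEST = b"GET /\x1b[2J\x1b]0;owned\x07 HTTP/1.0"
```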
 
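The mod_digest fix (CAN-2003-0987) is about the server proving to itself that a nonce in a client response was one it issued. This added example is not Apache's implementation: it uses HMAC-SHA256 rather than the MD5 construction the advisory names, a constructed REALM_SEED in the role of AuthDigestRealmSeed, and an assumed 300-second lifetime, but the check is the same in shape: bind the nonce to issue time and realm with a server secret, and refuse anything that does not verify or has expired.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Server-wide secret in the role of AuthDigestRealmSeed. Constructed here;
# a real server generates it once at startup and never sends it to clients.
REALM_SEED = os.urandom(32)
NONCE_LIFETIME = 300  # seconds a nonce stays acceptable (assumed value)


def _tag(issued: int, realm: str, seed: bytes) -> str:
    """Keyed tag over (issue time, realm); only a seed holder can compute it."""
    return hmac.new(seed, f"{issued}:{realm}".encode(), hashlib.sha256).hexdigest()


def issue_nonce(realm: str, seed: bytes = REALM_SEED, now: Optional[int] = None) -> str:
    """Nonce = 8 hex digits of issue time followed by the tag."""
    issued = int(time.time()) if now is None else now
    return f"{issued:08x}{_tag(issued, realm, seed)}"


def verify_nonce(nonce: str, realm: str, seed: bytes = REALM_SEED,
                 now: Optional[int] = None, lifetime: int = NONCE_LIFETIME) -> bool:
    """Accept only nonces this server issued for this realm that are still fresh.

    The pre-1.3.31 behaviour the advisory describes amounts to skipping the
    tag comparison: any client-supplied nonce was taken at face value.
    """
    if len(nonce) != 8 + 64:
        return False
    try:
        issued = int(nonce[:8], 16)
    except ValueError:
        return False
    # Constant-time comparison so the check does not leak tag bytes by timing.
    if not hmac.compare_digest(nonce[8:], _tag(issued, realm, seed)):
        return False
    current = int(time.time()) if now is None else now
    return 0 <= current - issued <= lifetime
```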