SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Apache HTTPD
Vendors:   Apache Software Foundation
(Fedora Issues Fix for FC3) Apache Web Server Error in Processing Requests With Many Space Characters Lets Remote Users Deny Service
SecurityTracker Alert ID:  1012217
SecurityTracker URL:  http://securitytracker.com/id/1012217
CVE Reference:   CVE-2004-0942
Date:  Nov 13 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.0.52 and prior 2.0.x versions
Description:   A denial of service vulnerability was reported in the Apache web server. A remote user can consume excessive resources on the target system.

Chintan Trivedi reported that a remote user can submit multiple, specially crafted HTTP GET requests containing spaces to cause denial of service conditions on the target system.

The vendor later reported that the field length limit is not properly enforced for certain malicious requests.

A demonstration exploit request is provided:

GET / HTTP/1.0\n
[space] x 8000\n
[space] x 8000\n
[space] x 8000\n
.
.
8000 times
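
The defect the vendor describes (a field length limit that folded continuation lines can bypass) is easiest to see beside a parser that enforces it correctly. The following is an added example written for this entry, not Apache's code or the Fedora patch: it models a header parser that checks only each physical line against the limit next to one that checks the accumulated folded field and the field count, and runs both over a constructed request shaped like the one above (one ordinary header followed by whitespace-only continuation lines, scaled down). The limit values are Apache's documented defaults; the function names and the sample request are assumptions made for illustration.

```python
"""Request-header folding with the size limit applied to the logical field.

Added example for this advisory; it is not Apache's code. It models the
class of defect described above: an HTTP/1.0 or 1.1 header field may be
continued on following lines that start with SP or HTAB, and a server that
checks only each physical line against its field-size limit lets an
unbounded run of whitespace-only continuation lines grow the buffered
field. The limit values are Apache's documented defaults; everything else
(function names, the sample request) is constructed for illustration.
"""

LIMIT_REQUEST_FIELDSIZE = 8190  # Apache default LimitRequestFieldSize, bytes
LIMIT_REQUEST_FIELDS = 100      # Apache default LimitRequestFields


class RequestTooLarge(Exception):
    """A configured limit was exceeded; a server would answer 400 here."""


def _physical_lines(raw: bytes):
    """Yield header lines (CRLF or bare LF) after the request line, stopping
    at the empty line that terminates the header block."""
    for line in raw.split(b"\n")[1:]:
        line = line.rstrip(b"\r")
        if line == b"":
            return
        yield line


def parse_headers_per_line_limit(raw: bytes) -> dict:
    """Vulnerable pattern: the limit is checked per physical line only.

    Each continuation line is appended raw to the current field, so N lines
    of 8000 spaces each pass the per-line check while the field grows by
    8000 bytes per line (modelled here; duplicate names overwrite for brevity).
    """
    headers, current = {}, None
    for line in _physical_lines(raw):
        if len(line) > LIMIT_REQUEST_FIELDSIZE:
            raise RequestTooLarge("header line too long")
        if line[:1] in (b" ", b"\t"):
            if current is None:
                raise ValueError("continuation line before any header field")
            headers[current] += line  # unbounded growth: no check on the total
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        current = name.strip().lower()
        headers[current] = value.strip()
    return headers


def parse_headers_logical_limit(raw: bytes) -> dict:
    """Hardened: the limit covers the whole folded field as received, and the
    field count is capped, so continuation lines cannot evade either."""
    headers, current, received = {}, None, 0
    for line in _physical_lines(raw):
        if len(line) > LIMIT_REQUEST_FIELDSIZE:
            raise RequestTooLarge("header line too long")
        if line[:1] in (b" ", b"\t"):
            if current is None:
                raise ValueError("continuation line before any header field")
            received += len(line)  # count what was actually read for this field
            if received > LIMIT_REQUEST_FIELDSIZE:
                raise RequestTooLarge("folded header field exceeds limit")
            # RFC 2616 4.2: folding LWS has the semantics of a single SP.
            headers[current] += b" " + line.strip()
            continue
        if len(headers) >= LIMIT_REQUEST_FIELDS:
            raise RequestTooLarge("too many header fields")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        current = name.strip().lower()
        headers[current] = value.strip()
        received = len(line)
    return headers


def build_folded_request(lines: int, width: int) -> bytes:
    """Constructed sample: one ordinary header followed by `lines` continuation
    lines of `width` spaces each (the shape described above, scaled down)."""
    head = b"GET / HTTP/1.0\r\nHost: example.test\r\n"
    return head + (b" " * width + b"\r\n") * lines + b"\r\n"


def compare(lines: int = 200, width: int = 8000):
    """Return (bytes buffered by the per-line parser, verdict of the hardened one)."""
    req = build_folded_request(lines, width)
    buffered = len(parse_headers_per_line_limit(req)[b"host"])
    try:
        parse_headers_logical_limit(req)
        verdict = "accepted"
    except RequestTooLarge as exc:
        verdict = f"rejected: {exc}"
    return buffered, verdict


if __name__ == "__main__":
    print(compare())
```

With the defaults, the per-line parser buffers 1,600,012 bytes for a single header while every physical line stays under the limit; the hardened parser rejects the request on the second continuation line, because the bytes received for that field already exceed LimitRequestFieldSize. A legitimately folded header (for example a value split across two lines) passes both parsers, which is the behaviour a fix has to preserve.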

Impact:   A remote user can consume excessive resources on the target system.
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

7716c1d14e0ae69a891f2a329523dc96 SRPMS/httpd-2.0.52-3.1.src.rpm
ec3154ccfa6ac70331c830836dcc4871 x86_64/httpd-2.0.52-3.1.x86_64.rpm
31fa689b0a81efdd0e004be836637bc9 x86_64/httpd-devel-2.0.52-3.1.x86_64.rpm
c1d9035ad988c68b8ddae0c85c71ee02 x86_64/httpd-manual-2.0.52-3.1.x86_64.rpm
39c126e3f817d373daca7c441cb44caa x86_64/mod_ssl-2.0.52-3.1.x86_64.rpm
ceb684bb374754185bcdd4d859b11204 x86_64/httpd-suexec-2.0.52-3.1.x86_64.rpm
5b3aedb582d98588a052741f907b191c x86_64/debug/httpd-debuginfo-2.0.52-3.1.x86_64.rpm
de542c36d54e33026de4ab41c5e1853f i386/httpd-2.0.52-3.1.i386.rpm
d1e862ee15033b0a8a4f0e61e09a58eb i386/httpd-devel-2.0.52-3.1.i386.rpm
ec0ffcc129a05b97d8e83656bc49efff i386/httpd-manual-2.0.52-3.1.i386.rpm
5c55333c780b4fe78449044c95d93ed3 i386/mod_ssl-2.0.52-3.1.i386.rpm
bf1ffd0c0cf005de92d3efeb81c9228e i386/httpd-suexec-2.0.52-3.1.i386.rpm
4e2f66cc48e668b74dedcfb9f9c12e66 i386/debug/httpd-debuginfo-2.0.52-3.1.i386.rpm

Vendor URL:  httpd.apache.org/
Cause:   Resource error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC3

Message History:   This archive entry is a follow-up to the message listed below.
Nov 4 2004 Apache Web Server Error in Processing Requests With Many Space Characters Lets Remote Users Deny Service



 Source Message Contents

Subject:  [SECURITY] Fedora Core 3 Update: httpd-2.0.52-3.1




---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-421
2004-11-12
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : httpd
Version     : 2.0.52
Release     : 3.1
Summary     : Apache HTTP Server
Description :
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the
Internet.

---------------------------------------------------------------------
Update Information:

This update includes the fix for a memory consumption denial of
service issue in the handling of request header lines (CVE
CAN-2004-0942).

---------------------------------------------------------------------
* Thu Nov 11 2004 Joe Orton <jorton@redhat.com> 2.0.52-3.1

- add fix for memory consumption DoS, CAN-2004-0942

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

7716c1d14e0ae69a891f2a329523dc96  SRPMS/httpd-2.0.52-3.1.src.rpm
ec3154ccfa6ac70331c830836dcc4871  x86_64/httpd-2.0.52-3.1.x86_64.rpm
31fa689b0a81efdd0e004be836637bc9  x86_64/httpd-devel-2.0.52-3.1.x86_64.rpm
c1d9035ad988c68b8ddae0c85c71ee02  x86_64/httpd-manual-2.0.52-3.1.x86_64.rpm
39c126e3f817d373daca7c441cb44caa  x86_64/mod_ssl-2.0.52-3.1.x86_64.rpm
ceb684bb374754185bcdd4d859b11204  x86_64/httpd-suexec-2.0.52-3.1.x86_64.rpm
5b3aedb582d98588a052741f907b191c  x86_64/debug/httpd-debuginfo-2.0.52-3.1.x86_64.rpm
de542c36d54e33026de4ab41c5e1853f  i386/httpd-2.0.52-3.1.i386.rpm
d1e862ee15033b0a8a4f0e61e09a58eb  i386/httpd-devel-2.0.52-3.1.i386.rpm
ec0ffcc129a05b97d8e83656bc49efff  i386/httpd-manual-2.0.52-3.1.i386.rpm
5c55333c780b4fe78449044c95d93ed3  i386/mod_ssl-2.0.52-3.1.i386.rpm
bf1ffd0c0cf005de92d3efeb81c9228e  i386/httpd-suexec-2.0.52-3.1.i386.rpm
4e2f66cc48e668b74dedcfb9f9c12e66  i386/debug/httpd-debuginfo-2.0.52-3.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBlSixR/aWnQ5EzwwRAqmfAJ9hffGFlhebY6kLZzci3Iqxn1WFwwCgt5za
K7aAoE0lmkEO+GydomMlXa8=
=q6I6
-----END PGP SIGNATURE-----

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list

Copyright 2019, SecurityGlobal.net LLC