SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache HTTPD Vendors:   Apache Software Foundation
(Fedora Issues Fix for FC2) Apache Web Server Error in Processing Requests With Many Space Characters Lets Remote Users Deny Service
SecurityTracker Alert ID:  1012220
SecurityTracker URL:  http://securitytracker.com/id/1012220
CVE Reference:   CVE-2004-0942   (Links to External Site)
Date:  Nov 13 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0.52 and prior 2.0.x versions
Description:   A denial of service vulnerability was reported in the Apache web server. A remote user can consume excessive resources on the target system.

Chintan Trivedi reported that a remote user can submit multiple, specially crafted HTTP GET requests containing spaces to cause denial of service conditions on the target system.

The vendor later reported that the field length limit is not properly enforced for certain malicious requests.

A demonstration exploit request is provided:

GET / HTTP/1.0\n
[space] x 8000\n
[space] x 8000\n
[space] x 8000\n
.
.
8000 times

Impact:   A remote user can consume excessive resources on the target system.
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

b202b93fa33a117c576f49b0b6ea8cce SRPMS/httpd-2.0.51-2.9.src.rpm
d44a26a035bef7f26249e1d0a7ae95b4 x86_64/httpd-2.0.51-2.9.x86_64.rpm
0920735cfe93100965958df44e6cca28 x86_64/httpd-devel-2.0.51-2.9.x86_64.rpm
50681f4ed4f3448fa1f8fd86ce41d749 x86_64/httpd-manual-2.0.51-2.9.x86_64.rpm
1b3230a8c205bdf96464d4ecc51bea40 x86_64/mod_ssl-2.0.51-2.9.x86_64.rpm
fae759a29d5ac1eacfb947ec4b447994 x86_64/debug/httpd-debuginfo-2.0.51-2.9.x86_64.rpm
d8e4ed9aafd639fdfab26e6fe3cd8c29 i386/httpd-2.0.51-2.9.i386.rpm
cd1ab7ce0fcc375de0d6db748babc753 i386/httpd-devel-2.0.51-2.9.i386.rpm
341a963e8ac8aba17c18eaebc7ac27c1 i386/httpd-manual-2.0.51-2.9.i386.rpm
f227c579f61c355c594f8e790695bcd8 i386/mod_ssl-2.0.51-2.9.i386.rpm
dc3be7afa997f09293b82caaae505f7b i386/debug/httpd-debuginfo-2.0.51-2.9.i386.rpm

Vendor URL:  httpd.apache.org/ (Links to External Site)
Cause:   Resource error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC2

Message History:   This archive entry is a follow-up to the message listed below.
Nov 4 2004 Apache Web Server Error in Processing Requests With Many Space Characters Lets Remote Users Deny Service



 Source Message Contents

Subject:  [SECURITY] Fedora Core 2 Update: httpd-2.0.51-2.9



--===============1591218207==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="OgqxwSJOaUobr8KG"
Content-Disposition: inline


--OgqxwSJOaUobr8KG
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-420
2004-11-12
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : httpd
Version     : 2.0.51                     =20
Release     : 2.9                 =20
Summary     : Apache HTTP Server
Description :
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the
Internet.

---------------------------------------------------------------------

This update includes the fixes for an issue in mod_ssl which could
lead to a bypass of an SSLCipherSuite setting in directory or location
context (CVE CAN-2004-0885), and a memory consumption denial of
service issue in the handling of request header lines (CVE
CAN-2004-0942).

---------------------------------------------------------------------

* Thu Nov 11 2004 Joe Orton <jorton@redhat.com> 2.0.51-2.9

- add fix for memory consumption DoS, CAN-2004-0942
- mod_ssl: add fix for SSLCipherSuite bypass, CAN-2004-0885

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

b202b93fa33a117c576f49b0b6ea8cce  SRPMS/httpd-2.0.51-2.9.src.rpm
d44a26a035bef7f26249e1d0a7ae95b4  x86_64/httpd-2.0.51-2.9.x86_64.rpm
0920735cfe93100965958df44e6cca28  x86_64/httpd-devel-2.0.51-2.9.x86_64.rpm
50681f4ed4f3448fa1f8fd86ce41d749  x86_64/httpd-manual-2.0.51-2.9.x86_64.rpm
1b3230a8c205bdf96464d4ecc51bea40  x86_64/mod_ssl-2.0.51-2.9.x86_64.rpm
fae759a29d5ac1eacfb947ec4b447994  x86_64/debug/httpd-debuginfo-2.0.51-2.9.x=
86_64.rpm
d8e4ed9aafd639fdfab26e6fe3cd8c29  i386/httpd-2.0.51-2.9.i386.rpm
cd1ab7ce0fcc375de0d6db748babc753  i386/httpd-devel-2.0.51-2.9.i386.rpm
341a963e8ac8aba17c18eaebc7ac27c1  i386/httpd-manual-2.0.51-2.9.i386.rpm
f227c579f61c355c594f8e790695bcd8  i386/mod_ssl-2.0.51-2.9.i386.rpm
dc3be7afa997f09293b82caaae505f7b  i386/debug/httpd-debuginfo-2.0.51-2.9.i38=
6.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command. =20
---------------------------------------------------------------------

--OgqxwSJOaUobr8KG
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBlSiIR/aWnQ5EzwwRAvJnAJ4mh6JJdguxZynRTeIWkDADY4RTjACgwRsK
Bwgz3+RgPZS1R3RCoJ3PcDM=
=1RAL
-----END PGP SIGNATURE-----

--OgqxwSJOaUobr8KG--


--===============1591218207==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list
--===============1591218207==--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC