Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200407-03 ] Apache 2: Remote denial of service attack
Date: Sun, 04 Jul 2004 19:42:27
Message-Id: 40E85D5F.60909@gentoo.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200407-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Apache 2: Remote denial of service attack
      Date: July 04, 2004
      Bugs: #55441
        ID: 200407-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A bug in Apache may allow a remote attacker to perform a Denial of
Service attack. With certain configurations this could lead to a
heap-based buffer overflow.

Background
==========

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems. The goal of this
project is to provide a secure, efficient and extensible server that
provides services in tune with the current HTTP standards.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /   Vulnerable   /                    Unaffected
    -------------------------------------------------------------------
  1  net-www/apache       <= 2.0.49-r3                    >= 2.0.49-r4
                                                                   < 2

Description
===========

A bug in the header-line handling in the protocol.c file will cause
Apache to allocate memory for header lines starting with TAB or SPACE.

Impact
======

An attacker can exploit this vulnerability to perform a Denial of
Service attack by causing Apache to exhaust all memory. On 64-bit
systems with more than 4GB of virtual memory, a possible integer
signedness error could lead to a buffer overflow, causing Apache to
crash and, under some circumstances, execute arbitrary code as the
user running Apache, usually "apache".

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

Apache 2 users should upgrade to the latest version of Apache:

    # emerge sync

    # emerge -pv ">=net-www/apache-2.0.49-r4"
    # emerge ">=net-www/apache-2.0.49-r4"

References
==========

  [ 1 ] Georgi Guninski security advisory #70, 2004
        http://www.guninski.com/httpd1.html
  [ 2 ] CAN-2004-0493
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200407-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA6F1fvcL1obalX08RAhz9AKCPeuWIsRNOW23muPm9Wg8o+4DsIgCeIKFG
tLPdwSIV5gDVQeZB8jcxozo=
=1rY3
-----END PGP SIGNATURE-----
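
Added example, not part of the advisory and not Apache's code: one way a
header reader can bound the memory taken by lines starting with SPACE or
TAB, the case the Description covers, while keeping lengths unsigned. The
function name, the max_field limit and the sample request are assumptions
made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: two fields, the second folded over two lines. */
static const char SAMPLE[] =
    "Host: example.test\r\n"
    "X-Note: first\r\n"
    " second\r\n"
    "\tthird\r\n"
    "\r\n";

/* Count header fields; a line starting with SP or TAB continues the
 * previous field. Each field's merged length is kept in size_t and
 * checked against max_field before it grows. Returns the field count,
 * or -1 when the block is rejected. (Hypothetical helper.) */
static int count_fields_bounded(const char *raw, size_t max_field)
{
    size_t field_len = 0;               /* unsigned: never goes negative */
    int fields = 0;
    while (*raw != '\0') {
        const char *eol = strstr(raw, "\r\n");
        if (eol == NULL)
            return -1;                  /* unterminated line */
        size_t line_len = (size_t)(eol - raw);
        if (line_len == 0)
            return fields;              /* blank line ends the headers */
        if (*raw == ' ' || *raw == '\t') {
            if (fields == 0)
                return -1;              /* continuation with no field */
            /* subtraction form: field_len + line_len cannot wrap */
            if (line_len > max_field - field_len)
                return -1;              /* folded field over the limit */
            field_len += line_len;
        } else {
            if (line_len > max_field)
                return -1;              /* single line over the limit */
            field_len = line_len;
            fields++;
        }
        raw = eol + 2;
    }
    return -1;                          /* no terminating blank line */
}

int main(void)
{
    return count_fields_bounded(SAMPLE, 64) == 2 ? 0 : 1;
}
```

The limit applies to the merged field, so adding more continuation lines
cannot grow a single field past max_field.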