Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: apache (200304-01)
Date: Wed, 09 Apr 2003 15:30:40
Message-Id: 20030409080659.72FEC33A82@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200304-01
- - ---------------------------------------------------------------------

PACKAGE : apache
SUMMARY : Denial of service in Apache 2.x
DATE : 2003-04-09 08:06 UTC
EXPLOIT : remote
VERSIONS AFFECTED : 2.0.0-2.0.44
FIXED VERSION : >=2.0.45
CVE : CAN-2003-0132

- - ---------------------------------------------------------------------

- From advisory:

"Remote exploitation of a memory leak in the Apache HTTP Server causes the
daemon to overutilize system resources on an affected system. The problem
is HTTP Server's handling of large chunks of consecutive linefeed
characters. The web server allocates an eighty-byte buffer for each
linefeed character without specifying an upper limit for allocation.
Consequently, an attacker can remotely exhaust system resources by
generating many requests containing these characters."

Read the full advisory at:
http://www.idefense.com/advisory/04.08.03.txt

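The following is an added teaching example, not Apache's code and not part of the advisory: a toy request reader that models the bug class the advisory describes (a fresh 80-byte buffer allocated for every leading linefeed with no upper limit), placed beside a bounded reader that reuses one buffer and refuses the request once a cap on blank lines is reached. The 80-byte buffer size comes from the advisory text; `MAX_BLANK_LINES` is an assumed illustrative limit, not the value Apache 2.0.45 uses, and the request bytes are constructed test data.

```python
"""Model of the CAN-2003-0132 bug class: unbounded per-linefeed allocation
versus a bounded reader. Added illustration; not Apache source code."""

import io

BUFFER_SIZE = 80          # per-linefeed allocation size quoted in the advisory
MAX_BLANK_LINES = 10      # assumed cap for the hardened reader (illustrative only)


class RequestTooLarge(Exception):
    """Raised when a client sends more leading blank lines than the cap allows."""


def read_request_line_unbounded(stream):
    """Vulnerable pattern: allocate a new buffer for every blank line.

    Returns (request_line, bytes_allocated). Memory grows linearly with the
    number of leading linefeeds and is bounded only by the client's patience.
    """
    buffers = []
    while True:
        line = stream.readline()
        if line == b"":                      # connection closed before a request line
            return None, len(buffers) * BUFFER_SIZE
        if line in (b"\n", b"\r\n"):         # leading linefeed: allocate and keep reading
            buffers.append(bytearray(BUFFER_SIZE))
            continue
        return line.rstrip(b"\r\n"), len(buffers) * BUFFER_SIZE


def read_request_line_bounded(stream, max_blank_lines=MAX_BLANK_LINES):
    """Hardened pattern: one reusable buffer plus a cap on blank lines.

    Raises RequestTooLarge once the cap is exceeded, so an abusive client
    costs at most one buffer and max_blank_lines reads before being cut off.
    """
    scratch = bytearray(BUFFER_SIZE)         # single buffer reused for every line
    blank_lines = 0
    while True:
        line = stream.readline()
        if line == b"":
            return None, len(scratch)
        if line in (b"\n", b"\r\n"):
            blank_lines += 1
            if blank_lines > max_blank_lines:
                raise RequestTooLarge(
                    f"more than {max_blank_lines} leading blank lines")
            continue
        return line.rstrip(b"\r\n"), len(scratch)


def make_request(leading_linefeeds, request_line=b"GET / HTTP/1.0\r\n"):
    """Constructed sample input: N leading linefeeds followed by a request line.

    Pass request_line=b"" to model a client that closes the connection
    without ever sending a request line.
    """
    return io.BytesIO(b"\n" * leading_linefeeds + request_line)


if __name__ == "__main__":
    for n in (0, 5, 500):
        line, used = read_request_line_unbounded(make_request(n))
        print(f"unbounded, {n:>3} blank lines -> {used} bytes allocated")
    line, used = read_request_line_bounded(make_request(5))
    print(f"bounded,     5 blank lines -> {used} bytes allocated")
    try:
        read_request_line_bounded(make_request(500))
    except RequestTooLarge as exc:
        print(f"bounded,   500 blank lines -> rejected ({exc})")
```

The point of the pairing is the shape of the fix rather than any particular number: the allocation must be tied to a fixed resource (one buffer) and the loop must have an exit that the client cannot postpone indefinitely.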
SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/apache version 2 upgrade to apache-2.0.45 as follows:

emerge sync
emerge \=net-www/apache-2.0.45
emerge clean

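As an added example (not a Gentoo tool and not part of this announcement), the check below decides whether an installed apache version string falls inside the affected range this GLSA gives (2.0.0 through 2.0.44 inclusive, fixed in >=2.0.45), so an administrator with an inventory of hosts can list the ones that still need the upgrade. The host names and version strings in the demo are constructed; the parser assumes Gentoo-style names such as `net-www/apache-2.0.44-r1`, where the `-rN` revision does not change the upstream version.

```python
"""Flag installed apache versions inside the GLSA 200304-01 affected range.
Added example; the range bounds come from the announcement header."""

import re

AFFECTED_LOW = (2, 0, 0)     # from "VERSIONS AFFECTED : 2.0.0-2.0.44"
AFFECTED_HIGH = (2, 0, 44)   # inclusive upper bound; 2.0.45 is the fixed version

_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(version):
    """Extract the dotted upstream version as an integer tuple.

    Accepts a bare '2.0.44', 'apache-2.0.44' or a full Gentoo atom such as
    'net-www/apache-2.0.44-r1'; the Gentoo revision suffix is ignored because
    it does not alter the upstream release. Raises ValueError if no dotted
    version is present.
    """
    match = _VERSION_RE.search(version)
    if match is None:
        raise ValueError(f"no dotted version found in {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(version):
    """True when the version lies within 2.0.0 .. 2.0.44 inclusive."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def audit(installed):
    """Return only the host -> version entries that still need the upgrade."""
    return {host: ver for host, ver in installed.items() if is_affected(ver)}


if __name__ == "__main__":
    # constructed inventory, not real hosts
    inventory = {
        "web-a": "net-www/apache-2.0.44-r1",
        "web-b": "net-www/apache-2.0.45",
        "web-c": "net-www/apache-1.3.27",
        "web-d": "2.0.40",
    }
    for host, ver in audit(inventory).items():
        print(f"{host}: {ver} is affected; emerge \\=net-www/apache-2.0.45")
```

Tuple comparison keeps the check exact at the boundaries: 2.0.44 is flagged, 2.0.45 is not, and the 1.3 branch is outside the range because the advisory concerns Apache 2.x only.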
- - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+k9ScfT7nyhUpoZMRAjRsAKCOSha1aZfqiR5D8HuCwBcpwXenLACfYDTD
Nd0j+dcq/hf5VZ7FJ7H173Q=
=8BkJ
-----END PGP SIGNATURE-----