-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200304-01
- - ---------------------------------------------------------------------

PACKAGE : apache
SUMMARY : Denial of service in Apache 2.x
DATE : 2003-04-09 08:06 UTC
EXPLOIT : remote
VERSIONS AFFECTED : 2.0.0-2.0.44
FIXED VERSION : >=2.0.45
CVE : CAN-2003-0132

- - ---------------------------------------------------------------------

- From advisory:

"Remote exploitation of a memory leak in the Apache HTTP Server causes the
daemon to over utilize system resources on an affected system. The problem
is HTTP Server's handling of large chunks of consecutive linefeed
characters. The web server allocates an eighty-byte buffer for each
linefeed character without specifying an upper limit for allocation.
Consequently, an attacker can remotely exhaust system resources by
generating many requests containing these characters."

Read the full advisory at:
http://www.idefense.com/advisory/04.08.03.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/apache version 2 upgrade to apache-2.0.45 as follows:

emerge sync
emerge \=net-www/apache-2.0.45
emerge clean

- - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+k9ScfT7nyhUpoZMRAjRsAKCOSha1aZfqiR5D8HuCwBcpwXenLACfYDTD
Nd0j+dcq/hf5VZ7FJ7H173Q=
=8BkJ
-----END PGP SIGNATURE-----
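
A fleet check for the version range stated in this announcement, added here as an example and not part of the Gentoo or iDEFENSE text: it classifies version strings as affected (2.0.0-2.0.44) or fixed (>=2.0.45) and lists the hosts that still need the upgrade. The host names, the "host version-string" input format and the function names are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: classify Apache versions against this advisory's range
# (affected 2.0.0-2.0.44, fixed >=2.0.45). Hosts and strings are constructed.

# Print the x.y.z that follows "Apache/" or "apache-" in a version string.
apache_version_of() {
    printf '%s\n' "$1" |
        sed -n 's|^.*[Aa]pache[-/]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$|\1|p'
}

# Print affected, fixed, not-in-range (outside 2.0.x) or unknown.
classify_apache() {
    ver=$(apache_version_of "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -ne 2 ] || [ "$minor" -ne 0 ]; then
        echo not-in-range
    elif [ "$patch" -le 44 ]; then
        echo affected
    else
        echo fixed
    fi
}

# Read "host version-string" lines on stdin; print hosts still in the range.
audit_inventory() {
    while read -r host banner; do
        if [ -n "$host" ] && [ "$(classify_apache "$banner")" = affected ]; then
            echo "$host"
        fi
    done
}

# Constructed inventory: an httpd -v style line, package atoms, a 1.3 banner.
sample_inventory() {
    cat <<'EOF'
web1.example.test Server version: Apache/2.0.44
web2.example.test net-www/apache-2.0.45
web3.example.test net-www/apache-2.0.40-r1
web4.example.test Apache/1.3.27 (Unix)
EOF
}

sample_inventory | audit_inventory
```

A Gentoo revision suffix such as `-r1` is ignored, and `not-in-range` only means the version lies outside the 2.0.x range this announcement covers.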