The views expressed in articles on this site are those of their authors.



Copyright 1998-2024, Southern California OS/2 User Group. ALL RIGHTS RESERVED.

SCOUG, Warp Expo West, and Warpfest are trademarks of the Southern California OS/2 User Group. OS/2, Workplace Shell, and IBM are registered trademarks of International Business Machines Corporation. All other trademarks remain the property of their respective owners.

The Southern California OS/2 User Group
USA

SCOUG-HELP Mailing List Archives



Date: Sat, 12 Apr 2003 11:31:31 PDT
From: "Dave Watson" <david.watson@earthlink.net>
Reply-To: scoug-help@scoug.com
To: scoug-help@scoug.com
Subject: SCOUG-Help: Apache 2.0.44 Denial of Service

Content Type: text/plain


Bugtraq is a software patch monitoring service. Normally they address
Win and Linux bugs; this one describes a vulnerability in Apache for
OS2. Thought some of you might be interested.

------- Forwarded message follows -------
Date sent: Fri, 11 Apr 2003 16:32:34 -0500
To: Bugtraq
From: "William A. Rowe, Jr."
Subject: PATCH: [CAN-2003-0132] Apache 2.0.44 Denial of Service Vulnerability


In additional response to the iDEFENSE Security Advisory 04.08.03 cited
below, the Apache HTTP Server Project has published a specific patch
to address this Denial of Service vulnerability for the 2.0.44 server
version.

The patch may or may not apply to earlier versions of Apache 2.0, and
if applied to earlier versions, may or may not fully address the
vulnerability.
Review was limited to correcting the bug in the 2.0.44 release only.

The patch can be obtained from;

http://www.apache.org/dist/httpd/patches/apply_to_2.0.44/denial_of_service_fix.patch

The Apache HTTP Server project continues to caution users to obtain the
latest release (2.0.45 at this time) from

http://httpd.apache.org/download.cgi

to improve stability and obtain the most current bug fixes. As noted in the
prior announcement;

OS/2 Users of both 2.0.44 and 2.0.45 have an additional Denial of Service
vulnerability identified and reported by Robert Howard that will be
addressed with the next release. Until that time, OS2 users must obtain
an additional patch before building Apache release 2.0.45 or prior:

http://www.apache.org/dist/httpd/patches/apply_to_2.0.45/os2_filestat_security_fix.patch

That is all.

At 11:44 AM 4/8/2003, iDEFENSE Labs wrote:
>iDEFENSE Security Advisory 04.08.03:
>http://www.idefense.com/advisory/04.08.03.txt
>Denial of Service in Apache HTTP Server 2.x
>April 8, 2003
>
>Remote exploitation of a memory leak in the Apache HTTP Server causes the
>daemon to over utilize system resources on an affected system. The problem
>is HTTP Server's handling of large chunks of consecutive linefeed
>characters. The web server allocates an eighty-byte buffer for each
>linefeed character without specifying an upper limit for allocation.
>Consequently, an attacker can remotely exhaust system resources by
>generating many requests containing these characters.
>[...]
>
>V. VENDOR FIX/RESPONSE
>
>Apache HTTP Server 2.0.45, which fixes this vulnerability, can be
>downloaded at http://httpd.apache.org/download.cgi . This release
>introduces a limit of 100 blank lines accepted before an HTTP connection
>is discarded.

------- End of forwarded message -------
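
Added illustration (not part of the forwarded messages and not Apache's source code): an example in C of the mitigation the advisory describes for 2.0.45, where blank lines ahead of the request line are counted per connection and the connection is dropped once more than 100 have arrived, instead of memory being allocated for each one. The names read_request_line, conn_state and MAX_BLANK_LINES are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define MAX_BLANK_LINES 100  /* limit quoted in the advisory for 2.0.45 */

enum rl_status { RL_OK, RL_NEED_MORE, RL_TOO_MANY_BLANKS };

/* Per-connection state: one counter, no allocation per blank line. */
struct conn_state { unsigned blank_lines; };

/*
 * Scan buf[0..len) for the first non-empty line.
 * RL_OK:              *line / *line_len describe the request line
 *                     (terminator stripped).
 * RL_NEED_MORE:       no complete non-empty line yet; call again with the
 *                     unconsumed bytes plus newly received data.
 * RL_TOO_MANY_BLANKS: more than MAX_BLANK_LINES blank lines were seen on
 *                     this connection; the caller should close it.
 * *consumed is always set to the number of bytes the caller may discard.
 */
enum rl_status read_request_line(struct conn_state *c,
                                 const char *buf, size_t len,
                                 const char **line, size_t *line_len,
                                 size_t *consumed)
{
    size_t pos = 0;
    while (pos < len) {
        const char *nl = memchr(buf + pos, '\n', len - pos);
        if (nl == NULL)
            break;                      /* incomplete line: wait for data */
        size_t end = (size_t)(nl - buf);
        size_t n = end - pos;
        if (n > 0 && buf[end - 1] == '\r')
            n--;                        /* strip the CR of a CRLF */
        if (n > 0) {                    /* first non-empty line found */
            *line = buf + pos;
            *line_len = n;
            *consumed = end + 1;
            return RL_OK;
        }
        if (++c->blank_lines > MAX_BLANK_LINES) {
            *consumed = end + 1;
            return RL_TOO_MANY_BLANKS;  /* count persists across calls */
        }
        pos = end + 1;
    }
    *consumed = pos;
    return RL_NEED_MORE;
}
```

Because the counter lives in the connection state, a client that spreads its linefeeds over many small writes reaches the same limit as one that sends them in a single burst.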






The Southern California OS/2 User Group
P.O. Box 26904
Santa Ana, CA 92799-6904, USA

Copyright 2001 the Southern California OS/2 User Group. ALL RIGHTS RESERVED.
