CONECTIVA LINUX SECURITY ANNOUNCEMENT
| PACKAGE | : | apache |
| SUMMARY | : | Denial of service vulnerabilities |
| DATE | : | 2003-07-21 18:34:00 |
| ID | : | CLA-2003:698 |
| RELEVANT RELEASES | : | 9 |
DESCRIPTION
Apache[1] is the most popular webserver in use today.
This update addresses the following issues:
- SSL renegotiations (CAN-2003-0192 [2]) Certain sequences of
per-directory renegotiations and the SSLCipherSuite directive being
used to upgrade from a weak ciphersuite to a strong one could
result in the weak ciphersuite being used in place of the strong
one. - Denial of service (CAN-2003-0253 [3]) Saheed Akhtar reported
that a denial of service condition exists in the prefork MPM when
accept() on rarely accessed port returns certain errors. The
prefork MPM is the default mode for Apache as shipped with
Conectiva Linux 9. - Ftp proxy denial of service (CAN-2003-0254 [4]) Yoshioka Tsuneo
reported a denial of service condition in the ftp proxy which
happens when the target host is IPv6 but the proxy server itself
cannot create an IPv6 socket. - Denial of service (VU#379828 [5]) Ryan O’Neill reported that it
is possible to make the httpd server enter infinite loops and crash
under certain circumstances. A new configuration directive has been
created (LimitInternalRecursion) to avoid these infinite loops and
abort the request which caused them if the configured limit has
been reached.
SOLUTION
It is recommended that all Apache users upgrade their packages.
IMPORTANT: it is necessary to manually restart the httpd server
after upgrading the packages. In order to do this, execute the
following as root:
service apache stop
(wait a few seconds and check with “ps ax|grep httpd” if there
are any httpd processes running. On a busy webserver this could
take a little longer)
service apache start
REFERENCES
- http://httpd.apache.org/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0192
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0253
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0254
- http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19753
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/9/SRPMS/apache-2.0.45-28790U90_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-devel-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-doc-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/apache-htpasswd-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr-devel-static-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/libapr0-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_auth_ldap-2.0.45-28790U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/mod_dav-2.0.45-28790U90_3cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade
examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
All packages are signed with Conectiva’s GPG key. The key and
instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can
be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com