Rapid7 Vulnerability & Exploit Database

CESA-2004:562: httpd security update

Back to Search

CESA-2004:562: httpd security update

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
11/03/2004
Created
07/25/2018
Added
03/12/2010
Modified
07/04/2017

Description

Updated httpd packages that include fixes for two security issues, as well as other bugs, are now available.

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. An issue has been discovered in the mod_ssl module when configured to use the "SSLCipherSuite" directive in directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client will be able to access that location using any cipher suite allowed by the virtual host configuration. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0885 to this issue. An issue has been discovered in the handling of white space in request header lines using MIME folding. A malicious client could send a carefully crafted request, forcing the server to consume large amounts of memory, leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0942 to this issue. Several minor bugs were also discovered, including: - In the mod_cgi module, problems that arise when CGI scripts are invoked from SSI pages by mod_include using the "#include virtual" syntax have been fixed. - In the mod_dav_fs module, problems with the handling of indirect locks on the S/390x platform have been fixed. Users of the Apache HTTP server who are affected by these issues should upgrade to these updated packages, which contain backported patches.

Solution(s)

  • centos-upgrade-httpd
  • centos-upgrade-httpd-devel
  • centos-upgrade-mod_ssl

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;