Rapid7 Vulnerability & Exploit Database

RHSA-2003:240: Updated httpd packages fix Apache security vulnerabilities

Back to Search

RHSA-2003:240: Updated httpd packages fix Apache security vulnerabilities

Severity
6
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:P)
Published
08/18/2003
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

Updated httpd packages that fix several minor security issues are now available for Red Hat Linux 8.0 and 9.

The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. Ben Laurie found a bug in the optional renegotiation code in mod_ssl included with Apache 2 versions 2.0.35 through 2.0.46 that can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0192 to this issue. Yoshioka Tsuneo found that unpatched versions of Apache 2 versions 2.0.35 to 2.0.46 have a bug that can cause a remote Denial of Service. When a client requests that proxy ftp connect to a ftp server with an IPv6 address, and the proxy is unable to create an IPv6 socket, an infinite loop occurs. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0254 to this issue. Saheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46 have a bug in the prefork MPM when handling accept errors. In a server with multiple listening sockets, a certain error returned by accept() on a rarely-accessed port can cause a temporary denial of service. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0253 to this issue. It is possible for Apache 2 to get into an infinite loop handling internal redirects and nested subrequests. A patch for this issue adds the new LimitInternalRecursion directive. All users of the Apache HTTP Web Server are advised to upgrade to the applicable errata packages, which contain back-ported fixes correcting these issues, and are applied to Apache version 2.0.40. After the errata packages are installed, restart the Web service by running (as root) the following command: /sbin/service httpd restart

Solution(s)

  • redhat-upgrade-httpd
  • redhat-upgrade-httpd-devel
  • redhat-upgrade-httpd-manual
  • redhat-upgrade-mod_ssl

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;