| VID |
22280 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
Apache HTTP Server versions 2.0 through 2.0.50 contain multiple remotely and locally exploitable vulnerabilities. All Apache 2.0 releases prior to 2.0.51 are reported susceptible to the following:
- A buffer overflow exploitable by a local attacker when environment variables are expanded in an .htaccess or httpd.conf configuration file (CAN-2004-0747).
- A denial of service exploitable by a remote attacker, caused by a vulnerability in the mod_ssl SSL/TLS module (CAN-2004-0748).
- A denial of service exploitable by a remote attacker, caused by a vulnerability in the mod_ssl module when running in speculative mode (CAN-2004-0751).
- A denial of service exploitable by a remote attacker, caused by a vulnerability in the IPv6 URI parsing routines of the apr-util library (CAN-2004-0786).
- A denial of service exploitable by a remote attacker, caused by a vulnerability in the mod_dav distributed authoring and versioning (DAV) module (CAN-2004-0809).
An attacker could use these flaws to cause an httpd child process to crash or possibly execute arbitrary code on the system.
* Note: This check relies solely on the banner reported by the remote Apache HTTP Server, so the result may be a false positive (for example, where the vendor has backported the fixes without changing the advertised version string).
* References: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183 http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-3404.txt
* Platforms Affected: Apache HTTP Server 2.0 to 2.0.50, on any operating system and version |
| Recommendation |
Upgrade to the latest version of Apache HTTP Server (2.0.51 or later), available from the Apache HTTP Server Project Web site at http://httpd.apache.org
For Red Hat Linux: Upgrade to the latest httpd package, as listed in Red Hat Security Advisory RHSA-2004:463-09 at https://rhn.redhat.com/errata/RHSA-2004-463.html
For SuSE Linux: Upgrade to the latest httpd package, as listed in SuSE Security Announcement SUSE-SA:2004:032 at http://www.suse.de/de/security/2004_32_apache2.html
For Mandrake Linux: Upgrade to the latest apache2 package, as listed in MandrakeSoft Security Advisory MDKSA-2004:096 at http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:096
For Turbolinux: Upgrade to the latest httpd package, as listed in Turbolinux Security Advisory TLSA-2004-28 at http://www.turbolinux.com/security/2004/TLSA-2004-28.txt
For Trustix Secure Linux: Upgrade to the latest apache package, as listed in Trustix Secure Linux Security Advisory #2004-0047 at http://www.trustix.net/errata/2004/0047/
For Gentoo Linux: Upgrade to the latest version of apache (2.0.51 or later; releases prior to 2.0 are not affected) or mod_dav (1.0.3-r2 or later), as listed in Gentoo Linux Security Advisory GLSA 200409-21 at http://www.gentoo.org/security/en/glsa/glsa-200409-21.xml
For other distributions: Contact your vendor for upgrade or patch information. |
| Related URL |
CVE-2004-0747,CVE-2004-0748,CVE-2004-0751,CVE-2004-0786,CVE-2004-0809 (CVE) |
| Related URL |
11094,11154,11182,11185,11187 (SecurityFocus) |
| Related URL |
17200,17382,17384,17273,17366 (ISS) |
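Because this check is banner-based, the logic below is what a practitioner would run to reproduce it and to see where it can misfire. It is an added example, not code from the scanner or from the Apache project: every function name is hypothetical, the vendor token list used to flag possible backports is an assumption, and the Server header strings are constructed sample input. It flags only the 2.0 branch below 2.0.51, treats a hidden version (ServerTokens Prod) or a non-Apache banner as undetermined, and marks banners carrying a distribution tag as candidates for a false positive.

```python
import http.client
import re

# First release carrying the fixes for CAN-2004-0747/0748/0751/0786/0809.
FIXED_VERSION = (2, 0, 51)

# Distribution tags commonly present in the Server header. Assumption: a
# vendor that tags the banner may also ship backported fixes under the old
# version number, so a match only downgrades confidence, it does not clear.
VENDOR_TOKENS = ("red hat", "debian", "suse", "mandrake", "gentoo",
                 "turbolinux", "trustix", "ubuntu")

# "Apache" alone (ServerTokens Prod) is matched, but the version groups stay
# empty; "Apache-Coyote" (Tomcat) and other products also yield no version.
SERVER_RE = re.compile(r"\bApache(?:/(\d+)\.(\d+)(?:\.(\d+))?)?")


def parse_apache_version(server_header):
    """Return (major, minor, patch) from a Server header, or None when
    Apache httpd is not advertised or its version is hidden."""
    m = SERVER_RE.search(server_header or "")
    if not m or m.group(1) is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(server_header):
    """Banner-only test mirroring VID 22280: True for 2.0.0 .. 2.0.50,
    False for anything else with a version, None when undetermined."""
    v = parse_apache_version(server_header)
    if v is None:
        return None
    return v[:2] == (2, 0) and v < FIXED_VERSION


def assess(server_header):
    """Classify a banner, noting when a vendor backport could make the
    banner-only result a false positive."""
    affected = is_affected(server_header)
    if affected is None:
        return "unknown"
    if not affected:
        return "not-affected"
    if any(tok in server_header.lower() for tok in VENDOR_TOKENS):
        return "affected-by-banner (vendor backport possible)"
    return "affected-by-banner"


def fetch_server_banner(host, port=80, timeout=5):
    """Network helper: issue a HEAD request and return the raw Server
    header (None if absent). The checks above work on the header string."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d",
    "Apache/2.0.51 (Unix)",
    "Apache/2.0.46 (Red Hat)",
    "Apache/1.3.31 (Unix)",
    "Apache",
    "Microsoft-IIS/6.0",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:55} -> {assess(banner)}")
```

When a banner is reported as affected with a vendor tag, confirm against the distribution's package version (for example the RHSA, SUSE-SA or MDKSA advisory listed above) rather than the Apache version string before raising a finding.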