Apache2 updated


Post by squeen » Thu Jul 10, 2003 4:07 am

The Apache HTTP Server releases prior to 2.0.47 contain several vulnerabilities that may allow a remote attacker to create a denial of service (DoS) on the Apache server or exploit an improperly used weak encryption suite.

The first vulnerability may allow a remote attacker to exploit a weak encryption suite. A certain sequence of per-directory renegotiations and the SSLCipherSuite directive could cause a weak encryption suite to be used instead of the desired stronger suite.

A temporary DoS may be caused by certain errors returned by the accept() function on ports that are rarely accessed.

A DoS may occur when an attacker attempts to proxy to IPv6 but the FTP proxy server is unable to create an IPv6 socket.

A DoS may be triggered by a malicious type-map file. Apache supports content negotiation through type-map files. Content negotiation allows the server to use the best resources based on the browser preferences for media, language, character sets, and encoding. An attacker may copy a malicious type-map to the system that causes the system to go into an infinite loop while parsing the file. This loop consumes all available resources until the system crashes.

Systems running Apache HTTP Server prior to 2.0.47 are vulnerable.
Apache has released an updated version at the following link: Apache 2.0.47 (http://www.apache.org/dist/httpd/)
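An added example, not part of the original post and not Apache's own code: it checks a server version banner against the fixed release 2.0.47 and lists every SSLCipherSuite directive that sits inside a per-directory section, the configuration the first item above involves. The function names and the sample configuration are constructed for illustration, and only 2.0.x banners are evaluated.

```python
import re

FIXED = (2, 0, 47)  # fixed release named in the post
SECTIONS = r"(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)"
OPEN = re.compile(r"<\s*" + SECTIONS + r"\b([^>]*)>", re.I)
CLOSE = re.compile(r"<\s*/\s*" + SECTIONS + r"\s*>", re.I)

def is_affected(banner):
    """True for a 2.0.x banner older than 2.0.47, None if no version is shown."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None  # version not disclosed, cannot decide from the banner
    v = tuple(int(x) for x in m.groups())
    return v[:2] == (2, 0) and v < FIXED

def per_directory_cipher_suites(conf_text):
    """Return (line_no, section, cipher_spec) for SSLCipherSuite in per-directory context."""
    stack, hits = [], []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}")
            continue
        parts = line.split(None, 1)
        if stack and parts[0].lower() == "sslciphersuite":
            hits.append((n, stack[-1], parts[1] if len(parts) > 1 else ""))
    return hits

SAMPLE_CONF = """\
# constructed sample configuration
SSLCipherSuite HIGH:MEDIUM
<VirtualHost _default_:443>
    SSLEngine on
    <Directory "/var/www/secure">
        SSLCipherSuite HIGH
    </Directory>
    <Location /legacy>
        SSLCipherSuite ALL
    </Location>
</VirtualHost>
"""
```

A server-level SSLCipherSuite is not reported; only directives nested in Directory, Location or Files sections are, since those are the ones applied per directory. .htaccess files would need to be scanned separately.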
