Skip to navigation

Security Advisory httpd security update

Advisory: RHSA-2004:084-14
Type: Security Advisory
Severity: Important
Issued on: 2004-03-23
Last updated on: 2004-03-23
Affected Products: Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CVE-2004-0113

Details

Updated httpd packages are now available that fix a denial of service
vulnerability in mod_ssl and include various other bug fixes.

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

A memory leak in mod_ssl in the Apache HTTP Server prior to version 2.0.49
allows a remote denial of service attack against an SSL-enabled server. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-0113 to this issue.

This update also includes various bug fixes, including:

- improvements to the mod_expires, mod_dav, mod_ssl and mod_proxy modules

- a fix for a bug causing core dumps during configuration parsing on the
IA64 platform

- an updated version of mod_include fixing several edge cases in the SSI parser

Additionally, the mod_logio module is now included.

Users of the Apache HTTP server should upgrade to these updated packages,
which contain backported patches that address these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Enterprise Linux AS (v. 3)
SRPMS:
httpd-2.0.46-32.ent.src.rpm
File outdated by:  RHSA-2009:1579		     MD5: 0578bb679d25664d60a396216751c52b
 
IA-32:
httpd-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: a4e26276faa96ae744b8584dfca9d0a8
httpd-devel-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: f16f311cb4a04b0eebfc0fb05841f4b1
mod_ssl-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: c83676811d1ad92f94332defca06562d
 
IA-64:
httpd-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 88f10b3263638bad5f25d8e2f466f577
httpd-devel-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 1f64367942fe38a883716f907aafdd2e
mod_ssl-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: fc2b50541e485d2b8c67c3ddc28596ab
 
PPC:
httpd-2.0.46-32.ent.ppc.rpm
File outdated by:  RHSA-2009:1579		     MD5: e5784963d08a8f2a1b1c2ebca88b495a
ftp://updates.redhat.com/rhn/repository/NULL/httpd/2.0.46-32.ent/ppc64/httpd-2.0.46-32.ent.ppc64.rpm
Missing file		     MD5: 6baf583f19a9f90d57e30fe8719c2fed
httpd-devel-2.0.46-32.ent.ppc.rpm
File outdated by:  RHSA-2009:1579		     MD5: 7f0c9424b7f5cda0a021cf3fb0f5dd80
ftp://updates.redhat.com/rhn/repository/NULL/httpd-devel/2.0.46-32.ent/ppc64/httpd-devel-2.0.46-32.ent.ppc64.rpm
Missing file		     MD5: e0df7bcb18320e5d5e18f1d15f4e8848
mod_ssl-2.0.46-32.ent.ppc.rpm
File outdated by:  RHSA-2009:1579		     MD5: bb809b4751b8d1bcdbfba8402b79de75
ftp://updates.redhat.com/rhn/repository/NULL/mod_ssl/2.0.46-32.ent/ppc64/mod_ssl-2.0.46-32.ent.ppc64.rpm
Missing file		     MD5: 5cd9bca47c0fd7593d24a23cfdefe492
 
s390:
httpd-2.0.46-32.ent.s390.rpm
File outdated by:  RHSA-2009:1579		     MD5: d31e82269a2b465b04871ef442fbf2d5
httpd-devel-2.0.46-32.ent.s390.rpm
File outdated by:  RHSA-2009:1579		     MD5: 6306426ed7de562c25f431a7f46bd893
mod_ssl-2.0.46-32.ent.s390.rpm
File outdated by:  RHSA-2009:1579		     MD5: 5da65fff9b14a7f4d39c9550bafda627
 
s390x:
httpd-2.0.46-32.ent.s390x.rpm
File outdated by:  RHSA-2009:1579		     MD5: 20ffb2d9fbdfdc4b9c31d3568f2db55c
httpd-devel-2.0.46-32.ent.s390x.rpm
File outdated by:  RHSA-2009:1579		     MD5: 20bebf1f27b1dcac4691292bb7689dc2
mod_ssl-2.0.46-32.ent.s390x.rpm
File outdated by:  RHSA-2009:1579		     MD5: be4e2faaa60b8ecbe22dc79342df1e07
 
x86_64:
httpd-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: c4109535a41be2dbdd7f522f1a70e4a7
httpd-devel-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: f95dc1f95b509ef64666c232c1758b92
mod_ssl-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 37dff057ab1b6ddc96488e207c5bbc22
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
httpd-2.0.46-32.ent.src.rpm
File outdated by:  RHSA-2009:1579		     MD5: 0578bb679d25664d60a396216751c52b
 
IA-32:
httpd-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: a4e26276faa96ae744b8584dfca9d0a8
httpd-devel-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: f16f311cb4a04b0eebfc0fb05841f4b1
mod_ssl-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: c83676811d1ad92f94332defca06562d
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
httpd-2.0.46-32.ent.src.rpm
File outdated by:  RHSA-2009:1579		     MD5: 0578bb679d25664d60a396216751c52b
 
IA-32:
httpd-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: a4e26276faa96ae744b8584dfca9d0a8
httpd-devel-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: f16f311cb4a04b0eebfc0fb05841f4b1
mod_ssl-2.0.46-32.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: c83676811d1ad92f94332defca06562d
 
IA-64:
httpd-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 88f10b3263638bad5f25d8e2f466f577
httpd-devel-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 1f64367942fe38a883716f907aafdd2e
mod_ssl-2.0.46-32.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: fc2b50541e485d2b8c67c3ddc28596ab
 
x86_64:
httpd-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: c4109535a41be2dbdd7f522f1a70e4a7
httpd-devel-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: f95dc1f95b509ef64666c232c1758b92
mod_ssl-2.0.46-32.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 37dff057ab1b6ddc96488e207c5bbc22
 

Bugs fixed (see bugzilla for more information)

112771 - Invalid paths in config_vars.mk crash build of mod_jk
113929 - mod_expires headers not set when used in conjunction with mod_proxy
113934 - SRPMS: test for MMN version it too fragile
115328 - Satisfy keyword in httpd.conf causes apache to segfault on load
115379 - pcre conflict between httpd and php
117280 - CAN-2004-0113 mod_ssl Denial of Service attack


References

https://www.redhat.com/security/data/cve/CVE-2004-0113.html
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106
http://www.apacheweek.com/features/security-20

Keywords

Apache, DoS, httpd, SSL

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/