[ISN] DoS Holes Plugged in Apache HTTP Server

From: InfoSec News (isnat_private)
Date: Thu Jul 10 2003 - 00:22:19 PDT

    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    
    http://www.internetnews.com/dev-news/article.php/2232981
    
    July 9, 2003 
    By Ryan Naraine
    
    The Apache Software Foundation on Monday released a new version of its 
    open-source Web server project to plug four potentially serious 
    security holes. 
    
    The latest update to the Apache 2.0 HTTP Server (version 2.0.47) is 
    described as a security and bug fix release to plug holes that could 
    lead to denial-of-service attacks.
    
    The Foundation warned that the SSLCipherSuite directive being used to 
    upgrade from a weak ciphersuite to a strong one could result in the 
    weak ciphersuite being used in place of the strong one. The previous 
    Apache HTTP Server version also contained a bug in the prefork MPM 
    where certain errors returned by accept() on rarely accessed ports 
    could cause temporal DoS.
    
    Another DoS security vulnerability, triggered when the target host is 
    IPv6, was also patched. Apache explained that the FTP proxy server 
    can't create an IPv6 socket. The Apache Foundation also warned that 
    older versions of the server would crash when going into an infinite 
    loop because of too many subsequent internal redirects and nested 
    subrequests.
    
    The Apache 2.0 HTTP Server project, which is developed and maintained 
    by volunteers, dominates the Web server market. At the end of June, 
    Netcraft statistics found the Apache server commanding a 67 percent 
    share (29 million sites) of the market, well ahead of competing 
    products from Microsoft and Sun Microsystems.
    
    _______________________________________________________________________
    eric wolbrom, CISSP			Safe Harbor Technologies
    President & CIO				66 Garlen Road
    Voice 914.767.9090				Katonah, NY 10536
    Fax   914.767.3911				http://www.shtech.net
    _______________________________________________________________________
    
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jul 10 2003 - 03:03:57 PDT