(RHSA-2004:562) httpd security update

2004-11-12T05:00:00
ID RHSA-2004:562
Type redhat
Reporter RedHat
Modified 2017-07-29T20:29:23

Description

The Apache HTTP server is a powerful, full-featured, efficient, and freely available Web server.

An issue has been discovered in the mod_ssl module when configured to use the "SSLCipherSuite" directive in directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client will be able to access that location using any cipher suite allowed by the virtual host configuration. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0885 to this issue.
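To find configurations that rely on the behaviour described above, the following added example (not part of the advisory or of Red Hat's tooling) lists every SSLCipherSuite directive placed inside a Directory or Location section of an httpd configuration. The sample configuration and the function name are constructed for illustration; the parser does not follow Include files or backslash line continuations.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW
    <Location /admin>
        SSLCipherSuite HIGH
    </Location>
    <Directory "/var/www/html/public">
        Options None
    </Directory>
    # SSLCipherSuite LOW   (commented out, ignored)
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")
# Section types the advisory calls "directory or location context".
PER_DIR = {"directory", "directorymatch", "location", "locationmatch"}

def find_per_dir_cipher_suites(conf_text):
    """Return (line_no, enclosing_section, cipher_spec) for each
    SSLCipherSuite found inside a Directory/Location section."""
    stack, findings = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = CLOSE.match(line)
        if closing:
            # Unwind to the matching opener, tolerating sloppy nesting.
            name = closing.group(1).lower()
            for i in range(len(stack) - 1, -1, -1):
                if stack[i][0] == name:
                    del stack[i:]
                    break
            continue
        opening = OPEN.match(line)
        if opening:
            stack.append((opening.group(1).lower(), opening.group(2).strip()))
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "sslciphersuite":
            scoped = [s for s in stack if s[0] in PER_DIR]
            if scoped:  # the virtual-host-level directive is not reported
                findings.append((line_no, " ".join(scoped[-1]),
                                 parts[1] if len(parts) > 1 else ""))
    return findings

if __name__ == "__main__":
    for line_no, section, spec in find_per_dir_cipher_suites(SAMPLE_CONF):
        print(f"line {line_no}: SSLCipherSuite {spec} inside <{section}>")
```

Each reported section is one where, on an unpatched server, clients can still connect with any cipher suite the enclosing virtual host allows.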

An issue has been discovered in the handling of white space in request header lines using MIME folding. A malicious client could send a carefully crafted request, forcing the server to consume large amounts of memory, leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0942 to this issue.

Several minor bugs were also discovered, including:

  • In the mod_cgi module, problems that arise when CGI scripts are invoked from SSI pages by mod_include using the "#include virtual" syntax have been fixed.

  • In the mod_dav_fs module, problems with the handling of indirect locks on the S/390x platform have been fixed.

Users of the Apache HTTP server who are affected by these issues should upgrade to these updated packages, which contain backported patches.