Lucene search

K
redhatRedHatRHSA-2004:562
HistoryNov 12, 2004 - 12:00 a.m.

(RHSA-2004:562) httpd security update

2004-11-1200:00:00
access.redhat.com
13

EPSS

0.966

Percentile

99.6%

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

An issue has been discovered in the mod_ssl module when configured to use
the “SSLCipherSuite” directive in directory or location context. If a
particular location context has been configured to require a specific set
of cipher suites, then a client will be able to access that location using
any cipher suite allowed by the virtual host configuration. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0885 to this issue.

An issue has been discovered in the handling of white space in request
header lines using MIME folding. A malicious client could send a carefully
crafted request, forcing the server to consume large amounts of memory,
leading to a denial of service. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0942 to this issue.

Several minor bugs were also discovered, including:

  • In the mod_cgi module, problems that arise when CGI scripts are
    invoked from SSI pages by mod_include using the “#include virtual”
    syntax have been fixed.

  • In the mod_dav_fs module, problems with the handling of indirect locks
    on the S/390x platform have been fixed.

Users of the Apache HTTP server who are affected by these issues should
upgrade to these updated packages, which contain backported patches.