A memory leak in mod_ssl allows a remote denial of service attack against an SSL-enabled server via plain HTTP requests. Another flaw was found when arbitrary client-supplied strings can be written to the error log, allowing the exploit of certain terminal emulators. A third flaw exists with the mod_disk_cache module.
|Package||www-servers/apache on all architectures|
|Affected versions||<= 2.0.48|
|Unaffected versions||= 1.3*, >= 2.0.49|
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems. The goal of this project is to provide a secure, efficient and extensible server that provides services in tune with the current HTTP standards.
Three vulnerabilities were found:
No special privileges are required for these vulnerabilities. As a result, all users are recommended to upgrade their Apache installations.
There is no immediate workaround; a software upgrade is required. There is no workaround for the mod_disk_cache issue; users are recommended to disable the feature on their servers until a patched version is released.
Users are urged to upgrade to Apache 2.0.49:
# emerge sync # emerge -pv ">=www-servers/apache-2.0.49" # emerge ">=www-servers/apache-2.0.49" # ** IMPORTANT ** # If you are migrating from Apache 2.0.48-r1 or earlier versions, # it is important that the following directories are removed. # The following commands should cause no data loss since these # are symbolic links. # rm /etc/apache2/lib /etc/apache2/logs /etc/apache2/modules # rm /etc/apache2/modules # ** ** ** ** ** # ** ALSO NOTE ** # Users who use mod_disk_cache should edit their Apache # configuration and disable mod_disk_cache.
March 22, 2004
December 30, 2007: 03