| Description: | Description:
The remote host is missing updates announced in
advisory RHSA-2004:562.
The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.
An issue has been discovered in the mod_ssl module when configured to use
the SSLCipherSuite directive in directory or location context. If a
particular location context has been configured to require a specific set
of cipher suites, then a client will be able to access that location using
any cipher suite allowed by the virtual host configuration. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CVE-2004-0885 to this issue.
An issue has been discovered in the handling of white space in request
header lines using MIME folding. A malicious client could send a carefully
crafted request, forcing the server to consume large amounts of memory,
leading to a denial of service. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2004-0942 to this issue.
Several minor bugs were also discovered, including:
- - In the mod_cgi module, problems that arise when CGI scripts are
invoked from SSI pages by mod_include using the #include virtual
syntax have been fixed.
- - In the mod_dav_fs module, problems with the handling of indirect locks
on the S/390x platform have been fixed.
Users of the Apache HTTP server who are affected by these issues should
upgrade to these updated packages, which contain backported patches.
Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date
http://rhn.redhat.com/errata/RHSA-2004-562.html
http://www.apacheweek.com/features/security-20
Risk factor : High
CVSS Score:
7.5
|
