| Description: | Description:
The remote host is missing updates announced in
advisory FLSA-2005:157701.
Watchfire reported a flaw that occured when using the Apache server as
an HTTP proxy. A remote attacker could send an HTTP request with both a
Transfer-Encoding: chunked header and a Content-Length header. This
caused Apache to incorrectly handle and forward the body of the request
in a way that the receiving server processes it as a separate HTTP
request. This could allow the bypass of Web application firewall
protection or lead to cross-site scripting (XSS) attacks. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CVE-2005-2088 to this issue.
A buffer overflow was discovered in htdigest that may allow an attacker
to execute arbitrary code. Since htdigest is usually only accessible
locally, the impact of this issue is low. The Common Vulnerabilities and
Exposures project (cve.mitre.org) assigned the name CVE-2005-1344 to
this issue.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL
verification callback. In order to exploit this issue the Apache server
would need to be configured to use a malicious certificate revocation
list (CRL). The Common Vulnerabilities and Exposures project
(cve.mitre.org) assigned the name CVE-2005-1268 to this issue.
Users of Apache httpd should update to these errata packages that
contain backported patches to correct these issues.
Affected platforms:
Redhat 7.3
Redhat 9
Fedora Core 1
Fedora Core 2
Solution:
http://www.securityspace.com/smysecure/catid.html?in=FLSA-2005:157701
Risk factor : High
CVSS Score:
7.5
|
