
Two Denial of Service conditions found in the Apache2 web server's mod_ssl module

This means any evil black-hat can close down a vulnerable apache2 web-server and make all websites hosted on it temporarily unavailable.

Version 2.0.50 of the Apache2 web server, released 1st July, fixed a memory-allocation denial of service (DoS) vulnerability (CAN-2004-0493) affecting all previous versions of apache2.

Now two new Denial of Service conditions have been found in the mod_ssl module included in apache2. Details are classified as RESERVED (for white-hats only) and described in CAN-2004-0748 and CAN-2004-0751.

Denial of service (DoS) means intentionally doing something you know will cause the service you are attacking to become unavailable. This can be done by overloading the service, or by luring it into running code that will crash the process running the service.

SuSE Linux released updated packages for their distributions on 6 September. The updates are patched versions of apache2 2.0.49 for SUSE 9.1 and 2.0.48 for 9.0 and 8.2. Their updated versions are safe even though their version numbers imply the packages are old, because the RPM packages include patches which make them as up to date as the latest official release. SuSE updates are available from ftp://ftp.suse.com/pub/suse/i386/update/

SuSE recommends disabling the mod_ssl module in the apache configuration and then restarting the apache process without SSL support as a temporary workaround for vulnerable systems.

It may be assumed the vulnerability is present in apache2 2.0.50 and previous versions. Disabling all SSL services is probably a huge over-reaction as there is no public information out on what versions are affected or how to exploit it, and updated packages for other distributions are likely to appear shortly.
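The two practical questions the article leaves an administrator with are which apache2 version is running and whether mod_ssl is actually loaded. The shell script below is an added example written for this page; it is not code from the article, from SuSE or from the Apache project. It assumes, as the article does, that the affected range is 2.0.50 and earlier, and that mod_ssl is enabled by a plain `LoadModule ssl_module` line in httpd.conf. The version banners and configuration fragments are constructed samples; on a real host you would feed it the output of `httpd -v` and the real configuration file.

```shell
#!/bin/sh
# Added example for this article (not SuSE's or Apache's own tooling).
# Assumption: affected range is Apache 2.0.50 and earlier, as the article supposes.
# Assumption: mod_ssl is enabled by an uncommented "LoadModule ssl_module ..." line.

# version_le A B: succeed (exit 0) when dotted version A <= B, comparing each
# component numerically, so 2.0.9 sorts before 2.0.50.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# httpd_version TEXT: extract "2.0.50" from "httpd -v" style output.
httpd_version() {
    printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# ssl_enabled CONFIG: succeed when an uncommented LoadModule ssl_module line is present.
ssl_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]'
}

# assess VERSION_TEXT CONFIG: print a one-word verdict for this advisory.
assess() {
    v=$(httpd_version "$1")
    if [ -z "$v" ]; then
        echo "unknown-version"
    elif version_le "$v" "2.0.50"; then
        if ssl_enabled "$2"; then
            echo "patch-or-disable-ssl"   # in assumed range and mod_ssl loaded
        else
            echo "ssl-already-off"        # in range, but the workaround is in place
        fi
    else
        echo "newer-than-assumed-range"
    fi
}

# Constructed samples; on a real host use "$(httpd -v)" and the actual httpd.conf.
SAMPLE_VERSION='Server version: Apache/2.0.50
Server built:   Jul  1 2004 12:00:00'
SAMPLE_CONF_SSL='ServerRoot "/usr/local/apache2"
LoadModule ssl_module modules/mod_ssl.so
Listen 443'
SAMPLE_CONF_NOSSL='ServerRoot "/usr/local/apache2"
#LoadModule ssl_module modules/mod_ssl.so
Listen 80'

echo "with mod_ssl:    $(assess "$SAMPLE_VERSION" "$SAMPLE_CONF_SSL")"
echo "without mod_ssl: $(assess "$SAMPLE_VERSION" "$SAMPLE_CONF_NOSSL")"
```

The version string alone is not proof either way: as the article notes, SuSE's patched 2.0.49 and 2.0.48 packages are safe despite their old-looking numbers, so on a distribution that backports fixes check the package changelog (for RPM systems, `rpm -q --changelog apache2`) before treating a "patch-or-disable-ssl" verdict as final. The comparison is numeric per component rather than a string sort, which is why 2.0.9 is correctly reported as older than 2.0.50.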

More information:

  • Apache Week 349: Apache httpd 2.0.52 Released
    Apache httpd 2.0.52 was released on 28th September 2004. This release addresses a recent security issue in Apache httpd 2.0.51.
  • Apache Week 349: In the news
    ApacheCon hits Las Vegas again in November 2004.
