Fedora 9 HTTPD Update: Critical Memory Leak and DoS Risk

August 7, 2008
This update includes the latest release of httpd 2.2

Summary

The Apache HTTP Server is a powerful, efficient, and extensible web server.

This update includes the latest release of httpd 2.2. Two security issues are fixed in this update:

A flaw was found in the handling of excessive interim responses from an origin server when using mod_proxy_http. In a forward proxy configuration, if a user of the proxy could be tricked into visiting a malicious web server, the proxy could be forced into consuming a large amount of stack or heap memory. This could lead to an eventual process crash due to stack space exhaustion.

A flaw was found in the handling of compression structures between mod_ssl and OpenSSL. A remote attacker enabling compression in an SSL handshake could cause a memory leak in the server, leading to a denial of service.
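A triage check for the two flaws described above, added here as an example (it is not part of the Fedora advisory): it compares an installed httpd version-release with the fixed 2.2.9-1.fc9 build and looks for an active ProxyRequests On line, the Apache directive that enables forward proxying. The function names, the use of sort -V as a stand-in for RPM's own version comparison, the default config path and the sample config are assumptions.

```shell
#!/bin/sh
# Added triage example, not code from the Fedora advisory.
FIXED_VR="2.2.9-1.fc9"   # fixed version-release, taken from this advisory

# Return 0 if version-release $1 is older than $2.
# Assumption: GNU `sort -V` ordering is close enough to RPM's comparison
# for plain strings such as 2.2.8-3.1 (no epochs, no tildes).
vr_older_than() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# Return 0 if config file $1 has an uncommented "ProxyRequests On" line,
# i.e. the forward-proxy setup the mod_proxy_http flaw applies to.
# Directive names are case-insensitive in Apache, hence -i.
forward_proxy_enabled() {
    grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On([[:space:]]|$)' "$1"
}

# Print a verdict for installed version-release $1 and config file $2.
# "vulnerable" still means the mod_ssl leak fix is missing; the
# "-forward-proxy" suffix adds that the proxy flaw is reachable too.
triage() {
    if ! vr_older_than "$1" "$FIXED_VR"; then
        echo "patched"
    elif forward_proxy_enabled "$2"; then
        echo "vulnerable-forward-proxy"
    else
        echo "vulnerable"
    fi
}

# Demo on constructed input (not taken from a real host).
demo_conf=$(mktemp)
printf '%s\n' '# ProxyRequests On' 'ProxyRequests On' > "$demo_conf"
triage "2.2.8-3.1" "$demo_conf"      # build named in the change log
triage "2.2.9-1.fc9" "$demo_conf"    # build shipped by this update
rm -f "$demo_conf"

# On a real host (default Fedora config path assumed):
#   triage "$(rpm -q --qf '%{VERSION}-%{RELEASE}' httpd)" /etc/httpd/conf/httpd.conf
```

Configuration split across included files would need each file passed to forward_proxy_enabled in turn.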

Change Log

* Fri May 23 2008 Dennis Gilmore - 2.2.8-3.1
- minor rebuild for sparc

References

[1] Bug #447268 - CVE-2008-1678 httpd: mod_ssl per-connection memory leak for connections with zlib compression
https://bugzilla.redhat.com/show_bug.cgi?id=447268

[2] Bug #451615 - CVE-2008-2364 httpd: mod_proxy_http DoS via excessive interim responses from the origin server
https://bugzilla.redhat.com/show_bug.cgi?id=451615

Update Instructions

Run su -c 'yum update httpd' at the command line.

For more information, refer to "Managing Software with yum", available at .

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at

Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Severity: critical

Product: Fedora 9
Version: 2.2.9
Release: 1.fc9
Summary: Apache HTTP Server
