Gentoo: apache 2.x denial of service vulnerability
Summary
GENTOO LINUX SECURITY ANNOUNCEMENT 200305-13
- From announcement:
"Apache 2.0 versions 2.0.37 through 2.0.45 can be caused to crash in certain circumstances. This can be triggered remotely through mod_dav and possibly other mechanisms. The crash was originally reported by David Endler <DEndler@iDefense.com> and was researched and fixed by Joe Orton <jorton@RedHat.com>. Specific details and an analysis of the crash will be published Friday, May 30. No more specific information is disclosed at this time, but all Apache 2.0 users are encouraged to upgrade now."
"Apache 2.0 versions 2.0.40 through 2.0.45 on Unix platforms were vulnerable to a denial-of-service attack on the basic authentication module, which was reported by John Hughes <john.hughes@entegrity.com>. A bug in the configuration scripts caused the apr_password_validate() function to be thread-unsafe on platforms with crypt_r(), including AIX and Linux. All versions of Apache 2.0 have this thread-safety problem on platforms with no crypt_r() and no thread-safe crypt(), such as Mac OS X and possibly others. When using a threaded MPM (which is not the default on these platforms), this allows remote attackers to create a denial of service which causes valid usernames and passwords for Basic Authentication to fail until Apache is restarted. We do not believe this bug could allow unauthorized users to gain access to protected resources."
Read the full advisories at:
/us-en
SOLUTION
It is recommended that all Gentoo Linux users who are running net-www/apache-2.x upgrade to apache-2.0.46 as follows
emerge sync emerge apache emerge clean
aliz@gentoo.org - GnuPG key is available at woodchip@gentoo.org