CVE-2005-2728
CVSS 5.0
Published: 2005-08-30 07:45:00
Revised: 2011-03-07 21:24:57

[Original] The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.


[CNNVD] Apache denial of service vulnerability (CNNVD-200508-298)

        The byte-range filter in versions of the Apache 2.0 series before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may reduce performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:apache:http_server:2.0.47  Apache Software Foundation Apache HTTP Server 2.0.47
cpe:/a:apache:http_server:2.0.49  Apache Software Foundation Apache HTTP Server 2.0.49
cpe:/a:apache:http_server:2.0.28  Apache Software Foundation Apache HTTP Server 2.0.28
cpe:/a:apache:http_server:2.0.48  Apache Software Foundation Apache HTTP Server 2.0.48
cpe:/a:apache:http_server:2.0.41  Apache Software Foundation Apache HTTP Server 2.0.41
cpe:/a:apache:http_server:2.0.53  Apache Software Foundation Apache HTTP Server 2.0.53
cpe:/a:apache:http_server:2.0.36  Apache Software Foundation Apache HTTP Server 2.0.36
cpe:/a:apache:http_server:2.0.40  Apache Software Foundation Apache HTTP Server 2.0.40
cpe:/a:apache:http_server:2.0.51  Apache Software Foundation Apache HTTP Server 2.0.51
cpe:/a:apache:http_server:2.0.28:beta  Apache Software Foundation Apache HTTP Server 2.0.28 Beta
cpe:/a:apache:http_server:2.0.37  Apache Software Foundation Apache HTTP Server 2.0.37
cpe:/a:apache:http_server:2.0.42  Apache Software Foundation Apache HTTP Server 2.0.42
cpe:/a:apache:http_server:2.0.35  Apache Software Foundation Apache HTTP Server 2.0.35
cpe:/a:apache:http_server:2.0.52  Apache Software Foundation Apache HTTP Server 2.0.52
cpe:/a:apache:http_server:2.0.45  Apache Software Foundation Apache HTTP Server 2.0.45
cpe:/a:apache:http_server:2.0.50  Apache Software Foundation Apache HTTP Server 2.0.50
cpe:/a:apache:http_server:2.0.43  Apache Software Foundation Apache HTTP Server 2.0.43
cpe:/a:apache:http_server:2.0.39  Apache Software Foundation Apache HTTP Server 2.0.39
cpe:/a:apache:http_server:2.0.44  Apache Software Foundation Apache HTTP Server 2.0.44
cpe:/a:apache:http_server:2.0.46  Apache Software Foundation Apache HTTP Server 2.0.46
cpe:/a:apache:http_server:2.0.32  Apache Software Foundation Apache HTTP Server 2.0.32
cpe:/a:apache:http_server:2.0  Apache Software Foundation Apache HTTP Server 2.0
cpe:/a:apache:http_server:2.0.9  Apache Software Foundation Apache HTTP Server 2.0.9a
cpe:/a:apache:http_server:2.0.38  Apache Software Foundation Apache HTTP Server 2.0.38

- OVAL (technical details for detection)

oval:org.mitre.oval:def:760  Apache HTTP Byte-range DoS Vulnerability
oval:org.mitre.oval:def:1727  Webproxy CGI Byterange Request DoS
oval:org.mitre.oval:def:1246  VirusVault CGI Byterange Request DoS
oval:org.mitre.oval:def:10017  The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP head...
*OVAL describes in detail how to detect this vulnerability; more technical detection details can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2728
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2728
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-298
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/22006
(PATCH)  XF  apache-byterange-dos(22006)
http://www.securityfocus.com/bid/14660
(PATCH)  BID  14660
http://www.gentoo.org/security/en/glsa/glsa-200508-15.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200508-15
http://issues.apache.org/bugzilla/show_bug.cgi?id=29962
(VENDOR_ADVISORY)  CONFIRM  http://issues.apache.org/bugzilla/show_bug.cgi?id=29962
http://www.vupen.com/english/advisories/2006/0789
(UNKNOWN)  VUPEN  ADV-2006-0789
http://www.securityfocus.com/archive/1/archive/1/428138/100/0/threaded
(UNKNOWN)  HP  HPSBUX02074
http://secunia.com/advisories/16559/
(VENDOR_ADVISORY)  SECUNIA  16559
http://www.ubuntu.com/usn/usn-177-1
(UNKNOWN)  UBUNTU  USN-177-1
http://www.securityfocus.com/archive/1/archive/1/428138/100/0/threaded
(UNKNOWN)  HP  SSRT051251
http://www.redhat.com/support/errata/RHSA-2005-608.html
(UNKNOWN)  REDHAT  RHSA-2005:608
http://www.novell.com/linux/security/advisories/2005_52_apache2.html
(UNKNOWN)  SUSE  SUSE-SA:2005:052
http://www.novell.com/linux/security/advisories/2005_51_apache2.html
(UNKNOWN)  SUSE  SUSE-SA:2005:051
http://www.mandriva.com/security/advisories?name=MDKSA-2005:161
(UNKNOWN)  MANDRIVA  MDKSA-2005:161
http://www.debian.org/security/2005/dsa-805
(UNKNOWN)  DEBIAN  DSA-805
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1
(UNKNOWN)  SUNALERT  102198
http://securityreason.com/securityalert/604
(UNKNOWN)  SREASON  604
http://secunia.com/advisories/19072
(UNKNOWN)  SECUNIA  19072
http://secunia.com/advisories/18517
(UNKNOWN)  SECUNIA  18517
http://secunia.com/advisories/18333
(UNKNOWN)  SECUNIA  18333
http://secunia.com/advisories/18161
(UNKNOWN)  SECUNIA  18161
http://secunia.com/advisories/17923
(UNKNOWN)  SECUNIA  17923
http://secunia.com/advisories/17831
(UNKNOWN)  SECUNIA  17831
http://secunia.com/advisories/17600
(UNKNOWN)  SECUNIA  17600
http://secunia.com/advisories/17288
(UNKNOWN)  SECUNIA  17288
http://secunia.com/advisories/17036
(UNKNOWN)  SECUNIA  17036
http://secunia.com/advisories/16956
(UNKNOWN)  SECUNIA  16956
http://secunia.com/advisories/16789
(UNKNOWN)  SECUNIA  16789
http://secunia.com/advisories/16769
(UNKNOWN)  SECUNIA  16769
http://secunia.com/advisories/16754
(UNKNOWN)  SECUNIA  16754
http://secunia.com/advisories/16753
(UNKNOWN)  SECUNIA  16753
http://secunia.com/advisories/16746
(UNKNOWN)  SECUNIA  16746
http://secunia.com/advisories/16743
(UNKNOWN)  SECUNIA  16743
http://secunia.com/advisories/16714
(UNKNOWN)  SECUNIA  16714
http://secunia.com/advisories/16705
(UNKNOWN)  SECUNIA  16705
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html
(UNKNOWN)  TRUSTIX  TSLSA-2005-0059
ftp://patches.sgi.com/support/free/security/advisories/20060101-01-U
(UNKNOWN)  SGI  20060101-01-U

- Vulnerability information

Apache denial of service vulnerability
Medium severity  Design error
2005-08-30 00:00:00 2005-10-20 00:00:00
Remote
        The byte-range filter in versions of the Apache 2.0 series before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.

- Advisories and patches

        The vendor has released upgrade patches to fix this security issue; patch download links:
        Sun Solaris 10
        Sun T120543-02
        http://sunsolve.sun.com/pub-cgi/tpatchDownload.pl?dl.d,T120543-02.zip
        HP HP-UX B.11.11
        HP Apache-Based Web Server 2.0.55.00
        http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE
        Sun Solaris 10.0_x86
        Sun T120544-02
        http://sunsolve.sun.com/pub-cgi/tpatchDownload.pl?dl.d,T120544-02.zip
        HP HP-UX B.11.23
        HP Apache-Based Web Server 2.0.55.00
        http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE
        HP HP-UX B.11.11
        HP Apache-Based Web Server 2.0.55.00
        http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE
        Conectiva Linux 10.0
        Conectiva apache-2.0.49-61251U10_5cl.i386.rpm
        Conectiva 10:
        ftp://atualizacoes.conectiva.com.br/10/RPMS/apache-2.0.49-61251U10_5cl.i386.rpm
        Conectiva apache-devel-2.0.49-61251U10_5cl.i386.rpm
        Conectiva 10: 09/27/2005
        ftp://atualizacoes.conectiva.com.br/10/RPMS/apache-devel-2.0.49-61251U10_5cl.i386.rpm
        Conectiva apache-doc-2.0.49-61251U10_5cl.i386.rpm
        Conectiva 10:
        ftp://atualizacoes.conectiva.com.br/10/RPMS/apache-doc-2.0.49-61251U10_5cl.i386.rpm
        Conectiva apache-htpasswd-2.0.49-61251U10_5cl.i386.rpm
        Conectiva 10:
        ftp://atualizacoes.conectiva.com.br/10/RPMS/apache-htpasswd-2.0.49-61251U10_5cl.i386.rpm
        Conectiva libapr-devel-2.0.49-61251U10_5cl.i386.rpm
        Conectiva 10:
        ftp://atualizacoes.conectiva.com.br/10/RPMS/libapr-devel-2.0.49-61251U10_5cl.i386.rpm
        Conectiva libapr-devel-static-2.0.49-61251U10_5cl.i386.rpm
        Conectiva 10:
        ftp://atualizacoes.conectiva.com.br/10/RPMS/libapr-devel-static-2.0.49-61251U10_5cl.i386.rpm
        Conectiva libapr0-2.0.49-61251U10_5cl.i386.rpm
        Conectiva 10:
        ftp://atualizacoes.conectiva.com.br/10/RPMS/libapr0-2.0.49-61251U10_5cl.i386.rpm
        Conectiva mod_auth_ldap-2.0.49-61251U10_5cl.i386.rpm
        Conectiva 10:
        ftp://atualizacoes.conectiva.com.br/10/RPMS/mod_auth_ldap-2.0.49-61251U10_5cl.i386.rpm
        Conectiva mod_dav-2.0.49-61251U10_5cl.i386.rpm
        Conectiva 10:
        ftp://atualizacoes.conectiva.com.br/10/RPMS/mod_dav-2.0.49-61251U10_5cl.i386.rpm
        HP HP-UX 11.0
        HP Apache-Based Web Server 2.0.55.00
        http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE
        HP HP-UX 11.11
        HP Apache-Based Web Server 2.0.55.00
        http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE
        HP HP-UX 11.23
        HP Apache-Based Web Server 2.0.55.00
        http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=HPUXWSSUITE
        Apache Software Foundation Apache 2.0
        Apache Software Foundation http_protocol.c
        http://issues.apache.org/bugzilla/attachment.cgi?id=16102
        Apache Software Foundation httpd-2.0.55.tar.gz
        http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz
        Apache Software Foundation Apache 2.0.28 Beta
        Apache Software Foundation http_protocol.c
        http://issues.apache.org/bugzilla/attachment.cgi?id=16102
        Apache Software Foundation httpd-2.0.55.tar.gz
        http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz
        Apache Software Foundation Apache 2.0.32
        Apache Software Foundation http_protocol.c
        http://issues.apache.org/bugzilla/attachment.cgi?id=16102
        Apache Software Foundation httpd-2.0.55.tar.gz
        http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz
        Apache Software Foundation Apache 2.0.35
        Apache Software Foundation http_protocol.c
        http://issues.apache.org/bugzilla/attachment.cgi?id=16102
        Apache Software Foundation httpd-2.0.55.tar.gz
        http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz
        Apache Software Foundation Apache 2.0.36
        Apache Software Foundation http_protocol.c
        http://issues.apache.org/bugzilla/attachment.cgi?id=16102
        Apache Software Foundation httpd-2.0.55.tar.gz
        http://www.apache.org/dist/httpd/httpd-2.0.55.tar.gz


- Vulnerability information (F41672)

HP Security Bulletin 2005-12.51 (PacketStormID:F41672)
2005-11-20 00:00:00
Hewlett Packard  hp.com
advisory,denial of service,arbitrary,vulnerability
hpux
CVE-2005-2491,CVE-2005-1268,CVE-2005-2728,CVE-2005-2088

HP Security Bulletin - Potential security vulnerabilities have been identified with Apache running on HP-UX. These vulnerabilities could be exploited remotely to allow execution of arbitrary code, Denial of Service (DoS), or unauthorized access.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00555254
Version: 1

HPSBUX02074 SSRT051251 - Apache-based Web Server on HP-UX mod_ssl,
proxy_http, Remote Execution of Arbitrary Code, Denial of Service
(DoS), and Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted
upon as soon as possible.

Release Date: 2005-11-10
Last Updated: 2005-11-15

Potential Security Impact: Remote execution of arbitrary code,
Denial of Service (DoS), and unauthorized access.

Source: Hewlett-Packard Company,
        HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with
Apache running on HP-UX. These vulnerabilities could be exploited
remotely to allow execution of arbitrary code, Denial of Service
(DoS), or unauthorized access.

References: CVE-2005-2491, CVE-2005-1268, CVE-2005-2728,
            CVE-2005-2088.

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.11, B.11.23 running Apache-based Web Server
prior to v.2.0.55.

BACKGROUND

The following potential security vulnerabilities are resolved in
the software updates listed below:

CVE-2005-2088 (cve.mitre.org): HTTP Request Smuggling.

CVE-2005-2491 (cve.mitre.org): Integer overflow in pcre_compile.c.

CVE-2005-2728 (cve.mitre.org): Remote denial of service.

CVE-2005-1268 (cve.mitre.org): Remote denial of service.

AFFECTED VERSIONS

For IPv4:
HP-UX B.11.00
HP-UX B.11.11
=============
hpuxwsAPACHE
action: install revision A.2.0.55.00 or subsequent

For IPv6:
HP-UX B.11.11
=============
hpuxwsAPACHE,revision=B.1.0.00.01
hpuxwsAPACHE,revision=B.1.0.07.01
hpuxwsAPACHE,revision=B.1.0.08.01
hpuxwsAPACHE,revision=B.1.0.09.01
hpuxwsAPACHE,revision=B.1.0.10.01
hpuxwsAPACHE,revision=B.2.0.48.00
hpuxwsAPACHE,revision=B.2.0.49.00
hpuxwsAPACHE,revision=B.2.0.50.00
hpuxwsAPACHE,revision=B.2.0.51.00
hpuxwsAPACHE,revision=B.2.0.52.00
hpuxwsAPACHE,revision=B.2.0.53.00
hpuxwsAPACHE,revision=B.2.0.54.00
action: install revision B.2.0.55.00 or subsequent

HP-UX B.11.23
=============
hpuxwsAPACHE
action: install revision B.2.0.55.00 or subsequent

END AFFECTED VERSIONS

RESOLUTION

HP has made the following software updates available to resolve
the issue.

Software updates for the Apache-based Web Server are available
from: http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
displayProductInfo.pl?productNumber=HPUXWSSUITE


HP-UX B.11.00, B.11.11 and HP-UX B.11.23 require the Apache-based
Web Server v.2.0.55.00 or subsequent.

Apache Update Procedure

 Check for Apache Installation
 ----------------------------

To determine if the Apache web server from HP is installed on your
system, use Software Distributor's swlist command. All three
revisions of the product may co-exist on a single system.

For example, the results of the command

swlist -l product | grep -i apache

hpuxwsAPACHE B.2.0.54.00 HP-UX Apache-based Web Server

 Stop Apache
 -------------
Before updating, make sure to stop any previous Apache binary.
Otherwise, the previous binary will continue running, preventing
the new one from starting, although the installation would be
successful. After determining which Apache is installed, stop
Apache with the following commands:

for hpuxwsAPACHE: /opt/hpws/apache[32]/bin/apachectl stop

 Download and Install Apache
 -----------------------------
Download Apache from Software Depot:
http://h20293.www2.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
displayProductInfo.pl?productNumber=HPUXWSSUITE
Verify successful download by comparing the cksum with the value
specified on the installation web page.

Use SD to swinstall the depot.
Installation of this new revision of HP Apache over an existing HP
Apache installation is supported, while installation over a non-HP
Apache is NOT supported.


 Removing Apache Installation
 ----------------------------
If you prefer to remove Apache from your system instead of
installing a newer revision to resolve the security problem, use
both Software Distributor's "swremove" command and also "rm -rf"
the home location as specified in the rc.config.d file "HOME"
variables.
 %ls /etc/rc.config.d |
 grep apache hpapache2conf hpws_apache[32]conf


MANUAL ACTIONS: Yes - Update plus other actions
Install the revision of the product.


PRODUCT SPECIFIC INFORMATION

HP-UX Security Patch Check: Security Patch Check revision B.02.00
analyzes all HP-issued Security Bulletins to provide a subset of
recommended actions that potentially affect a specific HP-UX
system. For more information:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi
displayProductInfo.pl?productnumber=B6834AAtN

UPDATE HISTORY

Initial release: 15 November 2005



Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: security-alert@hp.com.  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: security-alert@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&
langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
    continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
    save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
    - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

    GN = HP General SW,
    MA = HP Management Agents,
    MI = Misc. 3rd party SW,
    MP = HP MPE/iX,
    NS = HP NonStop Servers,
    OV = HP OpenVMS,
    PI = HP Printing & Imaging,
    ST = HP Storage SW,
    TL = HP Trusted Linux,
    TU = HP Tru64 UNIX,
    UX = HP-UX,
    VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either
express or implied, including the warranties of merchantability
and fitness for a particular purpose, title and non-infringement."


(c)Copyright 2005 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of any kind. To the
extent permitted by law, neither HP nor its affiliates,
subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration.
The information in this document is subject to change without
notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard
Company in the United States and other countries. Other product
and company names mentioned herein may be trademarks of their
respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQ3sfWOAfOvwtKn1ZEQKcWQCgiwu/tFKJGfFL6h6UqXv4R8dlN20AnAtX
AdO0xbRlYS0bWjiXvNb1K4Qj
=5gHE
-----END PGP SIGNATURE-----
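
The bulletin's update procedure above has the administrator read the installed hpuxwsAPACHE revision from `swlist -l product` and install B.2.0.55.00 (A.2.0.55.00 for the IPv4 product) or later. The following is an added example, not HP tooling or code from the bulletin: it parses swlist-style output lines and reports whether each installed hpuxwsAPACHE revision is still below the fixed 2.0.55.00 level, so that the check can be run against saved inventory output from many hosts rather than by eye. The sample output is constructed, modelled on the single sample line the bulletin shows (the hpuxwsEXAMPLE line is filler); the "product revision description" line layout and the comparison of revision fields numerically after the leading A./B. letter are assumptions.

```python
"""Added example (not HP's code): check hpuxwsAPACHE revisions from swlist output
against the fixed revision named in HPSBUX02074 (2.0.55.00).

Assumptions not taken from the bulletin: swlist prints one product per line as
"<product> <revision> <description>", and a revision such as B.2.0.54.00
compares by its numeric fields (2, 0, 54, 0) after the leading letter.
"""
import re
from typing import Iterator, List, Tuple

# Fixed revision from the bulletin: A.2.0.55.00 (IPv4) / B.2.0.55.00 (IPv6).
FIXED_REVISION = "2.0.55.00"

# Constructed sample output, modelled on the bulletin's one example line.
# The hpuxwsEXAMPLE line is filler to show that non-Apache products are skipped.
SAMPLE_SWLIST_OUTPUT = """\
hpuxwsAPACHE  B.2.0.54.00  HP-UX Apache-based Web Server
hpuxwsEXAMPLE B.1.2.3.00   Constructed filler product
hpuxwsAPACHE  B.1.0.10.01  HP-UX Apache-based Web Server
"""

# Optional single-letter prefix ("A." or "B."), then dot-separated integers.
_REVISION_RE = re.compile(r"^([A-Z]\.)?(\d+(?:\.\d+)*)$")


def parse_revision(revision: str) -> Tuple[int, ...]:
    """Turn 'B.2.0.54.00' into (2, 0, 54, 0); reject anything else loudly."""
    match = _REVISION_RE.match(revision.strip())
    if not match:
        raise ValueError(f"unrecognised revision string: {revision!r}")
    return tuple(int(part) for part in match.group(2).split("."))


def is_fixed(revision: str, fixed: str = FIXED_REVISION) -> bool:
    """True when the revision is the fixed one or later (tuple comparison)."""
    return parse_revision(revision) >= parse_revision(fixed)


def find_apache_revisions(swlist_output: str) -> Iterator[str]:
    """Yield the revision field of every hpuxwsAPACHE line in swlist output."""
    for line in swlist_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "hpuxwsAPACHE":
            yield fields[1]


def assess(swlist_output: str) -> List[Tuple[str, bool]]:
    """Return (revision, needs_update) for each installed hpuxwsAPACHE.

    needs_update is True when the revision is below 2.0.55.00.
    """
    return [(rev, not is_fixed(rev)) for rev in find_apache_revisions(swlist_output)]


if __name__ == "__main__":
    for rev, needs_update in assess(SAMPLE_SWLIST_OUTPUT):
        status = "UPDATE REQUIRED" if needs_update else "ok"
        print(f"hpuxwsAPACHE {rev}: {status}")
```

Run it against real output with `swlist -l product | python3 check.py` by replacing `SAMPLE_SWLIST_OUTPUT` with `sys.stdin.read()`; the tuple comparison also handles the bulletin's point that more than one revision of the product can coexist on a host, since every hpuxwsAPACHE line is assessed separately.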

    

- Vulnerability information (F39983)

Mandriva Linux Security Advisory 2005.161 (PacketStormID:F39983)
2005-09-13 00:00:00
Mandriva  mandriva.com
advisory,denial of service,cgi,php
linux,mandriva
CVE-2005-2700,CVE-2005-2728

Mandriva Linux Security Update Advisory - A flaw was discovered in mod_ssl's handling of the SSLVerifyClient directive. This flaw occurs if a virtual host is configured using SSLVerifyClient optional and a directive SSLVerifyClient required is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting. A flaw was discovered in Apache httpd where the byterange filter would buffer certain responses into memory. If a server has a dynamic resource such as a CGI script or PHP script that generates a large amount of data, an attacker could send carefully crafted requests in order to consume resources, potentially leading to a Denial of Service.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           apache2
 Advisory ID:            MDKSA-2005:161
 Date:                   September 8th, 2005

 Affected versions:	 10.0, 10.1, 10.2, Corporate 3.0,
			 Multi Network Firewall 2.0
 ______________________________________________________________________

 Problem Description:

 A flaw was discovered in mod_ssl's handling of the "SSLVerifyClient"
 directive. This flaw occurs if a virtual host is configured
 using "SSLVerifyClient optional" and a directive "SSLVerifyClient
 required" is set for a specific location. For servers configured in
 this fashion, an attacker may be able to access resources that should
 otherwise be protected, by not supplying a client certificate when
 connecting. (CAN-2005-2700)
 
 A flaw was discovered in Apache httpd where the byterange filter would
 buffer certain responses into memory. If a server has a dynamic
 resource such as a CGI script or PHP script that generates a large
 amount of data, an attacker could send carefully crafted requests in
 order to consume resources, potentially leading to a Denial of Service.
 (CAN-2005-2728)
 
 The updated packages have been patched to address these issues.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 c3ed23adb5520b012f1c10bd631c6018  10.0/RPMS/apache2-2.0.48-6.11.100mdk.i586.rpm
 f8761ef4e61ce7744b75c8a8de61cdf1  10.0/RPMS/apache2-common-2.0.48-6.11.100mdk.i586.rpm
 de2e7f74e89ebb37a6ef718a12be902f  10.0/RPMS/apache2-devel-2.0.48-6.11.100mdk.i586.rpm
 ed0b72d5309626b96c3c38f1015c2860  10.0/RPMS/apache2-manual-2.0.48-6.11.100mdk.i586.rpm
 f65a339780a083298403712270bf517a  10.0/RPMS/apache2-mod_cache-2.0.48-6.11.100mdk.i586.rpm
 9810ac0cdc1d6215c4704f29eb315d0e  10.0/RPMS/apache2-mod_dav-2.0.48-6.11.100mdk.i586.rpm
 1ec5364b1fcacfe2a38a9ec1d25b114b  10.0/RPMS/apache2-mod_deflate-2.0.48-6.11.100mdk.i586.rpm
 b82a66e437c462e401fd3722a465bcf4  10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.11.100mdk.i586.rpm
 e0fddaa3c8655c76dddeaefb3e0570ac  10.0/RPMS/apache2-mod_file_cache-2.0.48-6.11.100mdk.i586.rpm
 59363c9c0d6525b269a40f975f4a6259  10.0/RPMS/apache2-mod_ldap-2.0.48-6.11.100mdk.i586.rpm
 5b43545c79965b11d7957e6adba2313e  10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.11.100mdk.i586.rpm
 dfcdfb0d8650d7c930172a3a5db3f441  10.0/RPMS/apache2-mod_proxy-2.0.48-6.11.100mdk.i586.rpm
 0ce6233be2b2e36b0b386497bf208bc7  10.0/RPMS/apache2-mod_ssl-2.0.48-6.11.100mdk.i586.rpm
 70dacf1f98682b910d0eaffd8b8e0eb9  10.0/RPMS/apache2-modules-2.0.48-6.11.100mdk.i586.rpm
 7c409711aa895c8ea8cd3e7518e57bcb  10.0/RPMS/apache2-source-2.0.48-6.11.100mdk.i586.rpm
 9bad55274b504895e56c53311c6b549f  10.0/RPMS/libapr0-2.0.48-6.11.100mdk.i586.rpm
 8d29bf56013554140ee53950fcca9410  10.0/SRPMS/apache2-2.0.48-6.11.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 5959aa420b784a3c948a654f321cd2b9  amd64/10.0/RPMS/apache2-2.0.48-6.11.100mdk.amd64.rpm
 111ac8f83281fb77a5dbc6736acacdb0  amd64/10.0/RPMS/apache2-common-2.0.48-6.11.100mdk.amd64.rpm
 24ace7ff54ed9ca30ad63d2db911e488  amd64/10.0/RPMS/apache2-devel-2.0.48-6.11.100mdk.amd64.rpm
 4d0c62200bcddbb537babe29ab8ee86a  amd64/10.0/RPMS/apache2-manual-2.0.48-6.11.100mdk.amd64.rpm
 86bc78ee571b5e447d0db8178e0a4862  amd64/10.0/RPMS/apache2-mod_cache-2.0.48-6.11.100mdk.amd64.rpm
 c7d69bd5d51eb9f234c818199fddbdea  amd64/10.0/RPMS/apache2-mod_dav-2.0.48-6.11.100mdk.amd64.rpm
 4785b9e8da509317f018c582ea2fe9f4  amd64/10.0/RPMS/apache2-mod_deflate-2.0.48-6.11.100mdk.amd64.rpm
 ce00c70b1079da0a0a5432abc1d708a0  amd64/10.0/RPMS/apache2-mod_disk_cache-2.0.48-6.11.100mdk.amd64.rpm
 51e31767d8722fdd7e15fd7fc2c1bdde  amd64/10.0/RPMS/apache2-mod_file_cache-2.0.48-6.11.100mdk.amd64.rpm
 562604623e02b8e4ad814dedb2c775eb  amd64/10.0/RPMS/apache2-mod_ldap-2.0.48-6.11.100mdk.amd64.rpm
 5f8bf2dab896c449e41702e400175d06  amd64/10.0/RPMS/apache2-mod_mem_cache-2.0.48-6.11.100mdk.amd64.rpm
 ea55786b6fc44014f08711fd6b94118e  amd64/10.0/RPMS/apache2-mod_proxy-2.0.48-6.11.100mdk.amd64.rpm
 0c4ee48682525c6c019ceaf7f3ffc21e  amd64/10.0/RPMS/apache2-mod_ssl-2.0.48-6.11.100mdk.amd64.rpm
 171cd403c98c5ffbc7085e458b52bbad  amd64/10.0/RPMS/apache2-modules-2.0.48-6.11.100mdk.amd64.rpm
 f07995ed367ce585efa450d282a39f2a  amd64/10.0/RPMS/apache2-source-2.0.48-6.11.100mdk.amd64.rpm
 7516f39fd25dfbe9df156d050cd5cf37  amd64/10.0/RPMS/lib64apr0-2.0.48-6.11.100mdk.amd64.rpm
 8d29bf56013554140ee53950fcca9410  amd64/10.0/SRPMS/apache2-2.0.48-6.11.100mdk.src.rpm

 Mandrakelinux 10.1:
 9298f100a016ebf91e7ed2bb68ffa782  10.1/RPMS/apache2-2.0.50-7.4.101mdk.i586.rpm
 c3c7c01a71aca7d898071fe38b9e0029  10.1/RPMS/apache2-common-2.0.50-7.4.101mdk.i586.rpm
 06c7b2f7a0e294d7115472ec2795c6eb  10.1/RPMS/apache2-devel-2.0.50-7.4.101mdk.i586.rpm
 3241deb8bfdce1d810552e1da4172eca  10.1/RPMS/apache2-manual-2.0.50-7.4.101mdk.i586.rpm
 547d637c9af30e21159b7e5ca55f2e9e  10.1/RPMS/apache2-mod_cache-2.0.50-7.4.101mdk.i586.rpm
 0d3b51a87cc28953a2f8e62a10060c78  10.1/RPMS/apache2-mod_dav-2.0.50-7.4.101mdk.i586.rpm
 4a3e71db64f56229805ced06a2796143  10.1/RPMS/apache2-mod_deflate-2.0.50-7.4.101mdk.i586.rpm
 7a14a53f7eb3c356c5f1aa377938e69d  10.1/RPMS/apache2-mod_disk_cache-2.0.50-7.4.101mdk.i586.rpm
 aa39ba4d397d0095a0854ee77ae72e1f  10.1/RPMS/apache2-mod_file_cache-2.0.50-7.4.101mdk.i586.rpm
 a314cc48a755408e80bb9626e7a28731  10.1/RPMS/apache2-mod_ldap-2.0.50-7.4.101mdk.i586.rpm
 b97420430cfd9190917dfb7a41e5f8d0  10.1/RPMS/apache2-mod_mem_cache-2.0.50-7.4.101mdk.i586.rpm
 5922f944a8fcf74ff0c9b45cffbb09f6  10.1/RPMS/apache2-mod_proxy-2.0.50-7.4.101mdk.i586.rpm
 51111f25851c1bb2f4965070caf5ef0b  10.1/RPMS/apache2-mod_ssl-2.0.50-4.3.101mdk.i586.rpm
 18d3410a2f360d821b60b46b3ec018a3  10.1/RPMS/apache2-modules-2.0.50-7.4.101mdk.i586.rpm
 a5beb9688175b863ed6f6892bf23bed4  10.1/RPMS/apache2-source-2.0.50-7.4.101mdk.i586.rpm
 bf038c8af8453bb09a25bd86d7a5d63f  10.1/RPMS/apache2-worker-2.0.50-7.4.101mdk.i586.rpm
 02670d7f806c01e9733af31a5a829127  10.1/SRPMS/apache2-2.0.50-7.4.101mdk.src.rpm
 bde0511732391a216ab69617740b1285  10.1/SRPMS/apache2-mod_ssl-2.0.50-4.3.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 cf3ffc2f4c6f77bef3fe9fdfbfa6ab18  x86_64/10.1/RPMS/apache2-2.0.50-7.4.101mdk.x86_64.rpm
 0b859489be6190cc8864dd43ea25f6c9  x86_64/10.1/RPMS/apache2-common-2.0.50-7.4.101mdk.x86_64.rpm
 f79e4889060bdaef1a0ba1f2e5e2d109  x86_64/10.1/RPMS/apache2-devel-2.0.50-7.4.101mdk.x86_64.rpm
 9210487fb9bb2198ea9f7a344686ddfa  x86_64/10.1/RPMS/apache2-manual-2.0.50-7.4.101mdk.x86_64.rpm
 2a003b0b92cf73dbd97357cdc83f7a80  x86_64/10.1/RPMS/apache2-mod_cache-2.0.50-7.4.101mdk.x86_64.rpm
 e9158f8904f42917b109d8c29a1eaef5  x86_64/10.1/RPMS/apache2-mod_dav-2.0.50-7.4.101mdk.x86_64.rpm
 7bc7ada5cb2e49eafacd58658a804e23  x86_64/10.1/RPMS/apache2-mod_deflate-2.0.50-7.4.101mdk.x86_64.rpm
 3c2eb02ec0b6996b40ec2ed63ba0461b  x86_64/10.1/RPMS/apache2-mod_disk_cache-2.0.50-7.4.101mdk.x86_64.rpm
 c5ef16ceace6b39b02980a2c1b2926db  x86_64/10.1/RPMS/apache2-mod_file_cache-2.0.50-7.4.101mdk.x86_64.rpm
 c8c0bd27d380053ae9639355a1879e12  x86_64/10.1/RPMS/apache2-mod_ldap-2.0.50-7.4.101mdk.x86_64.rpm
 a0d9bb42c623783e2b69ace91ef8fe89  x86_64/10.1/RPMS/apache2-mod_mem_cache-2.0.50-7.4.101mdk.x86_64.rpm
 4e01447b5b84020d1fef62334d134054  x86_64/10.1/RPMS/apache2-mod_proxy-2.0.50-7.4.101mdk.x86_64.rpm
 b9452df883f869eb41ee8f1cbecbfe99  x86_64/10.1/RPMS/apache2-mod_ssl-2.0.50-4.3.101mdk.x86_64.rpm
 f27ab73ba4c86da7d28185d01defa216  x86_64/10.1/RPMS/apache2-modules-2.0.50-7.4.101mdk.x86_64.rpm
 f5b12191de96443e50de6d066e27bfa9  x86_64/10.1/RPMS/apache2-source-2.0.50-7.4.101mdk.x86_64.rpm
 b9cec7a4e167a1f270452d4701447cb3  x86_64/10.1/RPMS/apache2-worker-2.0.50-7.4.101mdk.x86_64.rpm
 02670d7f806c01e9733af31a5a829127  x86_64/10.1/SRPMS/apache2-2.0.50-7.4.101mdk.src.rpm
 bde0511732391a216ab69617740b1285  x86_64/10.1/SRPMS/apache2-mod_ssl-2.0.50-4.3.101mdk.src.rpm

 Mandrakelinux 10.2:
 181b063de484c836a09b4722f5062506  10.2/RPMS/apache2-2.0.53-9.2.102mdk.i586.rpm
 1fec497d53d79ee8cc18a91d60986f87  10.2/RPMS/apache2-common-2.0.53-9.2.102mdk.i586.rpm
 bcec08901215dc2e8848b877f04c23a0  10.2/RPMS/apache2-devel-2.0.53-9.2.102mdk.i586.rpm
 f74f6cf726ab9108e617b9762388dd30  10.2/RPMS/apache2-manual-2.0.53-9.2.102mdk.i586.rpm
 73772bfd561fc0ae7afb8eb374cc77d4  10.2/RPMS/apache2-mod_cache-2.0.53-9.2.102mdk.i586.rpm
 39d5a0f538314926bc186071ca647425  10.2/RPMS/apache2-mod_dav-2.0.53-9.2.102mdk.i586.rpm
 28226ee4f14f57a41dbbd91d83e9fdab  10.2/RPMS/apache2-mod_deflate-2.0.53-9.2.102mdk.i586.rpm
 c252d21e6bcd0145152252f3f425aac4  10.2/RPMS/apache2-mod_disk_cache-2.0.53-9.2.102mdk.i586.rpm
 01bcf1dad802d65b8b4286f757561a0a  10.2/RPMS/apache2-mod_file_cache-2.0.53-9.2.102mdk.i586.rpm
 c96c60e2f826aa9b6f1d639964541fd9  10.2/RPMS/apache2-mod_ldap-2.0.53-9.2.102mdk.i586.rpm
 987c814d31bb5a7ef93d66902dfadbb4  10.2/RPMS/apache2-mod_mem_cache-2.0.53-9.2.102mdk.i586.rpm
 716e0be8b6f25d115b5ee01b5420db12  10.2/RPMS/apache2-mod_proxy-2.0.53-9.2.102mdk.i586.rpm
 dd81510cb09113cdf2f9bc4acb4d4b1a  10.2/RPMS/apache2-mod_ssl-2.0.53-8.2.102mdk.i586.rpm
 b9d81d6c8b1dcd45ae703b4507bdd3ac  10.2/RPMS/apache2-modules-2.0.53-9.2.102mdk.i586.rpm
 51cb7958b2889d397d8d60d7f9a90a1b  10.2/RPMS/apache2-peruser-2.0.53-9.2.102mdk.i586.rpm
 836bd59908b4db2796320ea09f5412a3  10.2/RPMS/apache2-source-2.0.53-9.2.102mdk.i586.rpm
 d7d0f19642a1385224efc128d8081349  10.2/RPMS/apache2-worker-2.0.53-9.2.102mdk.i586.rpm
 8a16e42b311c162399f3ae97d0744bbc  10.2/SRPMS/apache2-2.0.53-9.2.102mdk.src.rpm
 9a0a2bd52a58f0ef58c5b0801487087a  10.2/SRPMS/apache2-mod_ssl-2.0.53-8.2.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:

 Multi Network Firewall 2.0:

 Corporate 3.0:

 Corporate 3.0/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- Vulnerability information (F39961)

Debian Linux Security Advisory 805-1 (PacketStormID:F39961)
2005-09-10 00:00:00
Debian  debian.org
advisory,web,vulnerability
linux,debian
CVE-2005-1268,CVE-2005-2088,CVE-2005-2700,CVE-2005-2728

Debian Security Advisory DSA 805-1 - Several problems have been discovered in Apache2, the next generation, scalable, extendible web server. The Common Vulnerabilities and Exposures project identifies the following problems:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 805-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 8th, 2005                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : apache2
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CAN-2005-1268 CAN-2005-2088 CAN-2005-2700 CAN-2005-2728
BugTraq ID     : 14660
Debian Bugs    : 316173 320048 320063 326435

Several problems have been discovered in Apache2, the next generation,
scalable, extendable web server.  The Common Vulnerabilities and
Exposures project identifies the following problems:

CAN-2005-1268

    Marc Stern discovered an off-by-one error in the mod_ssl
    Certificate Revocation List (CRL) verification callback.  When
    Apache is configured to use a CRL this can be used to cause a
    denial of service.

CAN-2005-2088

    A vulnerability has been discovered in the Apache web server.
    When it is acting as an HTTP proxy, it allows remote attackers to
    poison the web cache, bypass web application firewall protection,
    and conduct cross-site scripting attacks, because Apache
    incorrectly handles and forwards the body of the request.

CAN-2005-2700

    A problem has been discovered in mod_ssl, which provides strong
    cryptography (HTTPS support) for Apache, that allows remote
    attackers to bypass access restrictions.

CAN-2005-2728

    The byte-range filter in Apache 2.0 allows remote attackers to
    cause a denial of service via an HTTP header with a large Range
    field.

The old stable distribution (woody) does not contain Apache2 packages.

For the stable distribution (sarge) these problems have been fixed in
version 2.0.54-5.

For the unstable distribution (sid) these problems have been fixed in
version 2.0.54-5.

We recommend that you upgrade your apache2 packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>


- Vulnerability information (F39907)

Ubuntu Security Notice 177-1 (PacketStormID:F39907)
2005-09-08 00:00:00
Ubuntu,Martin Pitt  security.ubuntu.com
advisory,remote,denial of service,vulnerability
linux,ubuntu
CVE-2005-2700,CVE-2005-2728

Ubuntu Security Notice USN-177-1 - apache2, libapache-mod-ssl vulnerabilities - Apache did not honour the "SSLVerifyClient require" directive within a <Location> block if the surrounding <VirtualHost> block contained a directive "SSLVerifyClient optional". This allowed clients to bypass client certificate validation on servers with the above configuration. Also, Filip Sneppe discovered a Denial of Service vulnerability in the byte range filter handler. By requesting certain large byte ranges, a remote attacker could cause memory exhaustion in the server.

===========================================================
Ubuntu Security Notice USN-177-1         September 07, 2005
apache2, libapache-mod-ssl vulnerabilities
CAN-2005-2700, CAN-2005-2728
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

apache2-mpm-perchild
apache2-mpm-prefork
apache2-mpm-threadpool
apache2-mpm-worker
libapache-mod-ssl

The problem can be corrected by upgrading the affected package to
version 2.0.50-12ubuntu4.8 (for Ubuntu 4.10), or 2.0.53-5ubuntu5.3
(for Ubuntu 5.04). In general, a standard system upgrade is sufficient
to effect the necessary changes.

Details follow:

Apache did not honour the "SSLVerifyClient require" directive within a
<Location> block if the surrounding <VirtualHost> block contained a
directive "SSLVerifyClient optional". This allowed clients to bypass
client certificate validation on servers with the above configuration.
(CAN-2005-2700)

Filip Sneppe discovered a Denial of Service vulnerability in the byte
range filter handler. By requesting certain large byte ranges, a
remote attacker could cause memory exhaustion in the server.
(CAN-2005-2728)
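Both this entry and the Debian advisory's CAN-2005-2728 entry describe memory exhaustion triggered by a large Range field. The following added example, which is not code from the Ubuntu or Debian advisories nor from Apache itself, parses an HTTP/1.1 Range header and flags requests whose Range field exceeds an assumed policy on header length and number of ranges, the kind of check a reverse proxy, WAF rule or log-review script can apply in front of a server that has not yet been upgraded. The limits `MAX_RANGES` and `MAX_HEADER_LEN`, the sample headers and the resource length are constructed for the example.

```python
"""Range-header sanity check for the byte-range filter DoS (CAN-2005-2728).

Added example, not taken from the advisories or from Apache's own code.
It parses a 'bytes=' Range header as RFC 2616 section 14.35.1 defines it,
counts the satisfiable ranges and the bytes they cover, and reports
whether the request exceeds an assumed front-end policy.
"""
import re
from dataclasses import dataclass

MAX_RANGES = 20        # assumed policy: more ranges than this is flagged
MAX_HEADER_LEN = 1024  # assumed policy: cap on the raw header length

# byte-range-spec "first-last", suffix-byte-range-spec "-N", or "first-"
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


@dataclass
class RangeReport:
    ok: bool          # False when the header is malformed or exceeds policy
    reason: str
    num_ranges: int   # satisfiable ranges the server would have to serve
    span_bytes: int   # total bytes those ranges cover


def parse_byte_ranges(header_value: str, resource_len: int):
    """Return [(first, last), ...] for a 'bytes=' Range header.

    Raises ValueError on syntax errors.  Unsatisfiable ranges (beyond the
    end of the resource, or with first > last) are skipped, as the RFC
    says they are to be ignored rather than served.
    """
    value = header_value.strip()
    if not value.lower().startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in value[len("bytes="):].split(","):
        spec = spec.strip()
        if not spec:
            continue  # tolerate empty list elements such as "0-1,,2-3"
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"bad byte-range-spec: {spec!r}")
        first, last = m.group(1), m.group(2)
        if first == "":
            # suffix form "-N": the last N bytes of the resource
            n = int(last)
            if n == 0:
                continue
            ranges.append((max(0, resource_len - n), resource_len - 1))
        else:
            start = int(first)
            end = resource_len - 1 if last == "" else min(int(last), resource_len - 1)
            if start >= resource_len or start > end:
                continue  # unsatisfiable, ignored
            ranges.append((start, end))
    return ranges


def check_range_header(header_value: str, resource_len: int,
                       max_ranges: int = MAX_RANGES,
                       max_header_len: int = MAX_HEADER_LEN) -> RangeReport:
    """Classify a Range header against the assumed policy."""
    if len(header_value) > max_header_len:
        return RangeReport(False, "header too long", 0, 0)
    try:
        ranges = parse_byte_ranges(header_value, resource_len)
    except ValueError as exc:
        return RangeReport(False, str(exc), 0, 0)
    span = sum(last - first + 1 for first, last in ranges)
    if len(ranges) > max_ranges:
        return RangeReport(False, "too many ranges", len(ranges), span)
    return RangeReport(True, "ok", len(ranges), span)


if __name__ == "__main__":
    RESOURCE_LEN = 1000  # constructed size of the requested resource
    samples = {  # constructed sample headers, not captured traffic
        "resume download": "bytes=500-",
        "tail and head": "bytes=-100, 0-49",
        "beyond end": "bytes=2000-3000",
        "malformed": "bytes=abc",
        "oversized list": "bytes=" + ",".join(f"{i}-{i}" for i in range(50)),
    }
    for label, header in samples.items():
        rep = check_range_header(header, RESOURCE_LEN)
        print(f"{label:15} ok={rep.ok!s:5} reason={rep.reason!r:28} "
              f"ranges={rep.num_ranges} span={rep.span_bytes}")
```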

The updated libapache-mod-ssl also fixes two older Denial of Service
vulnerabilities: A format string error in the ssl_log() function which
could be exploited to crash the server (CAN-2004-0700), and a flaw in
the SSL cipher negotiation which could be exploited to terminate a
session (CAN-2004-0885). Please note that Apache 1.3 and
libapache-mod-ssl are not officially supported (they are in the
"universe" component of the Ubuntu archive).


Updated packages for Ubuntu 4.10 (Warty Warthog):

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.50-12ubuntu4.8_amd64.deb
      Size/MD5:   229380 697a89ca93a06638eef0b750f06f36fa
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.50-12ubuntu4.8_amd64.deb
      Size/MD5:   229972 17ba241c871bc17def12e3ad8eb810c1
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.8_amd64.deb
      Size/MD5:    30422 ef1853a71c3388dc0cac851973054327
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.18-1ubuntu1_amd64.deb
      Size/MD5:   270432 170f9d455846b887004e2c64d87a992c
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.50-12ubuntu4.8_amd64.deb
      Size/MD5:   275918 7dd8c94be42b83dbdcbe9ead03920785
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.50-12ubuntu4.8_amd64.deb
      Size/MD5:   133872 c9cd10aa94e7e1e4d742b8f770a33957

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.50-12ubuntu4.8_i386.deb
      Size/MD5:   826546 a6c92d2edd9aaafa1b96e8f35a8d82e5
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.50-12ubuntu4.8_i386.deb
      Size/MD5:   209822 25d102841a8494ccf421b0472bdf8d53
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.50-12ubuntu4.8_i386.deb
      Size/MD5:   206050 5d7950b25e7ab9c0852fcc467bffc74e
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.50-12ubuntu4.8_i386.deb
      Size/MD5:   208668 354af55e832a285b487772b291800488
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.50-12ubuntu4.8_i386.deb
      Size/MD5:   209090 9ab76bcb30f1c443a3bcea970050e281
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.8_i386.deb
      Size/MD5:    30420 4637c7201b4b408f71892aba01008cf6
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.18-1ubuntu1_i386.deb
      Size/MD5:   264636 b99ac93cf8ff93e62938e61a5ccb5af9
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.50-12ubuntu4.8_i386.deb
      Size/MD5:   253894 b964f6601460e231a5c5dd230c83c089
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.50-12ubuntu4.8_i386.deb
      Size/MD5:   124582 b66c3aea329c2b6dc025127f86059583

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.50-12ubuntu4.8_powerpc.deb
      Size/MD5:   904286 5c5789d62a13d3c1e24975e87b88b07a
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.50-12ubuntu4.8_powerpc.deb
      Size/MD5:   223468 d6ef031ea962f5c085c4bd36c1c37614
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.50-12ubuntu4.8_powerpc.deb
      Size/MD5:   218452 a84a424566e61ceeb781f67a92375733
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.50-12ubuntu4.8_powerpc.deb
      Size/MD5:   221620 74362295b70416d0423ede1516eabeb6
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.50-12ubuntu4.8_powerpc.deb
      Size/MD5:   222266 ad439ebd9f706b371efd97c9960a96b0
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.8_powerpc.deb
      Size/MD5:    30420 fc36959ab3f88cb8717baa471eb1bb0a
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.18-1ubuntu1_powerpc.deb
      Size/MD5:   265958 49f7f02d9394fd118a38af9d0bc1d83c
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.50-12ubuntu4.8_powerpc.deb
      Size/MD5:   269696 ddfbfc9fc83e1aeba16c964d21d7537a
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.50-12ubuntu4.8_powerpc.deb
      Size/MD5:   131190 3d7fd0e28009a1e2ebd7ac2c89e681da

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.3.diff.gz
      Size/MD5:   108139 d03a3b3df92bd7492384468dd85c5507
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.3.dsc
      Size/MD5:     1159 9cdcd80b25f4fa25ef5bd14197f273ff
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53.orig.tar.gz
      Size/MD5:  6925351 40507bf19919334f07355eda2df017e5
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.22-1ubuntu1.diff.gz
      Size/MD5:    30251 693e83c3a2524250bdf3dc6ab85d4e1d
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.22-1ubuntu1.dsc
      Size/MD5:      779 53fb3e656c367b4d6e2271604acf92e5
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.22.orig.tar.gz
      Size/MD5:   754606 cdfdf1f576f77768c90825b43b462405

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.53-5ubuntu5.3_all.deb
      Size/MD5:  3578466 c24a5911a13e99450e3fc7486547c0a8
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.53-5ubuntu5.3_all.deb
      Size/MD5:    33994 cae1dd595b93a1bd3b319a96eb2e11bd
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache-mod-ssl/libapache-mod-ssl-doc_2.8.22-1ubuntu1_all.deb
      Size/MD5:   242090 c9c3cf415c3749209fc502fb5097b3e6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.3_amd64.deb
      Size/MD5:   826284 9650bd1a22f98f1b1d4af14688ea3e76
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.3_amd64.deb
      Size/MD5:   221240 8a3cfa2b21fc4c9d1b96c81c67431783
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.3_amd64.deb
      Size/MD5:   216848 bdec5002d94f62d2a4c93f9a648cea36
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.3_amd64.deb
      Size/MD5:   220154 a480c0bd2c251cdc25eda4fbe8a0c9bb
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.3_amd64.deb
      Size/MD5:   167632 3444694d537aa13cd4649606fe81679c
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.3_amd64.deb
      Size/MD5:   168424 fb844405e54d417c9affcb28d7f8faff
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.3_amd64.deb
      Size/MD5:    93100 7c672ca16d9c391ec162f59514c5dd40
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.3_amd64.deb
      Size/MD5:    33924 536d5c36d3442a7f5a7cec88b27ccfb0
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.22-1ubuntu1_amd64.deb
      Size/MD5:   270652 da0946f35ebbc03417ca82e2ac0ca91b
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.3_amd64.deb
      Size/MD5:   279284 414825aa0c9d5b589bd3b992a8627f96
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.3_amd64.deb
      Size/MD5:   137782 69207c4f0ae64ba5e2a62b1c843061d2

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.3_i386.deb
      Size/MD5:   789218 74e54616f41a62f493de7b2e22369d53
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.3_i386.deb
      Size/MD5:   201476 fa27b66ff83ae2605eab28f1a586f158
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.3_i386.deb
      Size/MD5:   197270 436e4305f8049145ed211ca76a30fb42
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.3_i386.deb
      Size/MD5:   200786 e3b4add317694211d3e80d8e9f998834
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.3_i386.deb
      Size/MD5:   167650 b9f859657ccd36041db0977b3db0524f
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.3_i386.deb
      Size/MD5:   168432 1aba6200de75acd2c28e39b269d8f818
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.3_i386.deb
      Size/MD5:    90826 36aa38206b2baa7c22dac4f34f86ed2b
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.3_i386.deb
      Size/MD5:    33926 c1c4a38d7617152d9182ec001323f552
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.22-1ubuntu1_i386.deb
      Size/MD5:   264862 ef4af4c79aa84b8a82ba67ecddfbbba9
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.3_i386.deb
      Size/MD5:   257212 360c94079c15d1153d1b84a953c1ba83
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.3_i386.deb
      Size/MD5:   128458 e3545f4a18f2075c7eaed563b6eb0a23

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.3_powerpc.deb
      Size/MD5:   855598 8a9bd931ea0a916a12fa39056b24155b
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.3_powerpc.deb
      Size/MD5:   214500 ce9445f7ed32874512310a4dcb7fc123
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.3_powerpc.deb
      Size/MD5:   209610 09e02ae4aaf35bae60ecc434f6ec17ef
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.3_powerpc.deb
      Size/MD5:   213582 06ab4351176e2f5b694f1802d79a6bac
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.3_powerpc.deb
      Size/MD5:   167640 cd141d1be3b94959b5f431cf522d23bf
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.3_powerpc.deb
      Size/MD5:   168432 8963433136779a45cffeb80ec709b39e
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.3_powerpc.deb
      Size/MD5:   102532 3cfb0c483d3d17b5478aad6eda621848
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.3_powerpc.deb
      Size/MD5:    33928 6f6bb36cc446bcec882617bed9084a4a
    http://security.ubuntu.com/ubuntu/pool/universe/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.22-1ubuntu1_powerpc.deb
      Size/MD5:   266154 219ff4adadb5d02899628360ba993c4c
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.3_powerpc.deb
      Size/MD5:   272508 d1074f544adf38457bd1ee45076a12a4
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.3_powerpc.deb
      Size/MD5:   134814 1e07eeb86b32019796f14182db0f0965
    

- Vulnerability information

ID: 18977
Title: Apache HTTP Server Crafted HTTP Range Header DoS
Attack type: Denial of Service
Impact: Loss of Availability
Status: Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-08-25 2004-07-07
Unknown Unknown

- Solution

Upgrade to version 2.0.55 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Credit

Unknown or Incomplete

- Vulnerability information

Title: Apache CGI Byterange Request Denial of Service Vulnerability
Class: Design Error
ID: 14660
Remote: Yes
Local: No
Published: 2005-08-25 12:00:00
Updated: 2006-09-11 06:47:00
Discovery credited to Filip Sneppe <filip.sneppe@uptime.be>.

- Affected versions

Ubuntu Ubuntu Linux 5.04 powerpc
Ubuntu Ubuntu Linux 5.04 i386
Ubuntu Ubuntu Linux 5.04 amd64
Ubuntu Ubuntu Linux 4.10 ppc
Ubuntu Ubuntu Linux 4.10 ia64
Ubuntu Ubuntu Linux 4.10 ia32
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux Home
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
Sun Solaris 10.0_x86
Sun Solaris 10.0
Sun Solaris 10
SGI ProPack 3.0 SP6
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Enterprise Server 9
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Desktop 4.0
RedHat Desktop 3.0
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
IBM HTTP Server 2.0.47.1
IBM HTTP Server 2.0.47
IBM HTTP Server 2.0.42.2
IBM HTTP Server 2.0.42.1
IBM HTTP Server 2.0.42
HP HP-UX 11.23
HP HP-UX 11.11
HP HP-UX 11.04
HP HP-UX 11.0
HP HP-UX B.11.23
HP HP-UX B.11.11
HP HP-UX B.11.00
Gentoo Linux
Conectiva Linux 10.0
Avaya Integrated Management 2.1
Avaya Integrated Management
Avaya CVLAN
Apache Software Foundation Apache 2.1.5
Apache Software Foundation Apache 2.1.4
Apache Software Foundation Apache 2.1.3
Apache Software Foundation Apache 2.1.2
Apache Software Foundation Apache 2.1.1
Apache Software Foundation Apache 2.1
Apache Software Foundation Apache 2.0.54
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
Apache Software Foundation Apache 2.0.53
Apache Software Foundation Apache 2.0.52
+ Apple Mac OS X 10.3.6
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X Server 10.3.6
+ Apple Mac OS X Server 10.2.8
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ Sun Solaris 10
Apache Software Foundation Apache 2.0.51
Apache Software Foundation Apache 2.0.50
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
Apache Software Foundation Apache 2.0.49
+ S.u.S.E. Linux Personal 9.1
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Apache Software Foundation Apache 2.0.48
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 8.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Apache Software Foundation Apache 2.0.47
+ Apple Mac OS X Server 10.3.5
+ Apple Mac OS X Server 10.3.4
+ Apple Mac OS X Server 10.3.3
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.2.8
+ Apple Mac OS X Server 10.2.7
+ Apple Mac OS X Server 10.2.6
+ Apple Mac OS X Server 10.2.5
+ Apple Mac OS X Server 10.2.4
+ Apple Mac OS X Server 10.2.3
+ Apple Mac OS X Server 10.2.2
+ Apple Mac OS X Server 10.2.1
+ Apple Mac OS X Server 10.2
+ Apple Mac OS X Server 10.1.5
+ Apple Mac OS X Server 10.1.4
+ Apple Mac OS X Server 10.1.3
+ Apple Mac OS X Server 10.1.2
+ Apple Mac OS X Server 10.1.1
+ Apple Mac OS X Server 10.1
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Apache Software Foundation Apache 2.0.46
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ Trustix Secure Linux 2.0
Apache Software Foundation Apache 2.0.45
- Apple Mac OS X 10.2.6
- Apple Mac OS X 10.2.5
- Apple Mac OS X 10.2.4
- Apple Mac OS X 10.2.3
- Apple Mac OS X 10.2.2
- Apple Mac OS X 10.2.1
- Apple Mac OS X 10.2
- Apple Mac OS X 10.1.5
- Apple Mac OS X 10.1.4
- Apple Mac OS X 10.1.3
- Apple Mac OS X 10.1.2
- Apple Mac OS X 10.1.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.0.4
- Apple Mac OS X 10.0.3
- Apple Mac OS X 10.0.2
- Apple Mac OS X 10.0.1
- Apple Mac OS X 10.0
+ Conectiva Linux 9.0
Apache Software Foundation Apache 2.0.44
Apache Software Foundation Apache 2.0.43
Apache Software Foundation Apache 2.0.42
Apache Software Foundation Apache 2.0.41
Apache Software Foundation Apache 2.0.40
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0
+ Terra Soft Solutions Yellow Dog Linux 3.0
Apache Software Foundation Apache 2.0.39
Apache Software Foundation Apache 2.0.38
Apache Software Foundation Apache 2.0.37
Apache Software Foundation Apache 2.0.36
Apache Software Foundation Apache 2.0.35
Apache Software Foundation Apache 2.0.32
Apache Software Foundation Apache 2.0.28 Beta
Apache Software Foundation Apache 2.0.28
Apache Software Foundation Apache 2.0 a9
Apache Software Foundation Apache 2.0

- Not affected versions

Apache Software Foundation Apache 2.1.6
Apache Software Foundation Apache 2.0.55

- Discussion

Apache is prone to a denial of service (memory exhaustion) when handling large byte-range requests; the issue was reported as affecting byte-range requests for CGI responses.

- Exploit

An exploit is not required.

- Solution

Please see the referenced vendor advisories for further information.

