Description:
The remote host is missing updates announced in advisory FLSA-2004:2148.
An issue has been discovered in the mod_ssl module when configured to use the SSLCipherSuite directive in directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client will be able to access that location using any cipher suite allowed by the virtual host configuration. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0885 to this issue.
Problems that apply to Red Hat Linux 7.3 only:
A buffer overflow in mod_include could allow a local user who is authorised to create server side include (SSI) files to gain the privileges of a httpd child. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0940 to this issue.
Problems that apply to Red Hat Linux 9 and Fedora Core 1 only:
An issue has been discovered in the handling of white space in request header lines using MIME folding. A malicious client could send a carefully crafted request, forcing the server to consume large amounts of memory, leading to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0942 to this issue.
Users of the Apache HTTP server should upgrade to these updated packages, which contain patches that address these issues.
Affected platforms: Redhat 7.3, Redhat 9, Fedora Core 1
Solution:
https://secure1.securityspace.com/smysecure/catid.html?in=FLSA-2004:2148
http://www.apacheweek.com/features/security-20
http://www.apacheweek.com/features/security-13
Risk factor: High
CVSS Score: 7.5