GLSA-200407-03 : Apache 2: Remote denial of service attack

This script is Copyright (C) 2004-2015 Tenable Network Security, Inc.

Synopsis :

The remote Gentoo host is missing one or more security-related

Description :

The remote host is affected by the vulnerability described in GLSA-200407-03
(Apache 2: Remote denial of service attack)

A bug in the header-line handling code in protocol.c causes Apache to
allocate memory for header lines starting with TAB or SPACE.

Impact :

An attacker can exploit this vulnerability to perform a Denial of Service
attack by causing Apache to exhaust all memory. On 64-bit systems with more
than 4GB of virtual memory, a possible integer signedness error could lead
to a buffer overflow, causing Apache to crash and, under some
circumstances, execute arbitrary code as the user running Apache, usually

Workaround :

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version:

See also :

Solution :

Apache 2 users should upgrade to the latest version of Apache:
# emerge sync
# emerge -pv '>=www-servers/apache-2.0.49-r4'
# emerge '>=www-servers/apache-2.0.49-r4'

Risk factor :

Medium / CVSS Base Score : 6.4

Family: Gentoo Local Security Checks

Nessus Plugin ID: 14536 (gentoo_GLSA-200407-03.nasl)

Bugtraq ID:

CVE ID: CVE-2004-0493