Detections
Analytics

Mandrake Linux Security Advisory : apache2 (MDKSA-2004:096)

high Nessus Plugin ID 14752

Synopsis

The remote Mandrake Linux host is missing one or more security updates.

Description

Two Denial of Service conditions were discovered in the input filter of mod_ssl, the module that enables apache to handle HTTPS requests.

Another vulnerability was discovered by the ASF security team using the Codenomicon HTTP Test Tool. This vulnerability, in the apr-util library, can possibly lead to arbitrary code execution if certain non-default conditions are met (enabling the AP_ENABLE_EXCEPTION_HOOK define).

As well, the SITIC have discovered a buffer overflow when Apache expands environment variables in configuration files such as .htaccess and httpd.conf, which can lead to possible privilege escalation. This can only be done, however, if an attacker is able to place malicious configuration files on the server.

Finally, a crash condition was discovered in the mod_dav module by Julian Reschke, where sending a LOCK refresh request to an indirectly locked resource could crash the server.

The updated packages have been patched to protect against these vulnerabilities.

Solution

Update the affected packages.

See Also

http://www.uniras.gov.uk/vuls/2004/403518/index.htm

Plugin Details

Severity: High

ID: 14752

File Name: mandrake_MDKSA-2004-096.nasl

Version: 1.20

Type: local

Published: 9/16/2004

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:apache2, p-cpe:/a:mandriva:linux:apache2-common, p-cpe:/a:mandriva:linux:apache2-devel, p-cpe:/a:mandriva:linux:apache2-manual, p-cpe:/a:mandriva:linux:apache2-mod_cache, p-cpe:/a:mandriva:linux:apache2-mod_dav, p-cpe:/a:mandriva:linux:apache2-mod_deflate, p-cpe:/a:mandriva:linux:apache2-mod_disk_cache, p-cpe:/a:mandriva:linux:apache2-mod_file_cache, p-cpe:/a:mandriva:linux:apache2-mod_ldap, p-cpe:/a:mandriva:linux:apache2-mod_mem_cache, p-cpe:/a:mandriva:linux:apache2-mod_proxy, p-cpe:/a:mandriva:linux:apache2-mod_ssl, p-cpe:/a:mandriva:linux:apache2-modules, p-cpe:/a:mandriva:linux:apache2-source, p-cpe:/a:mandriva:linux:lib64apr0, p-cpe:/a:mandriva:linux:libapr0, cpe:/o:mandrakesoft:mandrake_linux:10.0, cpe:/o:mandrakesoft:mandrake_linux:9.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 9/15/2004

Reference Information

CVE: CVE-2004-0747, CVE-2004-0748, CVE-2004-0751, CVE-2004-0783, CVE-2004-0786, CVE-2004-0809

MDKSA: 2004:096