Mandrake Linux Security Advisory : apache2 (MDKSA-2003:075-1)
Medium Nessus Plugin ID 14058
SynopsisThe remote Mandrake Linux host is missing a security update.
DescriptionSeveral vulnerabilities were discovered in Apache 2.x versions prior to 2.0.47. From the Apache 2.0.47 release notes :
Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the new one (CVE-2003-0192).
Certain errors returned by accept() on rarely accessed ports could cause temporary Denial of Service due to a bug in the prefork MPM (CVE-2003-0253).
Denial of Service was caused when target host is IPv6 but FTP proxy server can't create IPv6 socket (CVE-2003-0254).
The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests (VU#379828).
The Apache Software Foundation thanks Saheed Akhtar and Yoshioka Tsuneo for responsibly reporting these issues.
To upgrade these apache packages, first stop Apache by issuing, as root :
service httpd stop
After the upgrade, restart Apache with :
service httpd start
The previously released packages had a manpage conflict between apache2-common and apache-1.3 that prevented both packages from being installed at the same time. This update provides a fixed apache2-common package.
SolutionUpdate the affected apache2-common package.