Mandrake Linux Security Advisory : apache2 (MDKSA-2005:161)
Critical Nessus Plugin ID 19916
SynopsisThe remote Mandrake Linux host is missing one or more security updates.
DescriptionA flaw was discovered in mod_ssl's handling of the 'SSLVerifyClient' directive. This flaw occurs if a virtual host is configured using 'SSLVerifyClient optional' and a directive 'SSLVerifyClient required' is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting. (CVE-2005-2700)
A flaw was discovered in Apache httpd where the byterange filter would buffer certain responses into memory. If a server has a dynamic resource such as a CGI script or PHP script that generates a large amount of data, an attacker could send carefully crafted requests in order to consume resources, potentially leading to a Denial of Service. (CVE-2005-2728)
The updated packages have been patched to address these issues.
SolutionUpdate the affected packages.