[linux-security] Apache 2 DoS vulnerability; possibly remote exploit



Topic
=====
DoS vulnerability and possibly remote exploit in Apache version 2

Problem Description
===================
Two vulnerabilities were discovered in the Apache web server that affect
all 2.x versions prior to 2.0.46. The first vulnerability could be triggered
remotely through mod_dav and possibly other mechanisms, causing an Apache
child process to crash resulting in a denial-of-service attack. This
vulnerability may also allow execution of arbitrary code.
The second vulnerability affects basic authentication on Unix platforms and
is related to thread-safety in apr_password_validate(). This vulnerability
can result in a DoS attack.

Affected Versions
=================
Apache versions 2.x prior to 2.0.46

Solution
========
Upgrade to version 2.0.46 (or the patched version for your distribution).

RedHat 8.0
----------
rpm -Fvh httpd-2.0.40-11.5.i386.rpm \
         httpd-devel-2.0.40-11.5.i386.rpm \
         httpd-manual-2.0.40-11.5.i386.rpm \
         mod_ssl-2.0.40-11.5.i386.rpm

restart the web server afterwards: /etc/init.d/httpd restart

RedHat 9
--------
rpm -Fvh httpd-2.0.40-21.3.i386.rpm \
         httpd-devel-2.0.40-21.3.i386.rpm \
         httpd-manual-2.0.40-21.3.i386.rpm \
         mod_ssl-2.0.40-21.3.i386.rpm

restart the web server afterwards: /etc/init.d/httpd restart

Mandrake 9.1
------------
rpm -Fvh apache-conf-2.0.45-2.1mdk.i586.rpm \
         apache2-2.0.45-4.3mdk.i586.rpm \
         apache2-common-2.0.45-4.3mdk.i586.rpm \
         apache2-devel-2.0.45-4.3mdk.i586.rpm \
         apache2-manual-2.0.45-4.3mdk.i586.rpm \
         apache2-mod_dav-2.0.45-4.3mdk.i586.rpm \
         apache2-mod_ldap-2.0.45-4.3mdk.i586.rpm \
         apache2-mod_ssl-2.0.45-4.3mdk.i586.rpm \
         apache2-modules-2.0.45-4.3mdk.i586.rpm \
         apache2-source-2.0.45-4.3mdk.i586.rpm \
         libapr0-2.0.45-4.3mdk.i586.rpm
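
As an added example (not part of this advisory, and not code from the Apache project or any distribution), the following POSIX shell script decides whether a host falls in the affected range. It parses the first line of `httpd -v`, compares the upstream version against 2.0.46, and, for distributions that backport the fix into an older version (as the Red Hat 2.0.40 packages above do), compares the `rpm -q httpd` version-release against the fixed package named here. The version comparison is a generic segment-by-segment numeric compare, not rpm's own algorithm, and the function names are my own.

```shell
#!/bin/sh
# Added example: is the installed Apache 2.x older than the fixed release?

# Fixed upstream version named in the advisory.
APACHE_FIXED_UPSTREAM="2.0.46"

# Compare two version strings such as "2.0.45" or "2.0.40-11.5" segment by
# segment (dashes are treated like dots, non-digits are dropped).
# Prints -1, 0 or 1 for left-older, equal, left-newer.
vercmp() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            printf '%s\n' 0
            return 0
        fi
        x=$(printf '%s' "$x" | sed 's/[^0-9]//g'); x=${x:-0}
        y=$(printf '%s' "$y" | sed 's/[^0-9]//g'); y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
}

# Extract the version from the first line of `httpd -v`,
# e.g. "Server version: Apache/2.0.45" -> "2.0.45".
apache_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when the version is an Apache 2.x release before 2.0.46.
# Apache 1.3 is outside the advisory's scope and is reported as not affected.
apache2_is_affected() {
    case "$1" in
        2.*) [ "$(vercmp "$1" "$APACHE_FIXED_UPSTREAM")" -lt 0 ] ;;
        *)   return 1 ;;
    esac
}

# For distributions that backport the fix: compare the installed package
# (output of `rpm -q httpd`, e.g. "httpd-2.0.40-11.4") against the fixed
# version-release given in the advisory, e.g. "2.0.40-11.5".
rpm_is_affected() {
    installed=${1#httpd-}
    [ "$(vercmp "$installed" "$2")" -lt 0 ]
}

# Check the local server when httpd is on the PATH.
if command -v httpd >/dev/null 2>&1; then
    v=$(apache_version_from_banner "$(httpd -v 2>/dev/null | head -n 1)")
    if [ -n "$v" ] && apache2_is_affected "$v"; then
        echo "Apache $v is older than $APACHE_FIXED_UPSTREAM: upgrade or apply the distribution patch"
    else
        echo "Apache ${v:-unknown}: not in the affected upstream range (verify the package release on distributions that backport fixes)"
    fi
fi
```

On Red Hat 8.0 or 9 the upstream banner alone is misleading: httpd-2.0.40-11.5 and httpd-2.0.40-21.3 carry the fix although they report a version older than 2.0.46, so there `rpm_is_affected "$(rpm -q httpd)" 2.0.40-11.5` (or 2.0.40-21.3) is the check to run; on Mandrake the package is named apache2, so adjust the prefix accordingly.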