Bug 101842 - [RFE] RHN not distributing current and "secure" Apache 2.0.47
Status: CLOSED DUPLICATE of bug 101784
Product: Red Hat Linux
Classification: Retired
Component: httpd
Version: 9
Hardware: All Linux
Priority: high
Severity: medium
Assigned To: Joe Orton
QA Contact: Red Hat Satellite QA List
Keywords: Security
Reported: 2003-08-07 11:12 EDT by Mark Blevis
Modified: 2007-03-27 00:08 EDT

Doc Type: Bug Fix
Last Closed: 2006-02-21 13:58:00 EST


Description Mark Blevis 2003-08-07 11:12:26 EDT
Description of problem:
RHN's current version of the Apache webserver is httpd-2.0.40-11.5.  This 
version has a number of security vulnerabilities and fails a number of 
security tests.  The current distribution of Apache web server is 2.0.47.  
Please make the most current, most secure versions of Apache products 
available through RHN.  It concerns me that I'm paying for a service that does 
not keep pace with stable releases.


Version-Release number of selected component (if applicable):
httpd-2.0.40-11.5


How reproducible:
Every time


Steps to Reproduce:
1. rpm -qa |grep httpd
2. Nessus and Nikto scans
3. Publicly available security advisories

    
Actual results:
-This version allows an attacker to view the source code of CGI scripts via a 
POST request made to a directory with both WebDAV and CGI enabled.
-There is a denial of service vulnerability which may allow an attacker to 
disable basic authentication on this host
-There is a denial of service vulnerability in the mod_dav module which may 
allow an attacker to crash this service remotely
-This version is vulnerable to various flaws which may allow
an attacker to disable this service remotely and/or locally.
-Apache/2.0.40 - Apache versions 2.0.40 through 2.0.45 are vulnerable to a DoS 
in basic authentication. CAN-2003-0189.
-Apache/2.0.40 - "Apache 2.0 up 2.0.46 are vulnerable to multiple remote 
problems. CAN-2003-0192. CAN-2003-0253. CAN-2003-0254. CERT VU
-Apache/2.0.40 - Apache versions 2.0.37 through 2.0.45 are vulnerable to a DoS 
in mod_dav. CAN-2003-0245.


Expected results:


Additional info:
Apache released version 2.0.47 some time ago.  Prior to that, other versions 
were released since 2.0.40.
Comment 1 Josef Komenda 2003-08-07 13:39:29 EDT
See bug #101784



*** This bug has been marked as a duplicate of 101784 ***
Comment 2 Red Hat Bugzilla 2006-02-21 13:58:00 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
