Bug 101842 - [RFE] RHN not distributing current and "secure" Apache 2.0.47
Status: CLOSED DUPLICATE of bug 101784
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: httpd   
Version: 9
Hardware: All Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Red Hat Satellite QA List
Keywords: Security
Reported: 2003-08-07 15:12 UTC by Mark Blevis
Modified: 2007-03-27 04:08 UTC

Doc Type: Bug Fix
Last Closed: 2006-02-21 18:58:00 UTC

Description Mark Blevis 2003-08-07 15:12:26 UTC
Description of problem:
RHN's current version of the Apache webserver is httpd-2.0.40-11.5.  This 
version has a number of security vulnerabilities and fails a number of 
security tests.  The current distribution of Apache web server is 2.0.47.  
Please make the most current, most secure versions of Apache products 
available through RHN.  It concerns me that I'm paying for a service that does 
not keep pace with stable releases.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. rpm -qa |grep httpd
2. Nessus and Nikto scans
3. Publicly available security advisories

Actual results:
- This version allows an attacker to view the source code of CGI scripts via a POST request made to a directory with both WebDAV and CGI enabled.
- There is a denial of service vulnerability which may allow an attacker to disable basic authentication on this host
- There is a denial of service vulnerability in the mod_dav module which may allow an attacker to crash this service remotely
- This version is vulnerable to various flaws which may allow an attacker to disable this service remotely and/or locally.
- Apache/2.0.40 - Apache versions 2.0.40 through 2.0.45 are vulnerable to a DoS in basic authentication. CAN-2003-0189.
- Apache/2.0.40 - "Apache 2.0 up 2.0.46 are vulnerable to multiple remote problems. CAN-2003-0192. CAN-2003-0253. CAN-2003-0254. CERT VU
- Apache/2.0.40 - Apache versions 2.0.37 through 2.0.45 are vulnerable to a DoS in mod_dav. CAN-2003-0245.

Expected results:

Additional info:
Apache released version 2.0.47 some time ago.  Prior to that, other versions 
were released since 2.0.40.
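
The scan lines quoted in the report above match advisories by the upstream version number alone. As an added example (not part of the original report and not Red Hat tooling), the script below repeats that range match for the advisories the report lists, then checks a package changelog for the same IDs, because a distribution package can carry backported fixes under an unchanged upstream version. The sample changelog is constructed, and the `2.0.0` lower bound is an assumed stand-in for "Apache 2.0 up 2.0.46".

```shell
#!/bin/sh
# Added example; not part of the original report.
# Ranges as quoted in the scan output: "first last IDs". The 2.0.0 lower
# bound is an assumption standing in for "Apache 2.0 up 2.0.46".
ADVISORIES='2.0.40 2.0.45 CAN-2003-0189
2.0.37 2.0.45 CAN-2003-0245
2.0.0 2.0.46 CAN-2003-0192,CAN-2003-0253,CAN-2003-0254'

# Constructed changelog text, not taken from any real package.
SAMPLE_CHANGELOG='* Mon Jan 01 2001 Example Packager <packager@example.invalid>
- add security fix for CAN-2003-0189 (backported patch)
- add security fix for CAN-2003-0245 (backported patch)'

# ver_le A B: succeed when dotted version A <= B, comparing fields numerically.
ver_le() {
    [ "$1" = "$2" ] && return 0
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# ids_for_version V: print the IDs whose quoted range contains upstream version V.
# This is all a version-based scanner check can know.
ids_for_version() {
    printf '%s\n' "$ADVISORIES" | while read -r lo hi ids; do
        if ver_le "$lo" "$1" && ver_le "$1" "$hi"; then
            printf '%s\n' "$ids" | tr ',' '\n'
        fi
    done
}

# unresolved_ids V: read a package changelog on stdin and print the IDs from
# ids_for_version V that the changelog never mentions.
unresolved_ids() {
    log=$(cat)
    for id in $(ids_for_version "$1"); do
        printf '%s\n' "$log" | grep -qF -- "$id" || printf '%s\n' "$id"
    done
}

# Demo on the constructed changelog. On an RPM system the real input would be:
#   rpm -q --changelog httpd | unresolved_ids 2.0.40
echo "Matched by version range:"; ids_for_version 2.0.40
echo "Not mentioned in changelog:"
printf '%s\n' "$SAMPLE_CHANGELOG" | unresolved_ids 2.0.40
```

An ID missing from the changelog is not proof of exposure; it marks the entry to check against the vendor's advisory for that package.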

Comment 1 Josef Komenda 2003-08-07 17:39:29 UTC
See bug #101784

*** This bug has been marked as a duplicate of 101784 ***

Comment 2 Red Hat Bugzilla 2006-02-21 18:58:00 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
