Red Hat Bugzilla – Bug 101842
[RFE] RHN not distributing current and "secure" Apache 2.0.47
Last modified: 2007-03-27 00:08:45 EDT
Description of problem:
RHN's current version of the Apache webserver is httpd-2.0.40-11.5. This
version has a number of security vulnerabilities and fails a number of
security tests. The current distribution of Apache web server is 2.0.47.
Please make the most current, most secure versions of Apache products
available through RHN. It concerns me that I'm paying for a service that does
not keep pace with stable releases.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. rpm -qa |grep httpd
2. Nessus and Nikto scans
3. Publicly available security advisories
-This version allows an attacker to view the source code of CGI scripts via a
POST request made to a directory with both WebDAV and CGI enabled.
-There is a denial of service vulnerability which may allow an attacker to
disable basic authentication on this host
-There is a denial of service vulnerability in the mod_dav module which may
allow an attacker to crash this service remotely
-This version is vulnerable to various flaws which may allow
an attacker to disable this service remotely and/or locally.
-Apache/2.0.40 - Apache versions 2.0.40 through 2.0.45 are vulnerable to a DoS
in basic authentication. CAN-2003-0189.
-Apache/2.0.40 - "Apache 2.0 up 2.0.46 are vulnerable to multiple remote
problems. CAN-2003-0192. CAN-2003-0253. CAN-2003-0254. CERT VU
-Apache/2.0.40 - Apache versions 2.0.37 through 2.0.45 are vulnerable to a DoS
in mod_dav. CAN-2003-0245.
Apache released version 2.0.47 some time ago. Prior to that, other versions
were released since 2.0.40.
See bug #101784
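The reasoning in steps 1 and 3 above (read the installed RPM version, compare it with the version ranges named in the advisories) can be scripted so the check is repeatable across hosts. The following POSIX sh script is an added example, not part of this bug report or of any Red Hat or Apache tooling. The advisory table is constructed from the ranges quoted in the report; the lower bound `2.0.0` for CAN-2003-0192 is an assumption, since the scanner output only says "Apache 2.0 up 2.0.46". The comparison looks at the upstream version string alone, so it cannot see fixes a vendor has backported into a package with an older version number; treat a match as a triage signal to confirm against the vendor's errata, not as a verdict.

```shell
#!/bin/sh
# Added example: check an installed httpd RPM (name-version-release string,
# e.g. the output of `rpm -q httpd`) against advisory version ranges.

# Advisory table constructed from the findings in the bug report:
# advisory id, first affected upstream version, last affected upstream version.
# The 2.0.0 lower bound for CAN-2003-0192 is an assumption.
ADVISORIES='CAN-2003-0189 2.0.40 2.0.45
CAN-2003-0245 2.0.37 2.0.45
CAN-2003-0192 2.0.0 2.0.46'

# upstream_version "httpd-2.0.40-11.5" -> "2.0.40"
# Takes the field that starts with a digit and sits before the final "-release".
upstream_version() {
    printf '%s\n' "$1" | sed 's/^.*-\([0-9][^-]*\)-[^-]*$/\1/'
}

# vernum "2.0.40" -> 2000040; a sortable integer for dotted versions with
# up to three numeric components, each assumed to be below 1000.
vernum() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( $1 * 1000000 + $2 * 1000 + ${3:-0} ))
}

# affected PKG LOW HIGH -> exit 0 if PKG's upstream version is within [LOW, HIGH]
affected() {
    pkg_v=$(vernum "$(upstream_version "$1")")
    range_lo=$(vernum "$2")
    range_hi=$(vernum "$3")
    [ "$pkg_v" -ge "$range_lo" ] && [ "$pkg_v" -le "$range_hi" ]
}

# count_affected PKG -> prints how many advisories in the table match PKG
count_affected() {
    n=0
    while read -r id lo hi; do
        if affected "$1" "$lo" "$hi"; then
            n=$((n + 1))
        fi
    done <<EOF
$ADVISORIES
EOF
    echo "$n"
}

# report PKG -> one line per advisory with its verdict for PKG
report() {
    echo "package: $1 (upstream version $(upstream_version "$1"))"
    while read -r id lo hi; do
        if affected "$1" "$lo" "$hi"; then
            state=AFFECTED
        else
            state=not-affected
        fi
        printf '  %s  %s..%s  %s\n' "$id" "$lo" "$hi" "$state"
    done <<EOF
$ADVISORIES
EOF
}

# Demonstration on the version from the report and on a hypothetical
# 2.0.47 package (sample values, not real package names from RHN).
report httpd-2.0.40-11.5
report httpd-2.0.47-1
```

On a live host, replace the sample argument with `$(rpm -q httpd)`; the script only needs `sed`, `tr` and a POSIX shell.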
*** This bug has been marked as a duplicate of 101784 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.