Bug 130750 - CAN-2004-0748 Apache child infinite loop
CAN-2004-0748 Apache child infinite loop
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: httpd (Show other bugs)
2
All Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-08-24 05:43 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:10 EST (History)
2 users (show)

See Also:
Fixed In Version: 2.0.51-2.7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-09-23 14:21:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
httpd-2.0.50-ssl_engine_io.patch (455 bytes, patch)
2004-09-02 13:13 EDT, Robert Scheck
no flags Details | Diff

  None (edit)
Description Mark J. Cox (Product Security) 2004-08-24 05:43:57 EDT
Apache bug 29964 is "A remote attacker who forces an SSL connection to
be aborted in a particular state may cause an Apache child process to
enter an infinite loop, consuming CPU resources."  Fixed upstream
Aug11.  This doesn't affect mod_ssl with Apache 1.3

        CAN-2004-0748 Affects: FC1
        CAN-2004-0748 Affects: FC2
Comment 1 Robert Scheck 2004-09-02 13:13:55 EDT
Created attachment 103399 [details]
httpd-2.0.50-ssl_engine_io.patch

This patch should fix CAN-2004-0748, I currently can't find this patch it in
httpd-2.0.50-5...
Comment 2 Joe Orton 2004-09-03 04:20:33 EDT
There will be a 2.0.51 release soon so the current plan is to wait for
that and update to it, since neither of the mod_ssl issues look to be
exploitable.
Comment 3 Joe Orton 2004-09-15 11:35:56 EDT
2.0.51 is now released which fixes:

 * core: CAN-2004-0747
 * mod_dav_fs: CAN-2004-0809
 * mod_ssl: CAN-2004-0751, CAN-2004-0748

along with an apr-util update which fixes CAN-2004-0786.  Updates are
being prepared.
Comment 4 Joe Orton 2004-09-17 12:30:22 EDT
Packages are now available for FC2 from the testing repos:

http://www.redhat.com/archives/fedora-test-list/2004-September/msg00610.html

please post any feedback from testing these to this bug report.
Comment 5 Joe Orton 2004-09-23 14:21:22 EDT
2.0.51-2.7 updates issued, which include the fix for the CAN-2004-0811
regression in upstream 2.0.51.

Note You need to log in before you can comment on or make changes to this bug.