Bug 152774 - CAN-2004-0748 - mod_ssl input filter bug
Summary: CAN-2004-0748 - mod_ssl input filter bug
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: LEGACY
Depends On:
Blocks:
Reported: 2004-09-01 19:41 UTC by Marc Deslauriers
Modified: 2008-05-01 15:38 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description David Lawrence 2005-03-30 23:26:59 UTC
An input filter bug in mod_ssl was discovered in Apache httpd version
2.0.50 and earlier. A remote attacker could force an SSL connection to be
aborted in a particular state and cause an Apache child process to enter an
infinite loop, consuming CPU resources. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0748 to
this issue.

https://rhn.redhat.com/errata/RHSA-2004-349.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748



------- Additional Comments From moixa 2004-09-02 03:55:23 ----

Note the almost one-liner fix here:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964



------- Additional Comments From dwb7.edu 2004-09-02 05:49:46 ----

Built packages for RH7.3:

download from http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/krb5

-DWB




------- Additional Comments From dom 2004-09-07 14:17:01 ----

See also bug 1888.



------- Additional Comments From dwb7.edu 2004-09-07 16:40:20 ----

On the 7.3 side, seems this is covered by CAN-2004-0700 (covered in bug 1888).

reference:
https://rhn.redhat.com/errata/RHSA-2004-408.html



------- Additional Comments From marcdeslauriers 2004-09-10 11:01:38 ----

Looking at the source code for httpd 2.0.40, on which rh9 is based, it appears
this bug does not apply.

I am closing this. If someone thinks the bug applies, it can be reopened.



------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 2041 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2041
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



