USN-802-1 fixed vulnerabilities in Apache. The upstream fix for CVE-2009-1891 introduced a regression that would cause Apache children to occasionally segfault when mod_deflate is used. This update fixes the problem.

We apologize for the inconvenience.

It was discovered that mod_proxy_http did not properly handle a large amount of streamed data when used as a reverse proxy. A remote attacker could exploit this and cause a denial of service via memory resource consumption. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04. (CVE-2009-1890)

It was discovered that mod_deflate did not abort compressing large files when the connection was closed. A remote attacker could exploit this and cause a denial of service via CPU resource consumption. (CVE-2009-1891).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of the Apache webserver fixes various security issues :

  - the option IncludesNOEXEC could be bypassed via     .htaccess (CVE-2009-1195) 

  - mod_proxy could run into an infinite loop when used as     reverse proxy (CVE-2009-1890) 

  - mod_deflate continued to compress large files even after     a network connection was closed, causing mod_deflate to     consume large amounts of CPU (CVE-2009-1891)

  - The ap_proxy_ftp_handler function in     modules/proxy/proxy_ftp.c in the mod_proxy_ftp module     allows remote FTP servers to cause a denial of service     (NULL pointer dereference and child process crash) via a     malformed reply to an EPSV command. (CVE-2009-3094)

  - access restriction bypass in mod_proxy_ftp module     (CVE-2009-3095)

Updated httpd packages that fix multiple security issues and a bug are now available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular Web server. The httpd package shipped with Red Hat Enterprise Linux 3 contains embedded copies of the Apache Portable Runtime (APR) libraries, which provide a free library of C data structures and routines, and also additional utility interfaces to support XML parsing, LDAP, database interfaces, URI parsing, and more.

Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the Apache Portable Runtime (APR) manages memory pool and relocatable memory allocations. An attacker could use these flaws to issue a specially crafted request for memory allocation, which would lead to a denial of service (application crash) or, potentially, execute arbitrary code with the privileges of an application using the APR libraries. (CVE-2009-2412)

A denial of service flaw was found in the Apache mod_deflate module.
This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)

This update also fixes the following bug :

* in some cases the Content-Length header was dropped from HEAD responses. This resulted in certain sites not working correctly with mod_proxy, such as www.windowsupdate.com. (BZ#506016)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

From Red Hat Security Advisory 2009:1580 :

Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation.
A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update partially mitigates this flaw for SSL sessions to HTTP servers using mod_ssl by rejecting client-requested renegotiation.
(CVE-2009-3555)

Note: This update does not fully resolve the issue for HTTPS servers.
An attack is still possible in configurations that require a server-initiated renegotiation. Refer to the following Knowledgebase article for further information:
http://kbase.redhat.com/faq/docs/DOC-20491

A denial of service flaw was found in the Apache mod_deflate module.
This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)

A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service. (CVE-2009-3094)

A second flaw was found in the Apache mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server. (CVE-2009-3095)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

This update includes the latest release of the Apache HTTP Server, version 2.2.13, fixing several security issues: * Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. (CVE-2009-1891) * Prevent the 'Includes' Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it. (CVE-2009-1195) * Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration, where a remote attacker can force a proxy process to consume CPU time indefinitely. (CVE-2009-1890) * mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body. (CVE-2009-1191) Many bug fixes are also included; see the upstream changelog for further details:
http://www.apache.org/dist/httpd/CHANGES_2.2.13

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of the Apache webserver fixes various security issues :

  - mod_proxy could run into an infinite loop when used as     reverse proxy. (CVE-2009-1890) 

  - mod_deflate continued to compress large files even after     a network connection was closed, causing mod_deflate to     consume large amounts of CPU. (CVE-2009-1891)

  - The ap_proxy_ftp_handler function in     modules/proxy/proxy_ftp.c in the mod_proxy_ftp module     allows remote FTP servers to cause a denial of service     (NULL pointer dereference and child process crash) via a     malformed reply to an EPSV command. (CVE-2009-3094)

  - access restriction bypass in mod_proxy_ftp module.
    (CVE-2009-3095)

- CVE-2009-1890     A denial of service flaw was found in the Apache     mod_proxy module when it was used as a reverse proxy. A     remote attacker could use this flaw to force a proxy     process to consume large amounts of CPU time. This issue     did not affect Debian 4.0 'etch'.

  - CVE-2009-1891     A denial of service flaw was found in the Apache     mod_deflate module. This module continued to compress     large files until compression was complete, even if the     network connection that requested the content was closed     before compression completed. This would cause     mod_deflate to consume large amounts of CPU if     mod_deflate was enabled for a large file. A similar flaw     related to HEAD requests for compressed content was also     fixed.

The oldstable distribution (etch), these problems have been fixed in version 2.2.3-4+etch9.

According to its banner, the version of Apache 2.0.x running on the remote host is prior to 2.0.64. It is, therefore, affected by the following vulnerabilities :

  - An unspecified error exists in the handling of requests     without a path segment. (CVE-2010-1452)

  - Several modules, including 'mod_deflate', are     vulnerable to a denial of service attack as the     server can be forced to utilize CPU time compressing     a large file after client disconnect. (CVE-2009-1891)

  - An unspecified error exists in 'mod_proxy' related to     filtration of authentication credentials.     (CVE-2009-3095)  
  - A NULL pointer dereference issue exists in     'mod_proxy_ftp' in some error handling paths.
    (CVE-2009-3094)

  - An error exists in 'mod_ssl' making the server     vulnerable to the TLC renegotiation prefix injection     attack. (CVE-2009-3555)

  - An error exists in the handling of subrequests such     that the parent request headers may be corrupted.
    (CVE-2010-0434)

  - An error exists in 'mod_proxy_http' when handling excessive     interim responses making it vulnerable to a denial of     service attack. (CVE-2008-2364)

  - An error exists in 'mod_isapi' that allows the module     to be unloaded too early, which leaves orphaned callback     pointers. (CVE-2010-0425)

  - An error exists in 'mod_proxy_ftp' when wildcards are     in an FTP URL, which allows for cross-site scripting     attacks. (CVE-2008-2939)

Note that the remote web server may not actually be affected by these vulnerabilities.  Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2009:1580 advisory.

    The Apache HTTP Server is a popular Web server.

    A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure     Sockets Layer) protocols handle session renegotiation. A man-in-the-middle     attacker could use this flaw to prefix arbitrary plain text to a client's     session (for example, an HTTPS connection to a website). This could force     the server to process an attacker's request as if authenticated using the     victim's credentials. This update partially mitigates this flaw for SSL     sessions to HTTP servers using mod_ssl by rejecting client-requested     renegotiation. (CVE-2009-3555)

    Note: This update does not fully resolve the issue for HTTPS servers. An     attack is still possible in configurations that require a server-initiated     renegotiation. Refer to the following Knowledgebase article for further     information: http://kbase.redhat.com/faq/docs/DOC-20491

    A denial of service flaw was found in the Apache mod_deflate module. This     module continued to compress large files until compression was complete,     even if the network connection that requested the content was closed before     compression completed. This would cause mod_deflate to consume large     amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)

    A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp     module. A malicious FTP server to which requests are being proxied could     use this flaw to crash an httpd child process via a malformed reply to the     EPSV or PASV commands, resulting in a limited denial of service.
    (CVE-2009-3094)

    A second flaw was found in the Apache mod_proxy_ftp module. In a reverse     proxy configuration, a remote attacker could use this flaw to bypass     intended access restrictions by creating a carefully-crafted HTTP     Authorization header, allowing the attacker to send arbitrary commands to     the FTP server. (CVE-2009-3095)

    All httpd users should upgrade to these updated packages, which contain     backported patches to correct these issues. After installing the updated     packages, the httpd daemon must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate

CVE-2009-3094 httpd: NULL pointer defer in mod_proxy_ftp caused by crafted EPSV and PASV reply

CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header

CVE-2009-3555 TLS: MITM attacks via session renegotiation

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation.
A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update partially mitigates this flaw for SSL sessions to HTTP servers using mod_ssl by rejecting client-requested renegotiation.
(CVE-2009-3555)

Note: This update does not fully resolve the issue for HTTPS servers.
An attack is still possible in configurations that require a server-initiated renegotiation. Refer to the following Knowledgebase article for further information:
http://kbase.redhat.com/faq/docs/DOC-20491

A denial of service flaw was found in the Apache mod_deflate module.
This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891) - SL4 only

A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp module. A malicious FTP server to which requests are being proxied could use this flaw to crash an httpd child process via a malformed reply to the EPSV or PASV commands, resulting in a limited denial of service. (CVE-2009-3094)

A second flaw was found in the Apache mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server. (CVE-2009-3095)

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

According to its banner, the version of Apache 2.2.x. running on the remote host is prior to 2.2.12. It is, therefore, affected by the following vulnerabilities :

  - A heap-based buffer underwrite flaw exists in the     function 'apr_strmatch_precompile()' in the bundled copy     of the APR-util library, which could be triggered when     parsing configuration data to crash the daemon.
    (CVE-2009-0023)

  - A flaw in the mod_proxy_ajp module in version 2.2.11     only may allow a remote attacker to obtain sensitive     response data intended for a client that sent an     earlier POST request with no request body.
    (CVE-2009-1191)

  - The server does not limit the use of directives in a     .htaccess file as expected based on directives such     as 'AllowOverride' and 'Options' in the configuration     file, which could enable a local user to bypass     security restrictions. (CVE-2009-1195)

  - Failure to properly handle an amount of streamed data     that exceeds the Content-Length value allows a remote     attacker to force a proxy process to consume CPU time     indefinitely when mod_proxy is used in a reverse proxy     configuration. (CVE-2009-1890)

  - Failure of mod_deflate to stop compressing a file when     the associated network connection is closed may allow a     remote attacker to consume large amounts of CPU if     there is a large (>10 MB) file available that has     mod_deflate enabled. (CVE-2009-1891)

  - Using a specially crafted XML document with a large     number of nested entities, a remote attacker may be     able to consume an excessive amount of memory due to     a flaw in the bundled expat XML parser used by the     mod_dav and mod_dav_svn modules. (CVE-2009-1955)

  - There is an off-by-one overflow in the function     'apr_brigade_vprintf()' in the bundled copy of the     APR-util library in the way it handles a variable list     of arguments, which could be leveraged on big-endian     platforms to perform information disclosure or denial     of service attacks. (CVE-2009-1956)

Note that Nessus has relied solely on the version in the Server response header and did not try to check for the issues themselves or even whether the affected modules are in use.

A denial of service flaw was found in the Apache mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time.
(CVE-2009-1890)

A denial of service flaw was found in the Apache mod_deflate module.
This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

It was discovered that mod_proxy_http did not properly handle a large amount of streamed data when used as a reverse proxy. A remote attacker could exploit this and cause a denial of service via memory resource consumption. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04. (CVE-2009-1890)

It was discovered that mod_deflate did not abort compressing large files when the connection was closed. A remote attacker could exploit this and cause a denial of service via CPU resource consumption.
(CVE-2009-1891).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of the Apache webserver fixes various security issues :

  - the option IncludesNOEXEC could be bypassed via     .htaccess. (CVE-2009-1195)

  - mod_proxy could run into an infinite loop when used as     reverse proxy. (CVE-2009-1890)

  - mod_deflate continued to compress large files even after     a network connection was closed, causing mod_deflate to     consume large amounts of CPU. (CVE-2009-1891)

  - The ap_proxy_ftp_handler function in     modules/proxy/proxy_ftp.c in the mod_proxy_ftp module     allows remote FTP servers to cause a denial of service     (NULL pointer dereference and child process crash) via a     malformed reply to an EPSV command. (CVE-2009-3094)

  - access restriction bypass in mod_proxy_ftp module     (CVE-2009-3095)

Updated httpd packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A denial of service flaw was found in the Apache mod_proxy module when it was used as a reverse proxy. A remote attacker could use this flaw to force a proxy process to consume large amounts of CPU time.
(CVE-2009-1890)

A denial of service flaw was found in the Apache mod_deflate module.
This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)

All httpd users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2009-1148 advisory.

    [2.2.3-22.0.1.el5_3.2]
    - Replace index.html with Oracle's index page oracle_index.html
    - Update vstring and distro in specfile

    [2.2.3-22.el5_3.2]
    - add security fixes for CVE-2009-1890, CVE-2009-1891 (#509782)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2009-006 applied.

This security update contains fixes for the following products :

  - AFP Client
  - Adaptive Firewall
  - Apache
  - Apache Portable Runtime
  - ATS
  - Certificate Assistant
  - CoreGraphics
  - CUPS
  - Dictionary
  - DirectoryService
  - Disk Images
  - Event Monitor
  - fetchmail
  - FTP Server
  - Help Viewer
  - International Components for Unicode
  - IOKit
  - IPSec
  - libsecurity
  - libxml
  - OpenLDAP
  - OpenSSH
  - PHP
  - QuickDraw Manager
  - QuickLook
  - FreeRADIUS
  - Screen Sharing
  - Spotlight
  - Subversion

ID	名称	产品	系列	发布时间	最近更新时间	严重程度
40655	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : apache2 regression (USN-802-2)	Nessus	Ubuntu Local Security Checks	2009/8/20	2021/1/19	high
42248	openSUSE Security Update : apache2 (apache2-1419)	Nessus	SuSE Local Security Checks	2009/10/26	2021/1/14	high
40532	CentOS 3 : httpd (CESA-2009:1205)	Nessus	CentOS Local Security Checks	2009/8/11	2021/1/4	critical
67959	Oracle Linux 4 : httpd (ELSA-2009-1580)	Nessus	Oracle Linux Local Security Checks	2013/7/12	2021/1/14	high
40833	Fedora 11 : httpd-2.2.13-1.fc11 (2009-8812)	Nessus	Fedora Local Security Checks	2009/9/2	2021/1/11	high
42243	SuSE9 Security Update : Apache 2 (YOU Patch Number 12526)	Nessus	SuSE Local Security Checks	2009/10/26	2021/1/14	high
44699	Debian DSA-1834-1 : apache2 - denial of service	Nessus	Debian Local Security Checks	2010/2/24	2021/1/4	high
50069	Apache 2.0.x < 2.0.64 Multiple Vulnerabilities	Nessus	Web Servers	2010/10/20	2018/6/29	high
42470	RHEL 4 : httpd (RHSA-2009:1580)	Nessus	Red Hat Local Security Checks	2009/11/12	2024/11/4	critical
60695	Scientific Linux Security Update : httpd on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	2012/8/1	2021/1/14	high
40467	Apache 2.2.x < 2.2.12 Multiple Vulnerabilities	Nessus	Web Servers	2009/8/2	2020/4/27	high
60614	Scientific Linux Security Update : httpd on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	2012/8/1	2021/1/14	high
39789	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : apache2 vulnerabilities (USN-802-1)	Nessus	Ubuntu Local Security Checks	2009/7/14	2021/1/19	high
42252	SuSE 11 Security Update : Apache 2 (SAT Patch Number 1417)	Nessus	SuSE Local Security Checks	2009/10/26	2021/1/14	high
43768	CentOS 5 : httpd (CESA-2009:1148)	Nessus	CentOS Local Security Checks	2010/1/6	2021/1/4	high
67890	Oracle Linux 5 : httpd (ELSA-2009-1148)	Nessus	Oracle Linux Local Security Checks	2013/7/12	2024/10/23	high
42433	Mac OS X Multiple Vulnerabilities (Security Update 2009-006)	Nessus	MacOS X Local Security Checks	2009/11/9	2024/5/28	critical

检测

插件搜索

high

high

critical

high

high

high

high

high

critical

high

high

high

high

high

high

high

critical