First published: Wed Nov 11 2009(Updated: )
The Apache HTTP Server is a popular Web server.<br>A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure<br>Sockets Layer) protocols handle session renegotiation. A man-in-the-middle<br>attacker could use this flaw to prefix arbitrary plain text to a client's<br>session (for example, an HTTPS connection to a website). This could force<br>the server to process an attacker's request as if authenticated using the<br>victim's credentials. This update partially mitigates this flaw for SSL<br>sessions to HTTP servers using mod_ssl by rejecting client-requested<br>renegotiation. (CVE-2009-3555)<br>Note: This update does not fully resolve the issue for HTTPS servers. An<br>attack is still possible in configurations that require a server-initiated<br>renegotiation. Refer to the following Knowledgebase article for further<br>information: <a href="http://kbase.redhat.com/faq/docs/DOC-20491" target="_blank">http://kbase.redhat.com/faq/docs/DOC-20491</a> A denial of service flaw was found in the Apache mod_deflate module. This<br>module continued to compress large files until compression was complete,<br>even if the network connection that requested the content was closed before<br>compression completed. This would cause mod_deflate to consume large<br>amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)<br>A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp<br>module. A malicious FTP server to which requests are being proxied could<br>use this flaw to crash an httpd child process via a malformed reply to the<br>EPSV or PASV commands, resulting in a limited denial of service.<br>(CVE-2009-3094)<br>A second flaw was found in the Apache mod_proxy_ftp module. In a reverse<br>proxy configuration, a remote attacker could use this flaw to bypass<br>intended access restrictions by creating a carefully-crafted HTTP<br>Authorization header, allowing the attacker to send arbitrary commands to<br>the FTP server. (CVE-2009-3095)<br>All httpd users should upgrade to these updated packages, which contain<br>backported patches to correct these issues. After installing the updated<br>packages, the httpd daemon must be restarted for the update to take effect.
Affected Software | Affected Version | How to fix |
---|
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.