PQ90698: Potential denial of service exposure, CAN-2004-0493
 Downloadable files
 
Abstract
Potential denial of service exposure through memory exhaustion and buffer overflow for all current versions of IBM® HTTP Server based on Apache HTTP Server Version 2.0
 
Download Description
PQ90698 resolves the following problems:

DESCRIPTION:
IBM HTTP Server versions based on Apache HTTP Server Version 2.0 are vulnerable to the security exposure described by CAN-2004-0493, documented at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493

The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error, leading to a heap-based buffer overflow on 64 bit systems, when using specific types of header lines and/or specific types of characters in the header lines.
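The C program below is an added illustration, not IBM HTTP Server or Apache code, of the defensive pattern that closes this class of header-parsing exposure: every header line, including folded continuation lines, is counted against fixed limits using unsigned sizes, and each limit is checked before a byte is accepted, so a request cannot drive memory use or a length calculation past what the server intended. The limits, the function names (parse_headers_bounded, demo_folded_block, demo_header_count) and the sample header blocks are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits are hypothetical values chosen for this example, not IHS or Apache settings. */
#define MAX_HEADER_LINE   256   /* bytes per logical header line after unfolding */
#define MAX_HEADER_BYTES  1024  /* bytes accepted for the whole header block      */
#define MAX_HEADER_COUNT  16    /* logical header lines per request               */

enum hdr_status {
    HDR_TOO_LONG = -1,   /* one logical line (with its folds) exceeds MAX_HEADER_LINE */
    HDR_TOO_MANY = -2,   /* more than MAX_HEADER_COUNT logical lines                 */
    HDR_TOO_BIG  = -3,   /* header block exceeds MAX_HEADER_BYTES                    */
    HDR_BAD_CHAR = -4,   /* control character other than tab inside a line           */
    HDR_BAD_FOLD = -5    /* continuation line with no header line to continue        */
};

/* Walk a raw CRLF-separated header block and return the number of logical
 * header lines, or a negative hdr_status.  All lengths are size_t and every
 * limit is checked before the bytes are counted, so an attacker-chosen length
 * can neither wrap nor go negative, and rejected input is never accumulated. */
int parse_headers_bounded(const char *raw, size_t raw_len)
{
    const char *p = raw, *end = raw + raw_len;
    size_t consumed = 0;   /* bytes of the block examined so far         */
    size_t cur_len  = 0;   /* length of the logical line being assembled */
    int count = 0;

    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t phys_len = eol ? (size_t)(eol - p) + 1 : (size_t)(end - p);
        size_t line_len = eol ? phys_len - 1 : phys_len;
        if (line_len && p[line_len - 1] == '\r')
            line_len--;                        /* strip the CR of CRLF */

        consumed += phys_len;
        if (consumed > MAX_HEADER_BYTES) return HDR_TOO_BIG;
        if (line_len == 0) break;              /* blank line ends the header block */

        for (size_t i = 0; i < line_len; i++) {
            unsigned char c = (unsigned char)p[i];
            if (c < 0x20 && c != '\t') return HDR_BAD_CHAR;
        }

        if (p[0] == ' ' || p[0] == '\t') {
            /* folded continuation: extends the current logical line */
            if (cur_len == 0) return HDR_BAD_FOLD;
            if (line_len > MAX_HEADER_LINE - cur_len) return HDR_TOO_LONG;
            cur_len += line_len;
        } else {
            if (count == MAX_HEADER_COUNT) return HDR_TOO_MANY;
            if (line_len > MAX_HEADER_LINE) return HDR_TOO_LONG;
            count++;
            cur_len = line_len;
        }
        p += phys_len;
    }
    return count;
}

/* Constructed input: one header followed by n_folds continuation lines of
 * 16 bytes each (1 space + 15 'a' + CRLF), then the blank terminator. */
int demo_folded_block(int n_folds)
{
    static char buf[4096];
    size_t len = 6;
    memcpy(buf, "X: y\r\n", 6);
    for (int i = 0; i < n_folds && len + 18 + 2 <= sizeof buf; i++) {
        memcpy(buf + len, " aaaaaaaaaaaaaaa\r\n", 18);
        len += 18;
    }
    memcpy(buf + len, "\r\n", 2);
    len += 2;
    return parse_headers_bounded(buf, len);
}

/* Constructed input: n_headers lines of the form "H: vvv...\r\n" with
 * value_len 'v' characters each, then the blank terminator. */
int demo_header_count(int n_headers, size_t value_len)
{
    static char buf[8192];
    size_t len = 0;
    if (value_len > 200) value_len = 200;
    for (int i = 0; i < n_headers; i++) {
        if (len + 3 + value_len + 2 + 2 > sizeof buf) break;
        memcpy(buf + len, "H: ", 3);          len += 3;
        memset(buf + len, 'v', value_len);    len += value_len;
        memcpy(buf + len, "\r\n", 2);         len += 2;
    }
    memcpy(buf + len, "\r\n", 2);
    len += 2;
    return parse_headers_bounded(buf, len);
}

int main(void)
{
    printf("two plain headers      -> %d\n",
           parse_headers_bounded("Host: example.test\r\nX-A: b\r\n\r\n", 30));
    printf("15 folds of 16 bytes   -> %d\n", demo_folded_block(15));
    printf("16 folds of 16 bytes   -> %d\n", demo_folded_block(16));
    printf("17 short headers       -> %d\n", demo_header_count(17, 1));
    printf("16 headers of 66 bytes -> %d\n", demo_header_count(16, 61));
    return 0;
}
```

The point of the two demo helpers is that the same logical-line limit applies whether a line is long on its own or grown through folding, and that the whole-block byte limit catches a request whose lines individually pass. The negative return codes are distinct so a server can log which limit tripped, which is the signal an operator wants when tuning limits or hunting for abusive clients.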

SOLUTIONS:
This CAN-2004-0493 exposure, for all affected versions of IBM HTTP Server, is resolved with this interim fix for APAR PQ90698.

Complete list of changes in this interim fix

  • CAN-2004-0493 remote memory allocation vulnerability
  • rotatelogs ability to use local time
  • <VirtualHost myhost> now applies to all IP addresses for myhost
  • Fix mod_deflate to handle zero length responses (such as 304 response codes)
  • PQ89510 PDF files corrupted with acrobat over SSL (Microsoft® Windows®)
  • Unnecessary mod_expires error message in log
  • Microsoft Windows pool corruption at startup leading to restart problems
  • Some random storage logged for excessively long request line
 
Prerequisites
2.0.42.2-PQ85834 or 2.0.47-PQ85834 or 2.0.47.1
 
URL | Language | Size (bytes)
Recommended fixes for IBM HTTP Server | US English | 100000
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL | Language | Size (bytes)
Readme | US English | 3364
 
Download package
Download | Release date | Language | Size (bytes) | Download options
PQ90698 2.0.42.2 AIX | 7/7/2004 | US English | 4843520 | FTP, DD
PQ90698 2.0.42.2 HPUX | 7/7/2004 | US English | 17438720 | FTP, DD
PQ90698 2.0.42.2 Linux for Intel | 7/7/2004 | US English | 3932160 | FTP, DD
PQ90698 2.0.42.2 Linux zSeries | 7/7/2004 | US English | 4341760 | FTP, DD
PQ90698 2.0.42.2 Linux i/pSeries | 7/7/2004 | US English | 5775360 | FTP, DD
PQ90698 2.0.42.2 Windows | 7/7/2004 | US English | 1504022 | FTP, DD
PQ90698 2.0.42.2 Solaris | 7/7/2004 | US English | 10908160 | FTP, DD
PQ90698 2.0.47.1 AIX | 7/7/2004 | US English | 4618240 | FTP, DD
PQ90698 2.0.47.1 HPUX | 7/7/2004 | US English | 17489920 | FTP, DD
PQ90698 2.0.47.1 Linux for Intel | 7/7/2004 | US English | 3584000 | FTP, DD
PQ90698 2.0.47.1 Linux zSeries | 7/7/2004 | US English | 4188160 | FTP, DD
PQ90698 2.0.47.1 Linux i/pSeries | 7/7/2004 | US English | 4976640 | FTP, DD
PQ90698 2.0.47.1 Windows | 7/7/2004 | US English | 1510490 | FTP, DD
PQ90698 2.0.47.1 Solaris | 7/7/2004 | US English | 10471936 | FTP, DD
 
Technical support
1-800-IBM-SERV (U.S. Only)
 
Cross Reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | WebSphere Application Server | IBM HTTP Server | | |
Problems (APARS) fixed
PQ90698, PQ88381, PQ85834

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Base Server
Operating system(s): Windows XP
Software version: 2.0.47.1
Software edition:
Reference #: 4007451
IBM Group: Software Group
Modified date: Sep 30, 2005