mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop.

Skip to content

*   *   Console
    *   Support
    *   Developers
    *   Partner Connect
    *   redhat.com
    *   Start a trial
    

Contact us

Welcome,

Log in to your Red Hat account

Log in

Your Red Hat account gives you access to your member profile and preferences, and the following services based on your customer status:

*   Customer Portal
*   User management

*   Certification Central

Register now

Not registered yet? Here are a few reasons why you should be:

*   Browse Knowledgebase articles, manage support cases and subscriptions, download updates, and more from one place.
*   View users in your organization, and edit their account information, preferences, and permissions.
*   Manage your Red Hat certifications, view exam history, and download certification-related logos and documents.

For your security, if you're on a public computer and have finished using your Red Hat services, please be sure to log out.

Log out

Account Log in

*   Products
*   Solutions
*   Services & support
*   Resources
*   Partners
*   About

**Red Hat Support****Go beyond support by engaging with our experts**

Our teams collaborate with you to ensure you accomplish your goals with Red Hat solutions. The relationship we build with you is designed to provide you with the tools and resources you need to find success on your IT journey.

**Configured for your success**

We develop a holistic understanding of your experience as a customer by ensuring our support and engineering teams work together.

Our support team works hand in hand with the best engineers in the industry to quickly turn customer feedback into product improvements. This direct line of communication allows us to hone in on proactive fixes that can impact your bottom line.

**Find the right level of support**

We have different tiers of support designed to meet your unique needs.

**Self-support**

**Standard**

**Premium**

Access to Red Hat products

Access to our knowledgebase and tools in our  
award-winning Customer Portal

Access to support engineers during standard business hours

Access to support engineers 24x7 for high-severity issues

We also feature specialized support options that can be tailored to the unique needs of companies of all sizes and industries. The Red Hat® Enhanced Solution Support offering reduces downtime and boosts confidence through access to senior level engineers, as well as resolution and restoration SLAs—helping you stay up and running as you innovate, scale, and deploy. Our engineers help restore your operations quickly and accelerate the path to final resolution, identifying the root cause which helps protect against recurrences in the future. Enhanced Solution Support engineers, who are already familiar with your environment, will be there to assist with critical issues in production environments so that you can consistently deliver the cloud services your customers demand. This offering is available for Red Hat OpenShift® and Red Hat OpenStack® Platform customers.

**Personalized support**

Connect with a technical adviser for collaborative planning and specialized guidance. Our Technical Account Managers help you streamline deployments, resolve issues, and shape your technology strategy to meet your toughest business challenges.

Explore Technical Account Management

**Award winners since 2011**

We’ve evolved the traditional software subscription model, combining the best elements of our services to exceed customer expectations. The Association of Support Professionals has honored Red Hat’s Customer Portal as one of “The Top Ten Best Support Websites” for 9 years running.

See why the Customer Portal keeps earning industry recognition

**What they're saying**

> We have found the support from Red Hat to be exemplary. Whenever we need anything from them, they have given it … Red Hat is now our backbone. Our business cannot run if Red Hat is not there.

> We cannot afford the service to go down. Too many people depend on it. Red Hat is a trusted vendor. Our customers can have faith in us...If there is an issue, Red Hat support means it can be addressed quickly.

**Check out our support channels**

**Have questions?**

CVE-2004-0748: Support

The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.

Several vulnerabilities have been found in Apache 2 and mod\_dav for Apache 1.3 which could allow a remote attacker to cause a Denial of Service or a local user to get escalated privileges.

The Apache HTTP server is one of most popular web servers on the internet. mod\_ssl provides SSL v2/v3 and TLS v1 support for it and mod\_dav is the Apache module for Distributed Authoring and Versioning (DAV).

A potential infinite loop has been found in the input filter of mod\_ssl (CAN-2004-0748) as well as a possible segmentation fault in the char\_buffer\_read function if reverse proxying to a SSL server is being used (CAN-2004-0751). Furthermore, mod\_dav, as shipped in Apache httpd 2 or mod\_dav 1.0.x for Apache 1.3, contains a NULL pointer dereference which can be triggered remotely (CAN-2004-0809). The third issue is an input validation error found in the IPv6 URI parsing routines within the apr-util library (CAN-2004-0786). Additionally a possible buffer overflow has been reported when expanding environment variables during the parsing of configuration files (CAN-2004-0747).

A remote attacker could cause a Denial of Service either by aborting a SSL connection in a special way, resulting in CPU consumption, by exploiting the segmentation fault in mod\_ssl or the mod\_dav flaw. A remote attacker could also crash a httpd child process by sending a specially crafted URI. The last vulnerabilty could be used by a local user to gain the privileges of a httpd child, if the server parses a carefully prepared .htaccess file.

There is no known workaround at this time.

All Apache 2 users should upgrade to the latest version:

 # emerge sync

 # emerge -pv ">=www-servers/apache-2.0.51"
 # emerge ">=www-servers/apache-2.0.51"

All mod\_dav users should upgrade to the latest version:

 # emerge sync

 # emerge -pv ">=net-www/mod\_dav-1.0.3-r2"
 # emerge ">=net-www/mod\_dav-1.0.3-r2"

CVE-2004-0809: Multiple vulnerabilities (GLSA 200409-21) — Gentoo security

Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.

Privacy Statement Terms & Conditions Cookie Policy Accessibility Statement Do Not Sell My Personal Information (for CA)

© 2021 Accenture. All Rights Reserved.

CVE-2004-0488: Bugtraq

X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files.

CVE-2003-1229

The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service.

Tag

#ssl