5 - DSA-558

Executive Summary

Summary
Title	New libapache-mod-dav packages fix potential denial of service

Informations
Name	DSA-558	First vendor Publication	2004-10-06
Vendor	Debian	Last vendor Modification	2004-10-06
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score	5	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Julian Reschke reported a problem in mod_dav of Apache 2 in connection with a NULL pointer dereference. When running in a threaded model, especially with Apache 2, a segmentation fault can take out a whole process and hence create a denial of service for the whole server.

For the stable distribution (woody) this problem has been fixed in version 1.0.3-3.1.

For the unstable distribution (sid) this problem has been fixed in version 1.0.3-10 of libapache-mod-dav and in version 2.0.51-1 of Apache 2.

We recommend that you upgrade your mod_dav packages.

Original Source

Url : http://www.debian.org/security/2004/dsa-558

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:9588

Oval ID:	oval:org.mitre.oval:def:9588
Title:	The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.
Description:	The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2004-0809	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3	Product(s):
Definition Synopsis:
RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section httpd-devel is earlier than 0:2.0.46-40.ent AND mod_ssl is earlier than 1:2.0.46-40.ent AND httpd is earlier than 0:2.0.46-40.ent

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apache Http Server cpe:2.3:a:apache:http_server:2.0.9:::::::* cpe:2.3:a:apache:http_server:2.0.50:::::::* cpe:2.3:a:apache:http_server:2.0.49:::::::* cpe:2.3:a:apache:http_server:2.0.48:::::::* cpe:2.3:a:apache:http_server:2.0.47:::::::* cpe:2.3:a:apache:http_server:2.0.46:::::::* cpe:2.3:a:apache:http_server:2.0.46::win32::::: cpe:2.3:a:apache:http_server:2.0.45:::::::* cpe:2.3:a:apache:http_server:2.0.44:::::::* cpe:2.3:a:apache:http_server:2.0.43:::::::* cpe:2.3:a:apache:http_server:2.0.42:::::::* cpe:2.3:a:apache:http_server:2.0.41:::::::* cpe:2.3:a:apache:http_server:2.0.40:::::::* cpe:2.3:a:apache:http_server:2.0.39:::::::* cpe:2.3:a:apache:http_server:2.0.38:::::::* cpe:2.3:a:apache:http_server:2.0.37:::::::* cpe:2.3:a:apache:http_server:2.0.36:::::::* cpe:2.3:a:apache:http_server:2.0.35:::::::* cpe:2.3:a:apache:http_server:2.0.34:beta:::::: cpe:2.3:a:apache:http_server:2.0.34:beta:win32:::::* cpe:2.3:a:apache:http_server:2.0.34:::::::* cpe:2.3:a:apache:http_server:2.0.33:::::::* cpe:2.3:a:apache:http_server:2.0.32:beta:::::: cpe:2.3:a:apache:http_server:2.0.32:::::::* cpe:2.3:a:apache:http_server:2.0.32:beta:win32:::::* cpe:2.3:a:apache:http_server:2.0.31:::::::* cpe:2.3:a:apache:http_server:2.0.30:::::::* cpe:2.3:a:apache:http_server:2.0.29:::::::* cpe:2.3:a:apache:http_server:2.0.28:beta:::::: cpe:2.3:a:apache:http_server:2.0.28:::::::* cpe:2.3:a:apache:http_server:2.0.28:beta:win32:::::* cpe:2.3:a:apache:http_server:2.0.27:::::::* cpe:2.3:a:apache:http_server:2.0.26:::::::* cpe:2.3:a:apache:http_server:2.0.25:::::::* cpe:2.3:a:apache:http_server:2.0.24:::::::* cpe:2.3:a:apache:http_server:2.0.23:::::::* cpe:2.3:a:apache:http_server:2.0.22:::::::* cpe:2.3:a:apache:http_server:2.0.21:::::::* cpe:2.3:a:apache:http_server:2.0.20:::::::* cpe:2.3:a:apache:http_server:2.0.19:::::::* cpe:2.3:a:apache:http_server:2.0.18:::::::* cpe:2.3:a:apache:http_server:2.0.17:::::::* cpe:2.3:a:apache:http_server:2.0.16:::::::* cpe:2.3:a:apache:http_server:2.0.15:::::::* cpe:2.3:a:apache:http_server:2.0.14:::::::* cpe:2.3:a:apache:http_server:2.0.13:::::::* cpe:2.3:a:apache:http_server:2.0.12:::::::* cpe:2.3:a:apache:http_server:2.0.11:::::::* cpe:2.3:a:apache:http_server:2.0.0:::::::* cpe:2.3:a:apache:http_server:2.0:::::::* cpe:2.3:a:apache:http_server:2.0:alpha9:::::: cpe:2.3:a:apache:http_server:1.99:::::::* cpe:2.3:a:apache:http_server:1.4.0:::::::* cpe:2.3:a:apache:http_server:1.3.9:::::::* cpe:2.3:a:apache:http_server:1.3.9::win32::::: cpe:2.3:a:apache:http_server:1.3.8:::::::* cpe:2.3:a:apache:http_server:1.3.7:::::::* cpe:2.3:a:apache:http_server:1.3.7::dev::::: cpe:2.3:a:apache:http_server:1.3.68:::::::* cpe:2.3:a:apache:http_server:1.3.65:::::::* cpe:2.3:a:apache:http_server:1.3.6:::::::* cpe:2.3:a:apache:http_server:1.3.6::win32::::: cpe:2.3:a:apache:http_server:1.3.5:::::::* cpe:2.3:a:apache:http_server:1.3.42:::::::* cpe:2.3:a:apache:http_server:1.3.41:::::::* cpe:2.3:a:apache:http_server:1.3.40:::::::* cpe:2.3:a:apache:http_server:1.3.4:::::::* cpe:2.3:a:apache:http_server:1.3.39:::::::* cpe:2.3:a:apache:http_server:1.3.38:::::::* cpe:2.3:a:apache:http_server:1.3.37:::::::* cpe:2.3:a:apache:http_server:1.3.36:::::::* cpe:2.3:a:apache:http_server:1.3.35:::::::* cpe:2.3:a:apache:http_server:1.3.34:::::::* cpe:2.3:a:apache:http_server:1.3.33:::::::* cpe:2.3:a:apache:http_server:1.3.32:::::::* cpe:2.3:a:apache:http_server:1.3.31:::::::* cpe:2.3:a:apache:http_server:1.3.30:::::::* cpe:2.3:a:apache:http_server:1.3.3:::::::* cpe:2.3:a:apache:http_server:1.3.29:::::::* cpe:2.3:a:apache:http_server:1.3.28:::::::* cpe:2.3:a:apache:http_server:1.3.27:::::::* cpe:2.3:a:apache:http_server:1.3.26:::::::* cpe:2.3:a:apache:http_server:1.3.26::win32::::: cpe:2.3:a:apache:http_server:1.3.25:::::::* cpe:2.3:a:apache:http_server:1.3.25::win32::::: cpe:2.3:a:apache:http_server:1.3.24:::::::* cpe:2.3:a:apache:http_server:1.3.24::win32::::: cpe:2.3:a:apache:http_server:1.3.23:::::::* cpe:2.3:a:apache:http_server:1.3.23::win32::::: cpe:2.3:a:apache:http_server:1.3.22:::::::* cpe:2.3:a:apache:http_server:1.3.22::win32::::: cpe:2.3:a:apache:http_server:1.3.20:::::::* cpe:2.3:a:apache:http_server:1.3.20::win32::::: cpe:2.3:a:apache:http_server:1.3.2:::::::* cpe:2.3:a:apache:http_server:1.3.19:::::::* cpe:2.3:a:apache:http_server:1.3.19::win32::::: cpe:2.3:a:apache:http_server:1.3.18:::::::* cpe:2.3:a:apache:http_server:1.3.18::win32::::: cpe:2.3:a:apache:http_server:1.3.17:::::::* cpe:2.3:a:apache:http_server:1.3.17::win32::::: cpe:2.3:a:apache:http_server:1.3.16:::::::* cpe:2.3:a:apache:http_server:1.3.16::win32::::: cpe:2.3:a:apache:http_server:1.3.15:::::::* cpe:2.3:a:apache:http_server:1.3.15::win32::::: cpe:2.3:a:apache:http_server:1.3.14:::::::* cpe:2.3:a:apache:http_server:1.3.14::win32::::: cpe:2.3:a:apache:http_server:1.3.14::mac_os::::: cpe:2.3:a:apache:http_server:1.3.13:::::::* cpe:2.3:a:apache:http_server:1.3.13::win32::::: cpe:2.3:a:apache:http_server:1.3.12:::::::* cpe:2.3:a:apache:http_server:1.3.12::win32::::: cpe:2.3:a:apache:http_server:1.3.11:::::::* cpe:2.3:a:apache:http_server:1.3.11::win32::::: cpe:2.3:a:apache:http_server:1.3.10:::::::* cpe:2.3:a:apache:http_server:1.3.1.1:::::::* cpe:2.3:a:apache:http_server:1.3.1:::::::* cpe:2.3:a:apache:http_server:1.3.0:::::::* cpe:2.3:a:apache:http_server:1.3:::::::* cpe:2.3:a:apache:http_server:1.2.9:::::::* cpe:2.3:a:apache:http_server:1.2.6:::::::* cpe:2.3:a:apache:http_server:1.2.5:::::::* cpe:2.3:a:apache:http_server:1.2.4:::::::* cpe:2.3:a:apache:http_server:1.2.0:::::::* cpe:2.3:a:apache:http_server:1.15.17:::::::* cpe:2.3:a:apache:http_server:1.1.1:::::::* cpe:2.3:a:apache:http_server:1.1:::::::* cpe:2.3:a:apache:http_server:1.0.5:::::::* cpe:2.3:a:apache:http_server:1.0.3:::::::* cpe:2.3:a:apache:http_server:1.0.2:::::::* cpe:2.3:a:apache:http_server:1.0:::::::* cpe:2.3:a:apache:http_server:0.8.14:::::::* cpe:2.3:a:apache:http_server:0.8.11:::::::* cpe:2.3:a:apache:http_server:::::::: cpe:2.3:a:apache:http_server:::win32:::::* cpe:2.3:a:apache:http_server:-:::::::*	135
Application	Hp Secure Web Server For Tru64 cpe:2.3:a:hp:secure_web_server_for_tru64:6.3.0:::::::* cpe:2.3:a:hp:secure_web_server_for_tru64:5.9.2:::::::* cpe:2.3:a:hp:secure_web_server_for_tru64:5.9.1:::::::* cpe:2.3:a:hp:secure_web_server_for_tru64:5.8.2:::::::* cpe:2.3:a:hp:secure_web_server_for_tru64:5.8.1:::::::* cpe:2.3:a:hp:secure_web_server_for_tru64:5.1_a:::::::* cpe:2.3:a:hp:secure_web_server_for_tru64:5.1:::::::* cpe:2.3:a:hp:secure_web_server_for_tru64:5.0_a:::::::* cpe:2.3:a:hp:secure_web_server_for_tru64:4.0_g:::::::* cpe:2.3:a:hp:secure_web_server_for_tru64:4.0_f:::::::*	10
Os	Debian Debian Linux cpe:2.3:o:debian:debian_linux:3.0:::::::*	1
Os	Gentoo Linux cpe:2.3:o:gentoo:linux:1.4:::::::*	1
Os	Hp Hp-Ux cpe:2.3:o:hp:hp-ux:11.23::ia64_64-bit::::: cpe:2.3:o:hp:hp-ux:11.22:::::::* cpe:2.3:o:hp:hp-ux:11.11:::::::* cpe:2.3:o:hp:hp-ux:11.00:::::::*	4
Os	Mandrakesoft Mandrake Linux cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:::::::* cpe:2.3:o:mandrakesoft:mandrake_linux:10.0::amd64::::: cpe:2.3:o:mandrakesoft:mandrake_linux:9.2:::::::* cpe:2.3:o:mandrakesoft:mandrake_linux:9.2::amd64:::::	4
Os	Redhat Enterprise Linux cpe:2.3:o:redhat:enterprise_linux:3.0::enterprise_server::::: cpe:2.3:o:redhat:enterprise_linux:3.0::workstation_server::::: cpe:2.3:o:redhat:enterprise_linux:3.0::advanced_server:::::	3
Os	Redhat Enterprise Linux Desktop cpe:2.3:o:redhat:enterprise_linux_desktop:3.0:::::::*	1
Os	Trustix Secure Linux cpe:2.3:o:trustix:secure_linux:2.1:::::::* cpe:2.3:o:trustix:secure_linux:2.0:::::::*	2
Os	Turbolinux Turbolinux Desktop cpe:2.3:o:turbolinux:turbolinux_desktop:10.0:::::::*	1
Os	Turbolinux Turbolinux Home cpe:2.3:o:turbolinux:turbolinux_home::::::::	1
Os	Turbolinux Turbolinux Server cpe:2.3:o:turbolinux:turbolinux_server:10.0:::::::*	1

OpenVAS Exploits

Date	Description
2009-10-10	Name : SLES9: Security update for Apache 2 File : nvt/sles9p5009547.nasl
2009-10-10	Name : SLES9: Security update for webdav apache module File : nvt/sles9p5013988.nasl
2009-05-05	Name : HP-UX Update for Apache with PHP HPSBUX01090 File : nvt/gb_hp_ux_HPSBUX01090.nasl
2008-09-24	Name : Gentoo Security Advisory GLSA 200409-21 (apache) File : nvt/glsa_200409_21.nasl
2008-09-04	Name : FreeBSD Ports: apache File : nvt/freebsd_apache4.nasl
2008-01-17	Name : Debian Security Advisory DSA 558-1 (libapache-mod-dav) File : nvt/deb_558_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
9948	mod_dav for Apache HTTP Server LOCK Request DoS Apache mod_dav contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends a particular sequence of LOCK requests and will result in loss of availability for the httpd child process.

Nessus® Vulnerability Scanner

Date	Description
2009-09-24	Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_9363.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_013fa252072411d9b45d000c41e2cdad.nasl - Type : ACT_GATHER_INFO
2004-11-10	Name : The remote Debian host is missing a security-related update. File : debian_DSA-558.nasl - Type : ACT_GATHER_INFO
2004-09-24	Name : The remote Fedora Core host is missing a security update. File : fedora_2004-313.nasl - Type : ACT_GATHER_INFO
2004-09-17	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200409-21.nasl - Type : ACT_GATHER_INFO
2004-09-16	Name : The remote web server is affected by multiple vulnerabilities. File : apache_2_0_51.nasl - Type : ACT_GATHER_INFO
2004-09-16	Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2004-096.nasl - Type : ACT_GATHER_INFO
2004-09-15	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2004-463.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:33:28	Multiple Updates

Global Informations

Type	Count
Oval ID(s)	1
CPE ID(s)	164
osvdb(s)	1
Openvas Exploit(s)	6
Nessus® Exploit(s)	8

	Related
5	CVE-2004-0809
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)

5 - DSA-558

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU