Bugzilla – Bug 738855
VUL-0: apache2: DoS via partial HTTP requests
Last modified: 2013-03-15 12:59:51 UTC
Your friendly security team received the following report via mitre. Please respond ASAP. The issue is public.

-------8<-------
Name: CVE-2007-6750

The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.

Reference: MISC: http://ha.ckers.org/slowloris/
Reference: BUGTRAQ: http://archives.neohapsis.com/archives/bugtraq/2007-01/0229.html
bugbot adjusting priority
*** Bug 741840 has been marked as a duplicate of this bug. ***
The DoS is to be taken seriously, as only few resources are needed on the attacker's side. This vulnerability is being exploited in the wild more often by now, so there is a need to respond. The backport of mod_reqtimeout.c appears to be the most effective approach.

Additional references:
https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_reqtimeout.c?view=markup
https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_reqtimeout.c?revision=1209766&view=co
via http://www.sfritsch.de/mod_reqtimeout/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6750
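For reference, a mod_reqtimeout configuration of the kind the backport makes available (an added illustration, not taken from this bug report or from the SUSE packages; the module path and the timeout values are assumptions chosen for illustration):

```apache
# Load the request-timeout filter (module path is distribution-specific; assumed here)
LoadModule reqtimeout_module modules/mod_reqtimeout.so

<IfModule mod_reqtimeout.c>
    # Request headers: 20 s to start with, extended by 1 s for every 500 bytes
    # received, but never beyond 40 s in total.
    # Request body: 20 s to start with, then at least 500 bytes/s.
    # A client that trickles a partial request slower than this is answered
    # with 408 and disconnected, so it cannot hold a worker slot indefinitely.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

On SUSE systems the module is normally enabled through APACHE_MODULES in /etc/sysconfig/apache2 (or a2enmod reqtimeout) rather than a hand-written LoadModule line; `apache2ctl -M` shows whether reqtimeout_module is actually loaded.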
Created attachment 471495: slowloris.pl exploit script

perl slowloris.pl -dns victim.host.name
The SWAMPID for this issue is 45139. This issue was rated as moderate. Please submit fixed packages by 2012-02-07. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
The SWAMPID for this issue is 45322. This issue was rated as important. Please submit fixed packages by 2012-02-10. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
This is an autogenerated message for OBS integration: This bug (738855) was mentioned in https://build.opensuse.org/request/show/104860 Evergreen:11.2 / apache2
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker, libapr1, libapr1-32bit, libapr1-debuginfo, libapr1-debuginfo-32bit, libapr1-debugsource, libapr1-devel, libapr1-devel-32bit
Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11-SP1-TERADATA (x86_64), SLES4VMWARE 11-SP1 (i386, x86_64)
This is an autogenerated message for OBS integration: This bug (738855) was mentioned in https://build.opensuse.org/request/show/105883 Evergreen:11.1 / apache2
This is an autogenerated message for OBS integration: This bug (738855) was mentioned in https://build.opensuse.org/request/show/106112 Evergreen:11.1 / apache2
Back to us for tracking. Not registered for an LTSS update so far.
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo
Products: openSUSE 11.4 (debug, i586, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Released.
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64), SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64), SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products: SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64), SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)