Bug 738855 - VUL-0: apache2: DoS via partial HTTP requests
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Assigned To: Security Team bot
Reported: 2011-12-29 09:54 UTC by Ludwig Nussel
Modified: 2013-03-15 12:59 UTC
Found By: Other

Attachments
slowloris.pl exploit script (18.44 KB, application/x-perl)
2012-01-17 10:54 UTC, Roman Drahtmueller
Description Ludwig Nussel 2011-12-29 09:54:15 UTC
Your friendly security team received the following report via mitre.
Please respond ASAP.
The issue is public.

-------8<-------
======================================================
Name: CVE-2007-6750

The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.


Reference: MISC: http://ha.ckers.org/slowloris/
Reference: BUGTRAQ: http://archives.neohapsis.com/archives/bugtraq/2007-01/0229.html
Comment 1 Swamp Workflow Management 2011-12-29 23:00:14 UTC
bugbot adjusting priority
Comment 2 Sebastian Krahmer 2012-01-17 10:32:09 UTC
*** Bug 741840 has been marked as a duplicate of this bug. ***
Comment 3 Roman Drahtmueller 2012-01-17 10:52:53 UTC
The DoS is to be taken seriously as only few resources are needed
on the attacker's side. This vulnerability is being exploited in the wild
more often by now, so there is need to respond.

The backport of mod_reqtimeout.c appears to be the most effective approach.

Additional references:

https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_reqtimeout.c?view=markup
https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_reqtimeout.c?revision=1209766&view=co

via http://www.sfritsch.de/mod_reqtimeout/

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6750
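The mitigation Comment 3 settles on is mod_reqtimeout, which bounds how long a client may take to deliver the request line, headers and body. The following configuration is an added example, not part of this bug report or of the SUSE package; the module path is the upstream default and the timeout values are assumed tuning values (they match the upstream documentation's example), not values taken from this bug.

```apacheconf
# Added example (not from bug 738855). Assumes Apache httpd 2.2.15+ or a
# build carrying the backported mod_reqtimeout; directive syntax follows the
# upstream mod_reqtimeout documentation.

# Before: without mod_reqtimeout, Timeout is the only limit in force while
# the request line and headers are read. It is a per-read timeout that is
# reset every time a packet arrives, so a client that sends one header
# fragment every few seconds holds a worker slot for as long as it likes.
Timeout 300

# After: load the module and put an absolute bound on request reading.
LoadModule reqtimeout_module modules/mod_reqtimeout.so

<IfModule reqtimeout_module>
    # header=20-40,MinRate=500: allow 20 s to receive the request headers;
    # every 500 bytes received extends the deadline by 1 s, but never past
    # 40 s in total. A client trickling headers is cut off at 40 s at most.
    # body=20,MinRate=500: allow 20 s for the body, extended by 1 s per
    # 500 bytes received, with no upper bound (large uploads still work).
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

In SUSE's apache2 packaging the module list is normally maintained through APACHE_MODULES in /etc/sysconfig/apache2 rather than a hand-written LoadModule line, so add `reqtimeout` there. With mod_status and `ExtendedStatus On`, an attack of this kind shows up as a large number of workers stuck in the "R" (Reading Request) state, which is a useful check both for detecting it and for confirming the timeout is working.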
Comment 4 Roman Drahtmueller 2012-01-17 10:54:53 UTC
Created attachment 471495
slowloris.pl exploit script

perl slowloris.pl -dns victim.host.name
Comment 5 Swamp Workflow Management 2012-01-24 14:16:52 UTC
The SWAMPID for this issue is 45139.
This issue was rated as moderate.
Please submit fixed packages until 2012-02-07.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 9 Swamp Workflow Management 2012-02-03 12:44:53 UTC
The SWAMPID for this issue is 45322.
This issue was rated as important.
Please submit fixed packages until 2012-02-10.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 10 Bernhard Wiedemann 2012-02-14 05:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (738855) was mentioned in
https://build.opensuse.org/request/show/104860 Evergreen:11.2 / apache2
Comment 11 Swamp Workflow Management 2012-02-18 08:25:35 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker, libapr1, libapr1-32bit, libapr1-debuginfo, libapr1-debuginfo-32bit, libapr1-debugsource, libapr1-devel, libapr1-devel-32bit
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 12 Bernhard Wiedemann 2012-02-19 19:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (738855) was mentioned in
https://build.opensuse.org/request/show/105883 Evergreen:11.1 / apache2
Comment 13 Bernhard Wiedemann 2012-02-20 20:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (738855) was mentioned in
https://build.opensuse.org/request/show/106112 Evergreen:11.1 / apache2
Comment 14 Marcus Meissner 2012-02-23 14:07:00 UTC
Back to us for tracking.

Not registered for an LTSS update so far.
Comment 15 Swamp Workflow Management 2012-02-28 11:10:00 UTC
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo
Products:
openSUSE 11.4 (debug, i586, x86_64)
Comment 16 Swamp Workflow Management 2012-02-28 12:08:44 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 17 Marcus Meissner 2012-03-01 17:09:27 UTC
Released.
Comment 18 Swamp Workflow Management 2012-03-06 16:56:13 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 19 Swamp Workflow Management 2013-03-15 12:59:51 UTC
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)