[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ MDVSA-2009:124-1 ] apache
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [ MDVSA-2009:124-1 ] apache
- From: security@xxxxxxxxxxxx
- Date: Wed, 08 Jul 2009 04:21:01 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:124-1
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apache
Date : July 8, 2009
Affected: 2008.1
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been found and corrected in apache:
Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c
in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to
cause a denial of service (memory consumption) via multiple calls, as
demonstrated by initial SSL client handshakes to the Apache HTTP Server
mod_ssl that specify a compression algorithm (CVE-2008-1678). Note
that this security issue does not really apply as zlib compression
is not enabled in the openssl build provided by Mandriva, but apache
is patched to address this issue anyway (conserns 2008.1 only).
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the
mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c
in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions,
allows remote attackers to inject arbitrary web script or HTML via
wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this
security issue was initially addressed with MDVSA-2008:195 but the
patch fixing the issue was added but not applied in 2009.0.
The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not
properly handle Options=IncludesNOEXEC in the AllowOverride directive,
which allows local users to gain privileges by configuring (1) Options
Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a
.htaccess file, and then inserting an exec element in a .shtml file
(CVE-2009-1195).
This update provides fixes for these vulnerabilities.
Update:
The patch for fixing CVE-2009-1195 for Mandriva Linux 2008.1 was
incomplete, this update addresses the problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.1:
d7522600c193783ccb5f41447175a331
2008.1/i586/apache-base-2.2.8-6.4mdv2008.1.i586.rpm
9ca131724b9fd905f7ac864d4511b459
2008.1/i586/apache-devel-2.2.8-6.4mdv2008.1.i586.rpm
e7750b82d83fdd68225f663679ac4460
2008.1/i586/apache-htcacheclean-2.2.8-6.4mdv2008.1.i586.rpm
e28b73346363d5183bf43b9a894703eb
2008.1/i586/apache-mod_authn_dbd-2.2.8-6.4mdv2008.1.i586.rpm
03d7b234afa3a83f04fd2dd951359961
2008.1/i586/apache-mod_cache-2.2.8-6.4mdv2008.1.i586.rpm
506e31a2a592818cb6b9ca9417902562
2008.1/i586/apache-mod_dav-2.2.8-6.4mdv2008.1.i586.rpm
1f79c942c9f477eb7af43fa0bbf7f75d
2008.1/i586/apache-mod_dbd-2.2.8-6.4mdv2008.1.i586.rpm
942abf88d6fa0b73b587c3cf2920c55b
2008.1/i586/apache-mod_deflate-2.2.8-6.4mdv2008.1.i586.rpm
d3b92574868f79d02a5189fdcd6df425
2008.1/i586/apache-mod_disk_cache-2.2.8-6.4mdv2008.1.i586.rpm
cf6ce38ae0f100a35e39fb3b09be7507
2008.1/i586/apache-mod_file_cache-2.2.8-6.4mdv2008.1.i586.rpm
c5ed7754beb38dd51b68bbd6604a0ca9
2008.1/i586/apache-mod_ldap-2.2.8-6.4mdv2008.1.i586.rpm
9d29c79f0b889aeca78c7b426073cd3e
2008.1/i586/apache-mod_mem_cache-2.2.8-6.4mdv2008.1.i586.rpm
84a1b51f4d8be06ab763bb95b572909f
2008.1/i586/apache-mod_proxy-2.2.8-6.4mdv2008.1.i586.rpm
78723bd3586753bcb37ac83a9f8449f7
2008.1/i586/apache-mod_proxy_ajp-2.2.8-6.4mdv2008.1.i586.rpm
5418461f01217d6567ce4cc27e8b95bf
2008.1/i586/apache-mod_ssl-2.2.8-6.4mdv2008.1.i586.rpm
439787696a120705c0b79ac7f8a5c538
2008.1/i586/apache-modules-2.2.8-6.4mdv2008.1.i586.rpm
8275595502f0ad78166b8d060e2d9b3c
2008.1/i586/apache-mod_userdir-2.2.8-6.4mdv2008.1.i586.rpm
0b3edd8559484552cdad948faef19203
2008.1/i586/apache-mpm-event-2.2.8-6.4mdv2008.1.i586.rpm
1fa2b3101a3b34c2d0f9fc817bc1a1df
2008.1/i586/apache-mpm-itk-2.2.8-6.4mdv2008.1.i586.rpm
2b6e72b32712a335b1678f492842d2fc
2008.1/i586/apache-mpm-prefork-2.2.8-6.4mdv2008.1.i586.rpm
3c1e840a0fa813e1057effba641959b7
2008.1/i586/apache-mpm-worker-2.2.8-6.4mdv2008.1.i586.rpm
043d5127cea48a3eeab8faa4875cf084
2008.1/i586/apache-source-2.2.8-6.4mdv2008.1.i586.rpm
da999274b381e43a575829d178c8bf6d
2008.1/SRPMS/apache-2.2.8-6.4mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
30fbbec5b54767fb1163d24a85caa017
2008.1/x86_64/apache-base-2.2.8-6.4mdv2008.1.x86_64.rpm
8998a37f170228812f7335a6d1c137ed
2008.1/x86_64/apache-devel-2.2.8-6.4mdv2008.1.x86_64.rpm
e0a8fbfe76fa2c8cb16ef4726155bf0b
2008.1/x86_64/apache-htcacheclean-2.2.8-6.4mdv2008.1.x86_64.rpm
a8bfb98f0354d15b1e5b33df2a06079a
2008.1/x86_64/apache-mod_authn_dbd-2.2.8-6.4mdv2008.1.x86_64.rpm
97ce6d10fea3d251f0a1a6038dcc04e3
2008.1/x86_64/apache-mod_cache-2.2.8-6.4mdv2008.1.x86_64.rpm
efe82f8b6e60ab89bb6a043bebd47973
2008.1/x86_64/apache-mod_dav-2.2.8-6.4mdv2008.1.x86_64.rpm
7acf0e9e13cd0a442c32dc33427569e5
2008.1/x86_64/apache-mod_dbd-2.2.8-6.4mdv2008.1.x86_64.rpm
71a503f117bebfda8db53b929499b6d8
2008.1/x86_64/apache-mod_deflate-2.2.8-6.4mdv2008.1.x86_64.rpm
098266a9b737c0aa974e9818bc843531
2008.1/x86_64/apache-mod_disk_cache-2.2.8-6.4mdv2008.1.x86_64.rpm
2d90465f7a75a794bf333129b8e105c7
2008.1/x86_64/apache-mod_file_cache-2.2.8-6.4mdv2008.1.x86_64.rpm
6778a8746ba0b543dc3aebdab9fc6f08
2008.1/x86_64/apache-mod_ldap-2.2.8-6.4mdv2008.1.x86_64.rpm
2a9d64c016f1beb2ccbbd5c5b9e0b8df
2008.1/x86_64/apache-mod_mem_cache-2.2.8-6.4mdv2008.1.x86_64.rpm
3777616f0f0771c96921b83af29c9fa8
2008.1/x86_64/apache-mod_proxy-2.2.8-6.4mdv2008.1.x86_64.rpm
657dfd4b249cb59834957373acca4f89
2008.1/x86_64/apache-mod_proxy_ajp-2.2.8-6.4mdv2008.1.x86_64.rpm
e05f1450a507379bd4f394f739e0fc60
2008.1/x86_64/apache-mod_ssl-2.2.8-6.4mdv2008.1.x86_64.rpm
1832c96d6d0a1bff8bc84f7463f92ccf
2008.1/x86_64/apache-modules-2.2.8-6.4mdv2008.1.x86_64.rpm
ef96e999154ac771c47e760a7a978460
2008.1/x86_64/apache-mod_userdir-2.2.8-6.4mdv2008.1.x86_64.rpm
0312ba63abb5816f8077a14b201ee989
2008.1/x86_64/apache-mpm-event-2.2.8-6.4mdv2008.1.x86_64.rpm
0fc10dbdcc127018954280312e6ddd2b
2008.1/x86_64/apache-mpm-itk-2.2.8-6.4mdv2008.1.x86_64.rpm
1178cf5ee9c13d0320f8d334707240f7
2008.1/x86_64/apache-mpm-prefork-2.2.8-6.4mdv2008.1.x86_64.rpm
b52a6d91a14cfda1080af5fe16cbb479
2008.1/x86_64/apache-mpm-worker-2.2.8-6.4mdv2008.1.x86_64.rpm
909f1aeafcf101c0af655c13809731d6
2008.1/x86_64/apache-source-2.2.8-6.4mdv2008.1.x86_64.rpm
da999274b381e43a575829d178c8bf6d
2008.1/SRPMS/apache-2.2.8-6.4mdv2008.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKU9d5mqjQ0CJFipgRAlzsAJ0Zpu0rH8JBOfgOJFqA9Tl3H1eJTwCfeA+M
+JKiXIAM+zbCDRymCVguXjo=
=66R9
-----END PGP SIGNATURE-----