lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1MOMmL-0006to-Hz@titan.mandriva.com>
Date: Wed, 08 Jul 2009 04:21:01 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2009:124-1 ] apache


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2009:124-1
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apache
 Date    : July 8, 2009
 Affected: 2008.1
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in apache:
 
 Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c
 in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to
 cause a denial of service (memory consumption) via multiple calls, as
 demonstrated by initial SSL client handshakes to the Apache HTTP Server
 mod_ssl that specify a compression algorithm (CVE-2008-1678). Note
 that this security issue does not really apply as zlib compression
 is not enabled in the openssl build provided by Mandriva, but apache
 is patched to address this issue anyway (conserns 2008.1 only).
 
 Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the
 mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c
 in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions,
 allows remote attackers to inject arbitrary web script or HTML via
 wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this
 security issue was initially addressed with MDVSA-2008:195 but the
 patch fixing the issue was added but not applied in 2009.0.
 
 The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not
 properly handle Options=IncludesNOEXEC in the AllowOverride directive,
 which allows local users to gain privileges by configuring (1) Options
 Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a
 .htaccess file, and then inserting an exec element in a .shtml file
 (CVE-2009-1195).
 
 This update provides fixes for these vulnerabilities.

 Update:

 The patch for fixing CVE-2009-1195 for Mandriva Linux 2008.1 was
 incomplete, this update addresses the problem.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 d7522600c193783ccb5f41447175a331  2008.1/i586/apache-base-2.2.8-6.4mdv2008.1.i586.rpm
 9ca131724b9fd905f7ac864d4511b459  2008.1/i586/apache-devel-2.2.8-6.4mdv2008.1.i586.rpm
 e7750b82d83fdd68225f663679ac4460  2008.1/i586/apache-htcacheclean-2.2.8-6.4mdv2008.1.i586.rpm
 e28b73346363d5183bf43b9a894703eb  2008.1/i586/apache-mod_authn_dbd-2.2.8-6.4mdv2008.1.i586.rpm
 03d7b234afa3a83f04fd2dd951359961  2008.1/i586/apache-mod_cache-2.2.8-6.4mdv2008.1.i586.rpm
 506e31a2a592818cb6b9ca9417902562  2008.1/i586/apache-mod_dav-2.2.8-6.4mdv2008.1.i586.rpm
 1f79c942c9f477eb7af43fa0bbf7f75d  2008.1/i586/apache-mod_dbd-2.2.8-6.4mdv2008.1.i586.rpm
 942abf88d6fa0b73b587c3cf2920c55b  2008.1/i586/apache-mod_deflate-2.2.8-6.4mdv2008.1.i586.rpm
 d3b92574868f79d02a5189fdcd6df425  2008.1/i586/apache-mod_disk_cache-2.2.8-6.4mdv2008.1.i586.rpm
 cf6ce38ae0f100a35e39fb3b09be7507  2008.1/i586/apache-mod_file_cache-2.2.8-6.4mdv2008.1.i586.rpm
 c5ed7754beb38dd51b68bbd6604a0ca9  2008.1/i586/apache-mod_ldap-2.2.8-6.4mdv2008.1.i586.rpm
 9d29c79f0b889aeca78c7b426073cd3e  2008.1/i586/apache-mod_mem_cache-2.2.8-6.4mdv2008.1.i586.rpm
 84a1b51f4d8be06ab763bb95b572909f  2008.1/i586/apache-mod_proxy-2.2.8-6.4mdv2008.1.i586.rpm
 78723bd3586753bcb37ac83a9f8449f7  2008.1/i586/apache-mod_proxy_ajp-2.2.8-6.4mdv2008.1.i586.rpm
 5418461f01217d6567ce4cc27e8b95bf  2008.1/i586/apache-mod_ssl-2.2.8-6.4mdv2008.1.i586.rpm
 439787696a120705c0b79ac7f8a5c538  2008.1/i586/apache-modules-2.2.8-6.4mdv2008.1.i586.rpm
 8275595502f0ad78166b8d060e2d9b3c  2008.1/i586/apache-mod_userdir-2.2.8-6.4mdv2008.1.i586.rpm
 0b3edd8559484552cdad948faef19203  2008.1/i586/apache-mpm-event-2.2.8-6.4mdv2008.1.i586.rpm
 1fa2b3101a3b34c2d0f9fc817bc1a1df  2008.1/i586/apache-mpm-itk-2.2.8-6.4mdv2008.1.i586.rpm
 2b6e72b32712a335b1678f492842d2fc  2008.1/i586/apache-mpm-prefork-2.2.8-6.4mdv2008.1.i586.rpm
 3c1e840a0fa813e1057effba641959b7  2008.1/i586/apache-mpm-worker-2.2.8-6.4mdv2008.1.i586.rpm
 043d5127cea48a3eeab8faa4875cf084  2008.1/i586/apache-source-2.2.8-6.4mdv2008.1.i586.rpm 
 da999274b381e43a575829d178c8bf6d  2008.1/SRPMS/apache-2.2.8-6.4mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 30fbbec5b54767fb1163d24a85caa017  2008.1/x86_64/apache-base-2.2.8-6.4mdv2008.1.x86_64.rpm
 8998a37f170228812f7335a6d1c137ed  2008.1/x86_64/apache-devel-2.2.8-6.4mdv2008.1.x86_64.rpm
 e0a8fbfe76fa2c8cb16ef4726155bf0b  2008.1/x86_64/apache-htcacheclean-2.2.8-6.4mdv2008.1.x86_64.rpm
 a8bfb98f0354d15b1e5b33df2a06079a  2008.1/x86_64/apache-mod_authn_dbd-2.2.8-6.4mdv2008.1.x86_64.rpm
 97ce6d10fea3d251f0a1a6038dcc04e3  2008.1/x86_64/apache-mod_cache-2.2.8-6.4mdv2008.1.x86_64.rpm
 efe82f8b6e60ab89bb6a043bebd47973  2008.1/x86_64/apache-mod_dav-2.2.8-6.4mdv2008.1.x86_64.rpm
 7acf0e9e13cd0a442c32dc33427569e5  2008.1/x86_64/apache-mod_dbd-2.2.8-6.4mdv2008.1.x86_64.rpm
 71a503f117bebfda8db53b929499b6d8  2008.1/x86_64/apache-mod_deflate-2.2.8-6.4mdv2008.1.x86_64.rpm
 098266a9b737c0aa974e9818bc843531  2008.1/x86_64/apache-mod_disk_cache-2.2.8-6.4mdv2008.1.x86_64.rpm
 2d90465f7a75a794bf333129b8e105c7  2008.1/x86_64/apache-mod_file_cache-2.2.8-6.4mdv2008.1.x86_64.rpm
 6778a8746ba0b543dc3aebdab9fc6f08  2008.1/x86_64/apache-mod_ldap-2.2.8-6.4mdv2008.1.x86_64.rpm
 2a9d64c016f1beb2ccbbd5c5b9e0b8df  2008.1/x86_64/apache-mod_mem_cache-2.2.8-6.4mdv2008.1.x86_64.rpm
 3777616f0f0771c96921b83af29c9fa8  2008.1/x86_64/apache-mod_proxy-2.2.8-6.4mdv2008.1.x86_64.rpm
 657dfd4b249cb59834957373acca4f89  2008.1/x86_64/apache-mod_proxy_ajp-2.2.8-6.4mdv2008.1.x86_64.rpm
 e05f1450a507379bd4f394f739e0fc60  2008.1/x86_64/apache-mod_ssl-2.2.8-6.4mdv2008.1.x86_64.rpm
 1832c96d6d0a1bff8bc84f7463f92ccf  2008.1/x86_64/apache-modules-2.2.8-6.4mdv2008.1.x86_64.rpm
 ef96e999154ac771c47e760a7a978460  2008.1/x86_64/apache-mod_userdir-2.2.8-6.4mdv2008.1.x86_64.rpm
 0312ba63abb5816f8077a14b201ee989  2008.1/x86_64/apache-mpm-event-2.2.8-6.4mdv2008.1.x86_64.rpm
 0fc10dbdcc127018954280312e6ddd2b  2008.1/x86_64/apache-mpm-itk-2.2.8-6.4mdv2008.1.x86_64.rpm
 1178cf5ee9c13d0320f8d334707240f7  2008.1/x86_64/apache-mpm-prefork-2.2.8-6.4mdv2008.1.x86_64.rpm
 b52a6d91a14cfda1080af5fe16cbb479  2008.1/x86_64/apache-mpm-worker-2.2.8-6.4mdv2008.1.x86_64.rpm
 909f1aeafcf101c0af655c13809731d6  2008.1/x86_64/apache-source-2.2.8-6.4mdv2008.1.x86_64.rpm 
 da999274b381e43a575829d178c8bf6d  2008.1/SRPMS/apache-2.2.8-6.4mdv2008.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKU9d5mqjQ0CJFipgRAlzsAJ0Zpu0rH8JBOfgOJFqA9Tl3H1eJTwCfeA+M
+JKiXIAM+zbCDRymCVguXjo=
=66R9
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ