lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1UNnBk-0004lV-KQ@titan.mandriva.com>
Date: Thu, 04 Apr 2013 12:39:00 -0400
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2013:015-1 ] apache

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2013:015-1
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : apache
 Date    : April 4, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in apache
 (ASF HTTPD):
 
 Various XSS (cross-site scripting vulnerability) flaws due to unescaped
 hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap,
 mod_ldap, and mod_proxy_ftp (CVE-2012-3499).
 
 XSS (cross-site scripting vulnerability) in mod_proxy_balancer manager
 interface (CVE-2012-4558).
 
 Additionally the ASF bug 53219 was resolved which provides a way
 to mitigate the CRIME attack vulnerability by disabling TLS-level
 compression. Use the new directive SSLCompression on|off to enable or
 disable TLS-level compression, by default SSLCompression is turned on.
 
 The updated packages have been upgraded to the latest 2.2.24 version
 which is not vulnerable to these issues.

 Update:

 Packages for Mandriva Business Server 1 is being provided.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
 http://httpd.apache.org/security/vulnerabilities_22.html
 http://www.apache.org/dist/httpd/CHANGES_2.2.24
 https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 7509c635731abff8de4726b3f490a65a  mbs1/x86_64/apache-2.2.24-1.mbs1.x86_64.rpm
 c8d15d2347a4186119c59fe34ac83314  mbs1/x86_64/apache-devel-2.2.24-1.mbs1.x86_64.rpm
 e128a1f644d5d96fe4ad08c25278af59  mbs1/x86_64/apache-doc-2.2.24-1.mbs1.noarch.rpm
 f1a8fa36a6f42d9e75570c497a338a21  mbs1/x86_64/apache-htcacheclean-2.2.24-1.mbs1.x86_64.rpm
 b3637ef4aec30f46cef5b4cb6c70fb16  mbs1/x86_64/apache-mod_authn_dbd-2.2.24-1.mbs1.x86_64.rpm
 529da28cbb446db208c3416d57519c31  mbs1/x86_64/apache-mod_cache-2.2.24-1.mbs1.x86_64.rpm
 19cbba7b984d375755ab152af36fa085  mbs1/x86_64/apache-mod_dav-2.2.24-1.mbs1.x86_64.rpm
 1eccf69d4657a3dcc7e73d9fba4ab133  mbs1/x86_64/apache-mod_dbd-2.2.24-1.mbs1.x86_64.rpm
 4cd7e5cddc596281e925e45acf9f2745  mbs1/x86_64/apache-mod_deflate-2.2.24-1.mbs1.x86_64.rpm
 3336f3e2daf72b958e5dafb5212c3c33  mbs1/x86_64/apache-mod_disk_cache-2.2.24-1.mbs1.x86_64.rpm
 7b7ed707bb38b26061d755b981551da2  mbs1/x86_64/apache-mod_file_cache-2.2.24-1.mbs1.x86_64.rpm
 ad7cc8bd814d6fe7123edcd911acd61e  mbs1/x86_64/apache-mod_ldap-2.2.24-1.mbs1.x86_64.rpm
 ea30ba683d4a3c761424d85d127038e9  mbs1/x86_64/apache-mod_mem_cache-2.2.24-1.mbs1.x86_64.rpm
 273dec6dcaa57765722bc617054f4326  mbs1/x86_64/apache-mod_proxy-2.2.24-1.mbs1.x86_64.rpm
 1e2301a111dd7cef51544d46ee2fecd5  mbs1/x86_64/apache-mod_proxy_ajp-2.2.24-1.mbs1.x86_64.rpm
 bf87d20545719e432451c9af603acd26  mbs1/x86_64/apache-mod_proxy_scgi-2.2.24-1.mbs1.x86_64.rpm
 884fb55f90be44415f9cf8a67d2c25bc  mbs1/x86_64/apache-mod_reqtimeout-2.2.24-1.mbs1.x86_64.rpm
 ac91f11c0c7d4b15e30a7f08761a55db  mbs1/x86_64/apache-mod_ssl-2.2.24-1.mbs1.x86_64.rpm
 aa3ee3fd0993015a3ad21af92db10cf3  mbs1/x86_64/apache-mod_suexec-2.2.24-1.mbs1.x86_64.rpm
 bc99a7d1879fff69044d1e0ab716f6d4  mbs1/x86_64/apache-mod_userdir-2.2.24-1.mbs1.x86_64.rpm
 1ebcb5de0cdabdd483d03cd90b37e922  mbs1/x86_64/apache-mpm-event-2.2.24-1.mbs1.x86_64.rpm
 edd2a1509f2f4a0ef6db792db02d6d5f  mbs1/x86_64/apache-mpm-itk-2.2.24-1.mbs1.x86_64.rpm
 8f923499d4f47bd8de82621b15b7e2e0  mbs1/x86_64/apache-mpm-peruser-2.2.24-1.mbs1.x86_64.rpm
 de40119e6d0c18efcc5d42986bcbb92d  mbs1/x86_64/apache-mpm-prefork-2.2.24-1.mbs1.x86_64.rpm
 110746aad4564a1dba52be50c996c582  mbs1/x86_64/apache-mpm-worker-2.2.24-1.mbs1.x86_64.rpm
 a3d0a7163dbe01862ae830eac0ee81b8  mbs1/x86_64/apache-source-2.2.24-1.mbs1.noarch.rpm 
 509beb781e5871d20135d2407aa5cf07  mbs1/SRPMS/apache-2.2.24-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRXYPhmqjQ0CJFipgRAjBUAKCfs39UBaE+CnAcNQKYUkyY8DqRsACeJpFh
GT7PGjhTJKEVC6s2nLYXyfo=
=qb/i
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ