| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Apr 2013 21:12:00 +0200 From: security@...driva.com To: bugtraq@...urityfocus.com Subject: [ MDVSA-2013:156 ] apache-mod_security -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2013:156 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : apache-mod_security Date : April 29, 2013 Affected: Business Server 1.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in apache-mod_security: ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) vulnerability (CVE-2013-1915). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: 301f6d87bb0605dcfbae4ab94da0c32a mes5/i586/apache-mod_security-2.5.12-0.4mdvmes5.2.i586.rpm d2336ca0da3dd8077819dee6abea2f6e mes5/i586/mlogc-2.5.12-0.4mdvmes5.2.i586.rpm 472a4e549a187d2020b21ab930d81b13 mes5/SRPMS/apache-mod_security-2.5.12-0.4mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 3b9b65c037b35917bf066b9a543d10fb mes5/x86_64/apache-mod_security-2.5.12-0.4mdvmes5.2.x86_64.rpm edc3c3e1d31c5f0b2c204fc197d5e7b0 mes5/x86_64/mlogc-2.5.12-0.4mdvmes5.2.x86_64.rpm 472a4e549a187d2020b21ab930d81b13 mes5/SRPMS/apache-mod_security-2.5.12-0.4mdvmes5.2.src.rpm Mandriva Business Server 1/X86_64: ce1e86534b8d33dafbdc2c25b8ec689b mbs1/x86_64/apache-mod_security-2.6.3-5.2.mbs1.x86_64.rpm d125ba595ee374b31b6f91fed316f30e mbs1/x86_64/mlogc-2.6.3-5.2.mbs1.x86_64.rpm 77a7cb951e047e046ce5b1517c843b9f mbs1/SRPMS/apache-mod_security-2.6.3-5.2.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFRfppOmqjQ0CJFipgRAlqIAKCBwhrAPhQh8c3eAxdmDFOFHJDQegCffDX7 egCPmXl064Tm79G96thLXAs= =xi7I -----END PGP SIGNATURE-----
Powered by blists - more mailing lists