Message-Id: <E1XCSoW-0003QE-Ge@titan.mandriva.com>
Date: Wed, 30 Jul 2014 14:17:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2014:142 ] apache

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:142
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : apache
 Date    : July 30, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated apache package fixes security vulnerabilities:
 
 A race condition flaw, leading to heap-based buffer overflows,
 was found in the mod_status httpd module. A remote attacker able to
 access a status page served by mod_status on a server using a threaded
 Multi-Processing Module (MPM) could send a specially crafted request
 that would cause the httpd child process to crash or, possibly,
 allow the attacker to execute arbitrary code with the privileges of
 the apache user (CVE-2014-0226).
 
 A denial of service flaw was found in the way httpd's mod_deflate
 module handled request body decompression (configured via the DEFLATE
 input filter). A remote attacker able to send a request whose body
 would be decompressed could use this flaw to consume an excessive
 amount of system memory and CPU on the target system (CVE-2014-0118).
 
 A denial of service flaw was found in the way httpd's mod_cgid module
 executed CGI scripts that did not read data from the standard input. A
 remote attacker could submit a specially crafted request that would
 cause the httpd child process to hang indefinitely (CVE-2014-0231).
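 The two remotely reachable conditions above depend on configuration: a
 status page exposed to untrusted clients (CVE-2014-0226) and request-body
 decompression via the DEFLATE input filter (CVE-2014-0118). The following
 is an added audit helper, not part of this advisory or of Mandriva's
 tooling; it reads an Apache 2.2 style config as text, flags server-status
 handlers that carry no client-address restriction and any SetInputFilter
 DEFLATE, and runs against a constructed sample config embedded inline.

```python
import re
from typing import Dict, List

# Constructed sample httpd.conf fragment (not from the advisory): one status page
# restricted to localhost, one exposed to everyone, and a DEFLATE input filter.
SAMPLE_CONF = """
LoadModule status_module modules/mod_status.so
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
<Location /status-open>
    SetHandler server-status
</Location>
<Location /upload>
    SetInputFilter DEFLATE
</Location>
"""

OPEN_RE = re.compile(r"^\s*<(Location|Directory|Files)\b[^>]*>", re.I)
CLOSE_RE = re.compile(r"^\s*</(Location|Directory|Files)\s*>", re.I)
STATUS_RE = re.compile(r"^\s*SetHandler\s+server-status\b", re.I)
# Heuristic: 2.2 "Deny/Allow from" (except "Allow from all") or 2.4 "Require ip|local|host"
RESTRICT_RE = re.compile(
    r"^\s*(?:Deny\s+from\b|Allow\s+from\s+(?!all\b)|Require\s+(?:ip|local|host)\b)", re.I)
DEFLATE_IN_RE = re.compile(r"^\s*SetInputFilter\s+.*\bDEFLATE\b", re.I)


def audit_httpd_conf(text: str) -> List[Dict[str, str]]:
    """Return findings for exposed mod_status pages and DEFLATE request-body decompression."""
    findings: List[Dict[str, str]] = []
    section = None  # text of the enclosing <Location|Directory|Files ...> line, if any
    has_status = has_restrict = False
    for line in text.splitlines():
        if OPEN_RE.match(line):
            section, has_status, has_restrict = line.strip(), False, False
        elif CLOSE_RE.match(line):
            if has_status and not has_restrict:
                findings.append({"cve": "CVE-2014-0226", "where": section,
                                 "issue": "server-status handler without client-address restriction"})
            section = None
        elif STATUS_RE.match(line):
            if section is None:  # handler set globally: reachable from anywhere
                findings.append({"cve": "CVE-2014-0226", "where": "(global)",
                                 "issue": "server-status handler set outside any section"})
            has_status = True
        elif RESTRICT_RE.match(line):
            has_restrict = True
        if DEFLATE_IN_RE.match(line):  # independent of the section bookkeeping above
            findings.append({"cve": "CVE-2014-0118", "where": section or "(global)",
                             "issue": "DEFLATE input filter decompresses request bodies"})
    return findings
```

 Running audit_httpd_conf(SAMPLE_CONF) reports the /status-open block and the
 /upload block; the localhost-restricted /server-status block is not flagged.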
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
 http://advisories.mageia.org/MGASA-2014-0304.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>