Message-Id: <E1MVuPs-0000Un-Jm@titan.mandriva.com>
Date: Tue, 28 Jul 2009 23:41:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:168 ] apache


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:168
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apache
 Date    : July 28, 2009
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in apache:
 
 The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
 module in the Apache HTTP Server before 2.3.3, when a reverse proxy
 is configured, does not properly handle an amount of streamed data
 that exceeds the Content-Length value, which allows remote attackers
 to cause a denial of service (CPU consumption) via crafted requests
 (CVE-2009-1890).
 
 A potential denial-of-service attack against mod_deflate or other
 modules was fixed: a client could force the server to spend CPU time
 compressing a large file after the client had already disconnected
 (CVE-2009-1891).
 
 This update provides fixes for these vulnerabilities.
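 The two problem descriptions above are all this advisory says about the
 bugs. As an added illustration that is not Apache's code and not part of
 the advisory, the following Python sketches the two server-side checks
 those descriptions imply, on in-memory streams so it runs offline: a
 reverse proxy that stops and fails the request when a client streams more
 body bytes than its Content-Length declared, and a compression filter
 that polls for client disconnect before every piece it compresses. The
 names forward_body, compress_for_client, RequestTooLarge and
 DisconnectingClient are this example's own, and the exact form of the
 upstream Apache fixes is not given on this page.

```python
"""
Added example, not Apache's or Mandriva's code: the two server-side checks
whose absence the advisory describes, reduced to in-memory streams so the
logic runs offline. Function and class names are this example's own.

  forward_body         the mod_proxy item (CVE-2009-1890): a reverse proxy
                       forwarding a request body with a Content-Length must
                       stop, and fail the request, when the client delivers
                       more bytes than it declared.
  compress_for_client  the mod_deflate item (CVE-2009-1891): an output filter
                       compressing a large response in pieces must check that
                       the client is still connected before each piece.
"""
import io
import zlib


class RequestTooLarge(Exception):
    """Client streamed more request-body bytes than its Content-Length."""


def forward_body(client, upstream, content_length, chunk=8192):
    """Copy a Content-Length-delimited body from client to upstream.

    `client` is any object with read(n); in a real server it is the input
    filter chain, which decides the size of each delivered piece, so this
    code cannot assume a piece never carries bytes beyond the declared
    length. It therefore counts what it has seen and refuses, before
    forwarding, the first piece that takes the total past content_length.
    Returns the number of bytes forwarded (always == content_length).
    """
    streamed = 0
    while streamed < content_length:
        piece = client.read(chunk)
        if not piece:
            raise ConnectionError(
                "client closed after %d of %d bytes" % (streamed, content_length))
        streamed += len(piece)
        if streamed > content_length:
            # The bounded-loop check: without it a proxy keeps consuming
            # data that can never satisfy its end condition.
            raise RequestTooLarge(
                "got %d bytes, Content-Length was %d" % (streamed, content_length))
        upstream.write(piece)
    return streamed


def compress_for_client(payload, client_alive, chunk=64 * 1024, level=6):
    """gzip `payload` piece by piece, stopping as soon as the client is gone.

    `client_alive` is polled before every piece; in a server this is the
    connection's abort flag. Returns (compressed_bytes, pieces_done, aborted).
    When aborted is True the output is truncated and must not be sent.
    """
    comp = zlib.compressobj(level, zlib.DEFLATED, 16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    pieces = 0
    for offset in range(0, len(payload), chunk):
        if not client_alive():
            return bytes(out), pieces, True
        out += comp.compress(payload[offset:offset + chunk])
        pieces += 1
    out += comp.flush()
    return bytes(out), pieces, False


class DisconnectingClient:
    """Constructed stand-in for a connection that drops after n polls."""

    def __init__(self, polls_before_disconnect):
        self.polls_left = polls_before_disconnect

    def alive(self):
        if self.polls_left <= 0:
            return False
        self.polls_left -= 1
        return True


if __name__ == "__main__":
    # Constructed inputs: a 20-byte body declared as 20, then the same body
    # with 10 extra bytes the client never declared.
    sink = io.BytesIO()
    print("forwarded", forward_body(io.BytesIO(b"A" * 20), sink, 20, chunk=8))
    try:
        forward_body(io.BytesIO(b"A" * 30), io.BytesIO(), 20, chunk=8)
    except RequestTooLarge as exc:
        print("rejected:", exc)

    big = bytes(range(256)) * 4096          # 1 MiB constructed response
    _, done, aborted = compress_for_client(big, DisconnectingClient(3).alive)
    print("compressed %d of 16 pieces before the client left, aborted=%s" % (done, aborted))
```

 The point both functions share is that the loop's exit condition must be
 something the attacker cannot withhold: a byte count the server enforces
 itself, or a connection state the server re-reads on every iteration.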
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 a35f4e42ad811635b008deeab1c86aec  mes5/i586/apache-base-2.2.9-12.4mdvmes5.i586.rpm
 e80464f36e994ae9bb6c15ff0169eeba  mes5/i586/apache-devel-2.2.9-12.4mdvmes5.i586.rpm
 28c561e0b2016009381e4f4fa22bce03  mes5/i586/apache-htcacheclean-2.2.9-12.4mdvmes5.i586.rpm
 bc4f6c084ed91c71fc775e12523cc411  mes5/i586/apache-mod_authn_dbd-2.2.9-12.4mdvmes5.i586.rpm
 06c077d73faf913291546b4dc16d1213  mes5/i586/apache-mod_cache-2.2.9-12.4mdvmes5.i586.rpm
 a2ae256b0b1eaa976da0ab253d047b02  mes5/i586/apache-mod_dav-2.2.9-12.4mdvmes5.i586.rpm
 4b9770ce8587ec86ab7cffe6bc1cba90  mes5/i586/apache-mod_dbd-2.2.9-12.4mdvmes5.i586.rpm
 7641eddea949e2c78648c56e953aecf5  mes5/i586/apache-mod_deflate-2.2.9-12.4mdvmes5.i586.rpm
 43b59e5af9d21fb3847d17e0ae122dab  mes5/i586/apache-mod_disk_cache-2.2.9-12.4mdvmes5.i586.rpm
 d282ac6c56c4f9bdc77825150afa7e1c  mes5/i586/apache-mod_file_cache-2.2.9-12.4mdvmes5.i586.rpm
 c9ee1dcbcb330a4da275f9e8b4478c70  mes5/i586/apache-mod_ldap-2.2.9-12.4mdvmes5.i586.rpm
 422cc7b321578d1de3223fbb76ebe29f  mes5/i586/apache-mod_mem_cache-2.2.9-12.4mdvmes5.i586.rpm
 89dc38ba7ad0187ed7d3c5694d6cbf22  mes5/i586/apache-mod_proxy-2.2.9-12.4mdvmes5.i586.rpm
 27096c4f8dada996969a4cfe0f34715f  mes5/i586/apache-mod_proxy_ajp-2.2.9-12.4mdvmes5.i586.rpm
 d1194518bdb208cc50a3fab9c39f8152  mes5/i586/apache-mod_ssl-2.2.9-12.4mdvmes5.i586.rpm
 5738e54feabed82b1e945fbe09731383  mes5/i586/apache-modules-2.2.9-12.4mdvmes5.i586.rpm
 f74ef1df3ab6a3d53549a05e2a4532fe  mes5/i586/apache-mod_userdir-2.2.9-12.4mdvmes5.i586.rpm
 6192bb53d6a3a96f20016f6409b17dd8  mes5/i586/apache-mpm-event-2.2.9-12.4mdvmes5.i586.rpm
 734d101998223302206ff7063c63b3f2  mes5/i586/apache-mpm-itk-2.2.9-12.4mdvmes5.i586.rpm
 440c586651e316e6f78369a7ca0488cb  mes5/i586/apache-mpm-peruser-2.2.9-12.4mdvmes5.i586.rpm
 a2ac9623691bd1e920cbf42c944f91e8  mes5/i586/apache-mpm-prefork-2.2.9-12.4mdvmes5.i586.rpm
 d517fcb16974e97fc29976b883c72653  mes5/i586/apache-mpm-worker-2.2.9-12.4mdvmes5.i586.rpm
 53b6e7fe71e8e7871e0e648784fe9532  mes5/i586/apache-source-2.2.9-12.4mdvmes5.i586.rpm 
 5c04f485825d1c861f4fb7a9b75c8c1b  mes5/SRPMS/apache-2.2.9-12.4mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 2feb99f4443048861680089e81b3d99b  mes5/x86_64/apache-base-2.2.9-12.4mdvmes5.x86_64.rpm
 94e17e3194808a758f40a5a4e604584f  mes5/x86_64/apache-devel-2.2.9-12.4mdvmes5.x86_64.rpm
 b21a88c27e4c890f53f7f086c18661c8  mes5/x86_64/apache-htcacheclean-2.2.9-12.4mdvmes5.x86_64.rpm
 868451cf6682c4bd88fdff123e9f586e  mes5/x86_64/apache-mod_authn_dbd-2.2.9-12.4mdvmes5.x86_64.rpm
 7df675bf863a1c1a8cc7e6f5b0092800  mes5/x86_64/apache-mod_cache-2.2.9-12.4mdvmes5.x86_64.rpm
 6ec73ab804db7873157b856015cee5e7  mes5/x86_64/apache-mod_dav-2.2.9-12.4mdvmes5.x86_64.rpm
 e7dcfeccfa90c0367a9c908804617f3b  mes5/x86_64/apache-mod_dbd-2.2.9-12.4mdvmes5.x86_64.rpm
 1f5b27130438287975e8ed05d1e9d6c3  mes5/x86_64/apache-mod_deflate-2.2.9-12.4mdvmes5.x86_64.rpm
 2ab40847d45382437e6be2f73693450c  mes5/x86_64/apache-mod_disk_cache-2.2.9-12.4mdvmes5.x86_64.rpm
 776d0ce3c8bc6034d403fe7820394490  mes5/x86_64/apache-mod_file_cache-2.2.9-12.4mdvmes5.x86_64.rpm
 73b71de2b1a192c8ea9356fd4569d629  mes5/x86_64/apache-mod_ldap-2.2.9-12.4mdvmes5.x86_64.rpm
 6e3550a6e3937498703f5675998ff634  mes5/x86_64/apache-mod_mem_cache-2.2.9-12.4mdvmes5.x86_64.rpm
 418ef56503d3e500fa66ca275020c018  mes5/x86_64/apache-mod_proxy-2.2.9-12.4mdvmes5.x86_64.rpm
 80c03337e2686ced47d2d269c21436ab  mes5/x86_64/apache-mod_proxy_ajp-2.2.9-12.4mdvmes5.x86_64.rpm
 7545572a06aae7a51292d455760d56b4  mes5/x86_64/apache-mod_ssl-2.2.9-12.4mdvmes5.x86_64.rpm
 a1e4b7bde251d6fc960a4c40834c9528  mes5/x86_64/apache-modules-2.2.9-12.4mdvmes5.x86_64.rpm
 69f3787207a5856b388166ca59459fa4  mes5/x86_64/apache-mod_userdir-2.2.9-12.4mdvmes5.x86_64.rpm
 d204be58a3c99219740f76fc7f53adcd  mes5/x86_64/apache-mpm-event-2.2.9-12.4mdvmes5.x86_64.rpm
 68404cdf1704abb8d560cf34c18e6263  mes5/x86_64/apache-mpm-itk-2.2.9-12.4mdvmes5.x86_64.rpm
 2d72aa5ce503cac036b8972fcb4c36e6  mes5/x86_64/apache-mpm-peruser-2.2.9-12.4mdvmes5.x86_64.rpm
 d948b73264e6228d89d36fd3af7249bf  mes5/x86_64/apache-mpm-prefork-2.2.9-12.4mdvmes5.x86_64.rpm
 45f459c24c0bdf0e2f4f196441fee8ce  mes5/x86_64/apache-mpm-worker-2.2.9-12.4mdvmes5.x86_64.rpm
 b8f6f631798d8383f3b916db35e4d3b0  mes5/x86_64/apache-source-2.2.9-12.4mdvmes5.x86_64.rpm 
 5c04f485825d1c861f4fb7a9b75c8c1b  mes5/SRPMS/apache-2.2.9-12.4mdvmes5.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
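 urpmi performs the md5 and signature checks for you. As an added example
 that is not part of the advisory or of Mandriva's tooling, the POSIX shell
 below is the manual equivalent: it pulls the md5/path pairs out of a saved
 copy of the advisory text, compares them against packages downloaded into
 a directory that mirrors the listed mes5/... paths, and then checks the
 packages' embedded GPG signatures with rpm. The function names, the saved
 advisory filename and the download directory layout are assumptions of the
 example; the md5 values in the test are for constructed files, not for the
 real packages.

```shell
# Added example, not Mandriva's tooling. Usage:
#   verify_advisory_md5 MDVSA-2009-168.txt ./downloads   (assumed filenames)
#   verify_rpm_signatures ./downloads/mes5/i586/*.rpm

# Turn the advisory's "<md5>  <path>.rpm" lines into "<md5>  <path>" pairs.
# Advisory lines carry a leading space and sometimes a trailing one.
advisory_checksums() {
    # $1 = saved advisory text
    grep -E '^[[:space:]]*[0-9a-f]{32}[[:space:]]+[^[:space:]]+\.rpm' "$1" \
        | sed -E 's/^[[:space:]]*([0-9a-f]{32})[[:space:]]+([^[:space:]]+).*/\1  \2/'
}

# Check every listed package that exists under $2. Returns 0 only if every
# present file matches. Missing files are reported but do not fail the run,
# because an advisory lists both architectures and you download one.
verify_advisory_md5() {
    # $1 = saved advisory text, $2 = download root
    adv=$1; root=$2; rc=0
    list=$(mktemp) || return 2
    advisory_checksums "$adv" > "$list"
    while read -r sum path; do
        f="$root/$path"
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$path"
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            printf 'OK       %s\n' "$path"
        else
            printf 'MISMATCH %s (got %s, advisory says %s)\n' "$path" "$actual" "$sum"
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# The md5 list only guards against a damaged or swapped download; the RPM's
# own GPG signature is what ties the package to Mandriva. The key fetched
# with gpg --recv-keys must also be imported into rpm's keyring
# (rpm --import) first, otherwise rpm reports NOKEY instead of a verified
# signature.
verify_rpm_signatures() {
    # $@ = rpm files
    rpm --checksig "$@"
}
```

 Treat the md5 list as a transport check only: it is as trustworthy as the
 PGP signature on the e-mail that carries it, and MD5 is not collision
 resistant, so a package whose md5 matches but whose rpm --checksig fails
 should not be installed.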

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKb0Y8mqjQ0CJFipgRAsrQAJwK+924Ln64N1SBSndg3bIboARmJwCfXmRy
75KI+UlJfOVBaDb4CJUCzBM=
=MQFn
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
