Message-Id: <E1THZQH-0005Dv-IP@titan.mandriva.com>
Date: Fri, 28 Sep 2012 14:12:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2012:154 ] apache
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:154
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apache
Date : September 28, 2012
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:

Multiple vulnerabilities have been found and corrected in apache
(ASF HTTPD):

Insecure handling of LD_LIBRARY_PATH was found that could lead to
the current working directory being searched for DSOs. This could
allow a local user to execute code as root if an administrator runs
apachectl from an untrusted directory (CVE-2012-0883).

Possible XSS for sites which use mod_negotiation and allow untrusted
uploads to locations which have MultiViews enabled (CVE-2012-2687).

The updated packages have been upgraded to the latest 2.2.23 version
which is not vulnerable to these issues.
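
Added example, not part of the Mandriva advisory or the Apache sources: one general way a script ends up with the current working directory on the DSO search path is an empty element in LD_LIBRARY_PATH, which the dynamic loader treats as the current directory. The advisory does not show the faulty line; the function names and the /usr/lib/apache directory below are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and /usr/lib/apache are constructed.

# Return 0 if the given LD_LIBRARY_PATH value has an element the dynamic
# loader resolves against the current working directory: an empty element
# (leading, trailing or doubled ':') or any non-absolute path such as '.'.
path_searches_cwd() {
    [ -n "$1" ] || return 1      # empty value: nothing to inspect
    rest="$1:"
    while [ -n "$rest" ]; do
        elem=${rest%%:*}         # text before the first ':'
        rest=${rest#*:}          # text after the first ':'
        case "$elem" in
            /*) ;;               # absolute directory: fine
            *)  return 0 ;;      # empty or relative: cwd gets searched
        esac
    done
    return 1
}

# Unsafe prepend: always appends ':' plus the old value, so an unset or
# empty old value leaves a trailing empty element.
prepend_unsafe() { printf '%s' "$1:$2"; }

# Safe prepend: ${2:+:$2} expands to ':old' only when old is non-empty.
prepend_safe() { printf '%s' "$1${2:+:$2}"; }

# Demo over constructed inputs: old value empty, then already set.
for old in "" "/opt/lib"; do
    for fn in prepend_unsafe prepend_safe; do
        new=$("$fn" /usr/lib/apache "$old")
        if path_searches_cwd "$new"; then verdict="searches cwd"; else verdict="ok"; fi
        printf '%-14s old=%-10s -> %-26s %s\n' "$fn" "'$old'" "$new" "$verdict"
    done
done
```

The same check can be run against the environment of a root shell before invoking a control script, for example `path_searches_cwd "$LD_LIBRARY_PATH"`.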
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.apache.org/dist/httpd/CHANGES_2.2.23
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
Mandriva Enterprise Server 5/X86_64:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFQZWg/mqjQ0CJFipgRAnH7AKCE8P/B3z8Z7c0AKEsKH8YuK/wenACgov5R
nQTUKFMMk3mSevCSc4j5hLk=
=XvNR
-----END PGP SIGNATURE-----