Message-Id: <E1THZQH-0005Dv-IP@titan.mandriva.com>
Date: Fri, 28 Sep 2012 14:12:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2012:154 ] apache

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:154
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apache
 Date    : September 28, 2012
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in apache
 (ASF HTTPD):
 
 Insecure handling of LD_LIBRARY_PATH was found that could cause
 the current working directory to be searched for DSOs. This could
 allow a local user to execute code as root if an administrator runs
 apachectl from an untrusted directory (CVE-2012-0883).
 
 Possible XSS for sites which use mod_negotiation and allow untrusted
 uploads to locations which have MultiViews enabled (CVE-2012-2687).
 
 The updated packages have been upgraded to the latest 2.2.23 version
 which is not vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
 http://httpd.apache.org/security/vulnerabilities_22.html
 http://www.apache.org/dist/httpd/CHANGES_2.2.23
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:

 Mandriva Enterprise Server 5/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQZWg/mqjQ0CJFipgRAnH7AKCE8P/B3z8Z7c0AKEsKH8YuK/wenACgov5R
nQTUKFMMk3mSevCSc4j5hLk=
=XvNR
-----END PGP SIGNATURE-----
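
Added example, not part of the Mandriva advisory or of Apache's code: a check for the class of LD_LIBRARY_PATH problem described under CVE-2012-0883, where a search-path value ends up containing an element that the dynamic loader resolves against the current working directory. The function names and the /opt/apache/lib path are hypothetical, and the unconditional concatenation shown as `naive_prepend` is an assumed illustration of how such a value typically arises, not a quote of the affected script.

```shell
#!/bin/sh
# Added example; function names and sample paths are hypothetical.

# has_cwd_entry VALUE
# Succeeds (returns 0) when VALUE, read as a library search path, contains an
# element resolved against the current directory: an empty element (leading,
# trailing or doubled separator) or a relative path. glibc's ld.so accepts
# both ':' and ';' as separators, so ';' is normalised first.
# The body runs in a subshell so the IFS and globbing changes stay local.
has_cwd_entry() (
    value=$(printf '%s' "$1" | tr ';' ':')
    case "$value" in
        "") return 1 ;;              # empty value: no extra search path at all
        :*|*:|*::*) return 0 ;;      # empty element means "current directory"
    esac
    IFS=:
    set -f                           # no filename expansion while splitting
    for entry in $value; do
        case "$entry" in
            /*) ;;                   # absolute path: fine
            *) return 0 ;;           # relative path: depends on the cwd
        esac
    done
    return 1
)

# Assumed weak pattern: joining unconditionally leaves a trailing ':' when the
# existing value is empty or unset.
naive_prepend() {
    printf '%s:%s\n' "$1" "$2"
}

# Hardened form: add the separator only when there is something to append.
prepend_libdir() {
    printf '%s%s\n' "$1" "${2:+:$2}"
}

# Demonstration on constructed values.
for existing in "" "/usr/lib"; do
    for fn in naive_prepend prepend_libdir; do
        result=$($fn /opt/apache/lib "$existing")
        if has_cwd_entry "$result"; then verdict="searches cwd"; else verdict="ok"; fi
        printf '%-15s existing=%-10s -> %-26s %s\n' "$fn" "'$existing'" "$result" "$verdict"
    done
done
```

Running `has_cwd_entry "$LD_LIBRARY_PATH"` at the top of a privileged start script, and refusing to continue when it succeeds, catches the condition regardless of which wrapper produced the value.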
