Message-Id: <E1TIkKb-0008MJ-QN@titan.mandriva.com>
Date: Mon, 01 Oct 2012 20:03:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2012:154-1 ] apache

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2012:154-1
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apache
 Date    : October 1, 2012
 Affected: 2011.
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in apache
 (ASF HTTPD):
 
 Insecure handling of LD_LIBRARY_PATH was found that could cause the
 current working directory to be searched for DSOs. This could allow
 a local user to execute code as root if an administrator runs
 apachectl from an untrusted directory (CVE-2012-0883).
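 A small audit helper for the LD_LIBRARY_PATH issue above, added here as
 an example and not part of the advisory or of the Apache project: it
 evaluates an envvars-style assignment with LD_LIBRARY_PATH unset and
 flags any empty path element (leading/trailing ':' or '::'), since the
 dynamic loader treats an empty element as the current working directory.
 The two sample lines are constructed, and the ${VAR:+...} form is shown
 as one safe way to append only when the variable is non-empty, not as
 the upstream fix.

```shell
#!/bin/sh
# Added example: detect LD_LIBRARY_PATH assignments that leave an empty element.
# Sample envvars lines, constructed for this example. The first follows the
# unsafe pattern: with LD_LIBRARY_PATH unset it expands to "/usr/lib/apache:",
# whose trailing empty element makes the loader search "." for DSOs.
UNSAFE_LINE='LD_LIBRARY_PATH="/usr/lib/apache:$LD_LIBRARY_PATH"'
SAFE_LINE='LD_LIBRARY_PATH="/usr/lib/apache${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"'

# expand_ldpath LINE [INITIAL]: evaluate the assignment in a subshell with
# LD_LIBRARY_PATH set to INITIAL (or unset when omitted); print the result.
expand_ldpath() {
    line=$1
    if [ $# -ge 2 ]; then
        ( LD_LIBRARY_PATH=$2; export LD_LIBRARY_PATH; eval "$line"
          printf '%s\n' "$LD_LIBRARY_PATH" )
    else
        ( unset LD_LIBRARY_PATH; eval "$line"
          printf '%s\n' "$LD_LIBRARY_PATH" )
    fi
}

# has_empty_element VALUE: true (0) if VALUE has an empty path element,
# i.e. a leading or trailing ':' or a '::' anywhere in the list.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_line LINE: report and return 1 when LINE would expose the CWD,
# return 0 otherwise. Uses the "variable unset" case, the risky one
# when apachectl is started from a clean environment.
audit_line() {
    v=$(expand_ldpath "$1")
    if has_empty_element "$v"; then
        echo "UNSAFE: $1 -> '$v' (empty element, CWD searched for DSOs)"
        return 1
    fi
    echo "OK: $1 -> '$v'"
    return 0
}

# Usage on the constructed samples; the unsafe line reports and returns 1.
audit_line "$SAFE_LINE"
audit_line "$UNSAFE_LINE" || true
```

 To check a real installation, pass each LD_LIBRARY_PATH= line from the
 envvars file sourced by apachectl to audit_line.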
 
 Possible XSS for sites which use mod_negotiation and allow untrusted
 uploads to locations which have MultiViews enabled (CVE-2012-2687).
 
 The updated packages have been upgraded to the latest 2.2.23 version
 which is not vulnerable to these issues.

 Update:

 Packages for Mandriva Linux 2011 are also being provided.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
 http://httpd.apache.org/security/vulnerabilities_22.html
 http://www.apache.org/dist/httpd/CHANGES_2.2.23
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:

 Mandriva Linux 2011/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>