LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: December 22nd, 2014
Linux Advisory Watch: December 19th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Mandriva: 2013:015-1: apache Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Mandrake Multiple vulnerabilities has been found and corrected in apache (ASF HTTPD): Various XSS (cross-site scripting vulnerability) flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, [More...]
 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2013:015-1
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : apache
 Date    : April 4, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in apache
 (ASF HTTPD):
 
 Various XSS (cross-site scripting vulnerability) flaws due to unescaped
 hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap,
 mod_ldap, and mod_proxy_ftp (CVE-2012-3499).
 
 XSS (cross-site scripting vulnerability) in mod_proxy_balancer manager
 interface (CVE-2012-4558).
 
 Additionally the ASF bug 53219 was resolved which provides a way
 to mitigate the CRIME attack vulnerability by disabling TLS-level
 compression. Use the new directive SSLCompression on|off to enable or
 disable TLS-level compression, by default SSLCompression is turned on.
 
 The updated packages have been upgraded to the latest 2.2.24 version
 which is not vulnerable to these issues.

 Update:

 Packages for Mandriva Business Server 1 is being provided.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
 http://httpd.apache.org/security/vulnerabilities_22.html
 http://www.apache.org/dist/httpd/CHANGES_2.2.24
 https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 7509c635731abff8de4726b3f490a65a  mbs1/x86_64/apache-2.2.24-1.mbs1.x86_64.rpm
 c8d15d2347a4186119c59fe34ac83314  mbs1/x86_64/apache-devel-2.2.24-1.mbs1.x86_64.rpm
 e128a1f644d5d96fe4ad08c25278af59  mbs1/x86_64/apache-doc-2.2.24-1.mbs1.noarch.rpm
 f1a8fa36a6f42d9e75570c497a338a21  mbs1/x86_64/apache-htcacheclean-2.2.24-1.mbs1.x86_64.rpm
 b3637ef4aec30f46cef5b4cb6c70fb16  mbs1/x86_64/apache-mod_authn_dbd-2.2.24-1.mbs1.x86_64.rpm
 529da28cbb446db208c3416d57519c31  mbs1/x86_64/apache-mod_cache-2.2.24-1.mbs1.x86_64.rpm
 19cbba7b984d375755ab152af36fa085  mbs1/x86_64/apache-mod_dav-2.2.24-1.mbs1.x86_64.rpm
 1eccf69d4657a3dcc7e73d9fba4ab133  mbs1/x86_64/apache-mod_dbd-2.2.24-1.mbs1.x86_64.rpm
 4cd7e5cddc596281e925e45acf9f2745  mbs1/x86_64/apache-mod_deflate-2.2.24-1.mbs1.x86_64.rpm
 3336f3e2daf72b958e5dafb5212c3c33  mbs1/x86_64/apache-mod_disk_cache-2.2.24-1.mbs1.x86_64.rpm
 7b7ed707bb38b26061d755b981551da2  mbs1/x86_64/apache-mod_file_cache-2.2.24-1.mbs1.x86_64.rpm
 ad7cc8bd814d6fe7123edcd911acd61e  mbs1/x86_64/apache-mod_ldap-2.2.24-1.mbs1.x86_64.rpm
 ea30ba683d4a3c761424d85d127038e9  mbs1/x86_64/apache-mod_mem_cache-2.2.24-1.mbs1.x86_64.rpm
 273dec6dcaa57765722bc617054f4326  mbs1/x86_64/apache-mod_proxy-2.2.24-1.mbs1.x86_64.rpm
 1e2301a111dd7cef51544d46ee2fecd5  mbs1/x86_64/apache-mod_proxy_ajp-2.2.24-1.mbs1.x86_64.rpm
 bf87d20545719e432451c9af603acd26  mbs1/x86_64/apache-mod_proxy_scgi-2.2.24-1.mbs1.x86_64.rpm
 884fb55f90be44415f9cf8a67d2c25bc  mbs1/x86_64/apache-mod_reqtimeout-2.2.24-1.mbs1.x86_64.rpm
 ac91f11c0c7d4b15e30a7f08761a55db  mbs1/x86_64/apache-mod_ssl-2.2.24-1.mbs1.x86_64.rpm
 aa3ee3fd0993015a3ad21af92db10cf3  mbs1/x86_64/apache-mod_suexec-2.2.24-1.mbs1.x86_64.rpm
 bc99a7d1879fff69044d1e0ab716f6d4  mbs1/x86_64/apache-mod_userdir-2.2.24-1.mbs1.x86_64.rpm
 1ebcb5de0cdabdd483d03cd90b37e922  mbs1/x86_64/apache-mpm-event-2.2.24-1.mbs1.x86_64.rpm
 edd2a1509f2f4a0ef6db792db02d6d5f  mbs1/x86_64/apache-mpm-itk-2.2.24-1.mbs1.x86_64.rpm
 8f923499d4f47bd8de82621b15b7e2e0  mbs1/x86_64/apache-mpm-peruser-2.2.24-1.mbs1.x86_64.rpm
 de40119e6d0c18efcc5d42986bcbb92d  mbs1/x86_64/apache-mpm-prefork-2.2.24-1.mbs1.x86_64.rpm
 110746aad4564a1dba52be50c996c582  mbs1/x86_64/apache-mpm-worker-2.2.24-1.mbs1.x86_64.rpm
 a3d0a7163dbe01862ae830eac0ee81b8  mbs1/x86_64/apache-source-2.2.24-1.mbs1.noarch.rpm 
 509beb781e5871d20135d2407aa5cf07  mbs1/SRPMS/apache-2.2.24-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Weekend Edition
Report: U.S. planning “proportional response” to Sony hack, blamed on North Korea
Heartbleed, Shellshock, Tor and more: The 13 biggest security stories of 2014
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.