BugTraq
[ MDVSA-2014:142 ] apache Jul 30 2014 12:17PM
security mandriva com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:142
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : apache
Date : July 30, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated apache package fixes security vulnerabilities:

A race condition flaw, leading to heap-based buffer overflows,
was found in the mod_status httpd module. A remote attacker able to
access a status page served by mod_status on a server using a threaded
Multi-Processing Module (MPM) could send a specially crafted request
that would cause the httpd child process to crash or, possibly,
allow the attacker to execute arbitrary code with the privileges of
the apache user (CVE-2014-0226).

A denial of service flaw was found in the way httpd's mod_deflate
module handled request body decompression (configured via the DEFLATE
input filter). A remote attacker able to send a request whose body
would be decompressed could use this flaw to consume an excessive
amount of system memory and CPU on the target system (CVE-2014-0118).

A denial of service flaw was found in the way httpd's mod_cgid module
executed CGI scripts that did not read data from the standard input. A
remote attacker could submit a specially crafted request that would
cause the httpd child process to hang indefinitely (CVE-2014-0231).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
http://advisories.mageia.org/MGASA-2014-0304.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
e7ed0d96bdef964dcb281969c84ee246 mbs1/x86_64/apache-2.2.27-1.1.mbs1.x86_64.rpm
630779667690cc0344dc3a130922efb2 mbs1/x86_64/apache-devel-2.2.27-1.1.mbs1.x86_64.rpm
02f62e776b47bc71917bacc530116601 mbs1/x86_64/apache-doc-2.2.27-1.1.mbs1.noarch.rpm
5ac808d10784e0a0fed1b1238e965dc8 mbs1/x86_64/apache-htcacheclean-2.2.27-1.1.mbs1.x86_64.rpm
12d7209a6ac1af471fef5754d1efe901 mbs1/x86_64/apache-mod_authn_dbd-2.2.27-1.1.mbs1.x86_64.rpm
08e3be5cd2f1b233ead6ba70ee9a7e40 mbs1/x86_64/apache-mod_cache-2.2.27-1.1.mbs1.x86_64.rpm
9ca153c3ee32b84a5d6e694426d93b06 mbs1/x86_64/apache-mod_dav-2.2.27-1.1.mbs1.x86_64.rpm
a7df22dbf57ad3f926300dd250a8a34c mbs1/x86_64/apache-mod_dbd-2.2.27-1.1.mbs1.x86_64.rpm
93fd5123adf783e19a7e77c49bb2bab8 mbs1/x86_64/apache-mod_deflate-2.2.27-1.1.mbs1.x86_64.rpm
e967eab04bbfefc1c038460652834e16 mbs1/x86_64/apache-mod_disk_cache-2.2.27-1.1.mbs1.x86_64.rpm
44c6603d4f40f820b702d107e367838e mbs1/x86_64/apache-mod_file_cache-2.2.27-1.1.mbs1.x86_64.rpm
e257e68818d03a7e05f99f872aadb761 mbs1/x86_64/apache-mod_ldap-2.2.27-1.1.mbs1.x86_64.rpm
7636b2db4a8461242f3eaa58ca6c5810 mbs1/x86_64/apache-mod_mem_cache-2.2.27-1.1.mbs1.x86_64.rpm
795f09dd6508ce6f84683c0a4e0f50d8 mbs1/x86_64/apache-mod_proxy-2.2.27-1.1.mbs1.x86_64.rpm
31549291edb6d91b20dda3bbf4376f3e mbs1/x86_64/apache-mod_proxy_ajp-2.2.27-1.1.mbs1.x86_64.rpm
231002ea53e9c7b1fdf78d2b415e7ebe mbs1/x86_64/apache-mod_proxy_scgi-2.2.27-1.1.mbs1.x86_64.rpm
c5ec340109b8eb0aa36113ea2b9dff8b mbs1/x86_64/apache-mod_reqtimeout-2.2.27-1.1.mbs1.x86_64.rpm
7b20b71e0c7e424212d2b941cc8e70b7 mbs1/x86_64/apache-mod_ssl-2.2.27-1.1.mbs1.x86_64.rpm
fb27d8413c6f22b94af69e23084e61b0 mbs1/x86_64/apache-mod_suexec-2.2.27-1.1.mbs1.x86_64.rpm
3965833259f643f0a7141451e442c7b2 mbs1/x86_64/apache-mod_userdir-2.2.27-1.1.mbs1.x86_64.rpm
2b7434565978780882e69bbaa9102907 mbs1/x86_64/apache-mpm-event-2.2.27-1.1.mbs1.x86_64.rpm
7c350be0d459259ce9c49c1cf51564d3 mbs1/x86_64/apache-mpm-itk-2.2.27-1.1.mbs1.x86_64.rpm
ef3a271c37fde6b19ab6adaacd3fd046 mbs1/x86_64/apache-mpm-peruser-2.2.27-1.1.mbs1.x86_64.rpm
cd7752c067797c22144f5299fe782d42 mbs1/x86_64/apache-mpm-prefork-2.2.27-1.1.mbs1.x86_64.rpm
7d8576115cb675340084b8fbf884fb94 mbs1/x86_64/apache-mpm-worker-2.2.27-1.1.mbs1.x86_64.rpm
8fd89d82d258f6cdfab8bc8bfa581872 mbs1/x86_64/apache-source-2.2.27-1.1.mbs1.noarch.rpm
5dd921dbff39365fa187e6a24975e5e8 mbs1/SRPMS/apache-2.2.27-1.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically, use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
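The md5 verification that urpmi performs for you can also be done by hand when packages are mirrored or downloaded individually. The script below is an added example, not part of the advisory or of Mandriva's tooling: it takes the "Updated Packages" lines of an advisory such as this one, saved verbatim to a list file, and checks every named RPM under a mirror directory that uses the same relative paths. It assumes GNU md5sum is available; the demonstration at the end uses constructed stand-in files rather than real packages.

```shell
#!/bin/sh
# Added example (not from the advisory or from Mandriva): verify manually
# downloaded update RPMs against an advisory's "md5  relative/path" lines.
# Assumptions: LISTFILE holds the advisory lines verbatim (section headers
# and blank lines included), MIRRORDIR holds the RPMs under the same
# relative paths, and GNU md5sum is on PATH.

# verify_advisory_md5 LISTFILE MIRRORDIR
# Prints OK / MISMATCH / MISSING per listed package. Returns 0 only when
# every package is present with a matching checksum, so a caller can stop a
# rollout before rpm or urpmi ever sees a corrupted file.
verify_advisory_md5() {
    listfile=$1
    mirrordir=$2
    failures=0
    while read -r expected relpath; do
        # Skip blank lines and headers such as "Mandriva Business Server 1/X86_64:"
        # by requiring the first field to be a 32-hex-digit md5 value.
        if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{32}$'; then
            continue
        fi
        file="$mirrordir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            failures=$((failures + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)"
            failures=$((failures + 1))
        fi
    done < "$listfile"
    [ "$failures" -eq 0 ]
}

# Demonstration on constructed data (no real packages are fetched): a
# throwaway mirror holding one intact stand-in, one tampered stand-in, and
# a list that also names a package that was never downloaded. The function
# must report the two bad entries and return non-zero.
demo_verify() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mirror/mbs1/x86_64"
    printf 'constructed intact package\n' > "$tmp/mirror/mbs1/x86_64/good.rpm"
    printf 'constructed tampered package\n' > "$tmp/mirror/mbs1/x86_64/bad.rpm"
    good_sum=$(md5sum "$tmp/mirror/mbs1/x86_64/good.rpm" | cut -d' ' -f1)
    {
        echo "Mandriva Business Server 1/X86_64:"
        echo "$good_sum mbs1/x86_64/good.rpm"
        echo "00000000000000000000000000000000 mbs1/x86_64/bad.rpm"
        echo "ffffffffffffffffffffffffffffffff mbs1/x86_64/absent.rpm"
    } > "$tmp/list.txt"
    verify_advisory_md5 "$tmp/list.txt" "$tmp/mirror"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_verify || echo "advisory checksum verification FAILED (expected for the demo data)"
```

The md5 list only guards against transfer corruption or a stale mirror: an attacker who can alter the packages can alter a plain-text checksum list just as easily. Authenticity comes from the GPG signature on each RPM (`rpm --checksig`) and on the advisory itself, which is why the key retrieval step above matters as much as the checksums.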

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type  Bits/KeyID      Date        User ID
pub   1024D/22458A98  2000-07-10  Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFT2LgtmqjQ0CJFipgRAjI4AKCa/EAlbAtSuYQmxwqlnBVwnpQQ4ACgqEFK
1ZYV3mxcngE2yTMgkLb4G+U=
=zVB3
-----END PGP SIGNATURE-----
