-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:015
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apache
 Date    : February 26, 2013
 Affected: 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in apache (ASF
 HTTPD):

 Various XSS (cross-site scripting vulnerability) flaws due to unescaped
 hostnames and URIs in the HTML output of mod_info, mod_status,
 mod_imagemap, mod_ldap, and mod_proxy_ftp (CVE-2012-3499).

 XSS (cross-site scripting vulnerability) in the mod_proxy_balancer
 manager interface (CVE-2012-4558).

 Additionally, ASF bug 53219 was resolved, which provides a way to
 mitigate the CRIME attack by disabling TLS-level compression. Use the
 new directive SSLCompression on|off to enable or disable TLS-level
 compression; by default SSLCompression is turned on.

 The updated packages have been upgraded to the latest 2.2.24 version,
 which is not vulnerable to these issues.
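Because the advisory states that SSLCompression defaults to on, a configuration that simply never mentions the directive still has TLS-level compression enabled after the upgrade. The following shell script is an added example, not part of the Mandriva advisory or of the httpd project, that audits an httpd configuration file for the effective SSLCompression setting. It assumes the directive is spelled exactly as the advisory gives it (SSLCompression on|off), that the last uncommented occurrence wins, and that an absent directive means the default of "on"; the sample configuration files it checks are constructed inline.

```shell
#!/bin/sh
# Added example (not from the advisory): report the effective SSLCompression
# setting of an httpd 2.2.24 configuration file.
# Assumptions: directive spelled "SSLCompression on|off"; the last uncommented
# occurrence is the effective one; no directive means the default, which the
# advisory states is "on".

# Usage: ssl_compression_state <httpd.conf>
# Prints "on" or "off". A missing directive prints "on" (the default).
ssl_compression_state() {
    conf="$1"
    # Drop comment lines, keep SSLCompression lines (case-insensitive, any
    # leading whitespace), take the last one and lower-case its value.
    state=$(grep -v '^[[:space:]]*#' "$conf" 2>/dev/null \
            | grep -i '^[[:space:]]*SSLCompression[[:space:]]' \
            | tail -n 1 \
            | awk '{print tolower($2)}')
    if [ -z "$state" ]; then
        echo "on"
    else
        echo "$state"
    fi
}

# Usage: crime_mitigated <httpd.conf>
# Returns 0 when TLS-level compression is disabled, 1 otherwise.
crime_mitigated() {
    [ "$(ssl_compression_state "$1")" = "off" ]
}

# Constructed sample configurations for demonstration.
tmpdir=$(mktemp -d)
cat > "$tmpdir/default.conf" <<'EOF'
# No SSLCompression directive at all: the default ("on") applies.
SSLEngine on
EOF
cat > "$tmpdir/hardened.conf" <<'EOF'
SSLEngine on
# SSLCompression on   <- commented out, must be ignored
SSLCompression off
EOF

for f in default.conf hardened.conf; do
    if crime_mitigated "$tmpdir/$f"; then
        echo "$f: TLS compression disabled"
    else
        echo "$f: TLS compression ENABLED (CRIME mitigation missing)"
    fi
done
rm -rf "$tmpdir"
```

Run it against the real files with `ssl_compression_state /etc/httpd/conf/httpd.conf` (and any included vhost files, since the script reads only the file it is given); the distinction that matters is that "on" is reported both when the directive says so and when it is absent.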
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
 http://httpd.apache.org/security/vulnerabilities_22.html
 http://www.apache.org/dist/httpd/CHANGES_2.2.24
 https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:
 289c89be234a9162175b0294e16c591c  2011/i586/apache-base-2.2.24-0.1-mdv2011.0.i586.rpm
 5f8af3db34637d99db3a6bc848c01cac  2011/i586/apache-conf-2.2.24-0.1-mdv2011.0.i586.rpm
 991acd2fbed937e78acbc04cd3ddf2e7  2011/i586/apache-devel-2.2.24-0.1-mdv2011.0.i586.rpm
 a185aaa60a5f6ffa689bfdd30969129e  2011/i586/apache-doc-2.2.24-0.1-mdv2011.0.noarch.rpm
 a069735af2947a3bf3c62137a88ffeca  2011/i586/apache-htcacheclean-2.2.24-0.1-mdv2011.0.i586.rpm
 9dbd40a1889977c6e2de4192b3a49f04  2011/i586/apache-mod_authn_dbd-2.2.24-0.1-mdv2011.0.i586.rpm
 df089c2da852993c46071cf9f1d20ab2  2011/i586/apache-mod_cache-2.2.24-0.1-mdv2011.0.i586.rpm
 e1227b41c3aa254f9f882c439dbb60a8  2011/i586/apache-mod_dav-2.2.24-0.1-mdv2011.0.i586.rpm
 defb1c86a285c224b2a15880ad803040  2011/i586/apache-mod_dbd-2.2.24-0.1-mdv2011.0.i586.rpm
 c6202714af4799b5111615ae9a88e89d  2011/i586/apache-mod_deflate-2.2.24-0.1-mdv2011.0.i586.rpm
 dd7c2831321debb9687208aef93f7e78  2011/i586/apache-mod_disk_cache-2.2.24-0.1-mdv2011.0.i586.rpm
 4b9d9e4c68e41f06e237dc300b358dbc  2011/i586/apache-mod_file_cache-2.2.24-0.1-mdv2011.0.i586.rpm
 20e3419c7a05893eaebb216680abf364  2011/i586/apache-mod_ldap-2.2.24-0.1-mdv2011.0.i586.rpm
 af66de0cae0be6b615866a1a5bf87c94  2011/i586/apache-mod_mem_cache-2.2.24-0.1-mdv2011.0.i586.rpm
 4fff2e9db4b76b080c6b28a41191067e  2011/i586/apache-mod_proxy-2.2.24-0.1-mdv2011.0.i586.rpm
 0185029b460e360a89fe5b39631a1fff  2011/i586/apache-mod_proxy_ajp-2.2.24-0.1-mdv2011.0.i586.rpm
 8c9285340ee4392717266dc11653f806  2011/i586/apache-mod_proxy_scgi-2.2.24-0.1-mdv2011.0.i586.rpm
 a72f9c38ee460de6bc1dc44634225467  2011/i586/apache-mod_reqtimeout-2.2.24-0.1-mdv2011.0.i586.rpm
 9a1ce119bf75d10ec14d1dd3bb61e7f0  2011/i586/apache-mod_ssl-2.2.24-0.1-mdv2011.0.i586.rpm
 ba2613c1bc16fc1caff121744911467a  2011/i586/apache-mod_suexec-2.2.24-0.1-mdv2011.0.i586.rpm
 fe90da4a35bb6709dc3707ea3ef8f7b0  2011/i586/apache-modules-2.2.24-0.1-mdv2011.0.i586.rpm
 97e6288872ec47204673b474f505fc5b  2011/i586/apache-mod_userdir-2.2.24-0.1-mdv2011.0.i586.rpm
 4bfb7faf0754646ca77e6920eca7a994  2011/i586/apache-mpm-event-2.2.24-0.1-mdv2011.0.i586.rpm
 724b8fd1ef97242a50643c19ad5bea28  2011/i586/apache-mpm-itk-2.2.24-0.1-mdv2011.0.i586.rpm
 ecf0644523a56fa84fae17eb0eb7bdc1  2011/i586/apache-mpm-peruser-2.2.24-0.1-mdv2011.0.i586.rpm
 7ca86c4b6d18a8f7d2dbd36e6d6fedc9  2011/i586/apache-mpm-prefork-2.2.24-0.1-mdv2011.0.i586.rpm
 3e4f9253120b07eab512985583fe9b17  2011/i586/apache-mpm-worker-2.2.24-0.1-mdv2011.0.i586.rpm
 f9d6a24fc521f5efb6db1e2b48eaaa6a  2011/i586/apache-source-2.2.24-0.1-mdv2011.0.i586.rpm
 60a51c26a9615f8fe5fd238e324fad53  2011/SRPMS/apache-2.2.24-0.1.src.rpm
 0f8670c68f91c0eac08191f7b4c59459  2011/SRPMS/apache-conf-2.2.24-0.1.src.rpm
 4561b162b6214482270a1c1f9f9bff45  2011/SRPMS/apache-mod_suexec-2.2.24-0.1.src.rpm

 Mandriva Linux 2011/X86_64:
 2bebc91d05e6f2e522899221351a68e0  2011/x86_64/apache-base-2.2.24-0.1-mdv2011.0.x86_64.rpm
 828297781615028d0112d392ed9e3009  2011/x86_64/apache-conf-2.2.24-0.1-mdv2011.0.x86_64.rpm
 ed77958d6201a8242214e05fe3b67425  2011/x86_64/apache-devel-2.2.24-0.1-mdv2011.0.x86_64.rpm
 3ead1940727ce086d97c334d6a41223b  2011/x86_64/apache-doc-2.2.24-0.1-mdv2011.0.noarch.rpm
 b83de49c32acb5334d479d6f07d3df30  2011/x86_64/apache-htcacheclean-2.2.24-0.1-mdv2011.0.x86_64.rpm
 b62eac92a967a099cc9b392c8df76db5  2011/x86_64/apache-mod_authn_dbd-2.2.24-0.1-mdv2011.0.x86_64.rpm
 67d4c4f45e88abfa322b3a3dcff8eff6  2011/x86_64/apache-mod_cache-2.2.24-0.1-mdv2011.0.x86_64.rpm
 f81cc5b0656aa6d6ed61a8f204bdba9e  2011/x86_64/apache-mod_dav-2.2.24-0.1-mdv2011.0.x86_64.rpm
 7f7a259d5793d9f0830da2ce42be9c68  2011/x86_64/apache-mod_dbd-2.2.24-0.1-mdv2011.0.x86_64.rpm
 b73243f05bedd112946467e2dd470349  2011/x86_64/apache-mod_deflate-2.2.24-0.1-mdv2011.0.x86_64.rpm
 757818100b90779f5636dc8a405b045f  2011/x86_64/apache-mod_disk_cache-2.2.24-0.1-mdv2011.0.x86_64.rpm
 95ab9bed5935a49661fed89d0bbde413  2011/x86_64/apache-mod_file_cache-2.2.24-0.1-mdv2011.0.x86_64.rpm
 361667caa3aff7861afafc7236abe511  2011/x86_64/apache-mod_ldap-2.2.24-0.1-mdv2011.0.x86_64.rpm
 8e4cc050ab8248857d98891b6a7cd663  2011/x86_64/apache-mod_mem_cache-2.2.24-0.1-mdv2011.0.x86_64.rpm
 e89d9282d5bcb90ae77f33578fb814cc  2011/x86_64/apache-mod_proxy-2.2.24-0.1-mdv2011.0.x86_64.rpm
 1d2478b41bec0bf4098258c1cfb54a4c  2011/x86_64/apache-mod_proxy_ajp-2.2.24-0.1-mdv2011.0.x86_64.rpm
 22526d7fa623427945524f346a4365e1  2011/x86_64/apache-mod_proxy_scgi-2.2.24-0.1-mdv2011.0.x86_64.rpm
 f58d3f49a90827f1e06a972891a35ce3  2011/x86_64/apache-mod_reqtimeout-2.2.24-0.1-mdv2011.0.x86_64.rpm
 764c5337a0afde50815ec4926324911f  2011/x86_64/apache-mod_ssl-2.2.24-0.1-mdv2011.0.x86_64.rpm
 615a698090d208e3af1fa0126edd4104  2011/x86_64/apache-mod_suexec-2.2.24-0.1-mdv2011.0.x86_64.rpm
 2b087b76a1d2457c2a3e0b1d82028a90  2011/x86_64/apache-modules-2.2.24-0.1-mdv2011.0.x86_64.rpm
 1b85512bbfeb4b1ac03c2e7b5019a7ad  2011/x86_64/apache-mod_userdir-2.2.24-0.1-mdv2011.0.x86_64.rpm
 2af96a1eb1a3e7c0d97b70c382e15105  2011/x86_64/apache-mpm-event-2.2.24-0.1-mdv2011.0.x86_64.rpm
 a4f2ef243034a6d8902822d19dc85475  2011/x86_64/apache-mpm-itk-2.2.24-0.1-mdv2011.0.x86_64.rpm
 141410f4cae45ddc07bc0664330aaf16  2011/x86_64/apache-mpm-peruser-2.2.24-0.1-mdv2011.0.x86_64.rpm
 92fbed1befec4c0f45b3c0c0f092be30  2011/x86_64/apache-mpm-prefork-2.2.24-0.1-mdv2011.0.x86_64.rpm
 72af42ba5a5594ce561d56d5c6d9a4e2  2011/x86_64/apache-mpm-worker-2.2.24-0.1-mdv2011.0.x86_64.rpm
 5013cde8136c71938c2e053ab5d70995  2011/x86_64/apache-source-2.2.24-0.1-mdv2011.0.x86_64.rpm
 60a51c26a9615f8fe5fd238e324fad53  2011/SRPMS/apache-2.2.24-0.1.src.rpm
 0f8670c68f91c0eac08191f7b4c59459  2011/SRPMS/apache-conf-2.2.24-0.1.src.rpm
 4561b162b6214482270a1c1f9f9bff45  2011/SRPMS/apache-mod_suexec-2.2.24-0.1.src.rpm

 Mandriva Enterprise Server 5:
 6dd6edb0b5d97314ee4d4d81d50d6e4d  mes5/i586/apache-base-2.2.24-0.1mdvmes5.2.i586.rpm
 319fe02e7b972f21dd9ec29e0185f44f  mes5/i586/apache-conf-2.2.24-0.1mdvmes5.2.i586.rpm
 e8bd3eae8d128fd5e244045caf5ee6f5  mes5/i586/apache-devel-2.2.24-0.1mdvmes5.2.i586.rpm
 0b0832377327154aa4a98c51fb147919  mes5/i586/apache-doc-2.2.24-0.1mdvmes5.2.i586.rpm
 f8937aebec292a0e8f976048db096e71  mes5/i586/apache-htcacheclean-2.2.24-0.1mdvmes5.2.i586.rpm
 69373e51a9330ea5849de39ec400dbe3  mes5/i586/apache-mod_authn_dbd-2.2.24-0.1mdvmes5.2.i586.rpm
 43feca16e72b04e66ef6342a252b2bb7  mes5/i586/apache-mod_cache-2.2.24-0.1mdvmes5.2.i586.rpm
 af8313cba733be280e0b3e30c32be0c9  mes5/i586/apache-mod_dav-2.2.24-0.1mdvmes5.2.i586.rpm
 91fec82e5d3952f17a15b38f9ec03d68  mes5/i586/apache-mod_dbd-2.2.24-0.1mdvmes5.2.i586.rpm
 8bf734067c73d04cef99b6bf25f66bc9  mes5/i586/apache-mod_deflate-2.2.24-0.1mdvmes5.2.i586.rpm
 27ecd86d710980c332c6fbf6010c3092  mes5/i586/apache-mod_disk_cache-2.2.24-0.1mdvmes5.2.i586.rpm
 aa4985381121d8b627f98ac18f5f25d2  mes5/i586/apache-mod_file_cache-2.2.24-0.1mdvmes5.2.i586.rpm
 7f698e5ea494e573636580e974c5fc2f  mes5/i586/apache-mod_ldap-2.2.24-0.1mdvmes5.2.i586.rpm
 160134ad93e70eb964897fbbc1632fbc  mes5/i586/apache-mod_mem_cache-2.2.24-0.1mdvmes5.2.i586.rpm
 2fa5c492d5af50f867b20233c327ea05  mes5/i586/apache-mod_proxy-2.2.24-0.1mdvmes5.2.i586.rpm
 4185214fd00c80d9e4574168ceb14009  mes5/i586/apache-mod_proxy_ajp-2.2.24-0.1mdvmes5.2.i586.rpm
 81a50e40f0bf364b94fd9a6ccf8655c2  mes5/i586/apache-mod_proxy_scgi-2.2.24-0.1mdvmes5.2.i586.rpm
 ff5a337656b958c3241fc5a978b75b18  mes5/i586/apache-mod_reqtimeout-2.2.24-0.1mdvmes5.2.i586.rpm
 425b81046acc1e05024c8c67dc56796e  mes5/i586/apache-mod_ssl-2.2.24-0.1mdvmes5.2.i586.rpm
 27fb0fcb9cf681f1b235061fe85b73c1  mes5/i586/apache-mod_suexec-2.2.24-0.1mdvmes5.2.i586.rpm
 5e951c0c3d694bde145b5810893c5b5c  mes5/i586/apache-modules-2.2.24-0.1mdvmes5.2.i586.rpm
 9ae777a24be2d3518d130ddd58249e2c  mes5/i586/apache-mod_userdir-2.2.24-0.1mdvmes5.2.i586.rpm
 01c66caefbf0963fdc792368a83c34a6  mes5/i586/apache-mpm-event-2.2.24-0.1mdvmes5.2.i586.rpm
 a3da55a7a39e49a6628788db4150a8df  mes5/i586/apache-mpm-itk-2.2.24-0.1mdvmes5.2.i586.rpm
 8152d5a34bd829ba28b4e449df14a03f  mes5/i586/apache-mpm-peruser-2.2.24-0.1mdvmes5.2.i586.rpm
 ed3f4674858e134cbdf8db082ccff2ac  mes5/i586/apache-mpm-prefork-2.2.24-0.1mdvmes5.2.i586.rpm
 c0cd47361e5d8a979f71dd8e98ffbfe4  mes5/i586/apache-mpm-worker-2.2.24-0.1mdvmes5.2.i586.rpm
 b444e18873265bb6b7fbd3add66ff64a  mes5/i586/apache-source-2.2.24-0.1mdvmes5.2.i586.rpm
 dbe3d441997f0e06d51c96c8981e834f  mes5/SRPMS/apache-2.2.24-0.1mdvmes5.2.src.rpm
 6f9c20607fff35b57811e8b566b688fc  mes5/SRPMS/apache-conf-2.2.24-0.1mdvmes5.2.src.rpm
 4ef70aa09145ec2b8f15ea2c21c5dea0  mes5/SRPMS/apache-mod_suexec-2.2.24-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 0e59782d03138d935b38f93653047abc  mes5/x86_64/apache-base-2.2.24-0.1mdvmes5.2.x86_64.rpm
 178694544c089940994cafb3358bd66c  mes5/x86_64/apache-conf-2.2.24-0.1mdvmes5.2.x86_64.rpm
 d8f21f8b075664de084ee5462d235b84  mes5/x86_64/apache-devel-2.2.24-0.1mdvmes5.2.x86_64.rpm
 a6c0072d3be0d0fd90f61dbd9872a950  mes5/x86_64/apache-doc-2.2.24-0.1mdvmes5.2.x86_64.rpm
 da165aea085b8500165d244e97f5ca58  mes5/x86_64/apache-htcacheclean-2.2.24-0.1mdvmes5.2.x86_64.rpm
 163714433a88eaf3140e297a0f7b049a  mes5/x86_64/apache-mod_authn_dbd-2.2.24-0.1mdvmes5.2.x86_64.rpm
 09e47dae25b0c2a5cc4ad59f21ebce3e  mes5/x86_64/apache-mod_cache-2.2.24-0.1mdvmes5.2.x86_64.rpm
 f9d3ee959228eb91bbf6dad0370e5368  mes5/x86_64/apache-mod_dav-2.2.24-0.1mdvmes5.2.x86_64.rpm
 ead999610ce5785ece13781d2f5b0d66  mes5/x86_64/apache-mod_dbd-2.2.24-0.1mdvmes5.2.x86_64.rpm
 bba1850efa371d493cd6a608fafadd34  mes5/x86_64/apache-mod_deflate-2.2.24-0.1mdvmes5.2.x86_64.rpm
 a67e8403f7acb225b50e9ae3b92d6d65  mes5/x86_64/apache-mod_disk_cache-2.2.24-0.1mdvmes5.2.x86_64.rpm
 20eddbde328e178d9a67bb57d275a4b4  mes5/x86_64/apache-mod_file_cache-2.2.24-0.1mdvmes5.2.x86_64.rpm
 ac154e173a5429742559237f2b0d014b  mes5/x86_64/apache-mod_ldap-2.2.24-0.1mdvmes5.2.x86_64.rpm
 596013759868c8e22739c058e2ea61f6  mes5/x86_64/apache-mod_mem_cache-2.2.24-0.1mdvmes5.2.x86_64.rpm
 f5742a3e437fdfdb85fa99128b4f7e8a  mes5/x86_64/apache-mod_proxy-2.2.24-0.1mdvmes5.2.x86_64.rpm
 fd502968872d2be5c018e0fbb9f97b1a  mes5/x86_64/apache-mod_proxy_ajp-2.2.24-0.1mdvmes5.2.x86_64.rpm
 7e905ce8177a1746ce3fd1ce40512470  mes5/x86_64/apache-mod_proxy_scgi-2.2.24-0.1mdvmes5.2.x86_64.rpm
 9518bdc5a4dbe14b16aa9228f404e33d  mes5/x86_64/apache-mod_reqtimeout-2.2.24-0.1mdvmes5.2.x86_64.rpm
 d1eec3970980c9dfde163fc2039213d9  mes5/x86_64/apache-mod_ssl-2.2.24-0.1mdvmes5.2.x86_64.rpm
 5fc3a8b10152d52db0c750d6da821ae7  mes5/x86_64/apache-mod_suexec-2.2.24-0.1mdvmes5.2.x86_64.rpm
 96b166e33189eb97b8c0353804e583d6  mes5/x86_64/apache-modules-2.2.24-0.1mdvmes5.2.x86_64.rpm
 1022717e5463c61a4200764d53b5f47c  mes5/x86_64/apache-mod_userdir-2.2.24-0.1mdvmes5.2.x86_64.rpm
 92bd2b1ee635ced3db4257bc53af5266  mes5/x86_64/apache-mpm-event-2.2.24-0.1mdvmes5.2.x86_64.rpm
 aa97fe2e7063357a1aaed568258b8818  mes5/x86_64/apache-mpm-itk-2.2.24-0.1mdvmes5.2.x86_64.rpm
 26197b7255a701aaf2c541b5cd779470  mes5/x86_64/apache-mpm-peruser-2.2.24-0.1mdvmes5.2.x86_64.rpm
 7d398eb4c6841172a934a1814c72035f  mes5/x86_64/apache-mpm-prefork-2.2.24-0.1mdvmes5.2.x86_64.rpm
 51bcd6b3b9bcb46a5ca74a54584499f4  mes5/x86_64/apache-mpm-worker-2.2.24-0.1mdvmes5.2.x86_64.rpm
 6aa22fdbc419e7a11a09176cb18dda75  mes5/x86_64/apache-source-2.2.24-0.1mdvmes5.2.x86_64.rpm
 dbe3d441997f0e06d51c96c8981e834f  mes5/SRPMS/apache-2.2.24-0.1mdvmes5.2.src.rpm
 6f9c20607fff35b57811e8b566b688fc  mes5/SRPMS/apache-conf-2.2.24-0.1mdvmes5.2.src.rpm
 4ef70aa09145ec2b8f15ea2c21c5dea0  mes5/SRPMS/apache-mod_suexec-2.2.24-0.1mdvmes5.2.src.rpm
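The Updated Packages list above pairs an md5 checksum with each file, and the advisory says urpmi and MandrivaUpdate check those checksums and the GPG signatures automatically. For packages fetched by hand, the following shell script is an added example, not part of the advisory, that re-does the checksum half of that check: it reads "<md5> <path>" lines (section headings and blank lines are skipped, so the advisory's package list can be fed in as-is), hashes each file under a download directory with GNU md5sum, and reports OK, MISMATCH or MISSING per entry. The sample packages and manifest it demonstrates on are constructed inline with hashes computed on the spot, not taken from the advisory; a checksum match only shows the file is the one the advisory lists, while authenticity of the list itself rests on the PGP signature on this message and on the RPM signatures.

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded packages against
# the "<md5> <relative path>" entries of an advisory's Updated Packages list.
# Assumptions: entries are one per line, the first field is a 32-hex-digit md5,
# the second field is a path relative to the download directory; any line whose
# first field is not a 32-hex-digit value (headings, blanks) is ignored.
# md5sum is the GNU coreutils tool.

# Usage: verify_manifest <manifest> <download-dir>
# Prints one status line per entry. Returns 0 only when every listed file is
# present and its md5 matches; returns 1 if anything is missing or altered.
verify_manifest() {
    manifest="$1"; dir="$2"; bad=0
    while read -r expected path; do
        # Skip blank lines and section headings such as "Mandriva Linux 2011:".
        [ "${#expected}" -eq 32 ] || continue
        case "$expected" in *[!0-9a-f]*) continue ;; esac
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(md5sum "$file" | awk '{print $1}')
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Constructed demonstration: two fake packages under a placeholder layout,
# a manifest written from their real hashes, then one package altered.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/example/i586"
printf 'first fake package\n'  > "$demo_dir/example/i586/example-pkg-1.rpm"
printf 'second fake package\n' > "$demo_dir/example/i586/example-pkg-2.rpm"
{
    echo "Example Section Heading:"
    for p in example-pkg-1.rpm example-pkg-2.rpm; do
        printf '%s  example/i586/%s\n' \
            "$(md5sum "$demo_dir/example/i586/$p" | awk '{print $1}')" "$p"
    done
    printf '%s  example/i586/example-pkg-3.rpm\n' "00000000000000000000000000000000"
} > "$demo_dir/manifest"
printf 'tampered\n' >> "$demo_dir/example/i586/example-pkg-2.rpm"

if verify_manifest "$demo_dir/manifest" "$demo_dir"; then
    echo "all packages match the manifest"
else
    echo "verification FAILED: do not install these packages"
fi
rm -rf "$demo_dir"
```

In the demonstration the first entry reports OK, the second MISMATCH (altered after hashing) and the third MISSING (listed but never downloaded), so the overall result is a failure; a single MISMATCH or MISSING is enough to stop the install.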
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFRLG44mqjQ0CJFipgRArM1AKDaK2GPDjdBn+c+g+zkvOhoZ51cfwCcCSUg
RV3Pp0VO0qOcjczQslRJwtA=
=aNmi
-----END PGP SIGNATURE-----