[ GLSA 200807-06 ] Apache: Denial of Service

From: Robert Buchholz (rbu@gentoo.org)
Date: Wed Jul 09 2008 - 17:00:06 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200807-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Apache: Denial of Service
      Date: July 09, 2008
      Bugs: #222643, #227111
        ID: 200807-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Apache might lead to a Denial of Service.

Background
==========

The Apache HTTP server is one of the most popular web servers on the
Internet.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-servers/apache        < 2.2.9                        >= 2.2.9

Description
===========

Multiple vulnerabilities have been discovered in Apache:

* Dustin Kirkland reported that the mod_ssl module can leak memory
  when the client reports support for a compression algorithm
  (CVE-2008-1678).

* Ryujiro Shibuya reported that the ap_proxy_http_process_response()
  function in the mod_proxy module does not limit the number of
  forwarded interim responses (CVE-2008-2364).

* sp3x of SecurityReason reported a Cross-Site Request Forgery
  vulnerability in the balancer-manager in the mod_proxy_balancer
  module (CVE-2007-6420).
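The second item above describes a missing bound: a proxy that consumes and forwards every 1xx interim response an origin sends does an unbounded amount of work per request. The following is an added example, not Apache's or Gentoo's code, of the kind of cap a proxy-side response reader should enforce. The cap value, the function names and the sample origin responses are all constructed for this illustration.

```python
"""Added example, not Apache's code: a proxy-side reader that caps the
number of 1xx interim responses it will consume before the final response.
It illustrates the class of bound CVE-2008-2364 is about (mod_proxy
forwarding interim responses without limit). The cap, the function names
and the sample responses are constructed for this illustration."""
import io

MAX_INTERIM_RESPONSES = 10  # constructed cap; a small fixed bound is the point


class TooManyInterimResponses(Exception):
    """Origin sent more 1xx responses than the configured cap allows."""


def read_status_line(stream):
    """Parse 'HTTP/1.x <code> <reason>' and return the numeric code."""
    line = stream.readline()
    if not line:
        raise ValueError("connection closed before a status line")
    parts = line.decode("iso-8859-1").rstrip("\r\n").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % line)
    return int(parts[1])


def read_headers(stream):
    """Consume header lines up to and including the terminating blank line."""
    headers = {}
    while True:
        line = stream.readline()
        if not line:
            raise ValueError("connection closed inside the header block")
        if line in (b"\r\n", b"\n"):
            return headers
        name, _, value = line.decode("iso-8859-1").partition(":")
        headers[name.strip().lower()] = value.strip()


def read_final_response(stream, max_interim=MAX_INTERIM_RESPONSES):
    """Return (status, headers, interim_count) for the first non-1xx response.

    Every 1xx response (status line plus its header block) is consumed and
    counted; once the count exceeds max_interim the read is aborted instead
    of continuing for as long as the origin keeps sending them.
    """
    interim = 0
    while True:
        status = read_status_line(stream)
        headers = read_headers(stream)
        if 100 <= status < 200:
            interim += 1
            if interim > max_interim:
                raise TooManyInterimResponses(
                    "more than %d interim responses from origin" % max_interim)
            continue
        return status, headers, interim


def parse_origin_bytes(raw, max_interim=MAX_INTERIM_RESPONSES):
    """Same as read_final_response, but over an in-memory byte string."""
    return read_final_response(io.BytesIO(raw), max_interim)


def classify_origin_bytes(raw, max_interim=MAX_INTERIM_RESPONSES):
    """'forward' if a final response was reached within the cap, else 'reject'."""
    try:
        parse_origin_bytes(raw, max_interim)
    except TooManyInterimResponses:
        return "reject"
    return "forward"


# Constructed sample origin responses (not captured traffic).
ONE_INTERIM = (b"HTTP/1.1 100 Continue\r\n\r\n"
               b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
MANY_INTERIM = b"HTTP/1.1 100 Continue\r\n\r\n" * 50 + b"HTTP/1.1 200 OK\r\n\r\n"

if __name__ == "__main__":
    print(parse_origin_bytes(ONE_INTERIM))   # (200, {'content-length': '2'}, 1)
    print(classify_origin_bytes(MANY_INTERIM))  # reject
```

The reader stops at the first non-1xx status and leaves the body unread on the stream, which is where a real proxy would hand off to its body-forwarding logic; the only behaviour added over a naive loop is the counter and the abort.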

Impact
======

A remote attacker could exploit these vulnerabilities by connecting to
an Apache httpd, by causing an Apache proxy server to connect to a
malicious server, or by enticing a balancer administrator to connect to
a specially-crafted URL, resulting in a Denial of Service of the Apache
daemon.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.9"
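Before and after upgrading, an administrator usually wants to confirm which side of the 2.2.9 boundary the installed build falls on. The following is an added example, not Gentoo's or Apache's tooling, that applies the Affected packages table above with component-wise numeric comparison (so that 2.2.10 is not mistaken for an older release than 2.2.9) and treats Gentoo "-rN" revision suffixes as a trailing component. The function names and the sample banner line are constructed for this example.

```python
"""Added example, not Gentoo's or Apache's tooling: decide whether an
installed www-servers/apache version falls inside this advisory's
vulnerable range (< 2.2.9) using numeric rather than string comparison.
Gentoo "-rN" revision suffixes are handled as a trailing component; any
other form is rejected rather than silently treated as unaffected.
Function names and the sample banner are constructed for this example."""
import re

UNAFFECTED_FROM = "2.2.9"  # lower bound of the Unaffected column in the table

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
_BANNER_RE = re.compile(r"Apache/(\S+)")


def parse_version(text):
    """'2.2.8-r1' -> ([2, 2, 8], 1); raises ValueError on anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return ([int(p) for p in m.group(1).split(".")], int(m.group(2) or 0))


def is_vulnerable(installed, unaffected_from=UNAFFECTED_FROM):
    """True when installed < unaffected_from, compared component by component."""
    return parse_version(installed) < parse_version(unaffected_from)


def version_from_banner(banner):
    """Pull the version out of an `apache2 -v` style line, e.g.
    'Server version: Apache/2.2.8 (Unix)' -> '2.2.8'."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("no Apache version in banner: %r" % banner)
    return m.group(1)


def assess(banner_or_version):
    """Return 'vulnerable' or 'unaffected' for a banner line or a bare version."""
    text = banner_or_version
    if "Apache/" in text:
        text = version_from_banner(text)
    return "vulnerable" if is_vulnerable(text) else "unaffected"


if __name__ == "__main__":
    # Constructed sample banner, not real command output.
    print(assess("Server version: Apache/2.2.8 (Unix)"))  # vulnerable
    print(assess("2.2.9-r1"))                             # unaffected
```

A parse failure raises rather than returning "unaffected", so an unexpected version format on a host cannot be misread as a clean result.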

References
==========

  [ 1 ] CVE-2007-6420
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420
  [ 2 ] CVE-2008-1678
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678
  [ 3 ] CVE-2008-2364
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200807-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iQIcBAABAgAGBQJIdTTuAAoJECaaHo/OfoM5EcsP/3XjdhsiU7/1B3oz9NjZtjTu
ek6NV30isymduENSI7umvMnQBG22yszGxMEDS67is1QzUsbMLmoHoJuB/ovJyD9Z
C7OLyQLxs0SVtNEDV4oyoioB/dAYHEc8oiVqTHQqfSLJFNZi/YRGZWIRQRJiirwW
0QhbHEwYVhcB5D2HQRXC2URHKoaGHNXcSNd8guGCr1wBDPxqI22s9VdDMKctl6iE
YjHavgycx6zsI0P1d9p82kCQR4XhIn4K13ewretAIW9Vn+nzO7qxlurO9ZQ4J9FT
zXxeFMlycJxRQTv7laKopLlLfU/nPzpfna1YhM0XvHH7eV06rOUTxpcvJ8hULNGU
1v6rAJUIZ+TWuLm/gTqkPjcf+lK5xHHXyDRMtWvRpac3CaW8S1ZLYKIuBihBNYSq
bMaWUHAqtR+YYRNM8+6F3ixH1ddnNQyYXM2SPjy8WUudXHsOX50YmJeEdQA0ba5s
lv6h2YBKjWjXTahlIYRMBjyDcVGEyG4LTtYtJUbs8pRv2WCnQEEa7IttY1tWmcKe
YK5cJfgjHxCHNYVV0/b3h+qQtMrkQP4hA9sIKwtV4brjAmIEQYAWOdMDCqSZGmt+
oIsb95R5kI9GCSUFiNwfYfvh0HWpJjIn5jMAWgICkKIeXZsOA+WcA8uWZSTm04Ux
OCLou7BCXdrb/qKbQNMh
=9+0p
-----END PGP SIGNATURE-----