ID

VAR-200705-0688

CVE

CVE-2008-2364

TITLE

Hitachi Web Server Reverse Proxy Denial of Service (DoS) Vulnerability

DESCRIPTION

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. Hitachi Web Server contains a vulnerability that could lead to a denial of service (DoS) condition when using it as a reverse proxy due to excessive memory usage.The server could fall into a denial of service (DoS) state when continuously receiving fraudulent responses from backend Web servers. The Apache 'mod_proxy_http' module is prone to a denial-of-service vulnerability that affects the processing of interim responses. Attackers may exploit this issue to cause denial-of-service conditions. Reportedly, the issue affects Apache 2.2.8 and 2.0.63; other versions may also be affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01650939 Version: 1 HPSBUX02401 SSRT090005 rev.1 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2009-02-02 Last Updated: 2009-02-02 Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, cross-site request forgery (CSRF) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servelet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). Apache-based Web Server and Tomcat-based Servelet Engine are contained in the Apache Web Server Suite. References: CVE-2007-6420, CVE-2008-1232, CVE-2008-1947, CVE-2008-2364, CVE-2008-2370, CVE-2008-2938, CVE-2008-2939, CVE-2008-3658 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.23 and B.11.31 running Apache-based Web Server v2.2.8.01.01 or earlier or Tomcat-based Servelet Engine v5.5.27.01.01 or earlier HP-UX B.11.11 running Apache-based Web Server v2.2.8.01.01 or earlier BACKGROUND CVSS 2.0 Base Metrics =============================================== Reference Base Vector Base Score CVE-2007-6420 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-1232 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-1947 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-2364 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0 CVE-2008-2370 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0 CVE-2008-2938 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-2939 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-3658 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 7.5 =============================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002. RESOLUTION HP has provided the following upgrades to resolve these vulnerabilities. The upgrades are available from the following location: URL: http://software.hp.com Note: HP-UX Web Server Suite v.3.02 contains HP-UX Apache-based Web Server v.2.2.8.01.02 and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01 HP-UX Release - B.11.23 and B.11.31 PA-32 Apache Depot name - HPUXWSATW-B302-32.depot HP-UX Release - B.11.23 and B.11.31 IA-64 Apache Depot name - HPUXWSATW-B302-64.depot HP-UX Release - B.11.11 PA-32 Apache Depot name - HPUXWSATW-B222-1111.depot MANUAL ACTIONS: Yes - Update Install Apache-based Web Server or Tomcat-based Servelet Engine from the Apache Web Server Suite v3.02 or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 ================== hpuxwsAPACHE.APACHE hpuxwsAPACHE.APACHE2 hpuxwsAPACHE.AUTH_LDAP hpuxwsAPACHE.AUTH_LDAP2 hpuxwsAPACHE.MOD_JK hpuxwsAPACHE.MOD_JK2 hpuxwsAPACHE.MOD_PERL hpuxwsAPACHE.MOD_PERL2 hpuxwsAPACHE.PHP hpuxwsAPACHE.PHP2 hpuxwsAPACHE.WEBPROXY hpuxwsTOMCAT.TOMCAT hpuxwsWEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com HP-UX B.11.23 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22TOMCAT.TOMCAT hpuxws22WEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com HP-UX B.11.31 ================== hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 hpuxws22TOMCAT.TOMCAT hpuxws22WEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com END AFFECTED VERSIONS HISTORY Version:1 (rev.1) 2 February 2009 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." \xa9Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBSYhX8+AfOvwtKn1ZEQJxcACeJa8lt5TkhV5qnaGRTaBh4kqHutgAoJbH XCe08aGCzEZj/q4n91JQnhq6 =XImF -----END PGP SIGNATURE----- . A cross-site scripting vulnerability was found in the mod_proxy_ftp module in Apache that allowed remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). The updated packages have been patched to prevent these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.1: 7ba0fa98b5e5f34f2c3bb5798f300736 2007.1/i586/apache-base-2.2.4-6.5mdv2007.1.i586.rpm 82dccbbcca45d5aba2c7a9afb615ffb7 2007.1/i586/apache-devel-2.2.4-6.5mdv2007.1.i586.rpm 43c50d9ad73f39e88acf35a48915f472 2007.1/i586/apache-htcacheclean-2.2.4-6.5mdv2007.1.i586.rpm 7e7821b41de94eba4e413c4218e72f05 2007.1/i586/apache-mod_authn_dbd-2.2.4-6.5mdv2007.1.i586.rpm 82b527ca5b90f4857ece74972c34bd2b 2007.1/i586/apache-mod_cache-2.2.4-6.5mdv2007.1.i586.rpm 4bc7f0488a4c8ea05446ea04611fa671 2007.1/i586/apache-mod_dav-2.2.4-6.5mdv2007.1.i586.rpm fa53bb715a9733fc5f4ef8a18e8a1577 2007.1/i586/apache-mod_dbd-2.2.4-6.5mdv2007.1.i586.rpm d9759e97fb29783b69ee4bebba96e9d8 2007.1/i586/apache-mod_deflate-2.2.4-6.5mdv2007.1.i586.rpm 9934937a1a7fb3ab277daac03a04fd6e 2007.1/i586/apache-mod_disk_cache-2.2.4-6.5mdv2007.1.i586.rpm 4f16a0af444be1610749287944264d1b 2007.1/i586/apache-mod_file_cache-2.2.4-6.5mdv2007.1.i586.rpm 9b1fc5ab5579bde1fbfb9ae08b18d1ec 2007.1/i586/apache-mod_ldap-2.2.4-6.5mdv2007.1.i586.rpm 9a9029063f10dd3fa81ee4eed3fe5d51 2007.1/i586/apache-mod_mem_cache-2.2.4-6.5mdv2007.1.i586.rpm 6930a06576c337ca7ecaab2a8cf4ca59 2007.1/i586/apache-mod_proxy-2.2.4-6.5mdv2007.1.i586.rpm c7834d18c0999590abb42d3efad7a035 2007.1/i586/apache-mod_proxy_ajp-2.2.4-6.5mdv2007.1.i586.rpm 641b5bc3988af4ee0f5600e2d34c1230 2007.1/i586/apache-mod_ssl-2.2.4-6.5mdv2007.1.i586.rpm af9bada6d30145bfaa58be10eec6798b 2007.1/i586/apache-modules-2.2.4-6.5mdv2007.1.i586.rpm 796296888cfb7978fbca22764de10753 2007.1/i586/apache-mod_userdir-2.2.4-6.5mdv2007.1.i586.rpm 110acb3a28bf8e911309afd7d5381950 2007.1/i586/apache-mpm-event-2.2.4-6.5mdv2007.1.i586.rpm 065949244c838c9ec8baf47e66227803 2007.1/i586/apache-mpm-itk-2.2.4-6.5mdv2007.1.i586.rpm ad0e0e109fbed8fc7be0d6b8b36c7503 2007.1/i586/apache-mpm-prefork-2.2.4-6.5mdv2007.1.i586.rpm 31ce817bb36ec93214fdb177f86096cf 2007.1/i586/apache-mpm-worker-2.2.4-6.5mdv2007.1.i586.rpm 5eba2d9af248c7107279f21cd4bde2b3 2007.1/i586/apache-source-2.2.4-6.5mdv2007.1.i586.rpm 012cdfd939633fa3feae44c7d7bec736 2007.1/SRPMS/apache-2.2.4-6.5mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: 5997be8532eccc8f20f5c121895df248 2007.1/x86_64/apache-base-2.2.4-6.5mdv2007.1.x86_64.rpm 096a4e2f17838c847099f2dc41e4ca5a 2007.1/x86_64/apache-devel-2.2.4-6.5mdv2007.1.x86_64.rpm b4f3cd71a3683bcc4e9b1dcdabcbfdaa 2007.1/x86_64/apache-htcacheclean-2.2.4-6.5mdv2007.1.x86_64.rpm f03a92759c1159477f04890092636f27 2007.1/x86_64/apache-mod_authn_dbd-2.2.4-6.5mdv2007.1.x86_64.rpm 1bc914605bd0c3b05d455eeb053068e2 2007.1/x86_64/apache-mod_cache-2.2.4-6.5mdv2007.1.x86_64.rpm 3e8aaa6e0d70bdc5f439928f102a5f61 2007.1/x86_64/apache-mod_dav-2.2.4-6.5mdv2007.1.x86_64.rpm a51dabbb6220c17ecdb001cf1444e99f 2007.1/x86_64/apache-mod_dbd-2.2.4-6.5mdv2007.1.x86_64.rpm 1252150d2fc936309c6cb9794627cc8f 2007.1/x86_64/apache-mod_deflate-2.2.4-6.5mdv2007.1.x86_64.rpm bc4878995bfe34a46419a3a6aa090d91 2007.1/x86_64/apache-mod_disk_cache-2.2.4-6.5mdv2007.1.x86_64.rpm cd8b213c41d3dce5070483cf2e9d71e2 2007.1/x86_64/apache-mod_file_cache-2.2.4-6.5mdv2007.1.x86_64.rpm ec1a79f3d6defecb3ed2dbf8d85ba98c 2007.1/x86_64/apache-mod_ldap-2.2.4-6.5mdv2007.1.x86_64.rpm 6158e3825e4b7e631f6c6eab65660aab 2007.1/x86_64/apache-mod_mem_cache-2.2.4-6.5mdv2007.1.x86_64.rpm 4b01be50b5531dfd3a92189388165c7b 2007.1/x86_64/apache-mod_proxy-2.2.4-6.5mdv2007.1.x86_64.rpm 32735f0b995664e2983c3768473db144 2007.1/x86_64/apache-mod_proxy_ajp-2.2.4-6.5mdv2007.1.x86_64.rpm a1709d589420b97e255a7f5db47e859c 2007.1/x86_64/apache-mod_ssl-2.2.4-6.5mdv2007.1.x86_64.rpm 936c34490fcc180777a3248d9970da5a 2007.1/x86_64/apache-modules-2.2.4-6.5mdv2007.1.x86_64.rpm 0364549013611e3e748a917a6269a61d 2007.1/x86_64/apache-mod_userdir-2.2.4-6.5mdv2007.1.x86_64.rpm 2640fd4b78d98e1aa7a8d994d7610b16 2007.1/x86_64/apache-mpm-event-2.2.4-6.5mdv2007.1.x86_64.rpm 4edad0e4f3119f88d4360d5a11dd3fd4 2007.1/x86_64/apache-mpm-itk-2.2.4-6.5mdv2007.1.x86_64.rpm 6ed107f6f60a88008aa0a21d1133c78e 2007.1/x86_64/apache-mpm-prefork-2.2.4-6.5mdv2007.1.x86_64.rpm c39136dbd1fe0d53b80ed5fb232c775b 2007.1/x86_64/apache-mpm-worker-2.2.4-6.5mdv2007.1.x86_64.rpm 46b245caca2ae8afa49d9e13122cae58 2007.1/x86_64/apache-source-2.2.4-6.5mdv2007.1.x86_64.rpm 012cdfd939633fa3feae44c7d7bec736 2007.1/SRPMS/apache-2.2.4-6.5mdv2007.1.src.rpm Mandriva Linux 2008.0: 9fba06d7b75a7400faf855f0947f0ead 2008.0/i586/apache-base-2.2.6-8.2mdv2008.0.i586.rpm c560ededd59c4f2556074326363991fe 2008.0/i586/apache-devel-2.2.6-8.2mdv2008.0.i586.rpm 80cb61aff0fc88d4e88074bfaf789e0a 2008.0/i586/apache-htcacheclean-2.2.6-8.2mdv2008.0.i586.rpm 69d3778cb2452189e9586c2f517c67ff 2008.0/i586/apache-mod_authn_dbd-2.2.6-8.2mdv2008.0.i586.rpm 3b965dacd1d53c70b21bcbb45b62b4e4 2008.0/i586/apache-mod_cache-2.2.6-8.2mdv2008.0.i586.rpm 6b780e4611adb7d56bd562334f98c6ef 2008.0/i586/apache-mod_dav-2.2.6-8.2mdv2008.0.i586.rpm 148aad51fd72443d47f8afbf07943fc0 2008.0/i586/apache-mod_dbd-2.2.6-8.2mdv2008.0.i586.rpm e908b7d6220cb636d53a9989ed84337b 2008.0/i586/apache-mod_deflate-2.2.6-8.2mdv2008.0.i586.rpm 3ecc6c18d5ee2e34b6e3c770ce28199a 2008.0/i586/apache-mod_disk_cache-2.2.6-8.2mdv2008.0.i586.rpm 7557a733237c84de3477113a80119656 2008.0/i586/apache-mod_file_cache-2.2.6-8.2mdv2008.0.i586.rpm 586a9e027e6ec327c24f231d1c2705e3 2008.0/i586/apache-mod_ldap-2.2.6-8.2mdv2008.0.i586.rpm de055c23ec9eac3ac78f6a31146db8a9 2008.0/i586/apache-mod_mem_cache-2.2.6-8.2mdv2008.0.i586.rpm 4a32c704527fd42c97ffb8be87531363 2008.0/i586/apache-mod_proxy-2.2.6-8.2mdv2008.0.i586.rpm ad7bdc0861c42629366b0c4f0552eb0a 2008.0/i586/apache-mod_proxy_ajp-2.2.6-8.2mdv2008.0.i586.rpm 0ae1b7ba57162f8ae870e08e48f0d964 2008.0/i586/apache-mod_ssl-2.2.6-8.2mdv2008.0.i586.rpm 2d848e1ee979d12c66ef10b638ebce6e 2008.0/i586/apache-modules-2.2.6-8.2mdv2008.0.i586.rpm 085e672acacd0642f2baa8bce631b26b 2008.0/i586/apache-mod_userdir-2.2.6-8.2mdv2008.0.i586.rpm 3564507283ffddfaa528991d514ce3c4 2008.0/i586/apache-mpm-event-2.2.6-8.2mdv2008.0.i586.rpm 360033e8459d52a323753246d977eb2b 2008.0/i586/apache-mpm-itk-2.2.6-8.2mdv2008.0.i586.rpm ca4c9127740d3a433087031c706878ab 2008.0/i586/apache-mpm-prefork-2.2.6-8.2mdv2008.0.i586.rpm b892724c9776743f777ebf9da44159a8 2008.0/i586/apache-mpm-worker-2.2.6-8.2mdv2008.0.i586.rpm 15cc53561ac91ba3f89af6c2057726a7 2008.0/i586/apache-source-2.2.6-8.2mdv2008.0.i586.rpm fb2e547dc2b02b0d55384751729d8c2a 2008.0/SRPMS/apache-2.2.6-8.2mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: f5c28f5db00c8d87e77bbe8b387c29e1 2008.0/x86_64/apache-base-2.2.6-8.2mdv2008.0.x86_64.rpm 2ea378183715ca15ead2b60c0ba6d1f3 2008.0/x86_64/apache-devel-2.2.6-8.2mdv2008.0.x86_64.rpm d15052d92f5918f47be634f052f5c8f8 2008.0/x86_64/apache-htcacheclean-2.2.6-8.2mdv2008.0.x86_64.rpm e00bae3dea071434ee63a0708f9cb2c9 2008.0/x86_64/apache-mod_authn_dbd-2.2.6-8.2mdv2008.0.x86_64.rpm e16ceda13087b1e924b1233fa4c58568 2008.0/x86_64/apache-mod_cache-2.2.6-8.2mdv2008.0.x86_64.rpm 86ddeb3f207a928c537a1bac4a3b59f1 2008.0/x86_64/apache-mod_dav-2.2.6-8.2mdv2008.0.x86_64.rpm 2a239f7bd6a3e74a29b69f29f217fd98 2008.0/x86_64/apache-mod_dbd-2.2.6-8.2mdv2008.0.x86_64.rpm 6c3faec4fd23ed64ecbf508097fa948c 2008.0/x86_64/apache-mod_deflate-2.2.6-8.2mdv2008.0.x86_64.rpm 286c89f9021f2e766324f52196b6e03f 2008.0/x86_64/apache-mod_disk_cache-2.2.6-8.2mdv2008.0.x86_64.rpm 480c9861c06f5b535bcd0bd87e225023 2008.0/x86_64/apache-mod_file_cache-2.2.6-8.2mdv2008.0.x86_64.rpm 61ed284bda26162a1da185a2aedca12e 2008.0/x86_64/apache-mod_ldap-2.2.6-8.2mdv2008.0.x86_64.rpm 2c8670da45ffbff476a189f4af7eecb3 2008.0/x86_64/apache-mod_mem_cache-2.2.6-8.2mdv2008.0.x86_64.rpm bee8fdde4536e497abfc7e48dd659689 2008.0/x86_64/apache-mod_proxy-2.2.6-8.2mdv2008.0.x86_64.rpm d45fe91cccf27cd403cfb2fd2f5bb5ba 2008.0/x86_64/apache-mod_proxy_ajp-2.2.6-8.2mdv2008.0.x86_64.rpm d9becf61089cb4dc0b224e4fccb11fb4 2008.0/x86_64/apache-mod_ssl-2.2.6-8.2mdv2008.0.x86_64.rpm 62ac5f1ec4c984dce76176203f5eeb6e 2008.0/x86_64/apache-modules-2.2.6-8.2mdv2008.0.x86_64.rpm 7042049d1d0b99c1e7f46142d6993761 2008.0/x86_64/apache-mod_userdir-2.2.6-8.2mdv2008.0.x86_64.rpm bd06a8f2c4074d5722556c38c5e0dc03 2008.0/x86_64/apache-mpm-event-2.2.6-8.2mdv2008.0.x86_64.rpm 6848d1ad52463fbf9de4631b22a4dd81 2008.0/x86_64/apache-mpm-itk-2.2.6-8.2mdv2008.0.x86_64.rpm 6bc3fee77b90a73d54dba755a96f4e11 2008.0/x86_64/apache-mpm-prefork-2.2.6-8.2mdv2008.0.x86_64.rpm e9b20462aef79d790d604da2e59cc503 2008.0/x86_64/apache-mpm-worker-2.2.6-8.2mdv2008.0.x86_64.rpm a378e191f066f819419106a65e472535 2008.0/x86_64/apache-source-2.2.6-8.2mdv2008.0.x86_64.rpm fb2e547dc2b02b0d55384751729d8c2a 2008.0/SRPMS/apache-2.2.6-8.2mdv2008.0.src.rpm Mandriva Linux 2008.1: 19bd0997c144cfd6c0792227f97c840a 2008.1/i586/apache-base-2.2.8-6.1mdv2008.1.i586.rpm c0bc6f89d51f7aeb0a907155ce424e63 2008.1/i586/apache-devel-2.2.8-6.1mdv2008.1.i586.rpm 38019754e020560317f9e4143c31120b 2008.1/i586/apache-htcacheclean-2.2.8-6.1mdv2008.1.i586.rpm 9d4d3b487b9e4a930e0dfad6f9a86b11 2008.1/i586/apache-mod_authn_dbd-2.2.8-6.1mdv2008.1.i586.rpm dcd9a987da631e20f0af5825c7a0f4cf 2008.1/i586/apache-mod_cache-2.2.8-6.1mdv2008.1.i586.rpm 9d77821dcb46af8c01e7dd30a74fd3f5 2008.1/i586/apache-mod_dav-2.2.8-6.1mdv2008.1.i586.rpm 7ec8c8bec08a8c7812e93ae6f630d721 2008.1/i586/apache-mod_dbd-2.2.8-6.1mdv2008.1.i586.rpm 4b3f7f658ca523658fcff97884404569 2008.1/i586/apache-mod_deflate-2.2.8-6.1mdv2008.1.i586.rpm 838d9649e9f9850ff7f50a9686783958 2008.1/i586/apache-mod_disk_cache-2.2.8-6.1mdv2008.1.i586.rpm 114c083f976c1c59f9ed2fc7865f47b9 2008.1/i586/apache-mod_file_cache-2.2.8-6.1mdv2008.1.i586.rpm efc293cd668271a0131d84a9776e7cb4 2008.1/i586/apache-mod_ldap-2.2.8-6.1mdv2008.1.i586.rpm e1e2413f175fa207ffb8d5ce2903439f 2008.1/i586/apache-mod_mem_cache-2.2.8-6.1mdv2008.1.i586.rpm 80e42fb54b7c926bd4ae6c8869bfe2b4 2008.1/i586/apache-mod_proxy-2.2.8-6.1mdv2008.1.i586.rpm b14cb1c38ff72f65af3dc26f419248b2 2008.1/i586/apache-mod_proxy_ajp-2.2.8-6.1mdv2008.1.i586.rpm 222d326db8d3d9c7ff49a5edf54ad460 2008.1/i586/apache-mod_ssl-2.2.8-6.1mdv2008.1.i586.rpm 8d4d65f206604150103a767559ce4ac0 2008.1/i586/apache-modules-2.2.8-6.1mdv2008.1.i586.rpm a02bf7d7cd6cb86b24728055f31e00e8 2008.1/i586/apache-mod_userdir-2.2.8-6.1mdv2008.1.i586.rpm 762b5a44d6ab770663e7802db5880c5c 2008.1/i586/apache-mpm-event-2.2.8-6.1mdv2008.1.i586.rpm 1ad89877cf9e1d19c9c0ae31da79cc4b 2008.1/i586/apache-mpm-itk-2.2.8-6.1mdv2008.1.i586.rpm 9e88d760212153696531a36e44e599da 2008.1/i586/apache-mpm-prefork-2.2.8-6.1mdv2008.1.i586.rpm f50d7edde588f2439aa4e831a63c35d7 2008.1/i586/apache-mpm-worker-2.2.8-6.1mdv2008.1.i586.rpm a9f60a580681ac55bc61ae250326dc6a 2008.1/i586/apache-source-2.2.8-6.1mdv2008.1.i586.rpm ffe7ace0a88205f764b21be6cf4ed2e1 2008.1/SRPMS/apache-2.2.8-6.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 7aafb608166a15e6373c11011e72117d 2008.1/x86_64/apache-base-2.2.8-6.1mdv2008.1.x86_64.rpm 9c39fe151fc9261c77fc5484f793358d 2008.1/x86_64/apache-devel-2.2.8-6.1mdv2008.1.x86_64.rpm d5dd9482dbfed961af363261f769a136 2008.1/x86_64/apache-htcacheclean-2.2.8-6.1mdv2008.1.x86_64.rpm a839a342ce15d6076907fa85b652ac45 2008.1/x86_64/apache-mod_authn_dbd-2.2.8-6.1mdv2008.1.x86_64.rpm c1cdf8ea93464f350cd5a97282a963a8 2008.1/x86_64/apache-mod_cache-2.2.8-6.1mdv2008.1.x86_64.rpm 0ebe3595df3974b090e1e41653a61ac8 2008.1/x86_64/apache-mod_dav-2.2.8-6.1mdv2008.1.x86_64.rpm 50d80ef4989cecf6d9b4d3a36e91c3f8 2008.1/x86_64/apache-mod_dbd-2.2.8-6.1mdv2008.1.x86_64.rpm 89badb88265d34c6b4dafcbd7240618d 2008.1/x86_64/apache-mod_deflate-2.2.8-6.1mdv2008.1.x86_64.rpm 6814c312ec71fa619e1533f08ed3d1fa 2008.1/x86_64/apache-mod_disk_cache-2.2.8-6.1mdv2008.1.x86_64.rpm ea7900772a2a78ba4913c41762c39069 2008.1/x86_64/apache-mod_file_cache-2.2.8-6.1mdv2008.1.x86_64.rpm b146eaeb311a6107d51413bc29d70315 2008.1/x86_64/apache-mod_ldap-2.2.8-6.1mdv2008.1.x86_64.rpm 7198b641d46ea2f24664c4a9d02b9063 2008.1/x86_64/apache-mod_mem_cache-2.2.8-6.1mdv2008.1.x86_64.rpm e04cdfbbad417123adae10cf13a2b626 2008.1/x86_64/apache-mod_proxy-2.2.8-6.1mdv2008.1.x86_64.rpm 8f9a04efe7760b08220b27f1cabd8a49 2008.1/x86_64/apache-mod_proxy_ajp-2.2.8-6.1mdv2008.1.x86_64.rpm 8ed701d6c742a5e60196653f79989a8a 2008.1/x86_64/apache-mod_ssl-2.2.8-6.1mdv2008.1.x86_64.rpm 3beb942d20bf63c2bc8cef202ef0e0aa 2008.1/x86_64/apache-modules-2.2.8-6.1mdv2008.1.x86_64.rpm fd40ed97d50b583c7f21a686d8146c7d 2008.1/x86_64/apache-mod_userdir-2.2.8-6.1mdv2008.1.x86_64.rpm f7451170b9c2c7f3f55a0d44567bebfe 2008.1/x86_64/apache-mpm-event-2.2.8-6.1mdv2008.1.x86_64.rpm 6e1b59583a15313f8dbf347170ec581d 2008.1/x86_64/apache-mpm-itk-2.2.8-6.1mdv2008.1.x86_64.rpm b60967808f886fc4444054fe4ba685fd 2008.1/x86_64/apache-mpm-prefork-2.2.8-6.1mdv2008.1.x86_64.rpm 0ab90ebae3fcfd1fa809e62e546222db 2008.1/x86_64/apache-mpm-worker-2.2.8-6.1mdv2008.1.x86_64.rpm 7726d40130eb5a14d8cf272cd08f7485 2008.1/x86_64/apache-source-2.2.8-6.1mdv2008.1.x86_64.rpm ffe7ace0a88205f764b21be6cf4ed2e1 2008.1/SRPMS/apache-2.2.8-6.1mdv2008.1.src.rpm Corporate 4.0: b59bbaecc0f3c6301bee564c2862430a corporate/4.0/i586/apache-base-2.2.3-1.4.20060mlcs4.i586.rpm b3141af91788ac68afd1cfb34426cec3 corporate/4.0/i586/apache-devel-2.2.3-1.4.20060mlcs4.i586.rpm 309db27fc902b7eb77e0fd2b5e03359f corporate/4.0/i586/apache-htcacheclean-2.2.3-1.4.20060mlcs4.i586.rpm 8e7d56d01a51b7239b080765fd858088 corporate/4.0/i586/apache-mod_authn_dbd-2.2.3-1.4.20060mlcs4.i586.rpm 8e6bd8c3a89f5f277fb56e60b37bb6a9 corporate/4.0/i586/apache-mod_cache-2.2.3-1.4.20060mlcs4.i586.rpm fd99c7e58d56eb14a0e94c27edb2daf2 corporate/4.0/i586/apache-mod_dav-2.2.3-1.4.20060mlcs4.i586.rpm 75968093eca9011dd115d948c44f29ba corporate/4.0/i586/apache-mod_dbd-2.2.3-1.4.20060mlcs4.i586.rpm ba5118b4c1caa7e4b75229b5643b06b9 corporate/4.0/i586/apache-mod_deflate-2.2.3-1.4.20060mlcs4.i586.rpm abb27116fae7ff7d319516c0f9a0a5e4 corporate/4.0/i586/apache-mod_disk_cache-2.2.3-1.4.20060mlcs4.i586.rpm e1bb6ed7fb0fbb39f762a932f34dc67b corporate/4.0/i586/apache-mod_file_cache-2.2.3-1.4.20060mlcs4.i586.rpm a3d85c92d66a0ca0ed6dc6a6c6df23b4 corporate/4.0/i586/apache-mod_ldap-2.2.3-1.4.20060mlcs4.i586.rpm eca828a6bd374d98af6fd785aa6970af corporate/4.0/i586/apache-mod_mem_cache-2.2.3-1.4.20060mlcs4.i586.rpm 8e28a95bd7f655c5b98c7405ca74de18 corporate/4.0/i586/apache-mod_proxy-2.2.3-1.4.20060mlcs4.i586.rpm 23a2687957dae00dadc44b864032a838 corporate/4.0/i586/apache-mod_proxy_ajp-2.2.3-1.4.20060mlcs4.i586.rpm a4a143aa2f9f8b1d3cedf68429a90fa4 corporate/4.0/i586/apache-mod_ssl-2.2.3-1.4.20060mlcs4.i586.rpm 779cf371acd7012ac1acfaac0062a38a corporate/4.0/i586/apache-modules-2.2.3-1.4.20060mlcs4.i586.rpm e1a8927f0cfd3a08ca2af42ebc64932e corporate/4.0/i586/apache-mod_userdir-2.2.3-1.4.20060mlcs4.i586.rpm 3415eea7176bb392b87540c2bfcfed2b corporate/4.0/i586/apache-mpm-prefork-2.2.3-1.4.20060mlcs4.i586.rpm 9b79811544ad30fd91608d5839b521eb corporate/4.0/i586/apache-mpm-worker-2.2.3-1.4.20060mlcs4.i586.rpm 1403616f0ba1cbcc552f7e33a32b303f corporate/4.0/i586/apache-source-2.2.3-1.4.20060mlcs4.i586.rpm fdda31ac2d27f5fe856746719b3ae87a corporate/4.0/SRPMS/apache-2.2.3-1.4.20060mlcs4.src.rpm Corporate 4.0/X86_64: e46ce6fe84b67d3d6caf6782d9352555 corporate/4.0/x86_64/apache-base-2.2.3-1.4.20060mlcs4.x86_64.rpm 5b1993dca50465213ca285d3fc38bc07 corporate/4.0/x86_64/apache-devel-2.2.3-1.4.20060mlcs4.x86_64.rpm 7076dbe94461207aa2399b887e6b669f corporate/4.0/x86_64/apache-htcacheclean-2.2.3-1.4.20060mlcs4.x86_64.rpm e51acf392e315892cfc60ef342b3e9f0 corporate/4.0/x86_64/apache-mod_authn_dbd-2.2.3-1.4.20060mlcs4.x86_64.rpm 270e619d353fa9348b2d5713e660bb69 corporate/4.0/x86_64/apache-mod_cache-2.2.3-1.4.20060mlcs4.x86_64.rpm 8e8ae8e260b69d7150c6d7f8162eb261 corporate/4.0/x86_64/apache-mod_dav-2.2.3-1.4.20060mlcs4.x86_64.rpm 11fc6ca48580398733c9c26c6097aeb8 corporate/4.0/x86_64/apache-mod_dbd-2.2.3-1.4.20060mlcs4.x86_64.rpm 6750c2039c64dd866146d240f06b302f corporate/4.0/x86_64/apache-mod_deflate-2.2.3-1.4.20060mlcs4.x86_64.rpm 0c7db97343700984a02d6365069bfbd5 corporate/4.0/x86_64/apache-mod_disk_cache-2.2.3-1.4.20060mlcs4.x86_64.rpm d60aa90ac7a459f237a6c0ed190b0ea1 corporate/4.0/x86_64/apache-mod_file_cache-2.2.3-1.4.20060mlcs4.x86_64.rpm 873b63a672417971078076a5e3e4f363 corporate/4.0/x86_64/apache-mod_ldap-2.2.3-1.4.20060mlcs4.x86_64.rpm d964415079d86d6c6ff78381e3dfe8ef corporate/4.0/x86_64/apache-mod_mem_cache-2.2.3-1.4.20060mlcs4.x86_64.rpm c014bede921593c1035d8a1488909ab9 corporate/4.0/x86_64/apache-mod_proxy-2.2.3-1.4.20060mlcs4.x86_64.rpm d4469077e683ea2a034bfb35be9ca8f6 corporate/4.0/x86_64/apache-mod_proxy_ajp-2.2.3-1.4.20060mlcs4.x86_64.rpm 35638d36e7c4832f70460294ef496d33 corporate/4.0/x86_64/apache-mod_ssl-2.2.3-1.4.20060mlcs4.x86_64.rpm de62531cfcf279b966c08940df7dc298 corporate/4.0/x86_64/apache-modules-2.2.3-1.4.20060mlcs4.x86_64.rpm a44db8a0824aa8ec654338640e30e14c corporate/4.0/x86_64/apache-mod_userdir-2.2.3-1.4.20060mlcs4.x86_64.rpm be326111f9e8dd9fb0a9a7699f7f99dd corporate/4.0/x86_64/apache-mpm-prefork-2.2.3-1.4.20060mlcs4.x86_64.rpm 3b29042dd082e4f0f8e04fbff2f14c23 corporate/4.0/x86_64/apache-mpm-worker-2.2.3-1.4.20060mlcs4.x86_64.rpm 576aed8c357f707db0e488e13b68834c corporate/4.0/x86_64/apache-source-2.2.3-1.4.20060mlcs4.x86_64.rpm fdda31ac2d27f5fe856746719b3ae87a corporate/4.0/SRPMS/apache-2.2.3-1.4.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFIzBUvmqjQ0CJFipgRApHOAKCvASwDjqj110UnAsle/Jtgw9VwhwCg7zVf 0jg30niEBGmySzuHETORyts= =wMau -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . This update also provides HTTP/1.1 compliance fixes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200807-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Apache: Denial of Service Date: July 09, 2008 Bugs: #222643, #227111 ID: 200807-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities in Apache might lead to a Denial of Service. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/apache < 2.2.9 >= 2.2.9 Description =========== Multiple vulnerabilities have been discovered in Apache: * Dustin Kirkland reported that the mod_ssl module can leak memory when the client reports support for a compression algorithm (CVE-2008-1678). * sp3x of SecurityReason reported a Cross-Site Request Forgery vulnerability in the balancer-manager in the mod_proxy_balancer module (CVE-2007-6420). Impact ====== A remote attacker could exploit these vulnerabilities by connecting to an Apache httpd, by causing an Apache proxy server to connect to a malicious server, or by enticing a balancer administrator to connect to a specially-crafted URL, resulting in a Denial of Service of the Apache daemon. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.9" References ========== [ 1 ] CVE-2007-6420 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420 [ 2 ] CVE-2008-1678 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678 [ 3 ] CVE-2008-2364 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200807-06.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . The HP Business Availability Center v8.02 kit is available on the HP Software Support Online portal at: http://support.openview.hp.com/support.jsp . References: CVE-2006-3918, CVE-2007-4465, CVE-2007-6203, CVE-2008-0005, CVE-2008-0599, CVE-2008-2168, CVE-2008-2364, CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-2939, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5498, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625, CVE-2008-5658

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Unknown

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Ryujiro Shibuya

SOURCES

LAST UPDATE DATE

2024-11-20T21:54:11.087000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE