ID

VAR-200808-0470


CVE

CVE-2008-2939


TITLE

Apache mod_proxy_ftp XSS vulnerability

Trust: 0.8

sources: CERT/CC: VU#663763

DESCRIPTION

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.

BUGTRAQ ID: CVE ID: CVE-2008-2939 CNCVE ID: CNCVE-20082939

IBM HTTP Server is an HTTP service program. There is an input validation issue in IBM HTTP Server "mod_proxy_ftp"; remote attackers can use the vulnerability to conduct cross-site scripting attacks and obtain sensitive information.

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01650939
Version: 1

HPSBUX02401 SSRT090005 rev.1 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-02-02
Last Updated: 2009-02-02

Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, cross-site request forgery (CSRF)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY

Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF).

References: CVE-2007-6420, CVE-2008-1232, CVE-2008-1947, CVE-2008-2364, CVE-2008-2370, CVE-2008-2938, CVE-2008-2939, CVE-2008-3658

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP-UX B.11.23 and B.11.31 running Apache-based Web Server v2.2.8.01.01 or earlier or Tomcat-based Servlet Engine v5.5.27.01.01 or earlier
HP-UX B.11.11 running Apache-based Web Server v2.2.8.01.01 or earlier

BACKGROUND

CVSS 2.0 Base Metrics
===============================================
Reference        Base Vector                     Base Score
CVE-2007-6420    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2008-1232    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2008-1947    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2008-2364    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    5.0
CVE-2008-2370    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    5.0
CVE-2008-2938    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2008-2939    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
CVE-2008-3658    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    7.5
===============================================

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION

HP has provided the following upgrades to resolve these vulnerabilities. The upgrades are available from the following location:

URL: http://software.hp.com

Note: HP-UX Web Server Suite v.3.02 contains HP-UX Apache-based Web Server v.2.2.8.01.02 and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01

HP-UX Release - B.11.23 and B.11.31 PA-32
Apache Depot name - HPUXWSATW-B302-32.depot

HP-UX Release - B.11.23 and B.11.31 IA-64
Apache Depot name - HPUXWSATW-B302-64.depot

HP-UX Release - B.11.11 PA-32
Apache Depot name - HPUXWSATW-B222-1111.depot

MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server or Tomcat-based Servlet Engine from the Apache Web Server Suite v3.02 or subsequent

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
hpuxwsTOMCAT.TOMCAT
hpuxwsWEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com

HP-UX B.11.23
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
hpuxws22WEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com

HP-UX B.11.31
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
hpuxws22WEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) 2 February 2009 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action.
HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

©Copyright 2009 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

The updated packages have been patched to prevent these issues.

The HP Business Availability Center v8.02 kit is available on the HP Software Support Online portal at: http://support.openview.hp.com/support.jsp

Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting

Discovered: July 25, 2008
Published: August 5, 2008
Revision: 1.1
http://www.rapid7.com/advisories/R7-0033

CVE: CVE-2008-2939

1. Affected system(s):

KNOWN VULNERABLE:
 o Apache HTTP Server 2.2.9 (and earlier 2.2.x versions)
 o Apache HTTP Server 2.0.63 (and earlier 2.0.x versions)

NOT VULNERABLE:
 o Apache HTTP Server 1.3.x (because mod_proxy_ftp doesn't support wildcard characters)

2.

3. Vendor status and information

Apache HTTP Server Project
http://httpd.apache.org

The developers were notified of this vulnerability on July 28, 2008 via the private security mailing list security@apache.org. They acknowledged it within 12 hours. On July 29, they assigned it a CVE ID. On August 5, the vulnerability was fixed in all SVN branches:

 o Commit to main trunk: http://svn.apache.org/viewvc?view=rev&revision=682868
 o Commit to 2.2 branch: http://svn.apache.org/viewvc?view=rev&revision=682870
 o Commit to 2.0 branch: http://svn.apache.org/viewvc?view=rev&revision=682871

4. Solution

Upgrade to Apache HTTP Server 2.2.10 or 2.0.64 (as of August 6, these have not been released yet), or apply the patch from SVN commit r682868.

5. Detailed analysis

When Apache HTTP Server is configured with proxy support ("ProxyRequests On" in the configuration file), and when mod_proxy_ftp is enabled to support FTP-over-HTTP, requests containing wildcard characters (asterisk, tilde, opening square bracket, etc) such as:

    GET ftp://host/*<foo> HTTP/1.0

lead to cross-site scripting in the response returned by mod_proxy_ftp:

    [...]
    <h2>Directory of <a href="/">ftp://host</a>/*<foo></h2>
    [...]

To exploit this vulnerability, 'host' must be running an FTP server, and the last directory component of the path (the XSS payload) must be composed of at least 1 wildcard character and must not contain any forward slashes. In practice, this last requirement is not an obstacle at all to develop working exploits, example:

    ftp://host/*<img%20src=""%20onerror="alert(42)">

6. Credit

Discovered by Marc Bevand of Rapid7.

7. Contact Information

Rapid7, LLC
Email: advisory@rapid7.com
Web: http://www.rapid7.com
Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This advisory Copyright (C) 2008 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

Mandriva Linux Security Advisory MDVSA-2009:124
http://www.mandriva.com/security/

Package : apache
Date : May 31, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0

Problem Description:

Multiple vulnerabilities have been found and corrected in apache:

Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm (CVE-2008-1678). Note that this security issue does not really apply as zlib compression is not enabled in the openssl build provided by Mandriva, but apache is patched to address this issue anyway (concerns 2008.1 only).
Note that this security issue was initially addressed with MDVSA-2008:195 but the patch fixing the issue was added but not applied in 2009.0.

The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file (CVE-2009-1195).

This update provides fixes for these vulnerabilities.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195

Updated Packages:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

    gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

References: CVE-2006-3918, CVE-2007-4465, CVE-2007-6203, CVE-2008-0005, CVE-2008-0599, CVE-2008-2168, CVE-2008-2364, CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-2939, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5498, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625, CVE-2008-5658

Trust: 3.15

sources: NVD: CVE-2008-2939 // CERT/CC: VU#663763 // JVNDB: JVNDB-2008-001610 // VULHUB: VHN-33064 // VULMON: CVE-2008-2939 // PACKETSTORM: 74633 // PACKETSTORM: 69969 // PACKETSTORM: 89987 // PACKETSTORM: 68874 // PACKETSTORM: 69968 // PACKETSTORM: 77952 // PACKETSTORM: 82164

AFFECTED PRODUCTS

vendor: opensuse // model: opensuse // scope: eq // version: 11.0

Trust: 1.0

vendor: apache // model: http server // scope: lte // version: 2.0.63

Trust: 1.0

vendor: canonical // model: ubuntu linux // scope: eq // version: 8.04

Trust: 1.0

vendor: opensuse // model: opensuse // scope: eq // version: 10.3

Trust: 1.0

vendor: apache // model: http server // scope: lte // version: 2.2.9

Trust: 1.0

vendor: canonical // model: ubuntu linux // scope: eq // version: 6.06

Trust: 1.0

vendor: opensuse // model: opensuse // scope: eq // version: 10.2

Trust: 1.0

vendor: canonical // model: ubuntu linux // scope: eq // version: 7.10

Trust: 1.0

vendor: apache // model: http server // scope: gte // version: 2.2.0

Trust: 1.0

vendor: apple // model: mac os x // scope: lte // version: 10.5.6

Trust: 1.0

vendor: apache http server // model: - // scope: - // version: -

Trust: 0.8

vendor: apache // model: http server // scope: eq // version: 2.0.63 before

Trust: 0.8

vendor: apache // model: http server // scope: eq // version: 2.2.9 before

Trust: 0.8

vendor: ibm // model: http server // scope: eq // version: 2.0.47.x

Trust: 0.8

vendor: ibm // model: http server // scope: lt // version: 6.0.2.33

Trust: 0.8

vendor: ibm // model: http server // scope: lt // version: 6.1.0.21

Trust: 0.8

vendor: apple // model: mac os x // scope: eq // version: v10.4.11

Trust: 0.8

vendor: apple // model: mac os x server // scope: eq // version: v10.4.11

Trust: 0.8

vendor: cybertrust // model: asianux server // scope: eq // version: 3 (x86)

Trust: 0.8

vendor: cybertrust // model: asianux server // scope: eq // version: 3 (x86-64)

Trust: 0.8

vendor: cybertrust // model: asianux server // scope: eq // version: 3.0

Trust: 0.8

vendor: cybertrust // model: asianux server // scope: eq // version: 3.0 (x86-64)

Trust: 0.8

vendor: cybertrust // model: asianux server // scope: eq // version: 4.0

Trust: 0.8

vendor: cybertrust // model: asianux server // scope: eq // version: 4.0 (x86-64)

Trust: 0.8

vendor: sun microsystems // model: solaris // scope: eq // version: 10 (sparc)

Trust: 0.8

vendor: sun microsystems // model: solaris // scope: eq // version: 10 (x86)

Trust: 0.8

vendor: turbo linux // model: turbolinux appliance server // scope: eq // version: 2.0

Trust: 0.8

vendor: turbo linux // model: turbolinux client // scope: eq // version: 2008

Trust: 0.8

vendor: turbo linux // model: turbolinux fuji // scope: - // version: -

Trust: 0.8

vendor: turbo linux // model: turbolinux multimedia // scope: - // version: -

Trust: 0.8

vendor: turbo linux // model: turbolinux personal // scope: - // version: -

Trust: 0.8

vendor: turbo linux // model: turbolinux server // scope: eq // version: 10

Trust: 0.8

vendor: turbo linux // model: turbolinux server // scope: eq // version: 10 (x64)

Trust: 0.8

vendor: turbo linux // model: turbolinux server // scope: eq // version: 11

Trust: 0.8

vendor: turbo linux // model: turbolinux server // scope: eq // version: 11 (x64)

Trust: 0.8

vendor: hewlett packard // model: hp-ux // scope: eq // version: 11.11

Trust: 0.8

vendor: hewlett packard // model: hp-ux // scope: eq // version: 11.23

Trust: 0.8

vendor: hewlett packard // model: hp-ux // scope: eq // version: 11.31

Trust: 0.8

vendor: red hat // model: enterprise linux // scope: eq // version: 3 (as)

Trust: 0.8

vendor: red hat // model: enterprise linux // scope: eq // version: 3 (es)

Trust: 0.8

vendor: red hat // model: enterprise linux // scope: eq // version: 3 (ws)

Trust: 0.8

vendor: red hat // model: enterprise linux // scope: eq // version: 4 (as)

Trust: 0.8

vendor: red hat // model: enterprise linux // scope: eq // version: 4 (es)

Trust: 0.8

vendor: red hat // model: enterprise linux // scope: eq // version: 4 (ws)

Trust: 0.8

vendor: red hat // model: enterprise linux // scope: eq // version: 5 (server)

Trust: 0.8

vendor: red hat // model: enterprise linux desktop // scope: eq // version: 3.0

Trust: 0.8

vendor: red hat // model: enterprise linux desktop // scope: eq // version: 4.0

Trust: 0.8

vendor: red hat // model: enterprise linux desktop // scope: eq // version: 5.0 (client)

Trust: 0.8

vendor: red hat // model: rhel desktop workstation // scope: eq // version: 5 (client)

Trust: 0.8

vendor: fujitsu // model: interstage application server // scope: - // version: -

Trust: 0.8

vendor: fujitsu // model: interstage studio // scope: - // version: -

Trust: 0.8

vendor: fujitsu // model: interstage web server // scope: - // version: -

Trust: 0.8

vendor: apache // model: http server // scope: eq // version: 2.2.3

Trust: 0.6

vendor: apache // model: http server // scope: eq // version: 2.2.9

Trust: 0.6

vendor: apache // model: http server // scope: eq // version: 2.2.1

Trust: 0.6

vendor: apache // model: http server // scope: eq // version: 2.2.6

Trust: 0.6

vendor: apache // model: http server // scope: eq // version: 2.2.8

Trust: 0.6

vendor: apache // model: http server // scope: eq // version: 2.2.0

Trust: 0.6

vendor: apache // model: http server // scope: eq // version: 2.2.4

Trust: 0.6

vendor: apache // model: http server // scope: eq // version: 2.0.63

Trust: 0.6

vendor: apache // model: http server // scope: eq // version: 2.2.5

Trust: 0.6

vendor: apache // model: http server // scope: eq // version: 2.2.2

Trust: 0.6

sources: CERT/CC: VU#663763 // JVNDB: JVNDB-2008-001610 // CNNVD: CNNVD-200808-056 // NVD: CVE-2008-2939

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-2939
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#663763
value: 2.70

Trust: 0.8

NVD: CVE-2008-2939
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200808-056
value: MEDIUM

Trust: 0.6

VULHUB: VHN-33064
value: MEDIUM

Trust: 0.1

VULMON: CVE-2008-2939
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2008-2939
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-33064
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#663763 // VULHUB: VHN-33064 // VULMON: CVE-2008-2939 // JVNDB: JVNDB-2008-001610 // CNNVD: CNNVD-200808-056 // NVD: CVE-2008-2939

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-33064 // JVNDB: JVNDB-2008-001610 // NVD: CVE-2008-2939

THREAT TYPE

remote

Trust: 0.8

sources: PACKETSTORM: 69969 // PACKETSTORM: 69968 // CNNVD: CNNVD-200808-056

TYPE

xss

Trust: 0.8

sources: PACKETSTORM: 68874 // PACKETSTORM: 82164 // CNNVD: CNNVD-200808-056

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-001610

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-33064

PATCH

title: Fixed in Apache httpd 2.0.64 // url: http://httpd.apache.org/security/vulnerabilities_20.html#2.0.64

Trust: 0.8

title: vulnerabilities_22 // url: http://httpd.apache.org/security/vulnerabilities_22.html

Trust: 0.8

title: Fixed in Apache httpd 2.2.10-dev // url: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.10-dev

Trust: 0.8

title: HT3549 // url: http://support.apple.com/kb/HT3549

Trust: 0.8

title: HT3549 // url: http://support.apple.com/kb/HT3549?viewlocale=ja_JP

Trust: 0.8

title: httpd-2.2.3-11.4.1AXS3 // url: https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=369

Trust: 0.8

title: HPSBUX02465 // url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01905287

Trust: 0.8

title: HPSBUX02401 // url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01650939

Trust: 0.8

title: 7007033#60233 // url: http://www-01.ibm.com/support/docview.wss?uid=swg27007033#60233

Trust: 0.8

title: 7008517#61021 // url: http://www-01.ibm.com/support/docview.wss?uid=swg27008517#61021

Trust: 0.8

title: PM10658 // url: http://www-01.ibm.com/support/docview.wss?uid=swg1PM10658

Trust: 0.8

title: 1366 // url: http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1366

Trust: 0.8

title: RHSA-2008:0967 // url: https://rhn.redhat.com/errata/RHSA-2008-0967.html

Trust: 0.8

title: 247666 // url: http://sunsolve.sun.com/search/document.do?assetkey=1-66-247666-1

Trust: 0.8

title: interstage_as_200809 // url: http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_200809.html

Trust: 0.8

title: TLSA-2008-34 // url: http://www.turbolinux.co.jp/security/2008/TLSA-2008-34j.txt

Trust: 0.8

title: Apache Fixes for cross-site scripting vulnerabilities // url: http://123.124.177.30/web/xxk/bdxqById.tag?id=145875

Trust: 0.6

title: Red Hat: Moderate: httpd security and bug fix update // url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20080967 - Security Advisory

Trust: 0.1

title: Red Hat: Moderate: Red Hat Application Stack v2.2 security and enhancement update // url: https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20080966 - Security Advisory

Trust: 0.1

title: Ubuntu Security Notice: apache2 vulnerabilities // url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-731-1

Trust: 0.1

title: Symantec Security Advisories: SA61 : Director multiple Apache vulnerabilities // url: https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories&qid=508649a9a651b4fb32a5cc0f1310d652

Trust: 0.1

title: vulnerability-check // url: https://github.com/adamziaja/vulnerability-check

Trust: 0.1

title: Pentest-Cheetsheet // url: https://github.com/MrFrozenPepe/Pentest-Cheetsheet

Trust: 0.1

title: ReconScan // url: https://github.com/RoliSoft/ReconScan

Trust: 0.1

title: ReconScan // url: https://github.com/GiJ03/ReconScan

Trust: 0.1

title: test // url: https://github.com/issdp/test

Trust: 0.1

title: ReconScan // url: https://github.com/kira1111/ReconScan

Trust: 0.1

title: - // url: https://github.com/SecureAxom/strike

Trust: 0.1

title: - // url: https://github.com/DButter/whitehat_public

Trust: 0.1

sources: VULMON: CVE-2008-2939 // JVNDB: JVNDB-2008-001610 // CNNVD: CNNVD-200808-056

EXTERNAL IDS

db: CERT/CC // id: VU#663763

Trust: 3.4

db: NVD // id: CVE-2008-2939

Trust: 3.3

db: SECUNIA // id: 31384

Trust: 2.6

db: BID // id: 30560

Trust: 2.6

db: SECTRACK // id: 1020635

Trust: 2.6

db: VUPEN // id: ADV-2009-1297

Trust: 1.8

db: VUPEN // id: ADV-2009-0320

Trust: 1.8

db: VUPEN // id: ADV-2008-2315

Trust: 1.8

db: VUPEN // id: ADV-2008-2461

Trust: 1.8

db: SECUNIA // id: 31673

Trust: 1.8

db: SECUNIA // id: 33156

Trust: 1.8

db: SECUNIA // id: 32838

Trust: 1.8

db: SECUNIA // id: 35074

Trust: 1.8

db: SECUNIA // id: 32685

Trust: 1.8

db: SECUNIA // id: 33797

Trust: 1.8

db: SECUNIA // id: 34219

Trust: 1.8

db: USCERT // id: TA09-133A

Trust: 1.8

db: XF // id: 44223

Trust: 0.8

db: JVNDB // id: JVNDB-2008-001610

Trust: 0.8

db: CNNVD // id: CNNVD-200808-056

Trust: 0.6

db: PACKETSTORM // id: 69968

Trust: 0.2

db: PACKETSTORM // id: 68874

Trust: 0.2

db: PACKETSTORM // id: 89987

Trust: 0.2

db: SEEBUG // id: SSVID-87537

Trust: 0.1

db: SEEBUG // id: SSVID-87785

Trust: 0.1

db: SEEBUG // id: SSVID-4786

Trust: 0.1

db: VULHUB // id: VHN-33064

Trust: 0.1

db: VULMON // id: CVE-2008-2939

Trust: 0.1

db: PACKETSTORM // id: 74633

Trust: 0.1

db: PACKETSTORM // id: 69969

Trust: 0.1

db: PACKETSTORM // id: 77952

Trust: 0.1

db: PACKETSTORM // id: 82164

Trust: 0.1

sources: CERT/CC: VU#663763 // VULHUB: VHN-33064 // VULMON: CVE-2008-2939 // JVNDB: JVNDB-2008-001610 // PACKETSTORM: 74633 // PACKETSTORM: 69969 // PACKETSTORM: 89987 // PACKETSTORM: 68874 // PACKETSTORM: 69968 // PACKETSTORM: 77952 // PACKETSTORM: 82164 // CNNVD: CNNVD-200808-056 // NVD: CVE-2008-2939

REFERENCES

url:http://www.kb.cert.org/vuls/id/663763

Trust: 2.7

url:http://svn.apache.org/viewvc?view=rev&revision=682868

Trust: 2.6

url:http://svn.apache.org/viewvc?view=rev&revision=682870

Trust: 2.6

url:http://svn.apache.org/viewvc?view=rev&revision=682871

Trust: 2.6

url:http://www.securityfocus.com/bid/30560

Trust: 2.6

url:http://secunia.com/advisories/31384

Trust: 2.6

url:http://www.rapid7.com/advisories/r7-0033

Trust: 1.9

url:http://www.securitytracker.com/id?1020635

Trust: 1.8

url:http://www.securityfocus.com/archive/1/495180/100/0/threaded

Trust: 1.8

url:http://www.securityfocus.com/archive/1/498566/100/0/threaded

Trust: 1.8

url:http://www.securityfocus.com/archive/1/498567/100/0/threaded

Trust: 1.8

url:http://sunsolve.sun.com/search/document.do?assetkey=1-26-247666-1

Trust: 1.8

url:http://secunia.com/advisories/31673

Trust: 1.8

url:http://secunia.com/advisories/32685

Trust: 1.8

url:http://secunia.com/advisories/32838

Trust: 1.8

url:http://secunia.com/advisories/33156

Trust: 1.8

url:http://secunia.com/advisories/33797

Trust: 1.8

url:http://secunia.com/advisories/34219

Trust: 1.8

url:http://secunia.com/advisories/35074

Trust: 1.8

url:http://www.vupen.com/english/advisories/2008/2315

Trust: 1.8

url:http://www.vupen.com/english/advisories/2008/2461

Trust: 1.8

url:http://www.vupen.com/english/advisories/2009/0320

Trust: 1.8

url:http://www.vupen.com/english/advisories/2009/1297

Trust: 1.8

url:http://lists.apple.com/archives/security-announce/2009/may/msg00002.html

Trust: 1.8

url:http://www.mandriva.com/security/advisories?name=mdvsa-2008:194

Trust: 1.8

url:http://www.mandriva.com/security/advisories?name=mdvsa-2008:195

Trust: 1.8

url:http://www.mandriva.com/security/advisories?name=mdvsa-2009:124

Trust: 1.8

url:http://www-1.ibm.com/support/docview.wss?uid=swg1pk70197

Trust: 1.8

url:http://www-1.ibm.com/support/docview.wss?uid=swg1pk70937

Trust: 1.8

url:http://www.redhat.com/support/errata/rhsa-2008-0966.html

Trust: 1.8

url:http://rhn.redhat.com/errata/rhsa-2008-0967.html

Trust: 1.8

url:http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00000.html

Trust: 1.8

url:http://www.us-cert.gov/cas/techalerts/ta09-133a.html

Trust: 1.8

url:http://www.ubuntu.com/usn/usn-731-1

Trust: 1.8

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/44223

Trust: 1.8

url:http://support.apple.com/kb/ht3549

Trust: 1.8

url:http://wiki.rpath.com/advisories:rpsa-2008-0327

Trust: 1.8

url:http://wiki.rpath.com/wiki/advisories:rpsa-2008-0328

Trust: 1.8

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a11316

Trust: 1.8

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a7716

Trust: 1.8

url:http://marc.info/?l=bugtraq&m=123376588623823&w=2

Trust: 1.7

url:http://marc.info/?l=bugtraq&m=125631037611762&w=2

Trust: 1.7

url:https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3ccvs.httpd.apache.org%3e

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2939

Trust: 1.1

url:http://www.securityfocus.com/archive/1/495180

Trust: 0.8

url:http://ftpsearch.ntua.gr/globbing.html

Trust: 0.8

url:http://noscript.net/

Trust: 0.8

url:http://www.frsirt.com/english/advisories/2008/2315

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/44223

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-2939

Trust: 0.8

url:http://securitytracker.com/id?1020635

Trust: 0.8

url:https://access.redhat.com/errata/rhsa-2008:0967

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2008-2939

Trust: 0.7

url:httpd.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r5f9c22f9c28adbd9f00556059edc7b03a5d5bb71d4bb80257c0d34e4%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3ccvs.

Trust: 0.6

url:https://bugzilla.redhat.com/show_bug.cgi?id=458250

Trust: 0.6

url:https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb@%3ccvs.

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2008-2939

Trust: 0.6

url:https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r84d043c2115176958562133d96d851495d712aa49da155d81f6733be%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3ccvs.

Trust: 0.6

url:https://access.redhat.com/errata/rhsa-2010:0602

Trust: 0.6

url:https://access.redhat.com/errata/rhsa-2008:0966

Trust: 0.6

url:https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rb9c9f42dafa25d2f669dac2a536a03f2575bc5ec1be6f480618aee10%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r7dd6be4dc38148704f2edafb44a8712abaa3a2be120d6c3314d55919%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rc4c53a0d57b2771ecd4b965010580db355e38137c8711311ee1073a8%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3ccvs.

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2008-2364

Trust: 0.4

url:http://www.itrc.hp.com/service/cki/secbullarchive.do

Trust: 0.3

url:http://h30046.www3.hp.com/driveralertprofile.php?regioncode=na&langcode=useng&jumpid=in_sc-gen__driveritrc&topiccode=itrc

Trust: 0.3

url:http://h30046.www3.hp.com/subsignin.php

Trust: 0.3

url:http://www.mandriva.com/security/

Trust: 0.3

url:http://www.mandriva.com/security/advisories

Trust: 0.3

url:http://software.hp.com

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2007-6420

Trust: 0.2

url:https://www.hp.com/go/swa

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2008-3658

Trust: 0.2

url:http://secunia.com/

Trust: 0.2

url:http://lists.grok.org.uk/full-disclosure-charter.html

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2008-0005

Trust: 0.2

url:http://marc.info/?l=bugtraq&m=123376588623823&w=2

Trust: 0.1

url:http://marc.info/?l=bugtraq&m=125631037611762&w=2

Trust: 0.1

url:http://svn.apache.org/viewvc?view=rev&revision=682868

Trust: 0.1

url:http://svn.apache.org/viewvc?view=rev&revision=682870

Trust: 0.1

url:http://svn.apache.org/viewvc?view=rev&revision=682871

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-2370

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-2938

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-1947

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-1232

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2364

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2007-6421

Trust: 0.1

url:http://support.openview.hp.com/support.jsp

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2007-6422

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2007-6388

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2007-5000

Trust: 0.1

url:http://www.rapid7.com

Trust: 0.1

url:http://httpd.apache.org

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1195

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1678

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-1678

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2009-1195

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-2371

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-3660

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-5498

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-0599

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-2168

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2006-3918

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-2829

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2007-6203

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-2665

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-5557

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-5624

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-3659

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-2666

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2007-4465

Trust: 0.1

sources: CERT/CC: VU#663763 // VULHUB: VHN-33064 // VULMON: CVE-2008-2939 // JVNDB: JVNDB-2008-001610 // PACKETSTORM: 74633 // PACKETSTORM: 69969 // PACKETSTORM: 89987 // PACKETSTORM: 68874 // PACKETSTORM: 69968 // PACKETSTORM: 77952 // PACKETSTORM: 82164 // CNNVD: CNNVD-200808-056 // NVD: CVE-2008-2939

CREDITS

Marc Bevand※ bevand_m@epita.fr

Trust: 0.6

sources: CNNVD: CNNVD-200808-056

SOURCES

db: CERT/CC // id: VU#663763
db: VULHUB // id: VHN-33064
db: VULMON // id: CVE-2008-2939
db: JVNDB // id: JVNDB-2008-001610
db: PACKETSTORM // id: 74633
db: PACKETSTORM // id: 69969
db: PACKETSTORM // id: 89987
db: PACKETSTORM // id: 68874
db: PACKETSTORM // id: 69968
db: PACKETSTORM // id: 77952
db: PACKETSTORM // id: 82164
db: CNNVD // id: CNNVD-200808-056
db: NVD // id: CVE-2008-2939

LAST UPDATE DATE

2024-12-21T21:45:05.624000+00:00


SOURCES UPDATE DATE

db: CERT/CC // id: VU#663763 // date: 2008-08-08T00:00:00
db: VULHUB // id: VHN-33064 // date: 2023-02-13T00:00:00
db: VULMON // id: CVE-2008-2939 // date: 2023-02-13T00:00:00
db: JVNDB // id: JVNDB-2008-001610 // date: 2010-11-04T00:00:00
db: CNNVD // id: CNNVD-200808-056 // date: 2023-05-06T00:00:00
db: NVD // id: CVE-2008-2939 // date: 2024-11-21T00:48:03.663

SOURCES RELEASE DATE

db: CERT/CC // id: VU#663763 // date: 2008-08-08T00:00:00
db: VULHUB // id: VHN-33064 // date: 2008-08-06T00:00:00
db: VULMON // id: CVE-2008-2939 // date: 2008-08-06T00:00:00
db: JVNDB // id: JVNDB-2008-001610 // date: 2008-09-04T00:00:00
db: PACKETSTORM // id: 74633 // date: 2009-02-04T18:45:10
db: PACKETSTORM // id: 69969 // date: 2008-09-14T20:14:59
db: PACKETSTORM // id: 89987 // date: 2010-05-27T05:11:37
db: PACKETSTORM // id: 68874 // date: 2008-08-06T21:46:19
db: PACKETSTORM // id: 69968 // date: 2008-09-14T20:14:36
db: PACKETSTORM // id: 77952 // date: 2009-06-02T20:11:04
db: PACKETSTORM // id: 82164 // date: 2009-10-23T18:14:28
db: CNNVD // id: CNNVD-200808-056 // date: 2008-08-06T00:00:00
db: NVD // id: CVE-2008-2939 // date: 2008-08-06T18:41:00