ID

VAR-201105-0094

CVE

CVE-2011-1928

TITLE

APR Library and Apache HTTP Server of fnmatch Service disruption in implementation ( infinite loop ) Vulnerabilities

DESCRIPTION

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419. This vulnerability CVE-2011-0419 Vulnerability due to incomplete fix.Does not match wildcard pattern type by a third party URI Through service disruption ( infinite loop ) There is a possibility of being put into a state. Apache APR is prone to a denial-of-service vulnerability. Successful exploits may allow the attacker to cause excessive CPU usage, resulting in denial-of-service conditions. Apache APR 1.4.4 is affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Low: apr security update Advisory ID: RHSA-2011:0844-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0844.html Issue date: 2011-05-31 CVE Names: CVE-2011-1928 ===================================================================== 1. Summary: Updated apr packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. It provides a free library of C data structures and routines. The fix for CVE-2011-0419 (released via RHSA-2011:0507) introduced an infinite loop flaw in the apr_fnmatch() function when the APR_FNM_PATHNAME matching flag was used. A remote attacker could possibly use this flaw to cause a denial of service on an application using the apr_fnmatch() function. (CVE-2011-1928) Note: This problem affected httpd configurations using the "Location" directive with wildcard URLs. The denial of service could have been triggered during normal operation; it did not specifically require a malicious HTTP request. This update also addresses additional problems introduced by the rewrite of the apr_fnmatch() function, which was necessary to address the CVE-2011-0419 flaw. All apr users should upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the apr library, such as httpd, must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 706203 - CVE-2011-1928 apr: DoS flaw in apr_fnmatch() due to fix for CVE-2011-0419 6. Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/apr-0.9.4-26.el4.src.rpm i386: apr-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-devel-0.9.4-26.el4.i386.rpm ia64: apr-0.9.4-26.el4.i386.rpm apr-0.9.4-26.el4.ia64.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.ia64.rpm apr-devel-0.9.4-26.el4.ia64.rpm ppc: apr-0.9.4-26.el4.ppc.rpm apr-0.9.4-26.el4.ppc64.rpm apr-debuginfo-0.9.4-26.el4.ppc.rpm apr-debuginfo-0.9.4-26.el4.ppc64.rpm apr-devel-0.9.4-26.el4.ppc.rpm s390: apr-0.9.4-26.el4.s390.rpm apr-debuginfo-0.9.4-26.el4.s390.rpm apr-devel-0.9.4-26.el4.s390.rpm s390x: apr-0.9.4-26.el4.s390.rpm apr-0.9.4-26.el4.s390x.rpm apr-debuginfo-0.9.4-26.el4.s390.rpm apr-debuginfo-0.9.4-26.el4.s390x.rpm apr-devel-0.9.4-26.el4.s390x.rpm x86_64: apr-0.9.4-26.el4.i386.rpm apr-0.9.4-26.el4.x86_64.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.x86_64.rpm apr-devel-0.9.4-26.el4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/apr-0.9.4-26.el4.src.rpm i386: apr-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-devel-0.9.4-26.el4.i386.rpm x86_64: apr-0.9.4-26.el4.i386.rpm apr-0.9.4-26.el4.x86_64.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.x86_64.rpm apr-devel-0.9.4-26.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/apr-0.9.4-26.el4.src.rpm i386: apr-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-devel-0.9.4-26.el4.i386.rpm ia64: apr-0.9.4-26.el4.i386.rpm apr-0.9.4-26.el4.ia64.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.ia64.rpm apr-devel-0.9.4-26.el4.ia64.rpm x86_64: apr-0.9.4-26.el4.i386.rpm apr-0.9.4-26.el4.x86_64.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.x86_64.rpm apr-devel-0.9.4-26.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/apr-0.9.4-26.el4.src.rpm i386: apr-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-devel-0.9.4-26.el4.i386.rpm ia64: apr-0.9.4-26.el4.i386.rpm apr-0.9.4-26.el4.ia64.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.ia64.rpm apr-devel-0.9.4-26.el4.ia64.rpm x86_64: apr-0.9.4-26.el4.i386.rpm apr-0.9.4-26.el4.x86_64.rpm apr-debuginfo-0.9.4-26.el4.i386.rpm apr-debuginfo-0.9.4-26.el4.x86_64.rpm apr-devel-0.9.4-26.el4.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/apr-1.2.7-11.el5_6.5.src.rpm i386: apr-1.2.7-11.el5_6.5.i386.rpm apr-debuginfo-1.2.7-11.el5_6.5.i386.rpm apr-docs-1.2.7-11.el5_6.5.i386.rpm x86_64: apr-1.2.7-11.el5_6.5.i386.rpm apr-1.2.7-11.el5_6.5.x86_64.rpm apr-debuginfo-1.2.7-11.el5_6.5.i386.rpm apr-debuginfo-1.2.7-11.el5_6.5.x86_64.rpm apr-docs-1.2.7-11.el5_6.5.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/apr-1.2.7-11.el5_6.5.src.rpm i386: apr-debuginfo-1.2.7-11.el5_6.5.i386.rpm apr-devel-1.2.7-11.el5_6.5.i386.rpm x86_64: apr-debuginfo-1.2.7-11.el5_6.5.i386.rpm apr-debuginfo-1.2.7-11.el5_6.5.x86_64.rpm apr-devel-1.2.7-11.el5_6.5.i386.rpm apr-devel-1.2.7-11.el5_6.5.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/apr-1.2.7-11.el5_6.5.src.rpm i386: apr-1.2.7-11.el5_6.5.i386.rpm apr-debuginfo-1.2.7-11.el5_6.5.i386.rpm apr-devel-1.2.7-11.el5_6.5.i386.rpm apr-docs-1.2.7-11.el5_6.5.i386.rpm ia64: apr-1.2.7-11.el5_6.5.ia64.rpm apr-debuginfo-1.2.7-11.el5_6.5.ia64.rpm apr-devel-1.2.7-11.el5_6.5.ia64.rpm apr-docs-1.2.7-11.el5_6.5.ia64.rpm ppc: apr-1.2.7-11.el5_6.5.ppc.rpm apr-1.2.7-11.el5_6.5.ppc64.rpm apr-debuginfo-1.2.7-11.el5_6.5.ppc.rpm apr-debuginfo-1.2.7-11.el5_6.5.ppc64.rpm apr-devel-1.2.7-11.el5_6.5.ppc.rpm apr-devel-1.2.7-11.el5_6.5.ppc64.rpm apr-docs-1.2.7-11.el5_6.5.ppc.rpm s390x: apr-1.2.7-11.el5_6.5.s390.rpm apr-1.2.7-11.el5_6.5.s390x.rpm apr-debuginfo-1.2.7-11.el5_6.5.s390.rpm apr-debuginfo-1.2.7-11.el5_6.5.s390x.rpm apr-devel-1.2.7-11.el5_6.5.s390.rpm apr-devel-1.2.7-11.el5_6.5.s390x.rpm apr-docs-1.2.7-11.el5_6.5.s390x.rpm x86_64: apr-1.2.7-11.el5_6.5.i386.rpm apr-1.2.7-11.el5_6.5.x86_64.rpm apr-debuginfo-1.2.7-11.el5_6.5.i386.rpm apr-debuginfo-1.2.7-11.el5_6.5.x86_64.rpm apr-devel-1.2.7-11.el5_6.5.i386.rpm apr-devel-1.2.7-11.el5_6.5.x86_64.rpm apr-docs-1.2.7-11.el5_6.5.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/apr-1.3.9-3.el6_1.2.src.rpm i386: apr-1.3.9-3.el6_1.2.i686.rpm apr-debuginfo-1.3.9-3.el6_1.2.i686.rpm x86_64: apr-1.3.9-3.el6_1.2.i686.rpm apr-1.3.9-3.el6_1.2.x86_64.rpm apr-debuginfo-1.3.9-3.el6_1.2.i686.rpm apr-debuginfo-1.3.9-3.el6_1.2.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/apr-1.3.9-3.el6_1.2.src.rpm i386: apr-debuginfo-1.3.9-3.el6_1.2.i686.rpm apr-devel-1.3.9-3.el6_1.2.i686.rpm x86_64: apr-debuginfo-1.3.9-3.el6_1.2.i686.rpm apr-debuginfo-1.3.9-3.el6_1.2.x86_64.rpm apr-devel-1.3.9-3.el6_1.2.i686.rpm apr-devel-1.3.9-3.el6_1.2.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/apr-1.3.9-3.el6_1.2.src.rpm x86_64: apr-1.3.9-3.el6_1.2.i686.rpm apr-1.3.9-3.el6_1.2.x86_64.rpm apr-debuginfo-1.3.9-3.el6_1.2.i686.rpm apr-debuginfo-1.3.9-3.el6_1.2.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/apr-1.3.9-3.el6_1.2.src.rpm x86_64: apr-debuginfo-1.3.9-3.el6_1.2.i686.rpm apr-debuginfo-1.3.9-3.el6_1.2.x86_64.rpm apr-devel-1.3.9-3.el6_1.2.i686.rpm apr-devel-1.3.9-3.el6_1.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/apr-1.3.9-3.el6_1.2.src.rpm i386: apr-1.3.9-3.el6_1.2.i686.rpm apr-debuginfo-1.3.9-3.el6_1.2.i686.rpm apr-devel-1.3.9-3.el6_1.2.i686.rpm ppc64: apr-1.3.9-3.el6_1.2.ppc.rpm apr-1.3.9-3.el6_1.2.ppc64.rpm apr-debuginfo-1.3.9-3.el6_1.2.ppc.rpm apr-debuginfo-1.3.9-3.el6_1.2.ppc64.rpm apr-devel-1.3.9-3.el6_1.2.ppc.rpm apr-devel-1.3.9-3.el6_1.2.ppc64.rpm s390x: apr-1.3.9-3.el6_1.2.s390.rpm apr-1.3.9-3.el6_1.2.s390x.rpm apr-debuginfo-1.3.9-3.el6_1.2.s390.rpm apr-debuginfo-1.3.9-3.el6_1.2.s390x.rpm apr-devel-1.3.9-3.el6_1.2.s390.rpm apr-devel-1.3.9-3.el6_1.2.s390x.rpm x86_64: apr-1.3.9-3.el6_1.2.i686.rpm apr-1.3.9-3.el6_1.2.x86_64.rpm apr-debuginfo-1.3.9-3.el6_1.2.i686.rpm apr-debuginfo-1.3.9-3.el6_1.2.x86_64.rpm apr-devel-1.3.9-3.el6_1.2.i686.rpm apr-devel-1.3.9-3.el6_1.2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/apr-1.3.9-3.el6_1.2.src.rpm i386: apr-1.3.9-3.el6_1.2.i686.rpm apr-debuginfo-1.3.9-3.el6_1.2.i686.rpm apr-devel-1.3.9-3.el6_1.2.i686.rpm x86_64: apr-1.3.9-3.el6_1.2.i686.rpm apr-1.3.9-3.el6_1.2.x86_64.rpm apr-debuginfo-1.3.9-3.el6_1.2.i686.rpm apr-debuginfo-1.3.9-3.el6_1.2.x86_64.rpm apr-devel-1.3.9-3.el6_1.2.i686.rpm apr-devel-1.3.9-3.el6_1.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-1928.html https://access.redhat.com/security/updates/classification/#low https://rhn.redhat.com/errata/RHSA-2011-0507.html 8. Contact: The Red Hat security contact is &lt;secalert@redhat.com&gt;. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFN5RAiXlSAg2UNWIIRAuwdAJ9vddMlxPWoOqzsNz37JmvVmqSKfgCfchI5 R4u+hsr+KDZ1nnC2K8wCJ9c= =e0/T -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . The Apache Portable Runtime Utility Library (aka APR-Util) provides an interface to functionality such as XML parsing, string matching and database connections. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache Portable Runtime users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/apr-1.4.8-r1" All users of the APR Utility Library should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/apr-util-1.3.10" Packages which depend on these libraries may need to be recompiled. Tools such as revdep-rebuild may assist in identifying some of these packages. References ========== [ 1 ] CVE-2010-1623 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1623 [ 2 ] CVE-2011-0419 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0419 [ 3 ] CVE-2011-1928 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1928 [ 4 ] CVE-2012-0840 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0840 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201405-24.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c03280632 Version: 2 HPSBMU02764 SSRT100827 rev.2 - HP System Management Homepage (SMH) Running on Linux and Windows, Remote Cross Site Request Forgery (CSRF), Denial of Service (DoS), Execution of Arbitrary Code, Other Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2012-04-16 Last Updated: 2012-04-19 Potential Security Impact: Remote cross site request forgery (CSRF), Denial of Service (DoS), execution of arbitrary code, other vulnerabilities Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) running on Linux and Windows. The vulnerabilities could be exploited remotely and locally resulting in cross site request forgery (CSRF), Denial of Service (DoS), execution of arbitrary code, and other vulnerabilities. References: CVE-2009-0037, CVE-2010-0734, CVE-2010-1452, CVE-2010-1623, CVE-2010-2068, CVE-2010-2791, CVE-2010-3436, CVE-2010-4409, CVE-2010-4645, CVE-2011-0014, CVE-2011-0195, CVE-2011-0419, CVE-2011-1148, CVE-2011-1153, CVE-2011-1464, CVE-2011-1467, CVE-2011-1468, CVE-2011-1470, CVE-2011-1471, CVE-2011-1928, CVE-2011-1938, CVE-2011-1945, CVE-2011-2192, CVE-2011-2202, CVE-2011-2483, CVE-2011-3182, CVE-2011-3189, CVE-2011-3192, CVE-2011-3267, CVE-2011-3268, CVE-2011-3207, CVE-2011-3210, CVE-2011-3348, CVE-2011-3368, CVE-2011-3639, CVE-2011-3846, SSRT100376, CVE-2012-0135, SSRT100609, CVE-2012-1993, SSRT10043 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP System Management Homepage (SMH) before v7.0 running on Linux and Windows. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2009-0037 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2010-0734 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2010-1452 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2010-1623 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2010-2068 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2010-2791 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2010-3436 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2010-4409 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2010-4645 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-0014 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-0195 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2011-0419 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1148 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-1153 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-1464 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1467 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-1468 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1470 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1471 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1928 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-1938 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-1945 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6 CVE-2011-2192 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2011-2202 (AV:N/AC:L/Au:N/C:N/I:P/A:P) 6.4 CVE-2011-2483 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2011-3182 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-3189 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2011-3192 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2011-3267 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-3268 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-3207 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2011-3210 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-3348 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2011-3368 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2011-3639 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2011-3846 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2012-0135 (AV:N/AC:M/Au:S/C:N/I:N/A:P) 3.5 CVE-2012-1993 (AV:L/AC:L/Au:S/C:P/I:P/A:N) 3.2 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 The Hewlett-Packard Company thanks Sow Ching Shiong coordinating with Secunia for reporting CVE-2011-3846 to security-alert@hp.com. The Hewlett-Packard Company thanks Silent Dream for reporting CVE-2012-0135 to security-alert@hp.com RESOLUTION HP has provided HP System Management Homepage v7.0 or subsequent to resolve the vulnerabilities. SMH v7.0 is available here: http://h18000.www1.hp.com/products/servers/management/agents/index.html HISTORY Version:1 (rev.1) 16 April 2012 Initial release Version:2 (rev.2) 19 April 2012 Remove CVE-2011-4317 Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2012 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. HP Secure Web Server (SWS) for OpenVMS V2.2 and earlier. ========================================================================== Ubuntu Security Notice USN-1134-1 May 24, 2011 apache2, apr vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS - Ubuntu 6.06 LTS Summary: A denial of service issue exists that affects the Apache web server. (CVE-2011-1928) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.04: libapr1 1.4.2-7ubuntu2.1 Ubuntu 10.10: libapr1 1.4.2-3ubuntu1.1 Ubuntu 10.04 LTS: libapr1 1.3.8-1ubuntu0.3 Ubuntu 8.04 LTS: libapr1 1.2.11-1ubuntu0.2 Ubuntu 6.06 LTS: libapr0 2.0.55-4ubuntu2.13 After a standard system update you need to restart the Apache web server or any other service that depends on the APR library to make all the necessary changes. Packages for 2010.0 are provided as of the Extended Maintenance Program. Update: Packages for Mandriva Linux 2010.0 were missing with the MDVSA-2011:095 advisory. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD4DBQFN2iiWmqjQ0CJFipgRAtwkAKCAjiWeDSCpeBz8IzxMtpi8XrxLcwCY33lA S7AiWmam6ERQZeIA3TBbYw== =b6Io -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

resource management error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Apache Software Foundation

SOURCES

LAST UPDATE DATE

2024-11-07T21:37:27.184000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE