Ispravljeni višestruki nedostaci paketa apache2

U radu programskog paketa Apache 2 otkriveni su višestruki sigurnosni propusti. Udaljenim napadačima omogućuju otkrivanje osjetljivih podataka i izvođenje napada uskraćivanjem usluge ( DoS).

Paket:	Apache 2.x
Operacijski sustavi:	openSUSE 11.4
Kritičnost:	5
Problem:	neodgovarajuće rukovanje memorijom, pogreška u programskoj komponenti
Iskorištavanje:	lokalno/udaljeno
Posljedica:	otkrivanje osjetljivih informacija, uskraćivanje usluga (DoS)
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2007-6750, CVE-2012-0031, CVE-2012-0053
Izvorni ID preporuke:	openSUSE-SU-2012:0314-1
Izvor:	SUSE

Problem:
Propusti se javljaju kod datoteka "scoreboard.c", "protocol.c" te unutar "mod_reqtimeout" modula.
Posljedica:
Zlonamjerni korisnik bi mogao iskoristiti navedene propuste pomoću posebno oblikovanih HTTP zahtjeva za izazivanje stanja uskraćivanja usluge (eng. Denial of Service) i pristupanje osjetljivim informacijama.
Rješenje:
Korisnicima ranjivog programskog paketa se savjetuje instalacija nadogradnji.

Izvorni tekst preporuke

   openSUSE Security Update: apache2: fixed various security bugs
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2012:0314-1
Rating:             important
References:         #728876 #738855 #741243 #743743 
Cross-References:   CVE-2007-6750 CVE-2012-0031 CVE-2012-0053
                   
Affected Products:
                    openSUSE 11.4
______________________________________________________________________________

   An update that solves three vulnerabilities and has one
   errata is now available.

Description:

   This update of apache2 fixes regressions and several
   security problems:

   bnc#728876, fix graceful reload

   bnc#741243, CVE-2012-0031: Fixed a scoreboard corruption
   (shared mem segment) by child causes crash of privileged
   parent (invalid free()) during shutdown.

   bnc#743743, CVE-2012-0053: Fixed an issue in error
   responses that could expose "httpOnly" cookies when no
   custom ErrorDocument is specified for status code 400".

   bnc#738855, CVE-2007-6750: The "mod_reqtimeout" module was
   backported from Apache 2.2.21 to help mitigate the
   "Slowloris" Denial of Service attack.

   You need to enable the "mod_reqtimeout" module in your
   existing apache configuration to make it effective, e.g. in
   the APACHE_MODULES line in /etc/sysconfig/apache2.


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.4:

      zypper in -t patch apache2-201202-5821

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 11.4 (i586 x86_64):

      apache2-2.2.17-4.13.1
      apache2-devel-2.2.17-4.13.1
      apache2-example-certificates-2.2.17-4.13.1
      apache2-example-pages-2.2.17-4.13.1
      apache2-itk-2.2.17-4.13.1
      apache2-prefork-2.2.17-4.13.1
      apache2-utils-2.2.17-4.13.1
      apache2-worker-2.2.17-4.13.1

   - openSUSE 11.4 (noarch):

      apache2-doc-2.2.17-4.13.1


References:

   http://support.novell.com/security/cve/CVE-2007-6750.html
   http://support.novell.com/security/cve/CVE-2012-0031.html
   http://support.novell.com/security/cve/CVE-2012-0053.html
   https://bugzilla.novell.com/728876
   https://bugzilla.novell.com/738855
   https://bugzilla.novell.com/741243
   https://bugzilla.novell.com/743743

-- 
To unsubscribe, e-mail: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
For additional commands, e-mail: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.

Ispravljeni višestruki nedostaci paketa apache2

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Ispravljeni višestruki nedostaci paketa apache2

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti