[Full-disclosure] [ MDVSA-2009:168 ] apache
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:168
http://www.mandriva.com/security/
_______________________________________________________________________

Package : apache
Date : July 28, 2009
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in apache:

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
module in the Apache HTTP Server before 2.3.3, when a reverse proxy
is configured, does not properly handle an amount of streamed data
that exceeds the Content-Length value, which allows remote attackers
to cause a denial of service (CPU consumption) via crafted requests
(CVE-2009-1890).

Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects (CVE-2009-1891).

This update provides fixes for these vulnerabilities.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
a35f4e42ad811635b008deeab1c86aec mes5/i586/apache-base-2.2.9-12.4mdvmes5.i586.rpm
e80464f36e994ae9bb6c15ff0169eeba mes5/i586/apache-devel-2.2.9-12.4mdvmes5.i586.rpm
28c561e0b2016009381e4f4fa22bce03 mes5/i586/apache-htcacheclean-2.2.9-12.4mdvmes5.i586.rpm
bc4f6c084ed91c71fc775e12523cc411 mes5/i586/apache-mod_authn_dbd-2.2.9-12.4mdvmes5.i586.rpm
06c077d73faf913291546b4dc16d1213 mes5/i586/apache-mod_cache-2.2.9-12.4mdvmes5.i586.rpm
a2ae256b0b1eaa976da0ab253d047b02 mes5/i586/apache-mod_dav-2.2.9-12.4mdvmes5.i586.rpm
4b9770ce8587ec86ab7cffe6bc1cba90 mes5/i586/apache-mod_dbd-2.2.9-12.4mdvmes5.i586.rpm
7641eddea949e2c78648c56e953aecf5 mes5/i586/apache-mod_deflate-2.2.9-12.4mdvmes5.i586.rpm
43b59e5af9d21fb3847d17e0ae122dab mes5/i586/apache-mod_disk_cache-2.2.9-12.4mdvmes5.i586.rpm
d282ac6c56c4f9bdc77825150afa7e1c mes5/i586/apache-mod_file_cache-2.2.9-12.4mdvmes5.i586.rpm
c9ee1dcbcb330a4da275f9e8b4478c70 mes5/i586/apache-mod_ldap-2.2.9-12.4mdvmes5.i586.rpm
422cc7b321578d1de3223fbb76ebe29f mes5/i586/apache-mod_mem_cache-2.2.9-12.4mdvmes5.i586.rpm
89dc38ba7ad0187ed7d3c5694d6cbf22 mes5/i586/apache-mod_proxy-2.2.9-12.4mdvmes5.i586.rpm
27096c4f8dada996969a4cfe0f34715f mes5/i586/apache-mod_proxy_ajp-2.2.9-12.4mdvmes5.i586.rpm
d1194518bdb208cc50a3fab9c39f8152 mes5/i586/apache-mod_ssl-2.2.9-12.4mdvmes5.i586.rpm
5738e54feabed82b1e945fbe09731383 mes5/i586/apache-modules-2.2.9-12.4mdvmes5.i586.rpm
f74ef1df3ab6a3d53549a05e2a4532fe mes5/i586/apache-mod_userdir-2.2.9-12.4mdvmes5.i586.rpm
6192bb53d6a3a96f20016f6409b17dd8 mes5/i586/apache-mpm-event-2.2.9-12.4mdvmes5.i586.rpm
734d101998223302206ff7063c63b3f2 mes5/i586/apache-mpm-itk-2.2.9-12.4mdvmes5.i586.rpm
440c586651e316e6f78369a7ca0488cb mes5/i586/apache-mpm-peruser-2.2.9-12.4mdvmes5.i586.rpm
a2ac9623691bd1e920cbf42c944f91e8 mes5/i586/apache-mpm-prefork-2.2.9-12.4mdvmes5.i586.rpm
d517fcb16974e97fc29976b883c72653 mes5/i586/apache-mpm-worker-2.2.9-12.4mdvmes5.i586.rpm
53b6e7fe71e8e7871e0e648784fe9532 mes5/i586/apache-source-2.2.9-12.4mdvmes5.i586.rpm
5c04f485825d1c861f4fb7a9b75c8c1b mes5/SRPMS/apache-2.2.9-12.4mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
2feb99f4443048861680089e81b3d99b mes5/x86_64/apache-base-2.2.9-12.4mdvmes5.x86_64.rpm
94e17e3194808a758f40a5a4e604584f mes5/x86_64/apache-devel-2.2.9-12.4mdvmes5.x86_64.rpm
b21a88c27e4c890f53f7f086c18661c8 mes5/x86_64/apache-htcacheclean-2.2.9-12.4mdvmes5.x86_64.rpm
868451cf6682c4bd88fdff123e9f586e mes5/x86_64/apache-mod_authn_dbd-2.2.9-12.4mdvmes5.x86_64.rpm
7df675bf863a1c1a8cc7e6f5b0092800 mes5/x86_64/apache-mod_cache-2.2.9-12.4mdvmes5.x86_64.rpm
6ec73ab804db7873157b856015cee5e7 mes5/x86_64/apache-mod_dav-2.2.9-12.4mdvmes5.x86_64.rpm
e7dcfeccfa90c0367a9c908804617f3b mes5/x86_64/apache-mod_dbd-2.2.9-12.4mdvmes5.x86_64.rpm
1f5b27130438287975e8ed05d1e9d6c3 mes5/x86_64/apache-mod_deflate-2.2.9-12.4mdvmes5.x86_64.rpm
2ab40847d45382437e6be2f73693450c mes5/x86_64/apache-mod_disk_cache-2.2.9-12.4mdvmes5.x86_64.rpm
776d0ce3c8bc6034d403fe7820394490 mes5/x86_64/apache-mod_file_cache-2.2.9-12.4mdvmes5.x86_64.rpm
73b71de2b1a192c8ea9356fd4569d629 mes5/x86_64/apache-mod_ldap-2.2.9-12.4mdvmes5.x86_64.rpm
6e3550a6e3937498703f5675998ff634 mes5/x86_64/apache-mod_mem_cache-2.2.9-12.4mdvmes5.x86_64.rpm
418ef56503d3e500fa66ca275020c018 mes5/x86_64/apache-mod_proxy-2.2.9-12.4mdvmes5.x86_64.rpm
80c03337e2686ced47d2d269c21436ab mes5/x86_64/apache-mod_proxy_ajp-2.2.9-12.4mdvmes5.x86_64.rpm
7545572a06aae7a51292d455760d56b4 mes5/x86_64/apache-mod_ssl-2.2.9-12.4mdvmes5.x86_64.rpm
a1e4b7bde251d6fc960a4c40834c9528 mes5/x86_64/apache-modules-2.2.9-12.4mdvmes5.x86_64.rpm
69f3787207a5856b388166ca59459fa4 mes5/x86_64/apache-mod_userdir-2.2.9-12.4mdvmes5.x86_64.rpm
d204be58a3c99219740f76fc7f53adcd mes5/x86_64/apache-mpm-event-2.2.9-12.4mdvmes5.x86_64.rpm
68404cdf1704abb8d560cf34c18e6263 mes5/x86_64/apache-mpm-itk-2.2.9-12.4mdvmes5.x86_64.rpm
2d72aa5ce503cac036b8972fcb4c36e6 mes5/x86_64/apache-mpm-peruser-2.2.9-12.4mdvmes5.x86_64.rpm
d948b73264e6228d89d36fd3af7249bf mes5/x86_64/apache-mpm-prefork-2.2.9-12.4mdvmes5.x86_64.rpm
45f459c24c0bdf0e2f4f196441fee8ce mes5/x86_64/apache-mpm-worker-2.2.9-12.4mdvmes5.x86_64.rpm
b8f6f631798d8383f3b916db35e4d3b0 mes5/x86_64/apache-source-2.2.9-12.4mdvmes5.x86_64.rpm
5c04f485825d1c861f4fb7a9b75c8c1b mes5/SRPMS/apache-2.2.9-12.4mdvmes5.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
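As an added example, not part of the Mandriva advisory and not Mandriva's own tooling, the following Python performs the two checks an administrator wants after reading this section: whether the installed apache package release is at or above 2.2.9-12.4mdvmes5, using a simplified reimplementation of rpm's version comparison (tilde and caret rules are omitted), and whether RPMs downloaded by hand match the MD5 digests listed under "Updated Packages". The two checksum lines are copied from this advisory; the files created in demo() are constructed sample data, not real packages. The `rpm -q --qf` query mentioned in a comment is standard rpm usage; everything else here is an assumption of the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Fixed package release named in MDVSA-2009:168.
FIXED_EVR = "2.2.9-12.4mdvmes5"

# Two checksum lines copied from the advisory's "Updated Packages" block.
ADVISORY_LINES = """\
a35f4e42ad811635b008deeab1c86aec mes5/i586/apache-base-2.2.9-12.4mdvmes5.i586.rpm
7641eddea949e2c78648c56e953aecf5 mes5/i586/apache-mod_deflate-2.2.9-12.4mdvmes5.i586.rpm
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two version or release strings roughly the way rpm does:
    separators are ignored, numeric segments compare as integers, alpha
    segments lexically, numeric beats alpha, and the string that still has
    segments left over is newer. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1

def evr_compare(installed, fixed):
    """Compare 'version-release' strings: version decides, then release."""
    v1, r1 = installed.split("-", 1)
    v2, r2 = fixed.split("-", 1)
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

def is_at_fixed_release(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed version-release (e.g. the output of
    rpm -q --qf '%{VERSION}-%{RELEASE}' apache-base) is at or above the
    release the advisory ships. Only meaningful within the same vendor's
    package stream, since backports keep the upstream version number."""
    return evr_compare(installed_evr, fixed_evr) >= 0

def evr_from_filename(rpm_path):
    """'apache-base-2.2.9-12.4mdvmes5.i586.rpm' -> ('apache-base', '2.2.9-12.4mdvmes5')."""
    stem = Path(rpm_path).name[: -len(".rpm")]
    stem, _arch = stem.rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version + "-" + release

_CHECKSUM_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")

def parse_checksums(text):
    """Map relative package path -> expected MD5 from 'md5 path' lines."""
    expected = {}
    for line in text.splitlines():
        m = _CHECKSUM_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1)
    return expected

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_downloads(expected, base_dir):
    """Return {relative path: 'ok' | 'mismatch' | 'missing'} for every entry."""
    base = Path(base_dir)
    results = {}
    for rel, digest in expected.items():
        target = base / rel
        if not target.is_file():
            results[rel] = "missing"
        elif md5_of(target) != digest:
            results[rel] = "mismatch"
        else:
            results[rel] = "ok"
    return results

def demo():
    """Constructed mirror directory: one file matching its listed digest,
    one whose digest was altered, one entry never downloaded."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "mes5/i586/good.rpm"
        bad = Path(tmp) / "mes5/i586/bad.rpm"
        good.parent.mkdir(parents=True)
        good.write_bytes(b"constructed payload, not a real rpm")
        bad.write_bytes(b"constructed payload, not a real rpm")
        listing = "\n".join([
            md5_of(good) + " mes5/i586/good.rpm",
            "0" * 32 + " mes5/i586/bad.rpm",      # digest deliberately wrong
            "f" * 32 + " mes5/i586/absent.rpm",   # file never downloaded
        ])
        return verify_downloads(parse_checksums(listing), tmp)

if __name__ == "__main__":
    print(is_at_fixed_release("2.2.9-12.3mdvmes5"), is_at_fixed_release(FIXED_EVR))
    print(demo())
```

The MD5 list only guards against a corrupted or substituted download; the authoritative check is the GPG signature that urpmi verifies against the Mandriva key above (rpm --checksig on a downloaded package performs the same check by hand). The release comparison is likewise only a quick sanity check against this vendor's own packages: an upstream 2.2.x number from another source says nothing about whether these two CVEs are fixed in it.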

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKb0Y8mqjQ0CJFipgRAsrQAJwK+924Ln64N1SBSndg3bIboARmJwCfXmRy
75KI+UlJfOVBaDb4CJUCzBM=
=MQFn
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/