copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » Security Bul... » AusCERT Exte... » ESB-2012.1126 - [Win][UNIX/Linux][Debian] apache2: M...
 

ESB-2012.1126 - [Win][UNIX/Linux][Debian] apache2: Multiple vulnerabilities
Date: 03 December 2012
References: ESB-2012.1085  ESB-2013.0216  ESB-2013.0217  ESB-2013.0254  ASB-2013.0046  ESB-2013.0533  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1126
                          apache2 security update
                              3 December 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service              -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-4929 CVE-2012-4557 

Reference:         ESB-2012.1085

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2579

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running apache2 check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2579-1                   security@debian.org
http://www.debian.org/security/                            Stefan Fritsch
November 30, 2012                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : apache2
Vulnerability  : Multiple issues
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-4557 CVE-2012-4929
Debian Bug     : 689936

A vulnerability has been found in the Apache HTTPD Server:

CVE-2012-4557

	A flaw was found when mod_proxy_ajp connects to a backend
	server that takes too long to respond. Given a specific
	configuration, a remote attacker could send certain requests,
	putting a backend server into an error state until the retry
	timeout expired. This could lead to a temporary denial of
	service.

In addition, this update also adds a server side mitigation for the
following issue:

CVE-2012-4929

	If using SSL/TLS data compression with HTTPS in an connection
	to a web browser, man-in-the-middle attackers may obtain
	plaintext HTTP headers. This issue is known as the "CRIME"
	attack. This update of apache2 disables SSL compression by
	default. A new SSLCompression directive has been backported
	that may be used to re-enable SSL data compression in
	environments where the "CRIME" attack is not an issue.
	For more information, please refer to:
	http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression

For the stable distribution (squeeze), these problems have been fixed in
version 2.2.16-6+squeeze10.

For the testing distribution (wheezy), these problems have been fixed in
version 2.2.22-12.

For the unstable distribution (sid), these problems have been fixed in
version 2.2.22-12.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFQuK+Vbxelr8HyTqQRAqBWAJ9SwDPC+KeOet/cXswJ7dCXHKRMuACfU/s2
2vc47aYjqALiQR/OCZft9/E=
=rzaO
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBULv6b+4yVqjM2NGpAQIcnw//WxIKW4wdYqplGOmrZ5p5/eUsWWOKhCWP
sPw4V0yN92DG/1oshapsELIZrbMtd9onADKXeRBU25UrYbcO2xBrdinq3QiNBqJm
rPawgyHmnJa0vKtutfnV1XuJUpqDYJVAvdd3kgr9F3VjG4cu8/pwi5DxcjF8IaZK
BOJfd1nQcOczgc1KknTB4Yu7b3WMqwhYsgmM6WYHeWRGsxY1huz8kD/H55QwLu7m
tB8NloKAhnss+Qo/OZfXi82Pwzcod0/ZyNmjG+RhIF8TYM8xiaS9XrqW8Bp45Zff
HIKt4Od8xTaIUmYwoN/anTAXne4dT0e+M0Y1HOApflFMr+P/B8H2DCpiG8L1+6GC
x7Tiavadad2cBVhAfxNJuW7qp6l38inhp/u/x9LQhlrl04tdVUECy+0yEwRHz6ZT
egvWcN2U3sT5Da7nOUSYPJ0+v4rrdxmMeiqJPYzRIBKyxIF3OymIyOmT37TM/0ip
DRg7BIADGBbdZw8CRWJZC8LeepkUlsOG4imdZBYD5sVBHo74PC/XXiihPFe8avNU
MZYuJ6vpCeOUmz8IXmYiDZdi+C8yCJTicYogP+7ZaoGdXe1oAcrhqdLpNmp2+gqE
NCyx19tbj3zfVtTkDlrvPu3mdYhX1VpWKo/FH1DYVpfMNHDriblKYcKrTh8VQzSx
wgk2K2/PCyo=
=FsKV
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/16642