===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.3248
uwsgi security update
30 September 2021
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           uwsgi
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-36160
Reference:         ESB-2021.3239
                   ESB-2021.3148

Original Bulletin:
   http://www.debian.org/lts/security/2021/dla-2768

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2768-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
September 29, 2021                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : uwsgi
Version        : 2.0.14+20161117-3+deb9u4
CVE ID         : CVE-2021-36160

It was discovered that the uwsgi proxy module for Apache2
(mod_proxy_uwsgi) can read above the allocated memory when processing
a request with a carefully crafted uri-path. An attacker may cause the
server to crash (DoS).

For Debian 9 stretch, this problem has been fixed in version
2.0.14+20161117-3+deb9u4.

We recommend that you upgrade your uwsgi packages.
For the detailed security status of uwsgi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/uwsgi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.