===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3248
                           uwsgi security update
                             30 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           uwsgi
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-36160  

Reference:         ESB-2021.3239
                   ESB-2021.3148

Original Bulletin: 
   http://www.debian.org/lts/security/2021/dla-2768

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2768-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
September 29, 2021                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : uwsgi
Version        : 2.0.14+20161117-3+deb9u4
CVE ID         : CVE-2021-36160

It was discovered that the uwsgi proxy module for Apache2
(mod_proxy_uwsgi) can read above the allocated memory when processing
a request with a carefully crafted uri-path. An attacker may cause the
server to crash (DoS).

For Debian 9 stretch, this problem has been fixed in version
2.0.14+20161117-3+deb9u4.

We recommend that you upgrade your uwsgi packages.

For the detailed security status of uwsgi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/uwsgi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------
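
Added example (not part of the Debian advisory or the AusCERT bulletin): a triage check that flags hosts whose uwsgi packages sort below the fixed version 2.0.14+20161117-3+deb9u4, using Debian's version ordering so that suffixes such as `~bpo1` or a missing `+deb9uN` compare correctly. The inventory lines, host names and the function names are constructed for illustration, and the check assumes every listed host runs Debian 9 stretch, since the fixed version applies to that release only.

```python
FIXED = "2.0.14+20161117-3+deb9u4"  # fixed version for Debian 9 stretch (from the advisory)

# Constructed sample inventory: "host package version", stretch hosts only (assumption).
SAMPLE = """\
web01 libapache2-mod-proxy-uwsgi 2.0.14+20161117-3+deb9u3
web02 libapache2-mod-proxy-uwsgi 2.0.14+20161117-3+deb9u4
web03 uwsgi-core 2.0.14+20161117-3+deb9u4~bpo1
web04 uwsgi-core 2.0.14+20161117-3
"""

def _isdig(s, i):
    return i < len(s) and "0" <= s[i] <= "9"

def _order(s, i):
    """Sort weight of a non-digit character; digits and end of string weigh 0."""
    if i >= len(s) or _isdig(s, i):
        return 0
    c = s[i]
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare upstream or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: '~' sorts before end of string, letters before symbols.
        while (i < len(a) and not _isdig(a, i)) or (j < len(b) and not _isdig(b, j)):
            oa, ob = _order(a, i), _order(b, j)
            if oa != ob:
                return -1 if oa < ob else 1
            i, j = i + 1, j + 1
        # Digit run: compare numerically, an empty run counts as 0.
        si, sj = i, j
        while _isdig(a, i): i += 1
        while _isdig(b, j): j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(v):
    """Split into (epoch, upstream, revision); the revision follows the last '-'."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def deb_compare(x, y):
    """Return -1, 0 or 1 as x sorts before, equal to or after y."""
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    if ex != ey:
        return -1 if ex < ey else 1
    return _cmp_part(ux, uy) or _cmp_part(rx, ry)

def vulnerable(inventory, fixed=FIXED):
    """Return (host, package, version) rows still below the fixed version."""
    rows = (line.split() for line in inventory.strip().splitlines())
    return [(h, p, v) for h, p, v in rows if deb_compare(v, fixed) < 0]
```

On a Debian host itself, `dpkg --compare-versions` performs the same comparison; the pure-Python form is for checking a collected inventory from an analysis machine.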

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================