Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200907-04 ] Apache: Multiple vulnerabilities
Date: Sun, 12 Jul 2009 15:23:48
Message-Id: 1247412052.4237.1.camel@localhost
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200907-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Apache: Multiple vulnerabilities
      Date: July 12, 2009
      Bugs: #268154, #271470, #276426, #276792
        ID: 200907-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in the Apache HTTP daemon allow for local
privilege escalation, information disclosure or Denial of Service
attacks.

Background
==========

The Apache HTTP server is one of the most popular web servers on the
Internet.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-servers/apache      < 2.2.11-r2                  >= 2.2.11-r2

Description
===========

Multiple vulnerabilities have been discovered in the Apache HTTP
server:

* Jonathan Peatfield reported that the "Options=IncludesNoEXEC"
  argument to the "AllowOverride" directive is not processed properly
  (CVE-2009-1195).

* Sander de Boer discovered that the AJP proxy module (mod_proxy_ajp)
  does not correctly handle POST requests that do not contain a request
  body (CVE-2009-1191).

* The vendor reported that the HTTP proxy module (mod_proxy_http),
  when being used as a reverse proxy, does not properly handle requests
  containing more data than stated in the "Content-Length" header
  (CVE-2009-1890).

* Francois Guerraz discovered that mod_deflate does not abort the
  compression of large files even when the requesting connection is
  closed prematurely (CVE-2009-1891).

Impact
======

A local attacker could circumvent restrictions put up by the server
administrator and execute arbitrary commands with the privileges of the
user running the Apache server. A remote attacker could send multiple
requests to a server with the AJP proxy module, possibly resulting in
the disclosure of a request intended for another client, or cause a
Denial of Service by sending specially crafted requests to servers
running mod_proxy_http or mod_deflate.

Workaround
==========

Remove "include", "mod_proxy_ajp", "mod_proxy_http" and "deflate" from
APACHE2_MODULES in make.conf and rebuild Apache, or disable the
aforementioned modules in the Apache configuration.

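One way to check a system against this workaround, as an added example that is not part of the advisory: the script lists which of the four modules are still enabled in an APACHE2_MODULES assignment. The function names and the sample make.conf are constructed for illustration; it assumes the double-quoted assignment form and matches module names with any "mod_" prefix stripped.

```sh
#!/bin/sh
# Added example, not part of the advisory: list the modules named in the
# GLSA 200907-04 workaround that are still enabled through APACHE2_MODULES.

# Print the tokens of the last APACHE2_MODULES="..." assignment, one per line.
# Assumption: double-quoted form; the value may span several lines.
apache2_modules() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        !inval && sub(/^[ \t]*APACHE2_MODULES="/, "") { val = ""; inval = 1 }
        inval {
            i = index($0, "\"")                   # closing quote on this line?
            if (i > 0) { val = val " " substr($0, 1, i - 1); inval = 0 }
            else       { val = val " " $0 }
        }
        END { n = split(val, tok, " "); for (k = 1; k <= n; k++) print tok[k] }
    ' "$1"
}

# Print, sorted, each workaround module that is enabled. Tokens with a leading
# "-" are disabled and never match; a "mod_" prefix is stripped because the
# advisory writes two of the names with it.
glsa_enabled_modules() {
    apache2_modules "$1" | sed 's/^mod_//' | sort -u |
        grep -Fx -e include -e proxy_ajp -e proxy_http -e deflate || true
}

# Constructed sample make.conf, written to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
CFLAGS="-O2 -pipe"
# APACHE2_MODULES="include deflate proxy_http"
APACHE2_MODULES="actions alias auth_basic authz_host deflate dir
    include mime proxy proxy_ajp -proxy_http rewrite"
EOF
}

# Audit the file given as $1, or the constructed sample when none is given.
conf=${1:-$(mktemp)}
[ -n "${1:-}" ] || write_sample_conf "$conf"
glsa_enabled_modules "$conf"
[ -n "${1:-}" ] || rm -f "$conf"
```

Run it with the path to make.conf as its only argument. Modules disabled only in the Apache configuration, the second option in the workaround, are outside what this check sees.
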
Resolution
==========

All Apache users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.11-r2"

References
==========

[ 1 ] CVE-2009-1195
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
[ 2 ] CVE-2009-1191
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191
[ 3 ] CVE-2009-1890
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
[ 4 ] CVE-2009-1891
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200907-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
