[gentoo-announce] [ GLSA 201206-25 ] Apache HTTP Server: Multiple vulnerabilities - gentoo-announce

From:	Tobias Heinlein <keytoaster@g.o>
To:	gentoo-announce@g.o
Subject:	[gentoo-announce] [ GLSA 201206-25 ] Apache HTTP Server: Multiple vulnerabilities
Date:	Sun, 24 Jun 2012 14:48:48
Message-Id:	`4FE7272D.2060808@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201206-25

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: High

8

    Title: Apache HTTP Server: Multiple vulnerabilities

9

     Date: June 24, 2012

10

     Bugs: #308049, #330195, #380475, #382971, #385859, #389353,

11

           #392189, #398761, #401081, #412481

12

       ID: 201206-25

13

14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

15

16

Synopsis

17

========

18

19

Multiple vulnerabilities were found in Apache HTTP Server.

20

21

Background

22

==========

23

24

Apache HTTP Server is one of the most popular web servers on the

25

Internet.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package              /     Vulnerable     /            Unaffected

32

    -------------------------------------------------------------------

33

  1  www-servers/apache         < 2.2.22-r1              >= 2.2.22-r1

34

35

Description

36

===========

37

38

Multiple vulnerabilities have been discovered in Apache HTTP Server.

39

Please review the CVE identifiers referenced below for details.

40

41

Impact

42

======

43

44

A remote attacker might obtain sensitive information, gain privileges,

45

send requests to unintended servers behind proxies, bypass certain

46

security restrictions, obtain the values of HTTPOnly cookies, or cause

47

a Denial of Service in various ways.

48

49

A local attacker could gain escalated privileges.

50

51

Workaround

52

==========

53

54

There is no known workaround at this time.

55

56

Resolution

57

==========

58

59

All Apache HTTP Server users should upgrade to the latest version:

60

61

  # emerge --sync

62

  # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.22-r1"

63

64

References

65

==========

66

67

[  1 ] CVE-2010-0408

68

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0408

69

[  2 ] CVE-2010-0434

70

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434

71

[  3 ] CVE-2010-1452

72

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1452

73

[  4 ] CVE-2010-2791

74

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2791

75

[  5 ] CVE-2011-3192

76

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3192

77

[  6 ] CVE-2011-3348

78

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3348

79

[  7 ] CVE-2011-3368

80

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368

81

[  8 ] CVE-2011-3607

82

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3607

83

[  9 ] CVE-2011-4317

84

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4317

85

[ 10 ] CVE-2012-0021

86

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0021

87

[ 11 ] CVE-2012-0031

88

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0031

89

[ 12 ] CVE-2012-0053

90

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0053

91

[ 13 ] CVE-2012-0883

92

       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0883

93

94

Availability

95

============

96

97

This GLSA and any updates to it are available for viewing at

98

the Gentoo Security Website:

99

100

 http://security.gentoo.org/glsa/glsa-201206-25.xml

101

102

Concerns?

103

=========

104

105

Security is a primary focus of Gentoo Linux and ensuring the

106

confidentiality and security of our users' machines is of utmost

107

importance to us. Any security concerns should be addressed to

108

security@g.o or alternatively, you may file a bug at

109

https://bugs.gentoo.org.

110

111

License

112

=======

113

114

Copyright 2012 Gentoo Foundation, Inc; referenced text

115

belongs to its owner(s).

116

117

The contents of this document are licensed under the

118

Creative Commons - Attribution / Share Alike license.

119

120

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201206-25
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: Apache HTTP Server: Multiple vulnerabilities
9	Date: June 24, 2012
10	Bugs: #308049, #330195, #380475, #382971, #385859, #389353,
11	#392189, #398761, #401081, #412481
12	ID: 201206-25
13
14	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15
16	Synopsis
17	========
18
19	Multiple vulnerabilities were found in Apache HTTP Server.
20
21	Background
22	==========
23
24	Apache HTTP Server is one of the most popular web servers on the
25	Internet.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 www-servers/apache < 2.2.22-r1 >= 2.2.22-r1
34
35	Description
36	===========
37
38	Multiple vulnerabilities have been discovered in Apache HTTP Server.
39	Please review the CVE identifiers referenced below for details.
40
41	Impact
42	======
43
44	A remote attacker might obtain sensitive information, gain privileges,
45	send requests to unintended servers behind proxies, bypass certain
46	security restrictions, obtain the values of HTTPOnly cookies, or cause
47	a Denial of Service in various ways.
48
49	A local attacker could gain escalated privileges.
50
51	Workaround
52	==========
53
54	There is no known workaround at this time.
55
56	Resolution
57	==========
58
59	All Apache HTTP Server users should upgrade to the latest version:
60
61	# emerge --sync
62	# emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.22-r1"
63
64	References
65	==========
66
67	[ 1 ] CVE-2010-0408
68	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0408
69	[ 2 ] CVE-2010-0434
70	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434
71	[ 3 ] CVE-2010-1452
72	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1452
73	[ 4 ] CVE-2010-2791
74	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2791
75	[ 5 ] CVE-2011-3192
76	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3192
77	[ 6 ] CVE-2011-3348
78	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3348
79	[ 7 ] CVE-2011-3368
80	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368
81	[ 8 ] CVE-2011-3607
82	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3607
83	[ 9 ] CVE-2011-4317
84	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4317
85	[ 10 ] CVE-2012-0021
86	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0021
87	[ 11 ] CVE-2012-0031
88	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0031
89	[ 12 ] CVE-2012-0053
90	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0053
91	[ 13 ] CVE-2012-0883
92	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0883
93
94	Availability
95	============
96
97	This GLSA and any updates to it are available for viewing at
98	the Gentoo Security Website:
99
100	http://security.gentoo.org/glsa/glsa-201206-25.xml
101
102	Concerns?
103	=========
104
105	Security is a primary focus of Gentoo Linux and ensuring the
106	confidentiality and security of our users' machines is of utmost
107	importance to us. Any security concerns should be addressed to
108	security@g.o or alternatively, you may file a bug at
109	https://bugs.gentoo.org.
110
111	License
112	=======
113
114	Copyright 2012 Gentoo Foundation, Inc; referenced text
115	belongs to its owner(s).
116
117	The contents of this document are licensed under the
118	Creative Commons - Attribution / Share Alike license.
119
120	http://creativecommons.org/licenses/by-sa/2.5