Mandriva Linux Security Advisory 2012-154 - Multiple vulnerabilities has been found and corrected in apache. Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory. Possible XSS for sites which use mod_negotiation and allow untrusted uploads to locations which have MultiViews enabled. The updated packages have been upgraded to the latest 2.2.23 version which is not vulnerable to these issues.
5a1742252a9584a52acf4fe80af2e67a76d0ef2a0f171b83cfe17bd5855503b2-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:154-1
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apache
Date : October 1, 2012
Affected: 2011.
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been found and corrected in apache
(ASF HTTPD):
Insecure handling of LD_LIBRARY_PATH was found that could lead to
the current working directory to be searched for DSOs. This could
allow a local user to execute code as root if an administrator runs
apachectl from an untrusted directory (CVE-2012-0883).
Possible XSS for sites which use mod_negotiation and allow untrusted
uploads to locations which have MultiViews enabled (CVE-2012-2687).
The updated packages have been upgraded to the latest 2.2.23 version
which is not vulnerable to these issues.
Update:
Packages for Mandriva Linux 2011 is also being provided.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.apache.org/dist/httpd/CHANGES_2.2.23
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2011:
304de24601ba6d0511bb81b874a0f233 2011/i586/apache-base-2.2.23-0.1-mdv2011.0.i586.rpm
2cb8260077a6397789fbd5d4a4d085eb 2011/i586/apache-conf-2.2.23-0.1-mdv2011.0.i586.rpm
30b35a2b7e38d194a2616aabf282fc8e 2011/i586/apache-devel-2.2.23-0.1-mdv2011.0.i586.rpm
808b441d5f6a4dfe677027f052be5b2e 2011/i586/apache-doc-2.2.23-0.1-mdv2011.0.noarch.rpm
48e1b89096e022e2370846ee6be23cb0 2011/i586/apache-htcacheclean-2.2.23-0.1-mdv2011.0.i586.rpm
69e8ff977665c5ffcaa56a633a9c075d 2011/i586/apache-mod_authn_dbd-2.2.23-0.1-mdv2011.0.i586.rpm
cef83ce377d853787f157372d174e43a 2011/i586/apache-mod_cache-2.2.23-0.1-mdv2011.0.i586.rpm
e727d7356474d2899d971ded9ead528a 2011/i586/apache-mod_dav-2.2.23-0.1-mdv2011.0.i586.rpm
a6d4a2d3bde1c22f9885e45674acb859 2011/i586/apache-mod_dbd-2.2.23-0.1-mdv2011.0.i586.rpm
e95a0e806ed2714f58c4931f923dd9ff 2011/i586/apache-mod_deflate-2.2.23-0.1-mdv2011.0.i586.rpm
eea3f9df618d84f4d7718fa7f7ed7fc2 2011/i586/apache-mod_disk_cache-2.2.23-0.1-mdv2011.0.i586.rpm
f4e5b517609491cff78e787478701c2d 2011/i586/apache-mod_file_cache-2.2.23-0.1-mdv2011.0.i586.rpm
e6b6bf3657df8d57f714b376f0a46c17 2011/i586/apache-mod_ldap-2.2.23-0.1-mdv2011.0.i586.rpm
f08c6df85eee5fb376495a1962fe3b70 2011/i586/apache-mod_mem_cache-2.2.23-0.1-mdv2011.0.i586.rpm
8e0e8200b769acf3c5e4bbe7726fd915 2011/i586/apache-mod_proxy-2.2.23-0.1-mdv2011.0.i586.rpm
6c999383b58c6ee96282386b4fb7d9ea 2011/i586/apache-mod_proxy_ajp-2.2.23-0.1-mdv2011.0.i586.rpm
20b0d2479343f49409b5e31e9338f4dc 2011/i586/apache-mod_proxy_scgi-2.2.23-0.1-mdv2011.0.i586.rpm
1e51299c37aa0cbd03a65a260d12ddeb 2011/i586/apache-mod_reqtimeout-2.2.23-0.1-mdv2011.0.i586.rpm
0ddbed217d6677478b0a2a01732ff491 2011/i586/apache-mod_ssl-2.2.23-0.1-mdv2011.0.i586.rpm
0a14fbf39eab16eb6f306545149d1d08 2011/i586/apache-mod_suexec-2.2.23-0.1-mdv2011.0.i586.rpm
58a903513f5debd76f3af90df3cb81f2 2011/i586/apache-modules-2.2.23-0.1-mdv2011.0.i586.rpm
92dc4453fc1412585be0a2d6910ad1bb 2011/i586/apache-mod_userdir-2.2.23-0.1-mdv2011.0.i586.rpm
a6fcd50c146c04c53adfd63cdeff0886 2011/i586/apache-mpm-event-2.2.23-0.1-mdv2011.0.i586.rpm
2789b0dff916fbc432705402ccaf48b0 2011/i586/apache-mpm-itk-2.2.23-0.1-mdv2011.0.i586.rpm
1373ec52e55560feab9bbc4841d121c7 2011/i586/apache-mpm-peruser-2.2.23-0.1-mdv2011.0.i586.rpm
02b03a8c84896f04ce7c4ee098db88f1 2011/i586/apache-mpm-prefork-2.2.23-0.1-mdv2011.0.i586.rpm
9fff7197d3b44a8dc4c328ae42b0c78d 2011/i586/apache-mpm-worker-2.2.23-0.1-mdv2011.0.i586.rpm
b377ef4867bb4bb4740b6c454c673ae9 2011/i586/apache-source-2.2.23-0.1-mdv2011.0.i586.rpm
ff8b62d886256d35b4b48b599dde8b42 2011/SRPMS/apache-2.2.23-0.1.src.rpm
b293c41bc67cd64e55d4f76cbc01e5fa 2011/SRPMS/apache-conf-2.2.23-0.1.src.rpm
7b26aff710ef4cf8761ee0f2d56335de 2011/SRPMS/apache-mod_suexec-2.2.23-0.1.src.rpm
Mandriva Linux 2011/X86_64:
c4985b28e7ec9150a212a50b83acf971 2011/x86_64/apache-base-2.2.23-0.1-mdv2011.0.x86_64.rpm
1a47380b5c2408302ae45e53c57e3dd7 2011/x86_64/apache-conf-2.2.23-0.1-mdv2011.0.x86_64.rpm
1ddc2098bd25562f20fb5dc13f15bbb4 2011/x86_64/apache-devel-2.2.23-0.1-mdv2011.0.x86_64.rpm
98ebe1c72a3f4393089f4dff74478aef 2011/x86_64/apache-doc-2.2.23-0.1-mdv2011.0.noarch.rpm
cdd1a070b46dae87bcc56c9ffdf787e1 2011/x86_64/apache-htcacheclean-2.2.23-0.1-mdv2011.0.x86_64.rpm
b63b8c6c86a1d12c0d7d975965c68520 2011/x86_64/apache-mod_authn_dbd-2.2.23-0.1-mdv2011.0.x86_64.rpm
f32eda71a0d502ed40c57160781a4ae7 2011/x86_64/apache-mod_cache-2.2.23-0.1-mdv2011.0.x86_64.rpm
83e739d64bbb194125a94ebd0f48e3dd 2011/x86_64/apache-mod_dav-2.2.23-0.1-mdv2011.0.x86_64.rpm
480f7d2b5871cf135c94693e51e0304f 2011/x86_64/apache-mod_dbd-2.2.23-0.1-mdv2011.0.x86_64.rpm
0bb1ce70ccc8faf9446ce4fb876463ac 2011/x86_64/apache-mod_deflate-2.2.23-0.1-mdv2011.0.x86_64.rpm
b5a054dd23f63b2853e3aedf0feeb0be 2011/x86_64/apache-mod_disk_cache-2.2.23-0.1-mdv2011.0.x86_64.rpm
17d3e7b2f6706d732d141f32a28b0bcc 2011/x86_64/apache-mod_file_cache-2.2.23-0.1-mdv2011.0.x86_64.rpm
afbd5756292b77c910191208530f11f9 2011/x86_64/apache-mod_ldap-2.2.23-0.1-mdv2011.0.x86_64.rpm
554905b1d3d606fa6d4d27a7fb24f5ab 2011/x86_64/apache-mod_mem_cache-2.2.23-0.1-mdv2011.0.x86_64.rpm
a8052b80204773827087adf071276075 2011/x86_64/apache-mod_proxy-2.2.23-0.1-mdv2011.0.x86_64.rpm
f5cdac9841f48f9de11cb70477924fd9 2011/x86_64/apache-mod_proxy_ajp-2.2.23-0.1-mdv2011.0.x86_64.rpm
54f266ab995d16892c9da04e2fe7be7d 2011/x86_64/apache-mod_proxy_scgi-2.2.23-0.1-mdv2011.0.x86_64.rpm
0cbfba26f9b4afdb27bb47f09d4544d1 2011/x86_64/apache-mod_reqtimeout-2.2.23-0.1-mdv2011.0.x86_64.rpm
1cada2498b31e1e218b11bce3f971033 2011/x86_64/apache-mod_ssl-2.2.23-0.1-mdv2011.0.x86_64.rpm
dbb6bbac5f46b0e38b45aa38cd5c264b 2011/x86_64/apache-mod_suexec-2.2.23-0.1-mdv2011.0.x86_64.rpm
2217d6023cedd9002c9882cc6d420ab9 2011/x86_64/apache-modules-2.2.23-0.1-mdv2011.0.x86_64.rpm
6e808ea12619204f2df8e1a2f9297652 2011/x86_64/apache-mod_userdir-2.2.23-0.1-mdv2011.0.x86_64.rpm
ef4f018d2c2d366ae4fefd105a9dc281 2011/x86_64/apache-mpm-event-2.2.23-0.1-mdv2011.0.x86_64.rpm
4f9347c3375eb9f36207731d11687d15 2011/x86_64/apache-mpm-itk-2.2.23-0.1-mdv2011.0.x86_64.rpm
55e80fe4664781176c1a10b18c948cc9 2011/x86_64/apache-mpm-peruser-2.2.23-0.1-mdv2011.0.x86_64.rpm
d1eb3c2f9348686c2dd461389dd28b9e 2011/x86_64/apache-mpm-prefork-2.2.23-0.1-mdv2011.0.x86_64.rpm
f95c3d4b86d7014b8df2ea025551eadf 2011/x86_64/apache-mpm-worker-2.2.23-0.1-mdv2011.0.x86_64.rpm
304e6bcde281da5142f612886f9ef182 2011/x86_64/apache-source-2.2.23-0.1-mdv2011.0.x86_64.rpm
ff8b62d886256d35b4b48b599dde8b42 2011/SRPMS/apache-2.2.23-0.1.src.rpm
b293c41bc67cd64e55d4f76cbc01e5fa 2011/SRPMS/apache-conf-2.2.23-0.1.src.rpm
7b26aff710ef4cf8761ee0f2d56335de 2011/SRPMS/apache-mod_suexec-2.2.23-0.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFQaa9/mqjQ0CJFipgRAhruAJ9EC4FWiuzvbIXRyxeJEa6ifXWfngCfdzew
7eKtlYj6mMOMjJJ0oekKwnQ=
=t10D
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed