From Mageia wiki

MGASA-2013-0073

Date: February 27th, 2013
Affected releases: 2
Media: Core


Description:
Updated apache packages fix security vulnerabilities:

Various XSS (cross-site scripting) flaws due to unescaped hostnames and
URIs in the HTML output of mod_info, mod_status, mod_imagemap, mod_ldap,
and mod_proxy_ftp (CVE-2012-3499).

XSS (cross-site scripting) flaw in the mod_proxy_balancer manager
interface (CVE-2012-4558).

Additionally, ASF bug 53219 was resolved, which provides a way to
mitigate the CRIME attack by disabling TLS-level compression. Use the
new directive SSLCompression on|off to enable or disable TLS-level
compression. By default, SSLCompression is turned on.
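
Because SSLCompression defaults to on in these packages, installing the update alone leaves the setting enabled. The following Python check is an added example, not part of the advisory or of Apache's code; it reports the effective setting for the global scope and each TLS-enabled VirtualHost. The sample configuration and function names are constructed, and it assumes Include files are not followed and that a virtual host inherits the global value.

```python
DEFAULT = "on"  # per the advisory, SSLCompression is on unless configured

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
SSLCompression off
<VirtualHost *:443>
    ServerName a.example
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
    SSLEngine on
    SSLCompression on
</VirtualHost>
"""

def audit_ssl_compression(conf_text, default=DEFAULT):
    """Effective SSLCompression for the global scope and each TLS vhost."""
    # Assumption: Include files are not followed; a vhost inherits the global value.
    top, vhosts, current = {"comp": None}, [], None
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if key == "<virtualhost":
            current = {"name": arg.rstrip(">"), "ssl": False, "comp": None}
        elif key == "</virtualhost>":
            if current:
                vhosts.append(current)
            current = None
        elif key == "sslcompression":
            (current or top)["comp"] = arg.lower()
        elif current is not None and key == "sslengine":
            current["ssl"] = arg.lower() == "on"
        elif current is not None and key == "servername":
            current["name"] = arg
    base = top["comp"] or default
    rows = [("global", base)]
    rows += [(v["name"], v["comp"] or base) for v in vhosts if v["ssl"]]
    return rows

def exposed(conf_text):
    """Scopes where TLS-level compression is still effectively enabled."""
    return [s for s, value in audit_ssl_compression(conf_text) if value == "on"]

if __name__ == "__main__":
    for scope, value in audit_ssl_compression(SAMPLE_CONF):
        print(f"{scope}: SSLCompression {value}")
```

In the sample, the second virtual host re-enables compression with an explicit override even though the global scope turns it off, so it is the only scope reported by exposed().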


Updated Packages:
i586:
apache-2.2.24-1.mga2.i586.rpm
apache-devel-2.2.24-1.mga2.i586.rpm
apache-doc-2.2.24-1.mga2.noarch.rpm
apache-htcacheclean-2.2.24-1.mga2.i586.rpm
apache-mod_authn_dbd-2.2.24-1.mga2.i586.rpm
apache-mod_cache-2.2.24-1.mga2.i586.rpm
apache-mod_dav-2.2.24-1.mga2.i586.rpm
apache-mod_dbd-2.2.24-1.mga2.i586.rpm
apache-mod_deflate-2.2.24-1.mga2.i586.rpm
apache-mod_disk_cache-2.2.24-1.mga2.i586.rpm
apache-mod_file_cache-2.2.24-1.mga2.i586.rpm
apache-mod_ldap-2.2.24-1.mga2.i586.rpm
apache-mod_mem_cache-2.2.24-1.mga2.i586.rpm
apache-mod_proxy-2.2.24-1.mga2.i586.rpm
apache-mod_proxy_ajp-2.2.24-1.mga2.i586.rpm
apache-mod_proxy_scgi-2.2.24-1.mga2.i586.rpm
apache-mod_reqtimeout-2.2.24-1.mga2.i586.rpm
apache-mod_ssl-2.2.24-1.mga2.i586.rpm
apache-mod_suexec-2.2.24-1.mga2.i586.rpm
apache-mod_userdir-2.2.24-1.mga2.i586.rpm
apache-mpm-event-2.2.24-1.mga2.i586.rpm
apache-mpm-itk-2.2.24-1.mga2.i586.rpm
apache-mpm-peruser-2.2.24-1.mga2.i586.rpm
apache-mpm-prefork-2.2.24-1.mga2.i586.rpm
apache-mpm-worker-2.2.24-1.mga2.i586.rpm
apache-source-2.2.24-1.mga2.noarch.rpm
apache-debug-2.2.24-1.mga2.i586.rpm

x86_64:
apache-2.2.24-1.mga2.x86_64.rpm
apache-devel-2.2.24-1.mga2.x86_64.rpm
apache-doc-2.2.24-1.mga2.noarch.rpm
apache-htcacheclean-2.2.24-1.mga2.x86_64.rpm
apache-mod_authn_dbd-2.2.24-1.mga2.x86_64.rpm
apache-mod_cache-2.2.24-1.mga2.x86_64.rpm
apache-mod_dav-2.2.24-1.mga2.x86_64.rpm
apache-mod_dbd-2.2.24-1.mga2.x86_64.rpm
apache-mod_deflate-2.2.24-1.mga2.x86_64.rpm
apache-mod_disk_cache-2.2.24-1.mga2.x86_64.rpm
apache-mod_file_cache-2.2.24-1.mga2.x86_64.rpm
apache-mod_ldap-2.2.24-1.mga2.x86_64.rpm
apache-mod_mem_cache-2.2.24-1.mga2.x86_64.rpm
apache-mod_proxy-2.2.24-1.mga2.x86_64.rpm
apache-mod_proxy_ajp-2.2.24-1.mga2.x86_64.rpm
apache-mod_proxy_scgi-2.2.24-1.mga2.x86_64.rpm
apache-mod_reqtimeout-2.2.24-1.mga2.x86_64.rpm
apache-mod_ssl-2.2.24-1.mga2.x86_64.rpm
apache-mod_suexec-2.2.24-1.mga2.x86_64.rpm
apache-mod_userdir-2.2.24-1.mga2.x86_64.rpm
apache-mpm-event-2.2.24-1.mga2.x86_64.rpm
apache-mpm-itk-2.2.24-1.mga2.x86_64.rpm
apache-mpm-peruser-2.2.24-1.mga2.x86_64.rpm
apache-mpm-prefork-2.2.24-1.mga2.x86_64.rpm
apache-mpm-worker-2.2.24-1.mga2.x86_64.rpm
apache-source-2.2.24-1.mga2.noarch.rpm
apache-debug-2.2.24-1.mga2.x86_64.rpm

SRPMS:
apache-2.2.24-1.mga2.src.rpm


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
http://www.mandriva.com/en/support/security/advisories/mes5/MDVSA-2013:015/
https://bugs.mageia.org/show_bug.cgi?id=9168