MGASA-2013-0129
Date: May 2nd, 2013
Affected releases: 2
Media: Core
Description:
Updated apache-mod_security packages fix a security vulnerability:

Timur Yunusov and Alexey Osipov from Positive Technologies discovered
that the XML file parser of ModSecurity, an Apache module whose purpose
is to tighten Web application security, is vulnerable to XML external
entity attacks.

A specially crafted XML file provided by a remote attacker could lead
to local file disclosure or excessive resource (CPU, memory) consumption
when processed (CVE-2013-1915).

This update introduces a SecXmlExternalEntity option, which is "Off" by
default. This disables the ability of libxml2 to load external
entities.
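
A configuration check for the option described above, as an added example that is not part of the original advisory or of ModSecurity itself: it lists every SecXmlExternalEntity setting in an Apache configuration text and reports the lines that turn external entity loading back on. The function names and the sample configuration are constructed for illustration; the check assumes Apache's usual configuration syntax (case-insensitive directive names, trailing-backslash line continuation, comment lines starting with "#").

```python
import re

# Directive name comes from the advisory; Apache directive names are case-insensitive.
DIRECTIVE = re.compile(r'^\s*SecXmlExternalEntity\s+"?(\w+)"?\s*$', re.IGNORECASE)

# Constructed sample configuration, not taken from the advisory.
SAMPLE = """\
# constructed sample
SecRuleEngine On
#SecXmlExternalEntity On
secxmlexternalentity \\
    on
<VirtualHost *:80>
    SecXmlExternalEntity Off
</VirtualHost>
"""

def logical_lines(text):
    """Yield (first_line_number, line) with backslash-continued lines joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1]          # drop the backslash, keep reading
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:            # file ended on a continuation
        yield start, buf

def find_settings(text):
    """Return [(line_number, 'On'|'Off'|other)] for each active directive."""
    found = []
    for n, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue                 # commented-out settings do not count
        m = DIRECTIVE.match(line)
        if m:
            found.append((n, m.group(1).capitalize()))
    return found

def external_entities_enabled(text):
    """Line numbers where the option is explicitly set to On."""
    return [n for n, value in find_settings(text) if value == "On"]

if __name__ == "__main__":
    for n in external_entities_enabled(SAMPLE):
        print(f"line {n}: SecXmlExternalEntity On (external entities enabled)")
```

An empty result means no line overrides the "Off" default that the updated packages introduce; the check does not evaluate which virtual host or location a setting applies to.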
Updated Packages:
i586:
apache-mod_security-2.6.3-3.4.mga2.i586.rpm
mlogc-2.6.3-3.4.mga2.i586.rpm
apache-mod_security-debug-2.6.3-3.4.mga2.i586.rpm
x86_64:
apache-mod_security-2.6.3-3.4.mga2.x86_64.rpm
mlogc-2.6.3-3.4.mga2.x86_64.rpm
apache-mod_security-debug-2.6.3-3.4.mga2.x86_64.rpm
SRPMS:
apache-mod_security-2.6.3-3.4.mga2.src.rpm
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1915
http://www.debian.org/security/2013/dsa-2659
https://bugs.mageia.org/show_bug.cgi?id=9704