
Security: Two problems in httpd (update)
Name: Two problems in httpd (update)
ID: TLSA-2009-21
Distribution: TurboLinux
Platforms: Turbolinux Client 2008, Turbolinux 11 Server x64 Edition, Turbolinux 11 Server, Turbolinux Appliance Server 3.0, Turbolinux Appliance Server 3.0 x64 Edition
Date: Mon, 27 July 2009, 03:50
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
Applications: Apache
Update of: Two problems in httpd

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2009-21
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original released date: 14 Jul 2009
Last revised: 24 Jul 2009

Package: httpd

Summary: Two vulnerabilities exist in Apache

More information:
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the Internet.

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module
in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured,
does not properly handle an amount of streamed data that exceeds the
Content-Length value, which allows remote attackers to cause a denial
of service (CPU consumption) via crafted requests. (CVE-2009-1890)

The mod_deflate module in Apache httpd 2.2.11 and earlier compresses
large files until completion even after the associated network connection
is closed, which allows remote attackers to cause a denial of service (CPU
consumption). (CVE-2009-1891)


Affected Products:
- Turbolinux Client 2008
- Turbolinux Appliance Server 3.0 x64 Edition
- Turbolinux Appliance Server 3.0
- Turbolinux 11 Server x64 Edition
- Turbolinux 11 Server


<Turbolinux Client 2008>

Source Packages
Size: MD5

httpd-2.2.6-13.src.rpm
4780085 4c1b58f85493c04a58fa59acbdea36b5

Binary Packages
Size: MD5

httpd-2.2.6-13.i586.rpm
1233333 5047806fa3ef4e435de8f9d3335d10e1
httpd-devel-2.2.6-13.i586.rpm
148954 8183c2644bf132e768aed5be8b4598c3

<Turbolinux Appliance Server 3.0 x64 Edition>

Source Packages
Size: MD5

httpd-2.2.6-13.src.rpm
4789364 66de8dd0c4188d445fe939f39dbf9ad5

Binary Packages
Size: MD5

httpd-2.2.6-13.x86_64.rpm
1250671 d3cdd4a77a577f618af67e48aca71325
httpd-devel-2.2.6-13.x86_64.rpm
153912 3538ff11c0bb049c388d7824b033c899
httpd-manual-2.2.6-13.x86_64.rpm
859120 e9c7a5c39beaa9e8fd4d0a67085b4710
httpd-rootsrv-2.2.6-13.x86_64.rpm
229036 6a9394729487a1300f0220ec87fc9ba9
mod_ssl-2.2.6-13.x86_64.rpm
90024 53ae30f66575c251f8933af45aa2b051

<Turbolinux Appliance Server 3.0>

Source Packages
Size: MD5

httpd-2.2.6-13.src.rpm
4789364 66de8dd0c4188d445fe939f39dbf9ad5

Binary Packages
Size: MD5

httpd-2.2.6-13.i686.rpm
1176319 6a61f78a5a13e2e76f0e3b891c207e9b
httpd-devel-2.2.6-13.i686.rpm
153384 86b3458ff793c1cb0c479e3f90e86b62
httpd-manual-2.2.6-13.i686.rpm
859874 239d6246e7e10965ced00d0fc60790c6
httpd-rootsrv-2.2.6-13.i686.rpm
216631 67bfa5cfe5562ce838456ef88580c415
mod_ssl-2.2.6-13.i686.rpm
85628 ab3c1de4132ac089c5f1a3fa22fabd32

<Turbolinux 11 Server x64 Edition>

Source Packages
Size: MD5

httpd-2.2.6-13.src.rpm
4789364 66de8dd0c4188d445fe939f39dbf9ad5

Binary Packages
Size: MD5

httpd-2.2.6-13.x86_64.rpm
1250671 d3cdd4a77a577f618af67e48aca71325
httpd-devel-2.2.6-13.x86_64.rpm
153912 3538ff11c0bb049c388d7824b033c899
httpd-manual-2.2.6-13.x86_64.rpm
859120 e9c7a5c39beaa9e8fd4d0a67085b4710
mod_ssl-2.2.6-13.x86_64.rpm
90024 53ae30f66575c251f8933af45aa2b051

<Turbolinux 11 Server>

Source Packages
Size: MD5

httpd-2.2.6-13.src.rpm
4789364 66de8dd0c4188d445fe939f39dbf9ad5

Binary Packages
Size: MD5

httpd-2.2.6-13.i686.rpm
1176319 6a61f78a5a13e2e76f0e3b891c207e9b
httpd-devel-2.2.6-13.i686.rpm
153384 86b3458ff793c1cb0c479e3f90e86b62
httpd-manual-2.2.6-13.i686.rpm
859874 239d6246e7e10965ced00d0fc60790c6
mod_ssl-2.2.6-13.i686.rpm
85628 ab3c1de4132ac089c5f1a3fa22fabd32


References:

CVE
[CVE-2009-1890]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
[CVE-2009-1891]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891

--------------------------------------------------------------------------
Revision History
14 Jul 2009 Initial release
24 Jul 2009 Added httpd-devel-2.2.6-13 for Turbolinux Appliance Server 3.0
--------------------------------------------------------------------------

Copyright(C) 2009 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)

iEYEARECAAYFAkppVl4ACgkQK0LzjOqIJMxkcACfXvE+KP8chs748boPbsWT8oMM
NJcAoIcu74F2VMDtWpiYfB86Z9eFR4fk
=nNvN
-----END PGP SIGNATURE-----
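
Added example, not part of the Turbolinux advisory or of this page's original text: a Python script that parses package tables in the layout used above (product in angle brackets, file name on one line, size and MD5 on the next) and checks downloaded RPMs against one product's entries. The function names and the sample data in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

PRODUCT_RE = re.compile(r"^<(.+)>$")                # e.g. <Turbolinux 11 Server>
RPM_RE = re.compile(r"^\S+\.rpm$")                  # file name line
ENTRY_RE = re.compile(r"^(\d+)\s+([0-9a-f]{32})$")  # "<size> <md5>" line

def parse_packages(text):
    """Return (product, filename, size, md5) tuples from advisory text."""
    entries, product, pending = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PRODUCT_RE.match(line):
            product, pending = m.group(1), None
        elif RPM_RE.match(line):
            pending = line
        else:
            m = ENTRY_RE.match(line)
            if m and pending and product:
                entries.append((product, pending, int(m.group(1)), m.group(2)))
            pending = None  # a size/MD5 line must directly follow its file name
    return entries

def verify(entries, product, directory):
    """Check files for ONE product; the same file name can differ per product."""
    results = {}
    for _, name, size, md5 in (e for e in entries if e[0] == product):
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size mismatch"
        else:
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            results[name] = "ok" if digest == md5 else "md5 mismatch"
    return results

def demo():
    """Run against constructed sample data (not the advisory's real packages)."""
    data = b"constructed sample payload"
    md5 = hashlib.md5(data).hexdigest()
    text = ("<Example Product>\nBinary Packages\nSize: MD5\n\n"
            f"sample-1.0-1.i586.rpm\n{len(data)} {md5}\n"
            f"absent-1.0-1.i586.rpm\n1 {'0' * 32}\n")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample-1.0-1.i586.rpm"), "wb") as fh:
            fh.write(data)
        return verify(parse_packages(text), "Example Product", d)
```

To use it on a real advisory, pass the advisory text to `parse_packages()` and call `verify()` with the product name exactly as it appears between the angle brackets.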