Security: Multiple issues in httpd
Name: Multiple issues in httpd
ID: TLSA-2008-24
Distribution: TurboLinux
Platforms: Turbolinux FUJI, Turbolinux 10 Server, Turbolinux 10 Server x64 Edition, Turbolinux Appliance Server 2.0, Turbolinux 11 Server x64 Edition, Turbolinux 11 Server, Turbolinux Multimedia, Turbolinux Personal
Date: Fri, 27 June 2008, 03:50
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364
Applications: Apache

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2008-24
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original released date: 26 Jun 2008
Last revised: 26 Jun 2008

Package: httpd

Summary: Three vulnerabilities discovered in httpd

More information:
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the Internet.

Apache HTTP Server 2.0.x and 2.2.x do not sanitize the HTTP Method
specifier header from an HTTP request when it is reflected back in a
"413 Request Entity Too Large" error message, which might allow
cross-site scripting (XSS) style attacks using web client components
that can send arbitrary headers in requests, as demonstrated via an
HTTP request containing an invalid Content-length value, a similar
issue to CVE-2006-3918. (CVE-2007-6203)

Cross-site request forgery (CSRF) vulnerability in the balancer-manager
in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers
to gain privileges via unspecified vectors. (CVE-2007-6420)

The ap_proxy_http_process_response function in mod_proxy_http.c in
the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does
not limit the number of forwarded interim responses, which allows
remote HTTP servers to cause a denial of service (memory consumption)
via a large number of interim responses. (CVE-2008-2364)
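
The missing limit described for CVE-2008-2364, shown as an added example
that is not part of the advisory and is not Apache's code: a simplified
relay loop that forwards 1xx interim responses and answers 502 once a cap
is reached. The names relay_backend and parse_status, the cap of 10 and
the sample stream are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INTERIM_RESPONSES 10   /* assumed cap for this example */
#define HTTP_BAD_GATEWAY 502

/* Status code of a line such as "HTTP/1.1 100 Continue", or -1 if malformed. */
static int parse_status(const char *p)
{
    int major, minor, code;
    if (sscanf(p, "HTTP/%1d.%1d %3d", &major, &minor, &code) != 3)
        return -1;
    return (code >= 100 && code <= 599) ? code : -1;
}

/* Relay header-only responses from `stream`, each ending in CRLF CRLF.
 * A 1xx response is interim: it is forwarded and the next response is read.
 * Without the `limit` check a backend can keep this loop forwarding forever.
 * Returns the final status, or 502 on excess interim or malformed replies. */
int relay_backend(const char *stream, int limit, int *forwarded)
{
    const char *p = stream, *end;
    *forwarded = 0;
    for (;;) {
        int code = parse_status(p);
        if (code < 0) return HTTP_BAD_GATEWAY;            /* malformed/truncated */
        if (code >= 200) return code;                     /* final response */
        if (*forwarded >= limit) return HTTP_BAD_GATEWAY; /* cap reached */
        if ((end = strstr(p, "\r\n\r\n")) == NULL) return HTTP_BAD_GATEWAY;
        ++*forwarded;                                     /* pass 1xx to client */
        p = end + 4;
    }
}

int main(void)
{
    /* Constructed backend stream: 100 interim responses, then a final 200. */
    static char flood[100 * 25 + 32];
    int fwd, rc;
    for (int i = 0; i < 100; i++) strcat(flood, "HTTP/1.1 100 Continue\r\n\r\n");
    strcat(flood, "HTTP/1.1 200 OK\r\n\r\n");
    rc = relay_backend(flood, MAX_INTERIM_RESPONSES, &fwd);
    printf("status=%d forwarded=%d\n", rc, fwd);
    return 0;
}
```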

Affected Products:
- Turbolinux 11 Server x64 Edition
- Turbolinux 11 Server
- Turbolinux Appliance Server 2.0
- Turbolinux FUJI
- Turbolinux 10 Server x64 Edition
- Turbolinux 10 Server
- Turbolinux Multimedia
- Turbolinux Personal


<Turbolinux Appliance Server 3.0 x64 Edition>

Source Packages
Size: MD5

httpd-2.2.6-9.src.rpm
4776004 584ac38135b3f578bef176b417711964

Binary Packages
Size: MD5

httpd-2.2.6-9.x86_64.rpm
1249436 21ba76f58de3398b4fbd9f8294449c95
httpd-manual-2.2.6-9.x86_64.rpm
857741 b6c197af9e08e9c2357558ebbe22cd77
httpd-rootsrv-2.2.6-9.x86_64.rpm
229916 1aaee979dd2031b86a3e7eced2fbce8b
mod_ssl-2.2.6-9.x86_64.rpm
89766 c7005c4a783c8b6ff310bc14ffcd3109

<Turbolinux Appliance Server 3.0>

Source Packages
Size: MD5

httpd-2.2.6-9.src.rpm
4776004 584ac38135b3f578bef176b417711964

Binary Packages
Size: MD5

httpd-2.2.6-9.i686.rpm
1177364 6ca62bf7bb1fbd9a293bb700def872e1
httpd-manual-2.2.6-9.i686.rpm
857993 88cba7e1583462b2ae52fb59da065a57
httpd-rootsrv-2.2.6-9.i686.rpm
216557 a06747f7b5bce1db598db955e85a9a1a
mod_ssl-2.2.6-9.i686.rpm
85465 4cecf1b2c9651b081a853caaec9cf3b3

<Turbolinux 11 Server x64 Edition>

Source Packages
Size: MD5

httpd-2.2.6-9.src.rpm
4776004 289a571639ef5e014d823bdae017a623

Binary Packages
Size: MD5

httpd-2.2.6-9.x86_64.rpm
1249436 21ba76f58de3398b4fbd9f8294449c95
httpd-devel-2.2.6-9.x86_64.rpm
153421 7ae494165bfafbafb99be0f1b2fa682e
httpd-manual-2.2.6-9.x86_64.rpm
857741 b6c197af9e08e9c2357558ebbe22cd77
mod_ssl-2.2.6-9.x86_64.rpm
89766 c7005c4a783c8b6ff310bc14ffcd3109

<Turbolinux 11 Server>

Source Packages
Size: MD5

httpd-2.2.6-9.src.rpm
4776004 584ac38135b3f578bef176b417711964

Binary Packages
Size: MD5

httpd-2.2.6-9.i686.rpm
1177364 6ca62bf7bb1fbd9a293bb700def872e1
httpd-devel-2.2.6-9.i686.rpm
153234 56f6d4a25e897beadf37b1f8a4446c8d
httpd-manual-2.2.6-9.i686.rpm
857993 88cba7e1583462b2ae52fb59da065a57
mod_ssl-2.2.6-9.i686.rpm
85465 4cecf1b2c9651b081a853caaec9cf3b3

<Turbolinux Appliance Server 2.0>

Source Packages
Size: MD5

httpd-2.0.51-36.src.rpm
6859400 1327a3e5ed656d01a43dbeb5d809cace

Binary Packages
Size: MD5

httpd-2.0.51-36.i586.rpm
1033720 7faee60429dc5e5969ebae5e71a2553f
httpd-devel-2.0.51-36.i586.rpm
225617 9b2c83beec43c658e7ec12995a2b62fa
httpd-manual-2.0.51-36.i586.rpm
1133748 72eceeb85cfac27e0819a7e041b82439
mod_bwshare-2.0.51-36.i586.rpm
41737 bcbf5e712abb509c7525ba4c708f4ce9
mod_ssl-2.0.51-36.i586.rpm
89718 f5a1792fa8a4747b11ccebb19d2b3a7d

<Turbolinux FUJI>

Source Packages
Size: MD5

httpd-2.0.54-22.src.rpm
7625404 a1ad6906d0a48bacf5e087adc22dd9f4

Binary Packages
Size: MD5

httpd-2.0.54-22.i686.rpm
1266332 5f1a626eadb2e3ff87cdd868b747d08e
httpd-devel-2.0.54-22.i686.rpm
277405 07cc9383ccc06f67d76df7532f1f1030

<Turbolinux 10 Server x64 Edition>

Source Packages
Size: MD5

httpd-2.0.51-36.src.rpm
6859400 e42a95fcebc5b5d95dfca9391ca550df

Binary Packages
Size: MD5

httpd-2.0.51-36.x86_64.rpm
1144122 7bc2e773074df289ca2c952536416599
httpd-debug-2.0.51-36.x86_64.rpm
3535652 98c4ac88f18ce7c4d18cfe63d5bf6e7f
httpd-devel-2.0.51-36.x86_64.rpm
225573 384a1a2afdc9792ed1ec2e30fda96c65
httpd-manual-2.0.51-36.x86_64.rpm
1133207 807db1eacf903654dae4090fd121f9aa
mod_bwshare-2.0.51-36.x86_64.rpm
42491 8607afe04c4554d7ffb302e0b23e2a4a
mod_ssl-2.0.51-36.x86_64.rpm
97321 3dda6c1ebdf3a98649ccd92b97000892

<Turbolinux 10 Server>

Source Packages
Size: MD5

httpd-2.0.51-36.src.rpm
6859400 1327a3e5ed656d01a43dbeb5d809cace

Binary Packages
Size: MD5

httpd-2.0.51-36.i586.rpm
1033720 7faee60429dc5e5969ebae5e71a2553f
httpd-debug-2.0.51-36.i586.rpm
3542192 af25e22a05516cd8987c777c5691ed4a
httpd-devel-2.0.51-36.i586.rpm
225617 9b2c83beec43c658e7ec12995a2b62fa
httpd-manual-2.0.51-36.i586.rpm
1133748 72eceeb85cfac27e0819a7e041b82439
mod_bwshare-2.0.51-36.i586.rpm
41737 bcbf5e712abb509c7525ba4c708f4ce9
mod_ssl-2.0.51-36.i586.rpm
89718 f5a1792fa8a4747b11ccebb19d2b3a7d

<Turbolinux Multimedia, Turbolinux Personal>

Source Packages
Size: MD5

httpd-2.0.48-24.src.rpm
6327664 eeab3dea6afed3521f4618bbfaa33f1a

Binary Packages
Size: MD5

httpd-2.0.48-24.i586.rpm
893140 814c5a293746a9bcfdb391fdf5da8263


References:

CVE
[CVE-2007-6203]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6203
[CVE-2007-6420]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420
[CVE-2008-2364]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364

--------------------------------------------------------------------------
Revision History
26 Jun 2008 Initial release
--------------------------------------------------------------------------

Copyright(C) 2008 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhjYKsACgkQK0LzjOqIJMyBaQCfYIKWFiSRr1FAcNVfz/mZnaXr
k1EAoJXtjiNvhkJtvCHJ/uz5fN6QzrRq
=QWRx
-----END PGP SIGNATURE-----