drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in Red Hat Application Stack v2.2
Name: |
Mehrere Probleme in Red Hat Application Stack v2.2 |
|
ID: |
RHSA-2008:0966-02 |
|
Distribution: |
Red Hat |
|
Plattformen: |
Red Hat Application Stack |
|
Datum: |
Do, 4. Dezember 2008, 23:31 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939 |
|
Applikationen: |
Red Hat Application Stack v2.2 |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: Red Hat Application Stack v2.2 security and enhancement update Advisory ID: RHSA-2008:0966-02 Product: Red Hat Application Stack Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0966.html Issue date: 2008-12-04 CVE Names: CVE-2007-6420 CVE-2008-2364 CVE-2008-2939 =====================================================================
1. Summary:
Red Hat Application Stack v2.2 is now available. This update fixes several security issues and adds various enhancements.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Application Stack v2 for Enterprise Linux (v.5) - i386, noarch, x86_64
3. Description:
The Red Hat Application Stack v2.2 is an integrated open source application stack, that includes Red Hat Enterprise Linux 5 and JBoss Enterprise Application Platform (EAP) 4.2.
This erratum updates the Apache HTTP Server package to version 2.0.10 which addresses the following security issues:
A flaw was found in the mod_proxy module. An attacker who has control of a web server to which requests are being proxied could cause a limited denial of service due to CPU consumption and stack exhaustion. (CVE-2008-2364)
A flaw was found in the mod_proxy_ftp module. Where Apache is configured to support ftp-over-httpd proxying, a remote attacker could perform a cross-site scripting attack. (CVE-2008-2939)
A cross-site request forgery issue was found in the mod_proxy_balancer module. A remote attacker could cause a denial of service if mod_proxy_balancer is enabled and an authenticated user is targeted. (CVE-2007-6420)
The JBoss Enterprise Application Platform (EAP) 4.2 has been updated to version 4.2.0.CP05.
The following packages were also updated:
* mysql to 5.0.60sp1 * mysql-connector-odbc to 3.51.26r1127 * perl-DBI to 1.607 * perl-DBD-MySQL to 4.008 * perl-DBD-Pg to 1.49 * php-pear to 1.7.2 * postgresql to 8.2.11 * postgresqlclient81 to 8.1.11
4. Solution:
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188
5. Bugs fixed (http://bugzilla.redhat.com/):
451615 - CVE-2008-2364 httpd: mod_proxy_http DoS via excessive interim responses from the origin server 458250 - CVE-2008-2939 httpd: mod_proxy_ftp globbing XSS 471009 - CVE-2007-6420 mod_proxy_balancer CSRF
6. Package List:
Red Hat Application Stack v2 for Enterprise Linux (v.5):
Source: httpd-2.2.10-1.el5s2.src.rpm mysql-5.0.60sp1-1.el5s2.src.rpm mysql-connector-odbc-3.51.26r1127-1.el5s2.src.rpm perl-DBD-MySQL-4.008-2.el5s2.src.rpm perl-DBD-Pg-1.49-4.el5s2.src.rpm perl-DBI-1.607-3.el5s2.src.rpm php-pear-1.7.2-2.el5s2.src.rpm postgresql-8.2.11-1.el5s2.src.rpm postgresqlclient81-8.1.14-1.el5s2.src.rpm
i386: httpd-2.2.10-1.el5s2.i386.rpm httpd-debuginfo-2.2.10-1.el5s2.i386.rpm httpd-devel-2.2.10-1.el5s2.i386.rpm httpd-manual-2.2.10-1.el5s2.i386.rpm mod_ssl-2.2.10-1.el5s2.i386.rpm mysql-5.0.60sp1-1.el5s2.i386.rpm mysql-bench-5.0.60sp1-1.el5s2.i386.rpm mysql-cluster-5.0.60sp1-1.el5s2.i386.rpm mysql-connector-odbc-3.51.26r1127-1.el5s2.i386.rpm mysql-connector-odbc-debuginfo-3.51.26r1127-1.el5s2.i386.rpm mysql-debuginfo-5.0.60sp1-1.el5s2.i386.rpm mysql-devel-5.0.60sp1-1.el5s2.i386.rpm mysql-libs-5.0.60sp1-1.el5s2.i386.rpm mysql-server-5.0.60sp1-1.el5s2.i386.rpm mysql-test-5.0.60sp1-1.el5s2.i386.rpm perl-DBD-MySQL-4.008-2.el5s2.i386.rpm perl-DBD-MySQL-debuginfo-4.008-2.el5s2.i386.rpm perl-DBD-Pg-1.49-4.el5s2.i386.rpm perl-DBD-Pg-debuginfo-1.49-4.el5s2.i386.rpm perl-DBI-1.607-3.el5s2.i386.rpm perl-DBI-debuginfo-1.607-3.el5s2.i386.rpm postgresql-8.2.11-1.el5s2.i386.rpm postgresql-contrib-8.2.11-1.el5s2.i386.rpm postgresql-debuginfo-8.2.11-1.el5s2.i386.rpm postgresql-devel-8.2.11-1.el5s2.i386.rpm postgresql-docs-8.2.11-1.el5s2.i386.rpm postgresql-libs-8.2.11-1.el5s2.i386.rpm postgresql-plperl-8.2.11-1.el5s2.i386.rpm postgresql-plpython-8.2.11-1.el5s2.i386.rpm postgresql-pltcl-8.2.11-1.el5s2.i386.rpm postgresql-python-8.2.11-1.el5s2.i386.rpm postgresql-server-8.2.11-1.el5s2.i386.rpm postgresql-tcl-8.2.11-1.el5s2.i386.rpm postgresql-test-8.2.11-1.el5s2.i386.rpm postgresqlclient81-8.1.14-1.el5s2.i386.rpm postgresqlclient81-debuginfo-8.1.14-1.el5s2.i386.rpm
noarch: php-pear-1.7.2-2.el5s2.noarch.rpm
x86_64: httpd-2.2.10-1.el5s2.x86_64.rpm httpd-debuginfo-2.2.10-1.el5s2.x86_64.rpm httpd-devel-2.2.10-1.el5s2.x86_64.rpm httpd-manual-2.2.10-1.el5s2.x86_64.rpm mod_ssl-2.2.10-1.el5s2.x86_64.rpm mysql-5.0.60sp1-1.el5s2.x86_64.rpm mysql-bench-5.0.60sp1-1.el5s2.x86_64.rpm mysql-cluster-5.0.60sp1-1.el5s2.x86_64.rpm mysql-connector-odbc-3.51.26r1127-1.el5s2.x86_64.rpm mysql-connector-odbc-debuginfo-3.51.26r1127-1.el5s2.x86_64.rpm mysql-debuginfo-5.0.60sp1-1.el5s2.x86_64.rpm mysql-devel-5.0.60sp1-1.el5s2.x86_64.rpm mysql-libs-5.0.60sp1-1.el5s2.x86_64.rpm mysql-server-5.0.60sp1-1.el5s2.x86_64.rpm mysql-test-5.0.60sp1-1.el5s2.x86_64.rpm perl-DBD-MySQL-4.008-2.el5s2.x86_64.rpm perl-DBD-MySQL-debuginfo-4.008-2.el5s2.x86_64.rpm perl-DBD-Pg-1.49-4.el5s2.x86_64.rpm perl-DBD-Pg-debuginfo-1.49-4.el5s2.x86_64.rpm perl-DBI-1.607-3.el5s2.x86_64.rpm perl-DBI-debuginfo-1.607-3.el5s2.x86_64.rpm postgresql-8.2.11-1.el5s2.x86_64.rpm postgresql-contrib-8.2.11-1.el5s2.x86_64.rpm postgresql-debuginfo-8.2.11-1.el5s2.i386.rpm postgresql-debuginfo-8.2.11-1.el5s2.x86_64.rpm postgresql-devel-8.2.11-1.el5s2.i386.rpm postgresql-devel-8.2.11-1.el5s2.x86_64.rpm postgresql-docs-8.2.11-1.el5s2.x86_64.rpm postgresql-libs-8.2.11-1.el5s2.i386.rpm postgresql-libs-8.2.11-1.el5s2.x86_64.rpm postgresql-plperl-8.2.11-1.el5s2.x86_64.rpm postgresql-plpython-8.2.11-1.el5s2.x86_64.rpm postgresql-pltcl-8.2.11-1.el5s2.x86_64.rpm postgresql-python-8.2.11-1.el5s2.x86_64.rpm postgresql-server-8.2.11-1.el5s2.x86_64.rpm postgresql-tcl-8.2.11-1.el5s2.x86_64.rpm postgresql-test-8.2.11-1.el5s2.x86_64.rpm postgresqlclient81-8.1.14-1.el5s2.x86_64.rpm postgresqlclient81-debuginfo-8.1.14-1.el5s2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939 http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/
Copyright 2008 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFJODYKXlSAg2UNWIIRApeIAJsGiSmuRlKcYOr5NuYcvBXMOx7jDQCfYu9L VPoiG1uvT61EantCD5ihEcE= =widu -----END PGP SIGNATURE-----
-- Enterprise-watch-list mailing list Enterprise-watch-list@redhat.com https://www.redhat.com/mailman/listinfo/enterprise-watch-list
|
|
|
|