Two problems in Apache
ID: | USN-1627-1 |
Distribution: | Ubuntu |
Platforms: | Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 11.10, Ubuntu 12.04 LTS, Ubuntu 12.10 |
Date: | Fri, 9 November 2012, 07:11 |
References: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929 http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression |
Applications: | Apache |
Original message |
|
==========================================================================
Ubuntu Security Notice USN-1627-1
November 08, 2012

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Several security issues were fixed in the Apache HTTP server.

Software Description:
- apache2: Apache HTTP server

Details:

It was discovered that the mod_negotiation module incorrectly handled
certain filenames, which could result in browsers becoming vulnerable to
cross-site scripting attacks when processing the output. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data (such as
passwords), within the same domain. (CVE-2012-2687)

It was discovered that the Apache HTTP Server was vulnerable to the "CRIME"
SSL data compression attack. Although this issue had been mitigated on the
client with newer web browsers, this update also disables SSL data
compression on the server. A new SSLCompression directive for Apache has
been backported that may be used to re-enable SSL data compression in
certain environments. For more information, please refer to:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
(CVE-2012-4929)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
  apache2.2-common 2.2.22-6ubuntu2.1

Ubuntu 12.04 LTS:
  apache2.2-common 2.2.22-1ubuntu1.2

Ubuntu 11.10:
  apache2.2-common 2.2.20-1ubuntu1.3

Ubuntu 10.04 LTS:
  apache2.2-common 2.2.14-5ubuntu8.10

Ubuntu 8.04 LTS:
  apache2.2-common 2.2.8-1ubuntu0.24

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1627-1
  CVE-2012-2687, CVE-2012-4929

Package Information:
  https://launchpad.net/ubuntu/+source/apache2/2.2.22-6ubuntu2.1
  https://launchpad.net/ubuntu/+source/apache2/2.2.22-1ubuntu1.2
  https://launchpad.net/ubuntu/+source/apache2/2.2.20-1ubuntu1.3
  https://launchpad.net/ubuntu/+source/apache2/2.2.14-5ubuntu8.10
  https://launchpad.net/ubuntu/+source/apache2/2.2.8-1ubuntu0.24