
Security: Insufficient permission check in httpd
Name: Insufficient permission check in httpd
ID: TLSA-2009-19
Distribution: TurboLinux
Platforms: Turbolinux Client 2008, Turbolinux 11 Server x64 Edition, Turbolinux 11 Server, Turbolinux Appliance Server 3.0, Turbolinux Appliance Server 3.0 x64 Edition
Date: Fri, 19 June 2009, 03:50
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
Applications: Apache

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2009-19
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original released date: 18 Jun 2009
Last revised: 18 Jun 2009

Package: httpd

Summary: Apache AllowOverride Options vulnerability

More information:
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the Internet.

The Apache HTTP Server 2.2.11 and earlier 2.2 versions do not properly
handle Options=IncludesNOEXEC in the AllowOverride directive, which allows
local users to gain privileges by configuring (1) Options Includes, (2)
Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file,
and then inserting an exec element in a .shtml file. (CVE-2009-1195)

Affected Products:
- Turbolinux Client 2008
- Turbolinux Appliance Server 3.0 x64 Edition
- Turbolinux Appliance Server 3.0
- Turbolinux 11 Server x64 Edition
- Turbolinux 11 Server


<Turbolinux Client 2008>

Source Packages
Size: MD5

httpd-2.2.6-12.src.rpm
4778682 a71af7baf50503e2149ea50c927f5819

Binary Packages
Size: MD5

httpd-2.2.6-12.i586.rpm
1232309 ef40915bffc6b5b33f6de46f5ad8c908
httpd-devel-2.2.6-12.i586.rpm
148835 095020982d238737fe7647c54f6a7c57

<Turbolinux Appliance Server 3.0 x64 Edition>

Source Packages
Size: MD5

httpd-2.2.6-12.src.rpm
4788001 fb62e5ed3761a26fc5ccca09f6c7a88e

Binary Packages
Size: MD5

httpd-2.2.6-12.x86_64.rpm
1250912 bed00a2f21a64a15852081f6bebb5e20
httpd-manual-2.2.6-12.x86_64.rpm
858395 9430b16e261856dcf8c15ba3f08364c1
httpd-rootsrv-2.2.6-12.x86_64.rpm
230075 e3acbfe5be8c419ce1c484cf3529dd34
mod_ssl-2.2.6-12.x86_64.rpm
89910 67419a062e5cfb03dd8c429a175e651c

<Turbolinux Appliance Server 3.0>

Source Packages
Size: MD5

httpd-2.2.6-12.src.rpm
4788001 fb62e5ed3761a26fc5ccca09f6c7a88e

Binary Packages
Size: MD5

httpd-2.2.6-12.i686.rpm
1177904 7fc53494aca957696aa5c028fd70f587
httpd-manual-2.2.6-12.i686.rpm
859059 9e747e6f6980624867661c8390922f2c
httpd-rootsrv-2.2.6-12.i686.rpm
217505 07482120e02750c254507b87a9affd26
mod_ssl-2.2.6-12.i686.rpm
85514 008eb2994d8aab3584203d0debb08627

<Turbolinux 11 Server x64 Edition>

Source Packages
Size: MD5

httpd-2.2.6-12.src.rpm
4788001 fb62e5ed3761a26fc5ccca09f6c7a88e

Binary Packages
Size: MD5

httpd-2.2.6-12.x86_64.rpm
1250912 bed00a2f21a64a15852081f6bebb5e20
httpd-devel-2.2.6-12.x86_64.rpm
153666 63ef0ce4b7bc36f44022d3bee89766b2
httpd-manual-2.2.6-12.x86_64.rpm
858395 9430b16e261856dcf8c15ba3f08364c1
mod_ssl-2.2.6-12.x86_64.rpm
89910 67419a062e5cfb03dd8c429a175e651c

<Turbolinux 11 Server>

Source Packages
Size: MD5

httpd-2.2.6-12.src.rpm
4788001 fb62e5ed3761a26fc5ccca09f6c7a88e

Binary Packages
Size: MD5

httpd-2.2.6-12.i686.rpm
1177904 7fc53494aca957696aa5c028fd70f587
httpd-devel-2.2.6-12.i686.rpm
153718 caa746043b57ab76451aae8251246369
httpd-manual-2.2.6-12.i686.rpm
859059 9e747e6f6980624867661c8390922f2c
mod_ssl-2.2.6-12.i686.rpm
85514 008eb2994d8aab3584203d0debb08627


References:

CVE
[CVE-2009-1195]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195

--------------------------------------------------------------------------
Revision History
18 Jun 2009 Initial release
--------------------------------------------------------------------------

Copyright(C) 2009 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEARECAAYFAko55v0ACgkQK0LzjOqIJMz+HwCgoFK9k6eYRtbMlz29zLEl2KQP
elgAnieFtoj96L9s1Ai3jfPYjme4pGP0
=Tld3
-----END PGP SIGNATURE-----
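
An audit sketch for the condition the advisory describes, added here as an example and not part of the Turbolinux advisory or of Apache: it lists directories whose .htaccess sets one of the three Options values named above, together with any .shtml pages at or below them that contain an exec element. It assumes the default AccessFileName (.htaccess) and that SSI pages use the .shtml extension; the function names and the sample tree in demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# The three .htaccess settings named in the advisory text (CVE-2009-1195).
RISKY = {"includes", "+includes", "+includesnoexec"}
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)
EXEC_RE = re.compile(rb"<!--#exec\b", re.IGNORECASE)  # SSI exec element


def risky_options(htaccess_text):
    """Return the Options tokens in a .htaccess body that match the advisory."""
    hits = []
    for line in htaccess_text.splitlines():
        m = OPTIONS_RE.match(line)  # commented-out lines do not match
        if m:
            hits += [t for t in m.group(1).split() if t.lower() in RISKY]
    return hits


def audit(docroot):
    """Map each directory whose .htaccess enables Includes to the .shtml
    files at or below it that contain an exec element."""
    root = Path(docroot)
    findings = {}
    for ht in sorted(root.rglob(".htaccess")):
        opts = risky_options(ht.read_text(errors="replace"))
        if not opts:
            continue
        # A .htaccess file also applies to subdirectories, so search recursively.
        pages = [str(p.relative_to(root)) for p in sorted(ht.parent.rglob("*.shtml"))
                 if EXEC_RE.search(p.read_bytes())]
        findings[str(ht.parent.relative_to(root))] = (opts, pages)
    return findings


def demo():
    """Run the audit over a constructed document root (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "users/alice").mkdir(parents=True)
        (root / "users/bob").mkdir(parents=True)
        (root / "users/alice/.htaccess").write_text("# per-user overrides\nOptions +Includes\n")
        (root / "users/alice/index.shtml").write_text('<p><!--#exec cmd="date" --></p>\n')
        (root / "users/bob/.htaccess").write_text("Options -Indexes\n")
        return audit(root)
```

Directories reported with a non-empty page list are the ones to review first on hosts that still run an affected httpd package.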