From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
------------------------------------------------------------------------
Debian Security Advisory DSA-1834-2                  [email protected]
http://www.debian.org/security/                           Stefan Fritsch
July 31, 2009                         http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : apache2
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-1890 CVE-2009-1891
The previous update caused a regression for apache2 in Debian 4.0
"etch". Using mod_deflate together with mod_php could cause segfaults
when a client aborts a connection. This update corrects this flaw.
For reference the original advisory text is below.
A denial of service flaw was found in the Apache mod_proxy module when
it was used as a reverse proxy. A remote attacker could use this flaw
to force a proxy process to consume large amounts of CPU time. This
issue did not affect Debian 4.0 "etch". (CVE-2009-1890)
A denial of service flaw was found in the Apache mod_deflate module.
This module continued to compress large files until compression was
complete, even if the network connection that requested the content
was closed before compression completed. This would cause mod_deflate
to consume large amounts of CPU if mod_deflate was enabled for a large
file. A similar flaw related to HEAD requests for compressed content
was also fixed. (CVE-2009-1891)
For the oldstable distribution (etch), this problem has been fixed in
version 2.2.3-4+etch10.
The other distributions stable (lenny), testing (squeeze) and
unstable (sid) were not affected by the regression.
This advisory also provides updated apache2-mpm-itk packages which
have been recompiled against the new apache2 packages.
Updated packages for apache2-mpm-itk for the s390 architecture are
not included yet. They will be released as soon as they become
available.
We recommend that you upgrade your apache2 (2.2.3-4+etch10) and apache2-mpm-itk (2.2.3-01-2+etch4) packages.
Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
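As an added check that is not part of the advisory: the script below decides whether an installed apache2 or apache2-mpm-itk version still predates the fixed versions named above. It re-implements dpkg's version ordering (epoch, upstream, revision; '~' sorts before everything, letters before other punctuation) instead of calling dpkg --compare-versions, so it runs anywhere. The FIXED table, function names and sample inputs are this example's own.

```python
import re

# Fixed versions named in DSA-1834-2 for Debian 4.0 "etch" (from the advisory).
FIXED = {"apache2": "2.2.3-4+etch10", "apache2-mpm-itk": "2.2.3-01-2+etch4"}

_TOKEN = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs

def _weight(c):
    """dpkg's ordering of non-digit characters: '~' first, letters next, rest last."""
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(fragment):
    """Tokenise a version fragment into (text weights, number) pairs."""
    return [([_weight(c) for c in t], int(n or 0)) for t, n in _TOKEN.findall(fragment)]

def _verrevcmp(a, b):
    """Compare an upstream or revision fragment the way dpkg does."""
    ka, kb = _key(a), _key(b)
    n = max(len(ka), len(kb))
    ka += [([], 0)] * (n - len(ka))
    kb += [([], 0)] * (n - len(kb))
    for (ta, na), (tb, nb) in zip(ka, kb):
        m = max(len(ta), len(tb))  # a missing character weighs 0, so 'a~' sorts before 'a'
        ta, tb = ta + [0] * (m - len(ta)), tb + [0] * (m - len(tb))
        if ta != tb:
            return -1 if ta < tb else 1
        if na != nb:
            return -1 if na < nb else 1
    return 0

def split_version(v):
    """Split '[epoch:]upstream[-revision]'; the revision follows the LAST hyphen."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_vulnerable(package, installed):
    """True when the installed version (e.g. from dpkg-query) predates the fix."""
    return compare_versions(installed, FIXED[package]) < 0
```

Feed it the output of `dpkg-query -W -f='${Version}' apache2`; a version such as 2.2.3-4+etch9 reports as vulnerable, while 2.2.3-4+etch10 or any lenny-era 2.2.9 build does not.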
Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.