  • [SECURITY] [DSA-1934-1] New apache2 packages fix several issues (1/7)

    From Stefan Fritsch@1:229/2 to All on Mon Nov 16 20:40:03 2009
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1934-1                   [email protected]
    http://www.debian.org/security/                           Stefan Fritsch
    November 16, 2009                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : apache2
    Vulnerability : multiple issues
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2009-3094 CVE-2009-3095 CVE-2009-3555


    A design flaw has been found in the TLS and SSL protocol that allows
    an attacker to inject arbitrary content at the beginning of a TLS/SSL
    connection. The attack is related to the way TLS and SSL handle
    session renegotiations. CVE-2009-3555 has been assigned to this
    vulnerability.

    As a partial mitigation against this attack, this apache2 update
    disables client-initiated renegotiations. This should fix the
    vulnerability for the majority of Apache configurations in use.

    NOTE: This is not a complete fix for the problem. The attack is
    still possible in configurations where the server initiates the
    renegotiation. This is the case for the following configurations
    (the information in the changelog of the updated packages is
    slightly inaccurate):

    - - The "SSLVerifyClient" directive is used in a Directory or Location
    context.
    - - The "SSLCipherSuite" directive is used in a Directory or Location
    context.

    As a workaround, you may rearrange your configuration in a way that
    SSLVerifyClient and SSLCipherSuite are only used on the server or
    virtual host level.
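The two configuration layouts the advisory contrasts, as an added example that is not part of DSA-1934-1 or of the Apache project: a constructed virtual host with SSLVerifyClient and SSLCipherSuite inside Directory and Location contexts (where the server still has to renegotiate after the request is read), beside the rearranged form with both directives at the virtual-host level. The small scanner that walks the config and reports per-directory uses is written for this illustration and is not Apache's own parser; the paths and cipher string are constructed.

```python
"""Added example (not from DSA-1934-1 or Apache): flag SSL directives whose
placement still lets the server initiate a TLS renegotiation after the
apache2 update has disabled client-initiated renegotiation.

The advisory names two triggers: SSLVerifyClient and SSLCipherSuite used in
a <Directory> or <Location> context. The configurations below are constructed
for illustration, and the parser is a minimal one written for this check."""
import re

# Directives which, inside a per-directory container, force mod_ssl to
# renegotiate the connection after the request has been read.
RENEG_DIRECTIVES = {"sslverifyclient", "sslciphersuite"}
# Containers the advisory lists as causing that server-initiated renegotiation.
PER_DIR_CONTEXTS = {"directory", "location"}

OPEN_RE = re.compile(r"^<\s*(\w+)\b[^>]*>$")
CLOSE_RE = re.compile(r"^</\s*(\w+)\s*>$")


def find_server_initiated_renegotiation(config_text):
    """Return [(line_number, directive, context), ...] for every
    SSLVerifyClient / SSLCipherSuite nested inside <Directory> or <Location>.
    Uses at server or <VirtualHost> level are the placement the advisory's
    workaround asks for, so they are not reported."""
    findings = []
    stack = []  # names of the currently open containers, lower-cased
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        m = CLOSE_RE.match(line)
        if m:
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append(m.group(1).lower())
            continue
        name = line.split(None, 1)[0]
        if name.lower() in RENEG_DIRECTIVES:
            enclosing = [c for c in stack if c in PER_DIR_CONTEXTS]
            if enclosing:
                findings.append((lineno, name, enclosing[-1]))
    return findings


def still_renegotiates(config_text):
    """True if the configuration keeps a server-initiated renegotiation
    trigger that disabling client-initiated renegotiation does not remove."""
    return bool(find_server_initiated_renegotiation(config_text))


# Constructed sample: the layout the advisory warns about.
WEAK_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    # constructed certificate path
    SSLCertificateFile /etc/ssl/certs/example.pem
    <Directory /var/www/secure>
        # per-directory client-cert requirement: the server must renegotiate
        SSLVerifyClient require
    </Directory>
    <Location /legacy>
        # per-location cipher change: the server must renegotiate
        SSLCipherSuite HIGH:!aNULL
    </Location>
</VirtualHost>
"""

# Constructed sample: the advisory's workaround, with both directives moved
# to the virtual-host level (Apache 2.2 access-control syntax).
FIXED_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    # constructed certificate path
    SSLCertificateFile /etc/ssl/certs/example.pem
    SSLVerifyClient require
    SSLCipherSuite HIGH:!aNULL
    <Directory /var/www/secure>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, find_server_initiated_renegotiation(cfg))
```

Moving SSLVerifyClient up to the virtual host means every request to that host needs a client certificate, which is exactly why the advisory calls the rearrangement a workaround rather than a fix: a site that needs client certificates for one path only has to give that path its own virtual host.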

    A complete fix for the problem will require a protocol change. Further
    information will be included in a separate announcement about this
    issue.


    In addition, this update fixes the following issues in Apache's
    mod_proxy_ftp:

    CVE-2009-3094: Insufficient input validation in the mod_proxy_ftp
    module allowed remote FTP servers to cause a denial of service (NULL
    pointer dereference and child process crash) via a malformed reply to
    an EPSV command.

    CVE-2009-3095: Insufficient input validation in the mod_proxy_ftp
    module allowed remote authenticated attackers to bypass intended access
    restrictions and send arbitrary FTP commands to an FTP server.


    For the stable distribution (lenny), these problems have been fixed in
    version 2.2.9-10+lenny6. This version also includes some non-security
    bug fixes that were scheduled for inclusion in the next stable point
    release (Debian 5.0.4).

    For the oldstable distribution (etch), these problems have been fixed
    in version 2.2.3-4+etch11.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), these problems will be fixed in version 2.2.14-2.

    This advisory also provides updated apache2-mpm-itk packages which
    have been recompiled against the new apache2 packages.

    Updated apache2-mpm-itk packages for the armel architecture are not
    included yet. They will be released as soon as they become available.


    We recommend that you upgrade your apache2 and apache2-mpm-itk packages.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.
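For the manual wget / dpkg -i route, the file lists below give a size and an MD5 checksum for every package. The following is an added example, not part of DSA-1934-1 or of Debian's tooling: it parses lines in that "Size/MD5 checksum:" format and checks a downloaded file against them before installation. The listing excerpt mixes one real entry from this advisory with a constructed entry whose URL, package bytes and digest (MD5 of "abc") are illustrative only.

```python
"""Added example (not from DSA-1934-1 or Debian): parse the "Size/MD5
checksum" lines of a DSA file list and verify a downloaded package against
them before running dpkg -i. The constructed entry below is not a real
package; its digest is md5("abc") so the sample file written in demo()
matches it."""
import hashlib
import os
import re
import tempfile

# Hypothetical URL, constructed for this example (the real ones in the
# advisory live under the same pool path).
SAMPLE_URL = "http://security.debian.org/pool/updates/main/a/apache2/example-package_1.0_all.deb"

# First entry: copied from this advisory's etch source list.
# Second entry: constructed; 3 bytes, md5("abc").
SAMPLE_LIST = """\
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3-4+etch11.dsc
Size/MD5 checksum: 1071 dff8f31d88ede35bb87f92743d2db202
""" + SAMPLE_URL + """
Size/MD5 checksum: 3 900150983cd24fb0d6963f7d28e17f72
"""

LINE_RE = re.compile(r"^Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})$")


def parse_checksum_list(text):
    """Map each listed URL to the (size, md5) stated on the following line."""
    table = {}
    url = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("http://") or line.startswith("https://"):
            url = line
            continue
        m = LINE_RE.match(line)
        if m and url:
            table[url] = (int(m.group(1)), m.group(2))
            url = None
    return table


def verify_package(path, expected_size, expected_md5):
    """Return (ok, reason). The size is checked first, then the digest,
    reading the file in chunks so large .deb files are not loaded whole."""
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, "size mismatch: %d != %d" % (actual_size, expected_size)
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    digest = h.hexdigest()
    if digest != expected_md5:
        return False, "md5 mismatch: %s != %s" % (digest, expected_md5)
    return True, "ok"


def verify_download(listing_text, url, path):
    """Look the URL up in the advisory list and verify the local file."""
    table = parse_checksum_list(listing_text)
    if url not in table:
        return False, "url not in advisory list"
    size, md5 = table[url]
    return verify_package(path, size, md5)


def demo():
    """Write three constructed files (matching, same-size tampered,
    truncated) and return whether each verifies."""
    with tempfile.TemporaryDirectory() as d:
        results = []
        for name, data in (("good.deb", b"abc"),
                           ("tampered.deb", b"abd"),
                           ("truncated.deb", b"ab")):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results.append(verify_download(SAMPLE_LIST, SAMPLE_URL, path)[0])
        return tuple(results)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The digest only proves the file you fetched is the one the advisory lists; the advisory itself is the trusted input, which is why it is distributed as a PGP-signed message and why the signature should be checked before its checksums are relied on.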


    Debian GNU/Linux 4.0 alias etch (oldstable)
    - -------------------------------------------

    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    Source archives:

    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3-4+etch11.dsc
    Size/MD5 checksum: 1071 dff8f31d88ede35bb87f92743d2db202
    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3.orig.tar.gz
    Size/MD5 checksum: 6342475 f72ffb176e2dc7b322be16508c09f63c
    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3-4+etch11.diff.gz
    Size/MD5 checksum: 124890 c9b197b2a4bade4e92f3c65b88eea614

    Architecture independent packages:

    http://security.debian.org/pool/updates/main/a/apache2/apache2-doc_2.2.3-4+etch11_all.deb
    Size/MD5 checksum: 2247064 357f2daba8360eaf00b0157326c4d258
    http://security.debian.org/pool/updates/main/a/apache2/apache2-src_2.2.3-4+etch11_all.deb
    Size/MD5 checksum: 6668542 043a6a14dc48aae5fa8101715f4ddf81
    http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3-4+etch11_all.deb
    Size/MD5 checksum: 41626 27661a99c55641d534a5ffe4ea828c4b
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch11_all.deb
    Size/MD5 checksum: 275872 8ff0ac120a46e235a9253df6be09e4d5

    alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_alpha.deb
    Size/MD5 checksum: 346016 02b337e48ef627e13d79ad3919bc380d
    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_alpha.deb
    Size/MD5 checksum: 407682 f01d7e23f206baed1e42c60e15fe240f
    http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_alpha.deb
    Size/MD5 checksum: 1017408 1c8dccbed0a309ed0b74b83667f1d587
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_alpha.deb
    Size/MD5 checksum: 449704 b227ff8c9bceaa81488fec48b81f18f6
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_alpha.deb
    Size/MD5 checksum: 450266 766ba095925ee31c175716084f41b3cf
    http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_alpha.deb
    Size/MD5 checksum: 444898 3b1d9a9531c82872d36ce295d6cba581
    http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_alpha.deb
    Size/MD5 checksum: 407030 eedabbc4930b3c14012f57ec7956847b
    http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_alpha.deb
    Size/MD5 checksum: 184920 2d152290678598aeacd32564c2ec37c2

    amd64 architecture (AMD x86_64 (AMD64))

    http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_amd64.deb

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)