1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2298-1] apache2 security update

    From Stefan Fritsch@1:229/2 to All on Mon Aug 29 23:40:02 2011
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2298-1 [email protected] http://www.debian.org/security/ Stefan Fritsch August 29, 2011 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : apache2
    Vulnerability : denial of service
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2010-1452 CVE-2011-3192

    Two issues have been found in the Apache HTTPD web server:

    CVE-2011-3192

    A vulnerability has been found in the way the multiple overlapping
    ranges are handled by the Apache HTTPD server. This vulnerability
    allows an attacker to cause Apache HTTPD to use an excessive amount of
    memory, causing a denial of service.

    CVE-2010-1452

    A vulnerability has been found in mod_dav that allows an attacker to
    cause a daemon crash, causing a denial of service. This issue only
    affects the Debian 5.0 oldstable/lenny distribution.


    For the oldstable distribution (lenny), these problems have been fixed
    in version 2.2.9-10+lenny10.

    For the stable distribution (squeeze), this problem has been fixed in
    version 2.2.16-6+squeeze2.

    For the testing distribution (wheezy), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.2.19-2.

    We recommend that you upgrade your apache2 packages.

    This update also contains updated apache2-mpm-itk packages which have
    been recompiled against the updated apache2 packages. The new version
    number for the oldstable distribution is 2.2.6-02-1+lenny5. In the
    stable distribution, apache2-mpm-itk has the same version number as
    apache2.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.11 (GNU/Linux)

    iD8DBQFOW/+Mbxelr8HyTqQRAn+CAJ9s4JT+blC4eMB2rKEB1dLjtiA1+wCgvJDp /oid/eRrQ5zmnSp+KQ0R+Cs=
    =Svdo
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
  • From Rev Tom Ulrick@1:229/2 to Stefan Fritsch on Tue Aug 30 01:40:01 2011
    XPost: linux.debian.security
    From: [email protected]

    I copied the configs directly over.

    Stefan Fritsch <[email protected]> wrote:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    -
    ------------------------------------------------------------------------- >Debian Security Advisory DSA-2298-1
    [email protected]
    http://www.debian.org/security/ Stefan
    Fritsch
    August 29, 2011
    http://www.debian.org/security/faq
    -
    -------------------------------------------------------------------------

    Package : apache2
    Vulnerability : denial of service
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2010-1452 CVE-2011-3192

    Two issues have been found in the Apache HTTPD web server:

    CVE-2011-3192

    A vulnerability has been found in the way the multiple overlapping
    ranges are handled by the Apache HTTPD server. This vulnerability
    allows an attacker to cause Apache HTTPD to use an excessive amount of >memory, causing a denial of service.

    CVE-2010-1452

    A vulnerability has been found in mod_dav that allows an attacker to
    cause a daemon crash, causing a denial of service. This issue only
    affects the Debian 5.0 oldstable/lenny distribution.


    For the oldstable distribution (lenny), these problems have been fixed
    in version 2.2.9-10+lenny10.

    For the stable distribution (squeeze), this problem has been fixed in
    version 2.2.16-6+squeeze2.

    For the testing distribution (wheezy), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in
    version 2.2.19-2.

    We recommend that you upgrade your apache2 packages.

    This update also contains updated apache2-mpm-itk packages which have
    been recompiled against the updated apache2 packages. The new version
    number for the oldstable distribution is 2.2.6-02-1+lenny5. In the
    stable distribution, apache2-mpm-itk has the same version number as
    apache2.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.11 (GNU/Linux)

    iD8DBQFOW/+Mbxelr8HyTqQRAn+CAJ9s4JT+blC4eMB2rKEB1dLjtiA1+wCgvJDp >/oid/eRrQ5zmnSp+KQ0R+Cs=
    =Svdo
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to
    [email protected]
    with a subject of "unsubscribe". Trouble? Contact
    [email protected]
    Archive: http://lists.debian.org/[email protected]

    --
    Sent from my Android phone with K-9 Mail. Please excuse my brevity.


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)