Mageia alert MGASA-2013-0073 (apache) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2013-0073: apache-2.2.24-1.mga2 (2/core) 
Date:
    	       Wed, 27 Feb 2013 22:10:30 +0100
Message-ID:
    	       <20130227211030.GA28072@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2013-0073
Date: 	February 27nd, 2013
Affected releases: 	2
Media: 	Core


Description:
Updated apache packages fix security vulnerabilities:

Various XSS (cross-site scripting vulnerability) flaws due to unescaped
hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap,
mod_ldap, and mod_proxy_ftp (CVE-2012-3499).

XSS (cross-site scripting vulnerability) in mod_proxy_balancer manager
interface (CVE-2012-4558).

Additionally the ASF bug 53219 was resolved which provides a way
to mitigate the CRIME attack vulnerability by disabling TLS-level
compression. Use the new directive SSLCompression on|off to enable or
disable TLS-level compression, by default SSLCompression is turned on.


Updated Packages:
i586:
apache-2.2.24-1.mga2.i586.rpm
apache-devel-2.2.24-1.mga2.i586.rpm
apache-doc-2.2.24-1.mga2.noarch.rpm
apache-htcacheclean-2.2.24-1.mga2.i586.rpm
apache-mod_authn_dbd-2.2.24-1.mga2.i586.rpm
apache-mod_cache-2.2.24-1.mga2.i586.rpm
apache-mod_dav-2.2.24-1.mga2.i586.rpm
apache-mod_dbd-2.2.24-1.mga2.i586.rpm
apache-mod_deflate-2.2.24-1.mga2.i586.rpm
apache-mod_disk_cache-2.2.24-1.mga2.i586.rpm
apache-mod_file_cache-2.2.24-1.mga2.i586.rpm
apache-mod_ldap-2.2.24-1.mga2.i586.rpm
apache-mod_mem_cache-2.2.24-1.mga2.i586.rpm
apache-mod_proxy-2.2.24-1.mga2.i586.rpm
apache-mod_proxy_ajp-2.2.24-1.mga2.i586.rpm
apache-mod_proxy_scgi-2.2.24-1.mga2.i586.rpm
apache-mod_reqtimeout-2.2.24-1.mga2.i586.rpm
apache-mod_ssl-2.2.24-1.mga2.i586.rpm
apache-mod_suexec-2.2.24-1.mga2.i586.rpm
apache-mod_userdir-2.2.24-1.mga2.i586.rpm
apache-mpm-event-2.2.24-1.mga2.i586.rpm
apache-mpm-itk-2.2.24-1.mga2.i586.rpm
apache-mpm-peruser-2.2.24-1.mga2.i586.rpm
apache-mpm-prefork-2.2.24-1.mga2.i586.rpm
apache-mpm-worker-2.2.24-1.mga2.i586.rpm
apache-source-2.2.24-1.mga2.noarch.rpm
apache-debug-2.2.24-1.mga2.i586.rpm

x86_64:
apache-2.2.24-1.mga2.x86_64.rpm
apache-devel-2.2.24-1.mga2.x86_64.rpm
apache-doc-2.2.24-1.mga2.noarch.rpm
apache-htcacheclean-2.2.24-1.mga2.x86_64.rpm
apache-mod_authn_dbd-2.2.24-1.mga2.x86_64.rpm
apache-mod_cache-2.2.24-1.mga2.x86_64.rpm
apache-mod_dav-2.2.24-1.mga2.x86_64.rpm
apache-mod_dbd-2.2.24-1.mga2.x86_64.rpm
apache-mod_deflate-2.2.24-1.mga2.x86_64.rpm
apache-mod_disk_cache-2.2.24-1.mga2.x86_64.rpm
apache-mod_file_cache-2.2.24-1.mga2.x86_64.rpm
apache-mod_ldap-2.2.24-1.mga2.x86_64.rpm
apache-mod_mem_cache-2.2.24-1.mga2.x86_64.rpm
apache-mod_proxy-2.2.24-1.mga2.x86_64.rpm
apache-mod_proxy_ajp-2.2.24-1.mga2.x86_64.rpm
apache-mod_proxy_scgi-2.2.24-1.mga2.x86_64.rpm
apache-mod_reqtimeout-2.2.24-1.mga2.x86_64.rpm
apache-mod_ssl-2.2.24-1.mga2.x86_64.rpm
apache-mod_suexec-2.2.24-1.mga2.x86_64.rpm
apache-mod_userdir-2.2.24-1.mga2.x86_64.rpm
apache-mpm-event-2.2.24-1.mga2.x86_64.rpm
apache-mpm-itk-2.2.24-1.mga2.x86_64.rpm
apache-mpm-peruser-2.2.24-1.mga2.x86_64.rpm
apache-mpm-prefork-2.2.24-1.mga2.x86_64.rpm
apache-mpm-worker-2.2.24-1.mga2.x86_64.rpm
apache-source-2.2.24-1.mga2.noarch.rpm
apache-debug-2.2.24-1.mga2.x86_64.rpm

SRPMS:
apache-2.2.24-1.mga2.src.rpm


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
http://www.mandriva.com/en/support/security/advisories/me...
https://bugs.mageia.org/show_bug.cgi?id=9168
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-...
(Log in to post comments)