-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0315
                          apache2 security update
                               5 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
Impact/Access:     Increased Privileges   -- Existing Account
                   Cross-site Scripting   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1048 CVE-2012-4558 CVE-2012-3499

Reference:         ESB-2013.0281
                   ESB-2013.0280

Original Bulletin:
   http://www.debian.org/security/2013/dsa-2637

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2637-1                   security@debian.org
http://www.debian.org/security/                            Stefan Fritsch
March 04, 2013                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : apache2
Vulnerability  : several issues
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-3499 CVE-2012-4558 CVE-2013-1048

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2012-3499

    The modules mod_info, mod_status, mod_imagemap, mod_ldap, and
    mod_proxy_ftp did not properly escape hostnames and URIs in HTML
    output, causing cross site scripting vulnerabilities.

CVE-2012-4558

    Mod_proxy_balancer did not properly escape hostnames and URIs in its
    balancer-manager interface, causing a cross site scripting
    vulnerability.

CVE-2013-1048

    Hayawardh Vijayakumar noticed that the apache2ctl script created the
    lock directory in an unsafe manner, allowing a local attacker to gain
    elevated privileges via a symlink attack. This is a Debian specific
    issue.
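As an added illustration of the class of defect behind CVE-2013-1048 (this is not the apache2ctl script or the Debian fix, neither of which the advisory reproduces), the following Python helper creates a lock directory without following a pre-existing symbolic link and refuses to use a path that turns out to be a link, a non-directory, or owned by another user. The function name, the throwaway directory and the planted link in demo() are all constructed for the example.

```python
import os
import stat
import tempfile


def create_lock_dir(path: str, mode: int = 0o755) -> str:
    """Create the lock directory at `path` without following symlinks.

    Returns "created" if this call made the directory, or "existing" if a
    real directory owned by the current user is already there.  Raises
    RuntimeError if `path` is a symlink, a non-directory, or owned by
    someone else.  (Illustrative helper, not the apache2ctl code.)
    """
    try:
        # mkdir(2) does not follow a symlink at the final path component:
        # if anything already occupies `path`, including a planted link,
        # it fails with EEXIST instead of creating through the link.
        os.mkdir(path, mode)
        return "created"
    except FileExistsError:
        pass

    # Something is already there.  Use lstat so a symlink is reported as
    # a symlink rather than as whatever it currently points to.
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError(f"refusing to use {path}: it is a symbolic link")
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"refusing to use {path}: not a directory")
    if st.st_uid != os.geteuid():
        raise RuntimeError(f"refusing to use {path}: owned by uid {st.st_uid}")
    return "existing"


def demo() -> dict:
    """Exercise the helper inside a temporary directory (constructed fixture)."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        fresh = os.path.join(base, "lock")
        results["fresh"] = create_lock_dir(fresh)   # first call creates it
        results["again"] = create_lock_dir(fresh)   # second call accepts the real dir

        # A link that already sits where the lock directory is expected,
        # pointing at a directory that must not be touched.
        victim = os.path.join(base, "victim")
        os.mkdir(victim)
        planted = os.path.join(base, "planted")
        os.symlink(victim, planted)
        try:
            create_lock_dir(planted)
            results["planted"] = "accepted"
        except RuntimeError:
            results["planted"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The lstat check only catches a link that is already in place when the helper runs; a small window remains between that check and any later use of the directory. The robust arrangement, which this helper does not replace, is to keep the lock directory under a parent that untrusted local users cannot write to, so that there is nowhere for a link to be placed in the first place.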
For the stable distribution (squeeze), these problems have been fixed in
version 2.2.16-6+squeeze11.

For the testing distribution (wheezy), these problems will be fixed in
version 2.2.22-13.

For the unstable distribution (sid), these problems will be fixed in
version 2.2.22-13.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRNRDIbxelr8HyTqQRAmNvAKCr23t51aUn7xFsJLSVnfaZSs4cpACgxwk2
v9qS4DatnCKCMTpcb1PtLFE=
=uufq
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the
information is still current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUTVzqe4yVqjM2NGpAQK3SxAArh3EdvCoBQLPv3aPfuuIh133mrfLjGkQ
J4YQ7ckgonBXSv+ZBvzGj3w4CJlaBgQ3K7fKwLDKamPKAXC0KfW7t40jQ0gd5uBv
Ysahf6PzY4oAydtSzhNEKzcrHMOicV/0h/tdowEzMFEhAWWMSjY4eiRgdjjbWY5J
+M7qB3kG5rlMhgFtQNgbJHpCxv5FVXOS0zZe5FJCcPdoPWzlPUZRaJNABwNN+vMA
cHPPUdbLm+IRnY7AqA6tiZ40KsHAVC/tr8DukyTrUxq48lKev/5jxsZgz0cmqYLx
rxs2B4zeyw1ryRmW6MQfuYyhYaBtj/V92aQPB8XgXPMK4ucpg6eLAn0acDbyj1nA
mKKoRg3J21lLRhSF2BELHPoJEtgANtSYWbIVUOrSFpBTR+P/cK0tY/w1crjyDZPk
OQUIJKBre9AsC69puEAO6HuRMxVwJ692d2jE91mN0WRGeAgT+9e7Vp8lJfEaEf0d
IQdKSidfsI5f+HhostjmEeQMdOBxOLP+BmgI/qTmMEsilzO39MsdWjHFX9UhBOpR
Fkd5RspS7bSjTYcBT0u98R/ulK8H1rx+pr7qSTrtDO2khhvuzKn6o1eXzYNKAxbw
rhYvpZcgRZB3xnWdGcoGUwnzV265BuDfNGlBTfwKpdJOQXvzDKHsQAVGQKRcRixU
o1Oq/kjURM4=
=Wnzl
-----END PGP SIGNATURE-----
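The advisory names the versions in which the apache2 package is fixed (2.2.16-6+squeeze11 for squeeze, 2.2.22-13 for wheezy and sid). Deciding whether an installed version is at or above one of these is not a string comparison: "squeeze9" must sort below "squeeze11", "~" sorts before anything, and epochs override everything. The following Python reimplements dpkg's version-comparison rules and applies them to the versions in this advisory. It is an added example, not part of the bulletin or of dpkg; the table FIXED and the helper names are constructed here.

```python
def _order(c: str) -> int:
    """Sort weight of one character (or "" for end of string) under dpkg's
    rules: '~' sorts before everything including end of string, digits and
    end of string weigh 0, letters weigh their code, other characters
    sort after letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments as dpkg's verrevcmp() does: alternate
    runs of non-digits (compared character by character via _order) with
    runs of digits (compared numerically, leading zeros ignored)."""
    while a or b:
        first_diff = 0
        # Non-digit run: the first differing character decides.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, remember the first differing
        # digit, and let the longer run of digits win outright.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-debian_revision]' into its three parts.
    A missing epoch is 0 and a missing revision compares equal to '0'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return a negative, zero or positive number as Debian version `a`
    is older than, equal to or newer than `b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    result = _verrevcmp(ua, ub)
    if result:
        return result
    return _verrevcmp(ra, rb)


# Fixed versions as given in DSA-2637-1 (table constructed for this example).
FIXED = {
    "squeeze": "2.2.16-6+squeeze11",
    "wheezy": "2.2.22-13",
    "sid": "2.2.22-13",
}


def is_fixed(installed: str, suite: str) -> bool:
    """True if `installed` is at or above the version the advisory names
    for `suite`."""
    return compare_versions(installed, FIXED[suite]) >= 0


if __name__ == "__main__":
    for candidate in ("2.2.16-6+squeeze9", "2.2.16-6+squeeze11", "1:2.2.16-1"):
        print(candidate, "squeeze fixed:", is_fixed(candidate, "squeeze"))
```

On a Debian host the installed version comes from `dpkg-query -W -f='${Version}\n' apache2`, and `dpkg --compare-versions` applies the same rules with the system tool; the point of the reimplementation is to make the ordering visible, in particular that "squeeze9" is older than "squeeze11" and that an epoch such as "1:" outranks any upstream version.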