-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1237
                          apache2 security update
                               25 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0231 CVE-2014-0226 CVE-2014-0118

Reference:         ESB-2014.1218
                   ESB-2014.1204

Original Bulletin:
   http://www.debian.org/security/2014/dsa-2989

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2989-1                   security@debian.org
http://www.debian.org/security/                           Stefan Fritsch
July 24, 2014                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2014-0118 CVE-2014-0226 CVE-2014-0231

Several security issues were found in the Apache HTTP server.

CVE-2014-0118

    The DEFLATE input filter (inflates request bodies) in mod_deflate
    allows remote attackers to cause a denial of service (resource
    consumption) via crafted request data that decompresses to a much
    larger size.

CVE-2014-0226

    A race condition was found in mod_status. An attacker able to
    access a public server status page on a server could send carefully
    crafted requests which could lead to a heap buffer overflow,
    causing denial of service, disclosure of sensitive information, or
    potentially the execution of arbitrary code.

CVE-2014-0231

    A flaw was found in mod_cgid.
    If a server using mod_cgid hosted CGI scripts which did not consume
    standard input, a remote attacker could cause child processes to
    hang indefinitely, leading to denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 2.2.22-13+deb7u3.

For the testing distribution (jessie), these problems will be fixed in
version 2.4.10-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.10-1.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:
        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
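As an added illustration of the CVE-2014-0118 class of problem described in the advisory above (this is example code, not Debian's or Apache's own): a request-body inflater that re-checks an absolute size cap and a compression-ratio cap after every chunk, so a body that is small on the wire but decompresses to a much larger size is rejected before it consumes memory. The limit values, the helper names and the sample bodies are all constructed for this example.

```python
import zlib

# Caps on what a request body may inflate to. Values chosen for this example;
# they are not Apache's configuration.
MAX_INFLATED_BYTES = 1_000_000   # absolute cap on decompressed output
MAX_RATIO = 200                  # inflated bytes allowed per compressed byte


class InflateLimitExceeded(Exception):
    """Raised when a body inflates past the configured limits."""


def inflate_bounded(body, max_bytes=MAX_INFLATED_BYTES, max_ratio=MAX_RATIO,
                    chunk=4096):
    """Inflate a zlib-compressed body, re-checking the limits after every chunk."""
    d = zlib.decompressobj()
    out = bytearray()
    consumed = pos = 0
    pending = b""
    while not d.eof:
        if not pending and pos < len(body):
            pending = body[pos:pos + chunk]
            pos += len(pending)
            consumed += len(pending)
        # max_length bounds the output of this call, so memory stays bounded
        # between checks instead of growing to the full inflated size first.
        produced = d.decompress(pending, chunk)
        pending = d.unconsumed_tail          # input zlib has not reached yet
        if not produced and not pending and pos >= len(body):
            break                            # truncated stream: nothing more to do
        out += produced
        if len(out) > max_bytes:
            raise InflateLimitExceeded(f"inflated size {len(out)} exceeds {max_bytes}")
        if len(out) > max_ratio * consumed:
            raise InflateLimitExceeded(f"ratio {len(out)}:{consumed} exceeds {max_ratio}:1")
    return bytes(out)


def classify(body):
    """Return ('accepted', size) or ('rejected', reason) for a compressed body."""
    try:
        return ("accepted", len(inflate_bounded(body)))
    except InflateLimitExceeded as exc:
        return ("rejected", str(exc))


# Constructed sample inputs: an ordinary JSON body, and one that is about a
# kilobyte on the wire but inflates to 1 MB of zero bytes.
NORMAL_BODY = b'{"user":"alice","action":"login","ts":1406160000}'
NORMAL_COMPRESSED = zlib.compress(NORMAL_BODY)
BOMB_COMPRESSED = zlib.compress(b"\0" * 1_000_000)
```

The same two checks, applied per chunk rather than once at the end, are what keep a single crafted request from inflating to many times its size in server memory.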