===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1237
                          apache2 security update
                               25 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache2
Publisher:         Debian
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0231 CVE-2014-0226 CVE-2014-0118

Reference:         ESB-2014.1218
                   ESB-2014.1204

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2989

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-2989-1                   security@debian.org
http://www.debian.org/security/                            Stefan Fritsch
July 24, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2014-0118 CVE-2014-0226 CVE-2014-0231

Several security issues were found in the Apache HTTP server.

CVE-2014-0118

    The DEFLATE input filter (inflates request bodies) in mod_deflate
    allows remote attackers to cause a denial of service (resource
    consumption) via crafted request data that decompresses to a much
    larger size.

CVE-2014-0226

    A race condition was found in mod_status. An attacker able to
    access a public server status page on a server could send carefully
    crafted requests which could lead to a heap buffer overflow,
    causing denial of service, disclosure of sensitive information, or
    potentially the execution of arbitrary code.

CVE-2014-0231

    A flaw was found in mod_cgid. If a server using mod_cgid hosted
    CGI scripts which did not consume standard input, a remote attacker
    could cause child processes to hang indefinitely, leading to denial
    of service.


For the stable distribution (wheezy), these problems have been fixed in
version 2.2.22-13+deb7u3.

For the testing distribution (jessie), these problems will be fixed in
version 2.4.10-1.

For the unstable distribution (sid), these problems have been fixed in
version 2.4.10-1.
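As an added check that is not part of the DSA or of Debian's tooling, the following Python implements dpkg's version ordering so that an installed apache2 version string can be compared against the fixed versions this advisory lists on a host without dpkg (for example when auditing an inventory export); the installed version strings used as input are constructed samples.

```python
import re

# Fixed apache2 versions as stated in DSA-2989-1, keyed by Debian suite.
FIXED_VERSIONS = {
    "wheezy": "2.2.22-13+deb7u3",  # stable
    "jessie": "2.4.10-1",          # testing
    "sid": "2.4.10-1",             # unstable
}

def _order(c):
    """dpkg character weight: '~' sorts before end-of-string, then letters, then the rest."""
    if c == "~":
        return -1
    if not c:
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare an upstream or revision string with dpkg's alternating-runs algorithm."""
    while a or b:
        # Non-digit run first, compared character by character with _order.
        an, bn = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(an):], b[len(bn):]
        for i in range(max(len(an), len(bn))):
            d = _order(an[i:i + 1]) - _order(bn[i:i + 1])
            if d:
                return d
        # Then the digit run, compared numerically so leading zeros do not matter.
        ad, bd = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(ad):], b[len(bd):]
        if int(ad or 0) != int(bd or 0):
            return int(ad or 0) - int(bd or 0)
    return 0

def split_version(v):
    """Split '[epoch:]upstream[-revision]' as dpkg does; the last '-' starts the revision."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Negative if a < b, 0 if equal, positive if a > b (dpkg --compare-versions order)."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(installed, suite):
    """True when an installed apache2 version is at or above the DSA's fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0
```

On a live Debian host the installed string comes from `dpkg-query -W -f='${Version}' apache2`; note that a wheezy backport such as `2.4.10-1~bpo70+1` sorts below `2.4.10-1`, because a tilde sorts before the end of the string.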

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================