-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:154
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : apache
 Date    : September 28, 2012
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in apache
 (ASF HTTPD):

 Insecure handling of LD_LIBRARY_PATH was found that could lead to the
 current working directory being searched for DSOs. This could allow a
 local user to execute code as root if an administrator runs apachectl
 from an untrusted directory (CVE-2012-0883).

 Possible XSS for sites which use mod_negotiation and allow untrusted
 uploads to locations which have MultiViews enabled (CVE-2012-2687).

 The updated packages have been upgraded to the latest 2.2.23 version,
 which is not vulnerable to these issues.
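 The following shell script is an added example and is not part of the
 Mandriva advisory or of the Apache project. It gives an administrator two
 local checks for the conditions the advisory describes: whether a given
 LD_LIBRARY_PATH value would make the dynamic loader search the current
 working directory for DSOs (the CVE-2012-0883 condition), and which
 <Directory> sections of an httpd.conf enable MultiViews, so that upload
 locations can be reviewed (the precondition for CVE-2012-2687). The
 library directory, the sample httpd.conf and the directory names are
 constructed for the demonstration; the "guarded" path builder shows one
 way to avoid introducing an empty element and is not claimed to be the
 exact change shipped in 2.2.23.

```shell
#!/bin/sh
# Added example, not part of the Mandriva advisory or the Apache project.
# Two defender-side checks for the issues the advisory describes:
#   1. an LD_LIBRARY_PATH value that makes the dynamic loader search the
#      current working directory (the CVE-2012-0883 condition), and
#   2. <Directory> sections in an httpd.conf that enable MultiViews
#      (the precondition for CVE-2012-2687 when uploads land there).
# All sample values below are constructed for the demonstration.

# The glibc loader treats an EMPTY element of a colon-separated search path
# (leading ":", trailing ":" or "::") as the current directory, as it does
# an explicit ".". Returns 0 when the path would search the cwd.
path_searches_cwd() {
    p="$1"
    case "$p" in
        "")          return 1 ;;   # unset/empty: loader defaults only
        :*|*:|*::*)  return 0 ;;   # leading, trailing or doubled colon
    esac
    rest="$p"
    while :; do                    # walk the elements without word-splitting
        case "$rest" in
            *:*) elem="${rest%%:*}"; rest="${rest#*:}" ;;
            *)   elem="$rest";       rest="" ;;
        esac
        [ "$elem" = "." ] && return 0
        [ -z "$rest" ] && break
    done
    return 1
}

# The unsafe construction: prepending a lib dir to a variable that may be
# unset leaves a trailing ":" and therefore an empty (cwd) element.
naive_ld_library_path() {
    printf '%s\n' "$1:$2"
}

# Guarded construction (assumed pattern, not the project's own script):
# only prepend when there is an existing value, so no empty element appears.
safe_ld_library_path() {
    libdir="$1"; current="$2"
    if [ -n "$current" ]; then
        printf '%s\n' "$libdir:$current"
    else
        printf '%s\n' "$libdir"
    fi
}

# Reads an httpd.conf on stdin and prints each <Directory> whose Options
# line enables MultiViews ("MultiViews" or "+MultiViews"). "-MultiViews"
# and "Options All" (which excludes MultiViews) are not reported.
multiviews_dirs() {
    awk '
        tolower($1) ~ /^<directory/   { dir = $2; sub(/>$/, "", dir); gsub("\"", "", dir) }
        tolower($1) ~ /^<\/directory/ { dir = "" }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "multiviews" || tolower($i) == "+multiviews")
                    print (dir == "" ? "(server config)" : dir)
        }
    '
}

# Constructed sample configuration for the demonstration.
sample_conf='<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/uploads">
    Options -Indexes +MultiViews
</Directory>
<Directory /srv/static>
    Options MultiViews
</Directory>
<Directory /srv/safe>
    Options -MultiViews
</Directory>'

# Demonstration: the naive and guarded builders with an unset variable,
# plus whatever LD_LIBRARY_PATH the current shell actually carries.
for candidate in "$(naive_ld_library_path /usr/lib/apache "")" \
                 "$(safe_ld_library_path /usr/lib/apache "")" \
                 "${LD_LIBRARY_PATH-}"; do
    if path_searches_cwd "$candidate"; then
        echo "UNSAFE: '$candidate' would search the current directory for DSOs"
    else
        echo "ok:     '$candidate'"
    fi
done
echo "Directories with MultiViews enabled:"
printf '%s\n' "$sample_conf" | multiviews_dirs
```

 Run it as `sh check.sh`, or feed a real configuration with
 `multiviews_dirs < /etc/httpd/conf/httpd.conf` after sourcing the file;
 any directory it lists that also accepts untrusted uploads is the case
 the advisory warns about, and `Options -MultiViews` in that section
 removes the precondition independently of the package upgrade.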
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
 http://httpd.apache.org/security/vulnerabilities_22.html
 http://www.apache.org/dist/httpd/CHANGES_2.2.23
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 2a6deb52a907ef25643d0bc49d0829aa  mes5/i586/apache-base-2.2.23-0.1mdvmes5.2.i586.rpm
 cf6c25930c89694dbc23771030bed22b  mes5/i586/apache-conf-2.2.23-0.1mdvmes5.2.i586.rpm
 5853c6245a92e6a9f50d5ed8ea1f0873  mes5/i586/apache-devel-2.2.23-0.1mdvmes5.2.i586.rpm
 96b6bc8398fd9bfe2216a3d34d3efa37  mes5/i586/apache-doc-2.2.23-0.1mdvmes5.2.i586.rpm
 4dd0e9f2f8bd5418bb780c33e4030a81  mes5/i586/apache-htcacheclean-2.2.23-0.1mdvmes5.2.i586.rpm
 d8537cdd24e5cd259e6cb821e7d78b75  mes5/i586/apache-mod_authn_dbd-2.2.23-0.1mdvmes5.2.i586.rpm
 33f926c8833af125afbe89679640e84b  mes5/i586/apache-mod_cache-2.2.23-0.1mdvmes5.2.i586.rpm
 763647d82824dc5b71a1296830cb04d9  mes5/i586/apache-mod_dav-2.2.23-0.1mdvmes5.2.i586.rpm
 891dba584907e14fa965362bbe1e9df3  mes5/i586/apache-mod_dbd-2.2.23-0.1mdvmes5.2.i586.rpm
 5778eaef034bb73259bd11d78a3f0474  mes5/i586/apache-mod_deflate-2.2.23-0.1mdvmes5.2.i586.rpm
 fa4186b16baa4f528b84af1c1bef6c4d  mes5/i586/apache-mod_disk_cache-2.2.23-0.1mdvmes5.2.i586.rpm
 05459bbd61b32f06d05082ad6e109a07  mes5/i586/apache-mod_file_cache-2.2.23-0.1mdvmes5.2.i586.rpm
 d729802408335fbed5db1553e2a3bef0  mes5/i586/apache-mod_ldap-2.2.23-0.1mdvmes5.2.i586.rpm
 a1877e86f5fb446a8adb1c0778bb7ecf  mes5/i586/apache-mod_mem_cache-2.2.23-0.1mdvmes5.2.i586.rpm
 01ab1dbeb1177af0950a1da7fa70b470  mes5/i586/apache-mod_proxy-2.2.23-0.1mdvmes5.2.i586.rpm
 423dadd5f7c9ba6a7da8037ad54c2cde  mes5/i586/apache-mod_proxy_ajp-2.2.23-0.1mdvmes5.2.i586.rpm
 9c7af6f3f19b1e1697584e692808e86a  mes5/i586/apache-mod_proxy_scgi-2.2.23-0.1mdvmes5.2.i586.rpm
 8e816b0eeb136e6acfa24f27b4ad903c  mes5/i586/apache-mod_reqtimeout-2.2.23-0.1mdvmes5.2.i586.rpm
 8000c240a4c0f761017cda0c249282a1  mes5/i586/apache-mod_ssl-2.2.23-0.1mdvmes5.2.i586.rpm
 f3a62ecede37f013b2ddaf0b32a77ddb  mes5/i586/apache-mod_suexec-2.2.23-0.1mdvmes5.2.i586.rpm
 385ca21f2966e8b64c4dd0541996c21d  mes5/i586/apache-modules-2.2.23-0.1mdvmes5.2.i586.rpm
 a7205d395f2c231acee8c73d8a383dab  mes5/i586/apache-mod_userdir-2.2.23-0.1mdvmes5.2.i586.rpm
 502eae665036c3973f69f986ce420c07  mes5/i586/apache-mpm-event-2.2.23-0.1mdvmes5.2.i586.rpm
 aebac24b0d8a7e24ec4e70b51359db68  mes5/i586/apache-mpm-itk-2.2.23-0.1mdvmes5.2.i586.rpm
 5733be6c3a6c9efd63d4439854f55a37  mes5/i586/apache-mpm-peruser-2.2.23-0.1mdvmes5.2.i586.rpm
 9c9f7e40e1903040088a1c35835a3c43  mes5/i586/apache-mpm-prefork-2.2.23-0.1mdvmes5.2.i586.rpm
 06aaffabfbfda5f6d4f54f8bb58cf810  mes5/i586/apache-mpm-worker-2.2.23-0.1mdvmes5.2.i586.rpm
 026532e051d72c31f3078d32249a392f  mes5/i586/apache-source-2.2.23-0.1mdvmes5.2.i586.rpm
 4682ce2fda81a55007d13c70bb2376f1  mes5/SRPMS/apache-2.2.23-0.1mdvmes5.2.src.rpm
 45468b04e766eb6b59356395fd75cfd0  mes5/SRPMS/apache-conf-2.2.23-0.1mdvmes5.2.src.rpm
 9680fd9ea4808d5939cd8fa00ef618b5  mes5/SRPMS/apache-mod_suexec-2.2.23-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 edb7104f5e0e69ba1b16155f56cdaf78  mes5/x86_64/apache-base-2.2.23-0.1mdvmes5.2.x86_64.rpm
 0c8520eb535312e29fb685d84ac94431  mes5/x86_64/apache-conf-2.2.23-0.1mdvmes5.2.x86_64.rpm
 3dc668b4f677ba4c6d11272cdd46d74a  mes5/x86_64/apache-devel-2.2.23-0.1mdvmes5.2.x86_64.rpm
 665467a06653cd4690d9674407c47183  mes5/x86_64/apache-doc-2.2.23-0.1mdvmes5.2.x86_64.rpm
 be95023bf533bba0245d6115aa0d3a21  mes5/x86_64/apache-htcacheclean-2.2.23-0.1mdvmes5.2.x86_64.rpm
 8d55fbc21e43d404a95fdabbc4b5c8da  mes5/x86_64/apache-mod_authn_dbd-2.2.23-0.1mdvmes5.2.x86_64.rpm
 bea7f4a121b78a159a5f7eb782593b2c  mes5/x86_64/apache-mod_cache-2.2.23-0.1mdvmes5.2.x86_64.rpm
 386d2c7ffb035cd282315dd4fbfd71d3  mes5/x86_64/apache-mod_dav-2.2.23-0.1mdvmes5.2.x86_64.rpm
 568303f666e0ec8755b2eb386aaf54ad  mes5/x86_64/apache-mod_dbd-2.2.23-0.1mdvmes5.2.x86_64.rpm
 2df5ec32ada4acb3f7fff12f151bc1a1  mes5/x86_64/apache-mod_deflate-2.2.23-0.1mdvmes5.2.x86_64.rpm
 ec4ad6d0f722e225ad2551cbdbcfcc4f  mes5/x86_64/apache-mod_disk_cache-2.2.23-0.1mdvmes5.2.x86_64.rpm
 be2fbe50607b150d8847b84df1ebe8e0  mes5/x86_64/apache-mod_file_cache-2.2.23-0.1mdvmes5.2.x86_64.rpm
 6e63be0d6867d49e578da8cc3923598c  mes5/x86_64/apache-mod_ldap-2.2.23-0.1mdvmes5.2.x86_64.rpm
 a96853ec44db86b46ef626a9b1b6bc52  mes5/x86_64/apache-mod_mem_cache-2.2.23-0.1mdvmes5.2.x86_64.rpm
 ff96dc83bea37765fcf010e6acc38561  mes5/x86_64/apache-mod_proxy-2.2.23-0.1mdvmes5.2.x86_64.rpm
 4dccdde9516d099ff6d7d47611c509a2  mes5/x86_64/apache-mod_proxy_ajp-2.2.23-0.1mdvmes5.2.x86_64.rpm
 04a4ec93d067626f75d9372e6355f0a2  mes5/x86_64/apache-mod_proxy_scgi-2.2.23-0.1mdvmes5.2.x86_64.rpm
 4b66f4a23616a24728e78f5de7ff611b  mes5/x86_64/apache-mod_reqtimeout-2.2.23-0.1mdvmes5.2.x86_64.rpm
 d1936911f3666dae08a7246047720c58  mes5/x86_64/apache-mod_ssl-2.2.23-0.1mdvmes5.2.x86_64.rpm
 12e673bf6b9cf5c3bb8d169bcb1d592a  mes5/x86_64/apache-mod_suexec-2.2.23-0.1mdvmes5.2.x86_64.rpm
 9c1f3daa78a7c16aef87996e7adb2f7d  mes5/x86_64/apache-modules-2.2.23-0.1mdvmes5.2.x86_64.rpm
 2e765c5007b9ae87d52fd54adccc02bf  mes5/x86_64/apache-mod_userdir-2.2.23-0.1mdvmes5.2.x86_64.rpm
 df910acc362dd1d19d684041a3ad3f0d  mes5/x86_64/apache-mpm-event-2.2.23-0.1mdvmes5.2.x86_64.rpm
 0a451c5cc78971ff3a8a7e7c124384b9  mes5/x86_64/apache-mpm-itk-2.2.23-0.1mdvmes5.2.x86_64.rpm
 da8a8853e3c43ba0429bce6965826505  mes5/x86_64/apache-mpm-peruser-2.2.23-0.1mdvmes5.2.x86_64.rpm
 f143a74d64b59f0e60a025ef56caebc9  mes5/x86_64/apache-mpm-prefork-2.2.23-0.1mdvmes5.2.x86_64.rpm
 536ab2c713bd7dbf8ab1a8fd839fe12d  mes5/x86_64/apache-mpm-worker-2.2.23-0.1mdvmes5.2.x86_64.rpm
 77e1637d806dbc6d06501bc4c98f1ae4  mes5/x86_64/apache-source-2.2.23-0.1mdvmes5.2.x86_64.rpm
 4682ce2fda81a55007d13c70bb2376f1  mes5/SRPMS/apache-2.2.23-0.1mdvmes5.2.src.rpm
 45468b04e766eb6b59356395fd75cfd0  mes5/SRPMS/apache-conf-2.2.23-0.1mdvmes5.2.src.rpm
 9680fd9ea4808d5939cd8fa00ef618b5  mes5/SRPMS/apache-mod_suexec-2.2.23-0.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQZWg/mqjQ0CJFipgRAnH7AKCE8P/B3z8Z7c0AKEsKH8YuK/wenACgov5R
nQTUKFMMk3mSevCSc4j5hLk=
=XvNR
-----END PGP SIGNATURE-----