-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:065
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : apache
 Date    : March 20, 2014
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in apache
 (ASF HTTPD):

 XML parsing code in mod_dav incorrectly calculates the end of the
 string when removing leading spaces and places a NUL character
 outside the buffer, causing random crashes. This XML parsing code is
 only used with DAV provider modules that support DeltaV, of which
 the only publicly released provider is mod_dav_svn (CVE-2013-6438).

 A flaw was found in mod_log_config. A remote attacker could send a
 specific truncated cookie causing a crash. This crash would only be
 a denial of service if using a threaded MPM (CVE-2014-0098).

 The updated packages have been upgraded to the latest 2.2.27 version,
 which is not vulnerable to these issues.
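The mod_dav defect described above (CVE-2013-6438), as an added C illustration that is not Apache's source code and not part of the advisory. It assumes the miscalculation comes from a leading-whitespace loop that advances the start pointer without shrinking the length; `trim_nul_offset`, `demo_offset` and the sample strings are hypothetical and constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns the offset from buf[0] at which a whitespace-trimming routine
 * would store its terminating NUL. buf holds len characters plus a NUL,
 * so only offsets 0..len are inside the buffer.
 * adjust_len == 0: leading-space loop moves the start but keeps len (flawed).
 * adjust_len != 0: len shrinks with every skipped character (corrected). */
size_t trim_nul_offset(const char *buf, size_t len, int adjust_len)
{
    const char *p = buf;

    while (isspace((unsigned char)*p)) {   /* stops at the NUL */
        ++p;
        if (adjust_len)
            --len;
    }
    while (len-- > 0 && isspace((unsigned char)p[len]))
        continue;                          /* drop trailing whitespace */
    return (size_t)(p - buf) + len + 1;    /* index of p[len + 1] */
}

/* Constructed input: the logical buffer is the first len + 1 bytes of a
 * larger arena, so the flawed arithmetic can be observed without actually
 * touching memory outside an object. */
size_t demo_offset(const char *text, int adjust_len)
{
    char arena[64];
    size_t len = strlen(text);

    memset(arena, 'X', sizeof arena);
    memcpy(arena, text, len + 1);
    return trim_nul_offset(arena, len, adjust_len);
}

int main(void)
{
    const char *text = "   href ";         /* 3 leading, 1 trailing space */
    printf("buffer length:        %zu\n", strlen(text));
    printf("flawed NUL offset:    %zu\n", demo_offset(text, 0));
    printf("corrected NUL offset: %zu\n", demo_offset(text, 1));
    return 0;
}
```

With the flawed arithmetic the NUL lands past the end of the buffer by the number of leading whitespace characters, which is why the crashes depend on what happens to follow the allocation.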
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098
 https://httpd.apache.org/security/vulnerabilities_24.html
 http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES
 http://svn.apache.org/viewvc?view=revision&revision=1576716
 http://svn.apache.org/viewvc?view=revision&revision=1576706
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTKq52mqjQ0CJFipgRAnE4AJ9VvdPz8fTEBhXeuOOpB4ICr/mSXgCgjjqo
tbRNgzbwe6j2OyL9Q3x9jM8=
=T90d
-----END PGP SIGNATURE-----