-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:142
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : apache
Date    : July 30, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated apache package fixes security vulnerabilities:

A race condition flaw, leading to heap-based buffer overflows, was found
in the mod_status httpd module. A remote attacker able to access a status
page served by mod_status on a server using a threaded Multi-Processing
Module (MPM) could send a specially crafted request that would cause the
httpd child process to crash or, possibly, allow the attacker to execute
arbitrary code with the privileges of the apache user (CVE-2014-0226).

A denial of service flaw was found in the way httpd's mod_deflate module
handled request body decompression (configured via the DEFLATE input
filter). A remote attacker able to send a request whose body would be
decompressed could use this flaw to consume an excessive amount of system
memory and CPU on the target system (CVE-2014-0118).

A denial of service flaw was found in the way httpd's mod_cgid module
executed CGI scripts that did not read data from the standard input. A
remote attacker could submit a specially crafted request that would cause
the httpd child process to hang indefinitely (CVE-2014-0231).
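Two of the three flaws above only matter on hosts that meet a precondition the
advisory states: CVE-2014-0226 needs a mod_status page the attacker can reach,
and CVE-2014-0118 needs request bodies to be decompressed by the DEFLATE input
filter. The script below is an added example written for this page, not code
from Mandriva or the httpd project. It is a heuristic audit of one httpd 2.2
configuration file (Include directives are not followed, and the host-based
access rules are matched textually rather than evaluated), and it ships with two
constructed sample configs so it can be run offline.

```shell
#!/bin/sh
# Added example, not part of the Mandriva advisory or of httpd: heuristic check
# of an httpd 2.2 config file for the two preconditions the advisory names.
#   CVE-2014-0226: a mod_status handler reachable by remote clients
#   CVE-2014-0118: request-body decompression via "SetInputFilter DEFLATE"
# Only the single file given is inspected; Include directives are not followed.

# Print the body of every <Location> block that contains "SetHandler server-status".
status_location_bodies() {
    awk '
        tolower($0) ~ /^[ \t]*<location[ \t>]/ { inblock = 1; block = ""; hit = 0; next }
        tolower($0) ~ /^[ \t]*<\/location>/  { if (hit) printf "%s", block; inblock = 0; next }
        inblock { block = block $0 "\n"; if (tolower($0) ~ /sethandler[ \t]+server-status/) hit = 1 }
    ' "$1"
}

# Classify mod_status exposure in one config file. Prints "absent" (no status
# handler), "restricted" (an Allow/Deny from rule other than "Allow from all"
# is present) or "exposed" (no host restriction, or "Allow from all").
status_exposure() {
    bodies=$(status_location_bodies "$1")
    if [ -z "$bodies" ]; then
        echo absent
        return 0
    fi
    if printf '%s\n' "$bodies" | grep -Eiq '^[[:space:]]*allow[[:space:]]+from[[:space:]]+all[[:space:]]*$'; then
        echo exposed
        return 0
    fi
    if printf '%s\n' "$bodies" | grep -Eiq '^[[:space:]]*(allow|deny)[[:space:]]+from[[:space:]]'; then
        echo restricted
        return 0
    fi
    echo exposed
}

# Exit 0 when any SetInputFilter directive names DEFLATE, 1 otherwise.
deflate_input_enabled() {
    grep -Eiq '^[[:space:]]*SetInputFilter[[:space:]]+.*DEFLATE' "$1"
}

# Write two constructed sample configs into directory $1 (test data, not a
# real server's configuration).
write_sample_configs() {
    cat > "$1/exposed.conf" <<'EOF'
LoadModule status_module modules/mod_status.so
LoadModule deflate_module modules/mod_deflate.so
<Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>
<Location /upload>
    SetInputFilter DEFLATE
</Location>
EOF
    cat > "$1/restricted.conf" <<'EOF'
LoadModule status_module modules/mod_status.so
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
EOF
}

# Report on one config file; exit status 1 if either precondition holds.
audit_config() {
    exposure=$(status_exposure "$1")
    echo "$1: mod_status $exposure"
    audit_rc=0
    if [ "$exposure" = exposed ]; then
        audit_rc=1
    fi
    if deflate_input_enabled "$1"; then
        echo "$1: DEFLATE input filter enabled (request bodies are decompressed)"
        audit_rc=1
    else
        echo "$1: DEFLATE input filter not set"
    fi
    return $audit_rc
}

# Stand-alone run over the constructed samples.
sample_dir=$(mktemp -d)
write_sample_configs "$sample_dir"
audit_config "$sample_dir/exposed.conf" || echo "exposed.conf: both preconditions present"
audit_config "$sample_dir/restricted.conf"
rm -rf "$sample_dir"
```

Run it against a real file with `audit_config /etc/httpd/conf/httpd.conf` (the path
is an assumption; Mandriva's layout splits the configuration over several files,
so each file that may carry a Location or SetInputFilter directive has to be
passed separately). A "restricted" result only means a host rule exists; whether
the Order/Allow/Deny combination actually keeps remote clients out still has to
be read by a person.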
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
http://advisories.mageia.org/MGASA-2014-0304.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
e7ed0d96bdef964dcb281969c84ee246  mbs1/x86_64/apache-2.2.27-1.1.mbs1.x86_64.rpm
630779667690cc0344dc3a130922efb2  mbs1/x86_64/apache-devel-2.2.27-1.1.mbs1.x86_64.rpm
02f62e776b47bc71917bacc530116601  mbs1/x86_64/apache-doc-2.2.27-1.1.mbs1.noarch.rpm
5ac808d10784e0a0fed1b1238e965dc8  mbs1/x86_64/apache-htcacheclean-2.2.27-1.1.mbs1.x86_64.rpm
12d7209a6ac1af471fef5754d1efe901  mbs1/x86_64/apache-mod_authn_dbd-2.2.27-1.1.mbs1.x86_64.rpm
08e3be5cd2f1b233ead6ba70ee9a7e40  mbs1/x86_64/apache-mod_cache-2.2.27-1.1.mbs1.x86_64.rpm
9ca153c3ee32b84a5d6e694426d93b06  mbs1/x86_64/apache-mod_dav-2.2.27-1.1.mbs1.x86_64.rpm
a7df22dbf57ad3f926300dd250a8a34c  mbs1/x86_64/apache-mod_dbd-2.2.27-1.1.mbs1.x86_64.rpm
93fd5123adf783e19a7e77c49bb2bab8  mbs1/x86_64/apache-mod_deflate-2.2.27-1.1.mbs1.x86_64.rpm
e967eab04bbfefc1c038460652834e16  mbs1/x86_64/apache-mod_disk_cache-2.2.27-1.1.mbs1.x86_64.rpm
44c6603d4f40f820b702d107e367838e  mbs1/x86_64/apache-mod_file_cache-2.2.27-1.1.mbs1.x86_64.rpm
e257e68818d03a7e05f99f872aadb761  mbs1/x86_64/apache-mod_ldap-2.2.27-1.1.mbs1.x86_64.rpm
7636b2db4a8461242f3eaa58ca6c5810  mbs1/x86_64/apache-mod_mem_cache-2.2.27-1.1.mbs1.x86_64.rpm
795f09dd6508ce6f84683c0a4e0f50d8  mbs1/x86_64/apache-mod_proxy-2.2.27-1.1.mbs1.x86_64.rpm
31549291edb6d91b20dda3bbf4376f3e  mbs1/x86_64/apache-mod_proxy_ajp-2.2.27-1.1.mbs1.x86_64.rpm
231002ea53e9c7b1fdf78d2b415e7ebe  mbs1/x86_64/apache-mod_proxy_scgi-2.2.27-1.1.mbs1.x86_64.rpm
c5ec340109b8eb0aa36113ea2b9dff8b  mbs1/x86_64/apache-mod_reqtimeout-2.2.27-1.1.mbs1.x86_64.rpm
7b20b71e0c7e424212d2b941cc8e70b7  mbs1/x86_64/apache-mod_ssl-2.2.27-1.1.mbs1.x86_64.rpm
fb27d8413c6f22b94af69e23084e61b0  mbs1/x86_64/apache-mod_suexec-2.2.27-1.1.mbs1.x86_64.rpm
3965833259f643f0a7141451e442c7b2  mbs1/x86_64/apache-mod_userdir-2.2.27-1.1.mbs1.x86_64.rpm
2b7434565978780882e69bbaa9102907  mbs1/x86_64/apache-mpm-event-2.2.27-1.1.mbs1.x86_64.rpm
7c350be0d459259ce9c49c1cf51564d3  mbs1/x86_64/apache-mpm-itk-2.2.27-1.1.mbs1.x86_64.rpm
ef3a271c37fde6b19ab6adaacd3fd046  mbs1/x86_64/apache-mpm-peruser-2.2.27-1.1.mbs1.x86_64.rpm
cd7752c067797c22144f5299fe782d42  mbs1/x86_64/apache-mpm-prefork-2.2.27-1.1.mbs1.x86_64.rpm
7d8576115cb675340084b8fbf884fb94  mbs1/x86_64/apache-mpm-worker-2.2.27-1.1.mbs1.x86_64.rpm
8fd89d82d258f6cdfab8bc8bfa581872  mbs1/x86_64/apache-source-2.2.27-1.1.mbs1.noarch.rpm
5dd921dbff39365fa187e6a24975e5e8  mbs1/SRPMS/apache-2.2.27-1.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFT2LgtmqjQ0CJFipgRAjI4AKCa/EAlbAtSuYQmxwqlnBVwnpQQ4ACgqEFK
1ZYV3mxcngE2yTMgkLb4G+U=
=zVB3
-----END PGP SIGNATURE-----
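The advisory notes that urpmi verifies md5 checksums and GPG signatures on its
own. For packages fetched by hand, the script below shows how the "Updated
Packages" listing above can be turned into a checksum list and compared with
the downloaded files. It is an added example written for this page, not
Mandriva's tooling. It assumes the advisory text has been saved to a file and
that the RPMs sit together in one directory; the sample it runs on is
constructed (a placeholder file and an advisory fragment built around that
file's real md5, plus an all-zero placeholder hash for a package that is not
present). An md5 match only shows the file is the one the advisory lists;
authenticity still rests on the Mandriva GPG signature on the RPM and on the
signed advisory itself.

```shell
#!/bin/sh
# Added example, not Mandriva's tooling: check hand-downloaded RPMs against the
# md5 list in an advisory's "Updated Packages" section.
#   advisory_checksums <advisory.txt>          -> "<md5>  <file>.rpm" per listed package
#   verify_packages <advisory.txt> <rpm dir>   -> 0 all present packages match,
#                                                 1 a mismatch, 2 none of them found

# Turn listing lines of the form "<md5> <path>/<file>.rpm" into "<md5>  <file>.rpm".
advisory_checksums() {
    grep -Eo '[0-9a-f]{32}[[:space:]]+[^[:space:]]+\.rpm' "$1" \
    | sed -E 's#^([0-9a-f]{32})[[:space:]]+(.*/)?([^/[:space:]]+\.rpm)$#\1  \3#'
}

# Compare every listed package that is present in $2 against its advisory md5.
verify_packages() {
    list=$(mktemp) || return 2
    advisory_checksums "$1" > "$list"
    verify_rc=0
    verify_seen=0
    while read -r expected name; do
        [ -f "$2/$name" ] || continue            # not downloaded: nothing to check
        verify_seen=$((verify_seen + 1))
        actual=$(md5sum "$2/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name: advisory $expected, file $actual" >&2
            verify_rc=1
        fi
    done < "$list"
    rm -f "$list"
    if [ "$verify_seen" -eq 0 ]; then
        echo "none of the listed packages found in $2" >&2
        return 2
    fi
    return $verify_rc
}

# Build constructed sample data in directory $1: a placeholder "rpm" and an
# advisory fragment whose first md5 is that file's real digest and whose second
# md5 is an all-zero placeholder for a package that is not present.
write_sample() {
    printf 'placeholder bytes, not a real rpm\n' > "$1/apache-2.2.27-1.1.mbs1.x86_64.rpm"
    real=$(md5sum "$1/apache-2.2.27-1.1.mbs1.x86_64.rpm" | cut -d' ' -f1)
    cat > "$1/advisory.txt" <<EOF
 Updated Packages:

 Mandriva Business Server 1/X86_64:
 $real  mbs1/x86_64/apache-2.2.27-1.1.mbs1.x86_64.rpm
 00000000000000000000000000000000  mbs1/x86_64/apache-mod_ssl-2.2.27-1.1.mbs1.x86_64.rpm
EOF
}

# Stand-alone run: a clean check, then the same check after the file changed.
sample_dir=$(mktemp -d)
write_sample "$sample_dir"
verify_packages "$sample_dir/advisory.txt" "$sample_dir"
printf 'x' >> "$sample_dir/apache-2.2.27-1.1.mbs1.x86_64.rpm"   # simulate a corrupt download
verify_packages "$sample_dir/advisory.txt" "$sample_dir" || echo "exit status $?"
rm -rf "$sample_dir"
```

Against the real advisory, save the signed text as advisory.txt and run
`verify_packages advisory.txt /path/to/downloads`; packages listed but not
downloaded are skipped, so a clean result covers only what is actually in the
directory.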