* PGP Signed: 27/02/2013 at 18:41:00 Reference: CERT-EU Security Advisory 2013-0026 Title: New Apache HTTP server version corrects some vulnerabilities [1] Version history: 27.02.2013 Initial publication Summary ================ The Apache Software Foundation has released a new version the Apache HTTP server that fixes some vulnerabilities [1]. CVE-names[2]: CVE-2012-4558 Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. CVE-2012-3499 XSS in mod_proxy_balancer manager interface. Vulnerable systems ================== Versions 2.4.3 and earlier (see below for details). Original Details ================ Apache HTTP Server 2.4.4 is available for download from: http://httpd.apache.org/download.cgi Apache 2.4 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.4 please see: http://httpd.apache.org/docs/trunk/new_features_2_4.html Please see the CHANGES_2.4 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.4.4 includes only those changes introduced since the prior 2.4 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available: http://httpd.apache.org/security/vulnerabilities_24.html This release requires the Apache Portable Runtime (APR) version 1.4.x and APR-Util version 1.4.x. The APR libraries must be upgraded for all features of httpd to operate correctly. This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and require minimal or no source code changes. http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe. What can you do? ================ Affected users should upgrade to Apache HTTP server 2.4.4 [1]. Please refer to your vendor, Linux distributor, etc. for an update of your flavour of the software. What to tell your users? ======================== N/A More information ================ [1] http://www.apache.org/dist/httpd/Announcement2.4.html [2] Information about CVSS: http://www.first.org/cvss/cvss-guide.html Best regards, * CERT for the European Institutions * 0x46AC4383:0xC8F12568(L)