Reference: CERT-EU Security Advisory 2013-0059

Title: Apache Security Update

Version history:
02.08.2013 Initial publication

Summary
=======

The Apache Software Foundation and the Apache HTTP Server Project have released a new version of Apache Httpd server which solves several vulnerabilities.

Vulnerable systems
==================

2.4, 2.2, 2.0

See Original Details below.

Original Details
================

1) Fixed in Apache httpd 2.4.6:
=============

moderate: mod_dav crash CVE-2013-1896

Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

Affects: 2.4.4, 2.4.3, 2.4.2, 2.4.1

moderate: mod_session_dbd session fixation flaw CVE-2013-2249

A flaw in mod_session_dbd caused it to proceed with save operations for a session without considering the dirty flag and the requirement for a new session ID.

Affects: 2.4.4, 2.4.3, 2.4.2, 2.4.1

2) Fixed in Apache httpd 2.2.25:
=============

low: mod_rewrite log escape filtering CVE-2013-1862

mod_rewrite does not filter terminal escape sequences from logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.

Affects: 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

moderate: mod_dav crash CVE-2013-1896

Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

Affects: 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.2.17, 2.2.16, 2.2.15, 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0

3) Fixed in Apache httpd 2.0.65
=============

important: Range header remote DoS CVE-2011-3192

A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. This could be used in a denial of service attack.

Advisory: CVE-2011-3192.txt

Affects: 2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

low: mod_rewrite log escape filtering CVE-2013-1862

mod_rewrite does not filter terminal escape sequences from logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.

Affects: 2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

low: mod_setenvif .htaccess privilege escalation CVE-2011-3607

An integer overflow flaw was found which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file.

Affects: 2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

low: scoreboard parent DoS CVE-2012-0031

A flaw was found in the handling of the scoreboard. An unprivileged child process could cause the parent process to crash at shutdown rather than terminate cleanly.

Affects: 2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

moderate: error responses can expose cookies CVE-2012-0053

A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is specified.

Affects: 2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

moderate: mod_proxy reverse proxy exposure CVE-2011-3368

An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker.

Affects: 2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

moderate: apr_fnmatch flaw leads to mod_autoindex remote DoS CVE-2011-0419

A flaw was found in the apr_fnmatch() function of the bundled APR library. Where mod_autoindex is enabled, and a directory indexed by mod_autoindex contained files with sufficiently long names, a remote attacker could send a carefully crafted request which would cause excessive CPU usage. This could be used in a denial of service attack.

Workaround: Setting the 'IgnoreClient' option to the 'IndexOptions' directive disables processing of the client-supplied request query arguments, preventing this attack.

Resolution: Update APR to release 0.9.20 (to be bundled with httpd 2.0.65)

Affects: 2.0.64, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35

What can you do?
================

Patches available at [1]

What to tell your users?
========================

N/A

More information
================

[1] http://httpd.apache.org/
[2] http://httpd.apache.org/security/vulnerabilities_24.html
[3] http://httpd.apache.org/security/vulnerabilities_22.html
[4] http://httpd.apache.org/security/vulnerabilities_20.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
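
Added example, not part of the CERT-EU advisory or of Apache's code, relating to CVE-2013-1862 above: on servers not yet updated, rewrite logs can be checked for terminal escape sequences and rendered inertly before anyone views them in a terminal. The log lines are constructed samples and the names `ESCAPE_SEQ`, `visible` and `scan` are hypothetical.

```python
import re

# Matches CSI and OSC sequences, other two-character ESC sequences, and any
# remaining control character (tab is left alone; lines are split on newline).
ESCAPE_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"   # OSC: ESC ] text, ended by BEL or ESC \
    r"|\x1b[@-Z\\-_]"                        # other two-character ESC sequences
    r"|[\x00-\x08\x0b-\x1f\x7f-\x9f]"        # any other C0/C1 control character
)

def is_control(ch):
    return ord(ch) < 0x20 or 0x7f <= ord(ch) <= 0x9f

def visible(text):
    """Render control characters as literal \\xNN so a terminal cannot act on them."""
    def render(match):
        return "".join(f"\\x{ord(c):02x}" if is_control(c) else c
                       for c in match.group())
    return ESCAPE_SEQ.sub(render, text)

def scan(lines):
    """Return (line number, sequence count, inert rendering) per suspicious line."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        count = sum(1 for _ in ESCAPE_SEQ.finditer(line))
        if count:
            findings.append((lineno, count, visible(line)))
    return findings

# Constructed sample lines (simplified; not the exact RewriteLog layout).
SAMPLE = [
    "192.0.2.10 [02/Aug/2013:10:00:00 +0200] (2) init rewrite engine "
    "with requested uri /index.html\n",
    "192.0.2.77 [02/Aug/2013:10:00:05 +0200] (2) init rewrite engine "
    "with requested uri /a\x1b[31m\x1b]0;title\x07b\n",
    "192.0.2.78 [02/Aug/2013:10:00:09 +0200] (2) init rewrite engine "
    "with requested uri /c\rd\n",
]

if __name__ == "__main__":
    for lineno, count, shown in scan(SAMPLE):
        print(f"line {lineno}: {count} control sequence(s): {shown}")
```

When reading a real log file, open it with `encoding="latin-1"` so every byte maps to exactly one character and no control byte is lost to a decoding error.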