Award-Winning Line of Web Content, DLP and Messaging Security Appliances to Go Virtual
Apache HTTP Server 2.4.1 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the GA release of version 2.4.1 of the Apache HTTP Server. This version of Apache HTTP Server is the first GA release of the new 2.4.x branch. Apache HTTP Server 2.4 provides a number of improvements and enhancements over the 2.2 version. A listing and description of these features is available via: http://httpd.apache.org/docs/2.4/new_features_2_4.html Please see the CHANGES_2.4 file, linked from the download page, for a full list of changes. We consider this release to be the best version of Apache HTTP Server available, and encourage users of all prior versions to upgrade. Apache HTTP Server 2.4.1 is available for download from: http://httpd.apache.org/download.cgi This release requires the Apache Portable Runtime (APR) version 1.4.x and APR-Util version 1.4.x. The APR libraries must be upgraded for all features of httpd to operate correctly. This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and may require minimal source code changes. http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html A summary of all of the security vulnerabilities addressed in this and earlier releases is available: http://httpd.apache.org/security/vulnerabilities_24.html Important: Windows users: AcceptFilter None has replaced Win32DisableAcceptEx and the feature appears to have interoperability issues with mod_ssl. Apache 2.4.1 may not yet be suitable for all Windows servers. There is not yet a Windows binary distribution of httpd 2.4, but this is expected to be remedied soon as various dependencies graduate from beta to GA.
common_startup.cc in PowerDNS (aka pdns) Authoritative Server before 188.8.131.52 and 3.x before 3.0.1 allows remote attackers to cause a denial of service (packet loop) via a crafted UDP DNS response.
Google Chrome before 17.0.963.56 does not properly parse H.264 data, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
- Advisory ID: DRUPAL-SA-CORE-2012-001
- Project: Drupal core
- Version: 6.x, 7.x
- Date: 2012-February-01
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Cross Site Request Forgery vulnerability in Aggregator module
An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited (e.g. Twitter limits requests to 150 per hour) this could lead to a denial of service.
This issue affects Drupal 6.x and 7.x.
OpenID not verifying signed attributes in SREG and AX
A group of security researchers identified a flaw in how some OpenID relying parties implement Attribute Exchange (AX). Not verifying that attributes being passed through AX have been signed could allow an attacker to modify users’ information.
This issue affects Drupal 6.x and 7.x.
Access bypass in File module
When using private files in combination with certain field access modules, the File module will allow users to download the file even if they do not have access to view the field it was attached to.
This issue affects Drupal 7.x only.
- Drupal 6.x core prior to 6.23.
- Drupal 7.x core prior to 7.11.
Install the latest version:
See also the Drupal core project page.
- The Aggregator module CSRF vulnerability was reported by Dylan Tack of the Drupal Security Team.
- The OpenID vulnerability was reported by Rui Wang, Shuo Chen and Xiao Feng Wang.
- The File module access bypass issue was reported by David Rothstein of the Drupal Security Team, and by Sascha Grossenbacher.
- Aggregator CSRF issue fixed by Dave Reid of the Drupal Security Team
- OpenID issue fixed by Vojtech Kusy and Christian Schmidt
- The File module access bypass issue was fixed by David Rothstein of the Drupal Security Team, Sascha Grossenbacher, and Derek Wright of the Drupal Security Team.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.