[ANNOUNCEMENT] Apache HTTP Server (httpd) 2.2.26 Released

                      Apache HTTP Server 2.2.26 Released

  The Apache Software Foundation and the Apache HTTP Server Project are
  pleased to announce the release of version 2.2.26 of the Apache HTTP
  Server ("Apache").  This version of Apache is principally a bug fix
  maintenance release.

  We consider the Apache HTTP Server 2.4 release to be the best version
  of Apache available, and encourage users of 2.2 and all prior versions
  to upgrade.  This 2.2 maintenance release is offered for those unable
  to upgrade at this time.  For further details, see:

    http://www.apache.org/dist/httpd/Announcement2.4.txt

  Apache HTTP Server 2.4 and 2.2.26 are available for download from:

    http://httpd.apache.org/download.cgi

  Please see the CHANGES_2.2 file, linked from the download page, for a
  full list of changes.  A condensed list, CHANGES_2.2.26, includes only
  those changes introduced since the prior 2.2 release.  A summary of all
  of the security vulnerabilities addressed in this and earlier releases
  is available:

    http://httpd.apache.org/security/vulnerabilities_22.html

  This release includes the Apache Portable Runtime (APR) version 1.4.8
  and APR Utility Library (APR-util) version 1.5.2, bundled with the tar
  and zip distributions.  The APR libraries libapr and libaprutil (and
  on Win32, libapriconv version 1.2.1) must all be updated to ensure
  binary compatibility and address many known security and platform bugs.
  APR-util version 1.5 represents a minor version upgrade from earlier
  httpd 2.2 source distributions.

  This release builds on and extends the Apache 2.0 API and is superseded
  by the Apache 2.4 API.  Modules written for Apache 2.0 or 2.4 will need
  to be recompiled in order to run with Apache 2.2, and most will require
  minimal or no source code changes.

  When upgrading or installing this version of Apache, please bear in mind
  that if you intend to use Apache with one of the threaded MPMs (other
  than the Prefork MPM), you must ensure that any modules you will be
  using (and the libraries they depend on) are thread-safe.




TA13-317A: Microsoft Updates for Multiple Vulnerabilities

Original release date: November 13, 2013 | Last revised: November 16, 2013

Systems Affected

  • Windows Operating System and Components
  • Microsoft Office
  • Internet Explorer

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for November 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities. The November Security Bulletin includes a patch for the new “watering hole” campaign which utilizes a US-based website that specializes in domestic and international security policy.

Impact

These vulnerabilities could allow remote code execution, elevation of privilege, information disclosure or denial of service.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for November 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

Revision History

  • November 13, 2013: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

[BSA-086] Security update for strongswan

Updated strongswan packages for squeeze-backports and wheezy-backports
fix the following vulnerabilities:

- CVE-2013-2944: When using the openssl plugin for ECDSA based
  authentication, an empty, zeroed or otherwise invalid signature is
  handled as a legitimate one.

- CVE-2013-6075: DoS vulnerability and potential authorization bypass
  triggered by a crafted ID_DER_ASN1_DN ID payload.

- CVE-2013-6076: DoS vulnerability triggered by crafted IKEv1
  fragmentation payloads.

The squeeze-backports distribution was affected by CVE-2013-2944 and
CVE-2013-6075. These problems have been fixed in version
4.5.2-1.5+deb7u2~bpo60+1.

The wheezy-backports distribution was affected by CVE-2013-6075 and
CVE-2013-6076. These problems have been fixed in version
5.1.0-3~bpo70+1.

[BSA-085] Security Update for roundcube

Package        : roundcube
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6172
Debian Bug     : 727668

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, does not properly sanitize the _session
parameter in steps/utils/save_pref.inc during saving preferences. The
vulnerability can be exploited to overwrite configuration settings and
subsequently allow random file access, manipulated SQL queries and
even code execution.

roundcube in the oldstable distribution (squeeze) is not affected by
this problem.

For backports for the oldstable distribution (squeeze-backports-sloppy),
this problem has been fixed in 0.9.5-1~bpo60+1.

For the stable distribution (wheezy), this problem has been fixed in
version 0.7.2-9+deb7u1.

For backports for the stable distribution (wheezy-backports),
this problem has been fixed in 0.9.5-1~bpo70+1.

For the unstable distribution (sid), this

[BSA-087] Security Update for openssh

Colin Watson uploaded new packages for openssh which fixed the following
security problems:

CVE-2013-4548
  A memory corruption vulnerability exists in the post-authentication
  sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or
  aes256-gcm@openssh.com) is selected during kex exchange.

  If exploited, this vulnerability might permit code execution with the
  privileges of the authenticated user and may therefore allow bypassing
  restricted shell/command configurations.

  https://security-tracker.debian.org/tracker/CVE-2013-4548

For the wheezy-backports distribution, this problem has been fixed in
version 1:6.4p1-1~bpo70+1.

For the testing (jessie) and unstable (sid) distributions, this problem
has been fixed in version 1:6.4p1-1.

Other distributions are not vulnerable.

CVE-2013-4508

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network. (CVSS:5.8) (Last Update:2014-01-23)

TA13-309A: CryptoLocker Ransomware Infections

Original release date: November 05, 2013 | Last revised: August 18, 2014

Systems Affected

Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.  If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.  US-CERT and DHS encourage users and administrators experiencing a ransomware infection to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

Mitigation

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

  • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware.
  • If possible, change all online account passwords and network passwords after removing the system from the network. Change all system passwords once the malware is removed from the system.
  • If your computer has not yet been encrypted with the CryptoLocker malware, the tools listed in TA14-150A may be able to remove this malware from your machine.
  • FireEye and Fox-IT have created a web portal claiming to restore/decrypt files of CryptoLocker victims. US-CERT has performed no evaluation of this claim, but is providing a link to enable individuals to make their own determination of suitability for their needs. At present, US-CERT is not aware of any other product that claims similar functionality. (Note: DHS does not endorse any private sector product or service.  The link above is provided for informational purposes only.)

Revision History

  • November 5, 2013: Initial Release
  • November 13, 2013: Update to Systems Affected (inclusion of Windows 8)
  • November 15, 2013: Updates to Impact and Prevention sections.
  • November 18, 2013: Updated Prevention and Mitigation Sections
  • June 2, 2014: Update to include GameOver Zeus Alert (TA14-150A) reference in Mitigation Section
  • August 15, 2014: Updated Mitigation section for FireEye and Fox-IT

CVE-2013-6114

Integer overflow in the OZDocument::parseElement function in Apple Motion 5.0.7 allows remote attackers to cause a denial of service (application crash) via a (1) large or (2) small value in the subview attribute of a viewer element in a .motn file. (CVSS:5.0) (Last Update:2014-01-13)