envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl. (CVSS:6.9) (Last Update:2013-09-17)
[ANNOUNCEMENT] Apache HTTP Server 2.4.2 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.2 of the Apache HTTP Server ("Apache"). This version of Apache is our 2nd GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases.

This version of Apache is principally a security and bug fix release, including the following security fix:

*) SECURITY: CVE-2012-0883 (cve.mitre.org) envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory being searched for DSOs.

Apache HTTP Server 2.4.2 is available for download from: http://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of the new features introduced in 2.4 please see: http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.4.2, includes only those changes introduced since the prior 2.4 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available: http://httpd.apache.org/security/vulnerabilities_24.html

This release requires the Apache Portable Runtime (APR) version 1.4.x and APR-Util version 1.4.x. The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and require minimal or no source code changes. http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.

NOTE to Windows users: AcceptFilter None has replaced Win32DisableAcceptEx and the feature appears to have interoperability issues with mod_ssl. Apache 2.4.2 may not yet be suitable for all Windows servers. There is not yet a Windows binary distribution of httpd 2.4, but this is expected to be remedied soon as various dependencies graduate from beta to GA.
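The mechanism behind CVE-2012-0883 (the envvars entry above and the CVE text at the top of this page) is a zero-length element in LD_LIBRARY_PATH, which the dynamic loader treats as the current working directory. The script below is an added example and is not code from httpd's envvars or envvars-std; the lib directory /opt/httpd/lib and the function names are placeholders. It shows the unconditional-prepend pattern that yields a trailing colon when the inherited variable is empty, the guarded form that does not, a check for empty elements, and an expansion of a path list into the directory order the loader will try.

```shell
#!/bin/sh
# Added example, not code from httpd's envvars script. The directory
# /opt/httpd/lib and the function names are placeholders for illustration.

# The pattern behind CVE-2012-0883: prepend httpd's lib dir to whatever
# LD_LIBRARY_PATH the caller of apachectl had. When the inherited value ($2)
# is empty, the result ends in ":" and therefore contains an empty element.
unsafe_prepend() {
    printf '%s:%s' "$1" "$2"
}

# Hardened form: only emit the separator when there is something to separate.
safe_prepend() {
    if [ -n "$2" ]; then
        printf '%s:%s' "$1" "$2"
    else
        printf '%s' "$1"
    fi
}

# Exit 0 when a colon-separated path list has an empty element: a leading
# colon, a trailing colon, or "::" in the middle. The dynamic loader searches
# the current working directory for such an element.
has_empty_element() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Expand a path list into the directory order the loader will try, writing
# "." wherever an element is empty so the exposure is visible at a glance.
# Output is the directories on one line, space-separated.
search_dirs() {
    rest="$1"
    out=""
    more=1
    while [ "$more" -eq 1 ]; do
        case "$rest" in
            *:*) elem="${rest%%:*}"; rest="${rest#*:}" ;;
            *)   elem="$rest"; more=0 ;;
        esac
        if [ -z "$elem" ]; then
            elem="."
        fi
        out="${out}${out:+ }${elem}"
    done
    printf '%s' "$out"
}
```

With no inherited LD_LIBRARY_PATH, unsafe_prepend yields "/opt/httpd/lib:", which search_dirs expands to "/opt/httpd/lib ." and has_empty_element flags; safe_prepend yields "/opt/httpd/lib" and is clean. To audit an already running httpd on Linux, feed it the value from the process environment, for example `has_empty_element "$(tr '\0' '\n' < /proc/PID/environ | sed -n 's/^LD_LIBRARY_PATH=//p')"`, substituting the httpd parent PID.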
Invitation to the Confucian Culture and CEO Wisdom (EMBA) Course Advanced Study Program
On 19-21 May 2012 the [N]th National (including Hong Kong, Macau and Taiwan) Confucian Culture and CEO Wisdom (EMBA) Course Advanced Study Program will be held in [host city]; we cordially invite you to attend. Click the link http://www.zhkzwhyj.com/yjy/html/?85.html directly, or visit the official site of the "Chinese Confucius Culture Research Association" at http://www.zhkzwhyj.com for details. Wishing you good fortune, good health and all the best!
[BSA-070] Security Update for samba
I uploaded new packages for samba which fix the following security problem: CVE-2012-1182 PIDL based autogenerated code allows overwriting beyond the allocated array. For the squeeze-backports distribution the problems have been fixed in version 2:3.6.4-1~bpo60+1.
CVE-2012-1574
The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors. (CVSS:6.5) (Last Update:2012-12-05)
WatchGuard Recognized as a UTM Market Leader
lenny backports discontinued
Following the normal Debian archive, lenny-backports is now discontinued. That means that no upload will be possible anymore and lenny-backports(-sloppy) gets moved to archive.debian.org. If you haven't updated yet, now is the time to move to squeeze.

Some numbers about lenny-backports and lenny-backports-sloppy:
- Source packages: lenny-backports: 667 - sloppy: 21
- Uploads: lenny-backports: 1445 - sloppy: 51
- Contributors: lenny-backports: 146 - sloppy: 17

Without all those contributors lenny-backports wouldn't have been possible. Thank you very much for your support!

Alex and Rhonda - backports.debian.org ftpmasters

P.S. and of course a big thanks to ganneff, without him we wouldn't be able to run the dak monster :)
WatchGuard Wins Security Industry's Global Excellence Award for Medium Enterprise Security Solution
CVE-2012-1181
fcgid_spawn_ctl.c in the mod_fcgid module 2.3.6 for the Apache HTTP Server does not recognize the FcgidMaxProcessesPerClass directive for a virtual host, which makes it easier for remote attackers to cause a denial of service (memory consumption) via a series of HTTP requests that triggers a process count higher than the intended limit. (CVSS:5.0) (Last Update:2012-09-07)
CVE-2012-0612 (iphone_os, itunes, safari)
WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-03-07-1 and APPLE-SA-2012-03-07-2.