Stack consumption vulnerability in the WebCore::CSSSelector function in WebKit, as used in Apple Safari 4.0.4, Apple Safari on iPhone OS and iPhone OS for iPod touch, and Google Chrome 4.0.249, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a STYLE element composed of a large number of *> sequences. (CVSS:5.0) (Last Update:2012-01-26)
[Announce] Apache HTTP Server (httpd) 2.2.15 Released
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release and immediate availability of version 2.2.15 of the Apache HTTP Server ("httpd"). This version of httpd is principally a security and bug fix release.

Notably, this release was updated to reflect the OpenSSL Project's release 0.9.8m of the openssl library, and addresses CVE-2009-3555 (cve.mitre.org), the TLS renegotiation prefix injection attack. This release further addresses the issues CVE-2010-0408, CVE-2010-0425 and CVE-2010-0434 within mod_proxy_ajp, mod_isapi and mod_headers respectively.

We consider this release to be the best version of httpd available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.15 is available for download from: http://httpd.apache.org/download.cgi

Please see the CHANGES_2.2 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.2.15, provides the complete list of changes since 2.2.14.

A summary of security vulnerabilities which were addressed in the previous 2.2.14 and earlier releases is available: http://httpd.apache.org/security/vulnerabilities_22.html

Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime (APR) versions 1.3 and 1.4, APR-util library version 1.3, and APR-iconv library version 1.2. The most current releases should be used to address known security and platform bugs. At the time of this httpd release, the recommended APR releases are:
* Apache Portable Runtime (APR) library version 1.4.2 (bundled), or at minimum, version 1.3.12
* APR-util library version 1.3.9 (bundled)
* APR-iconv library version 1.2.1 (only bundled in win32-src.zip)
Older releases of these libraries have known vulnerabilities or other defects affecting httpd. For further information and downloads, visit: http://apr.apache.org/

Apache HTTP Server 2.2 offers numerous enhancements, bug fixes, and performance enhancements over the 2.0 codebase. For an overview of new features introduced since 2.0 please see: http://httpd.apache.org/docs/2.2/new_features_2_2.html

This release builds upon and extends the httpd 2.0 API. Modules written for httpd 2.0 will need to be recompiled in order to run with httpd 2.2, and may require minimal or no source code changes.

When upgrading or installing this version of httpd, please bear in mind that if you intend to use httpd with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.
SA-CORE-2010-001 – Drupal core – Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2010-001
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2010-March-03
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting, Open redirect, Authorization vulnerability
Description
Multiple vulnerabilities and weaknesses were discovered in Drupal.
Installation cross site scripting
A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.
This issue affects Drupal 6.x only.
Open redirection
The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.
This issue affects Drupal 5.x and 6.x.
Locale module cross site scripting
Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the ‘administer languages’ permission.
This issue affects Drupal 5.x and 6.x.
Blocked user session regeneration
Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked.
This issue affects Drupal 5.x and 6.x.
Versions affected
- Drupal 6.x before version 6.16.
- Drupal 5.x before version 5.22.
Solution
Install the latest version:
- If you are running Drupal 6.x then upgrade to Drupal 6.16.
- If you are running Drupal 5.x then upgrade to Drupal 5.22.
Drupal 5 will no longer be maintained when Drupal 7 is released. Upgrading to Drupal 6 is recommended.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerabilities, but do not contain other fixes which were released in Drupal 6.16 or Drupal 5.22.
- To patch Drupal 6.15 use SA-CORE-2010-001-6.15.patch.
- To patch Drupal 5.21 use SA-CORE-2010-001-5.21.patch.
Reported by
The installation cross site scripting issue was reported by David Rothstein (*).
The open redirection was reported by Martin Barbella.
The locale module cross site scripting was reported by Justin Klein Keane.
The blocked user session regeneration issue was reported by Craig A. Hancock.
(*) Member of the Drupal security team.
Fixed by
The installation cross site scripting issue was fixed by Heine Deelstra.
The open redirection was fixed by Gerhard Killesreiter and Heine Deelstra.
The locale module cross site scripting was fixed by Stéphane Corlosquet, Peter Wolanin, Heine Deelstra and Neil Drumm.
The blocked user session regeneration issue was fixed by Gerhard Killesreiter.
All the fixes were done by members of the Drupal security team.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Oracle Security Alert for CVE-2010-0073 – February 2010
Apache HTTP Server 1.3.42 released (final release of 1.3.x)
Apache HTTP Server 1.3.42 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 1.3.42 of the Apache HTTP Server ("Apache"). This release is intended as the final release of version 1.3 of the Apache HTTP Server, which has reached end of life status. There will be no more full releases of Apache HTTP Server 1.3. However, critical security updates may be made available from the following website: http://www.apache.org/dist/httpd/patches/

Our thanks go to everyone who has helped make Apache HTTP Server 1.3 the most successful, and most used, webserver software on the planet!

This Announcement notes the significant changes in 1.3.42 as compared to 1.3.41. This version of Apache is principally a bug and security fix release. The following moderate security flaw has been addressed:
* CVE-2010-0010 (cve.mitre.org) mod_proxy: Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

Please see the CHANGES_1.3.42 file in this directory for a full list of changes for this version.

Apache 1.3.42 is the final stable release of the Apache 1.3 family. We strongly recommend that users of all earlier versions, including 1.3 family releases, upgrade to the current 2.2 version as soon as possible. For information about how to upgrade, please see the documentation: http://httpd.apache.org/docs/2.2/upgrading.html

Apache 1.3.42 is available for download from http://httpd.apache.org/download.cgi This service utilizes the network of mirrors listed at: http://www.apache.org/mirrors/

Binary distributions may be available for your specific platform from http://www.apache.org/dist/httpd/binaries/ Binaries distributed by the Apache HTTP Server Project are provided as a courtesy by individual project contributors. The project makes no commitment to release the Apache HTTP Server in binary form for any particular platform, nor on any particular schedule.

IMPORTANT NOTE FOR APACHE USERS: Apache 1.3 was designed for Unix OS variants. While the ports to non-Unix platforms (such as Win32, Netware or OS2) will function for some applications, Apache 1.3 is not designed for these platforms. Apache 2 was designed from the ground up for security, stability and performance across all modern operating systems. Users of any non-Unix ports are strongly cautioned to move to Apache 2. The Apache project no longer distributes non-Unix platform binaries from the main download pages for Apache 1.3. If absolutely necessary, a binary may be available at http://archive.apache.org/dist/httpd/.

Apache 1.3.42 Major changes

Security vulnerabilities
The main security vulnerabilities addressed in 1.3.42 are:
*) SECURITY: CVE-2010-0010 (cve.mitre.org) mod_proxy: Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long). Reported by Adam Zabrocki.

Bugfixes addressed in 1.3.42 are:
*) Protect logresolve from mismanaged DNS records that return blank/null hostnames.

-- Colm MacCárthaigh
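As an added illustration of the bug class named in the CVE-2010-0010 entry above (this is example code, not Apache's code and not the mod_proxy patch), the narrowing pattern sits beside a bounded parser; the chunk-size line format and the INT_MAX limit are assumptions made for the illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>

/* Added example, not Apache's code. A chunk-size line is assumed to look
 * like "1a3f;ext=val\r\n": hex digits, optional extension, CRLF. */

/* The weak pattern: parse into a long, store into an int. Where
 * sizeof(int) < sizeof(long), "100000010" (0x1_0000_0010) silently
 * becomes 16, so later code trusts a length that is not the one sent. */
int naive_chunk_size(const char *line)
{
    int n = (int)strtol(line, NULL, 16);   /* narrowing conversion */
    return n;
}

/* Hardened parser: accumulate with an explicit bound so that any value
 * the caller's int cannot hold is rejected rather than truncated.
 * Returns 0 and stores the size in *out, or -1 on a malformed or
 * oversized line. */
int parse_chunk_size(const char *line, int *out)
{
    unsigned long v = 0;
    int ndigits = 0;
    const char *p = line;

    while (isxdigit((unsigned char)*p)) {
        int c = tolower((unsigned char)*p);
        int d = isdigit(c) ? c - '0' : c - 'a' + 10;
        /* would v*16 + d exceed INT_MAX? check before multiplying */
        if (v > ((unsigned long)INT_MAX - (unsigned long)d) / 16UL)
            return -1;
        v = v * 16UL + (unsigned long)d;
        ndigits++;
        p++;
    }
    if (ndigits == 0)
        return -1;                       /* no hex digits at all */
    /* only a chunk extension, trailing blanks or CRLF may follow */
    if (*p != ';' && *p != ' ' && *p != '\t' &&
        *p != '\r' && *p != '\n' && *p != '\0')
        return -1;
    *out = (int)v;                       /* safe: v <= INT_MAX */
    return 0;
}

/* Convenience wrapper: the parsed size, or -1 if the line was rejected. */
int chunk_size_or_neg1(const char *line)
{
    int n;
    return parse_chunk_size(line, &n) == 0 ? n : -1;
}
```

The result of naive_chunk_size depends on the platform's long width, which is exactly why it is not something a reader should rely on; parse_chunk_size behaves the same everywhere.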
CVE-2010-0295
lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. (CVSS:5.0) (Last Update:2011-01-26)
Apache HTTP Server 2.3.5-alpha Released
Apache HTTP Server 2.3.5-alpha Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.3.5-alpha of the Apache HTTP Server ("Apache"). This version of Apache is principally an alpha release to test new technology and features that are incompatible or too large for the stable 2.2.x branch. This alpha release should not be presumed to be compatible with binaries built against any prior or future version.

Apache HTTP Server 2.3.5-alpha is available for download from: http://httpd.apache.org/download.cgi

Apache 2.3 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.3 please see: http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.3 file, linked from the download page, for a full list of changes.

This release includes the Apache Portable Runtime (APR) version 1.4.2 and APR-Util version 1.3.9 in a separate -deps tarball. The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.3, and require minimal or no source code changes. http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING
Critical Patch Update – January 2010
SA-CORE-2009-009 – Drupal Core – Cross site scripting
- Advisory ID: DRUPAL-SA-CORE-2009-009
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2009-December-16
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
Description
Multiple vulnerabilities were discovered in Drupal.
Contact category name cross-site scripting
The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).
This issue affects Drupal 6.x and Drupal 5.x.
Menu description cross-site scripting
The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).
This issue affects Drupal 6.x only.
Versions affected
- Drupal 5.x before version 5.21.
- Drupal 6.x before version 6.15.
Solution
Install the latest version:
- If you are running Drupal 6.x then upgrade to Drupal 6.15.
- If you are running Drupal 5.x then upgrade to Drupal 5.21.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade. These patches fix the security vulnerability, but do not contain other fixes which were released in Drupal 5.21 or Drupal 6.15.
- To patch Drupal 6.14 use SA-CORE-2009-009-6.14.patch.
- To patch Drupal 5.20 use SA-CORE-2009-009-5.20.patch.
Reported by
The contact category XSS issue was independently reported by mr.baileys and Justin Klein Keane.
The menu description XSS issue was reported by mr.baileys.
Fixed by
The contact category XSS issue was fixed by Justin Klein Keane and Dave Reid.
The menu description XSS issue was fixed by Gábor Hojtsy and Heine Deelstra.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Confirm your subscription request to perlulivo

Hello [email protected], we have received your request to join the group perlulivo, one of the groups on Yahoo! Groups, a free and easy-to-use service for creating and joining many communities. This request expires in 7 days.

TO JOIN THE GROUP YOU MUST:
1) Go to Yahoo! Groups by clicking this link: http://it.groups.yahoo.com/i?i=eecdlcvukwi1ahar5rvg4css40rxcxgk&e=announce-archive%40httpd%2Eapache%2Eorg (If clicking the link does not open a browser window, try copying the address and pasting it into a browser window.)
-OR-
2) REPLY to this e-mail message by clicking the "Reply" button and then the "Send" button in your mail program.

If you did not request this subscription to perlulivo, or no longer wish to complete it, ignore this message.

Regards,
The Yahoo! Groups team

Use of Yahoo! Groups is subject to http://it.docs.yahoo.com/info/utos.html