[packaging] [Bug 3986] New: Multiple vulnerabilities in bundled apache2 httpd
noreply at kolab.org
Wed Nov 26 09:30:08 CET 2014
Bug ID: 3986
Summary: Multiple vulnerabilities in bundled apache2 httpd
Classification: Kolab Server
Product: Kolab Server
OS: Debian Wheezy
Assignee: packaging-bugs at lists.kolabsys.com
Reporter: kolab at sicherha.de
Ticket Type: ---
The bundled apache2 package shipped with Kolab for the Debian_7.0 and
Ubuntu_12.04 platforms has not been maintained for two years. Since then, a
number of vulnerabilities have been discovered, including cross-site scripting,
denial of service, man-in-the-middle attacks, local privilege escalation,
information disclosure and remote code execution:
The modules mod_info, mod_status, mod_imagemap, mod_ldap, and
mod_proxy_ftp did not properly escape hostnames and URIs in
HTML output, causing cross site scripting vulnerabilities.
A flaw was found when mod_proxy_ajp connects to a backend
server that takes too long to respond. Given a specific
configuration, a remote attacker could send certain requests,
putting a backend server into an error state until the retry
timeout expired. This could lead to a temporary denial of
Mod_proxy_balancer did not properly escape hostnames and URIs
in its balancer-manager interface, causing a cross site scripting
If using SSL/TLS data compression with HTTPS in a connection
to a web browser, man-in-the-middle attackers may obtain
plaintext HTTP headers. This issue is known as the "CRIME"
attack. This update of apache2 disables SSL compression by
default. A new SSLCompression directive has been backported
that may be used to re-enable SSL data compression in
environments where the "CRIME" attack is not an issue.
For more information, please refer to:
Hayawardh Vijayakumar noticed that the apache2ctl script created
the lock directory in an unsafe manner, allowing a local attacker
to gain elevated privileges via a symlink attack. This is a Debian
It was found that mod_rewrite writes data to a log file without
sanitizing non-printable characters. A remote attacker could use
this flaw to write terminal escape sequences to log files (if the
RewriteLog directive was used by mod_rewrite). This could possibly
cause arbitrary command execution, via HTTP requests containing an
escape sequence for a terminal emulator (if, for example, the log
files were viewed in a terminal emulator).
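The mod_rewrite entry above is about request data reaching a log file unescaped. The following is an added example, not code from this report, from Kolab or from Apache: a small Python audit that flags RewriteLog-style lines carrying C0 control bytes or ANSI escape sequences, and prints the escaped form a safe logger should have written in the first place. The log lines are constructed for the example, and the escaping rule used here (backslash doubled, tab as \t, every other control byte as \xNN) is this example's own convention, not a description of how the Debian patch escapes log items.

```python
import re

# Constructed RewriteLog-style lines (made up for this example, not real Kolab
# or Apache output). Lines 3 and 4 carry the kind of attacker-controlled bytes
# an unpatched mod_rewrite copies into the log verbatim: an OSC sequence that
# retitles the terminal, a CSI clear-screen, and raw BEL/backspace bytes.
SAMPLE_LOG = [
    "192.0.2.10 - - [26/Nov/2014:09:30:08 +0100] (2) init rewrite engine with requested uri /index.php",
    "192.0.2.10 - - [26/Nov/2014:09:30:09 +0100] (2) init rewrite engine with requested uri /kolab-webadmin/",
    "198.51.100.7 - - [26/Nov/2014:09:31:00 +0100] (2) init rewrite engine with requested uri /\x1b]0;owned\x07\x1b[2J",
    "198.51.100.7 - - [26/Nov/2014:09:31:01 +0100] (2) init rewrite engine with requested uri /x\x07\x08\x08",
]

# ANSI escape sequences: CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ESC \)
# and two-byte ESC + Fe sequences.
ESC_SEQ = re.compile(r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])")
# Any C0 control byte or DEL. Line terminators are stripped by the caller.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize(line: str) -> str:
    """Escape a log line before it is written or displayed: backslash doubled,
    tab as \\t, every other control byte as \\xNN (this example's own rule)."""
    out = []
    for ch in line:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\t":
            out.append("\\t")
        elif code < 0x20 or code == 0x7f:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def audit_rewrite_log(lines):
    """Return one record per line that contains terminal control data."""
    report = []
    for idx, line in enumerate(lines):
        line = line.rstrip("\r\n")
        n_seq = len(ESC_SEQ.findall(line))
        n_ctrl = len(CONTROL.findall(line))
        if n_ctrl:
            report.append({
                "line": idx,
                "escape_sequences": n_seq,
                "control_chars": n_ctrl,
                "sanitized": sanitize(line),
            })
    return report


if __name__ == "__main__":
    for rec in audit_rewrite_log(SAMPLE_LOG):
        print("line %(line)d: %(escape_sequences)d escape sequence(s), "
              "%(control_chars)d control byte(s): %(sanitized)s" % rec)
```

Run it over an existing rewrite log (one line per list entry) to find out whether anyone has already sent such requests; viewing the sanitized form is safe in a terminal, the raw lines are not.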
Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing
to a URI that is not configured for DAV will trigger a segfault.
XML parsing code in mod_dav incorrectly calculates the end of the
string when removing leading spaces and places a NUL character
outside the buffer, causing random crashes. This XML parsing code
is only used with DAV provider modules that support DeltaV, of
which the only publicly released provider is mod_dav_svn.
The DEFLATE input filter (inflates request bodies) in mod_deflate
allows remote attackers to cause a denial of service (resource
consumption) via crafted request data that decompresses to a much
A race condition was found in mod_status. An attacker able to
access a public server status page on a server could send carefully
crafted requests which could lead to a heap buffer overflow,
causing denial of service, disclosure of sensitive information, or
potentially the execution of arbitrary code.
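The mod_deflate entry above describes a request body that is small on the wire but inflates to a much larger size. As an added example, not code from this report, Kolab or Apache, the following Python shows the unsafe pattern (inflate everything) next to a bounded inflater that stops once the output exceeds a byte cap or a compression-ratio cap. The caps, the gzip container and the sample bodies are assumptions made for the example; the 1 MiB and 100:1 limits are illustrative and have to be chosen per service.

```python
import zlib

# Caps for this example (assumptions; choose per service in practice).
MAX_INFLATED = 1 << 20      # never inflate a request body beyond 1 MiB
MAX_RATIO = 100             # and never accept more than 100:1 expansion


class InflateLimitExceeded(ValueError):
    def __init__(self, reason, detail):
        super().__init__("%s: %s" % (reason, detail))
        self.reason = reason


def gzip_body(plain: bytes) -> bytes:
    """Compress a request body as a gzip stream (Content-Encoding: gzip)."""
    c = zlib.compressobj(9, zlib.DEFLATED, 31)   # wbits 31 = gzip container
    return c.compress(plain) + c.flush()


def naive_inflate(body: bytes) -> bytes:
    """The unsafe pattern: inflate everything, however large it becomes."""
    return zlib.decompress(body, 47)             # 47 = auto-detect gzip/zlib


def bounded_inflate(body, max_out=MAX_INFLATED, max_ratio=MAX_RATIO):
    """Inflate incrementally, refusing once output exceeds max_out bytes or
    max_ratio times the compressed input consumed so far."""
    d = zlib.decompressobj(47)
    out = bytearray()
    pending = body
    while pending and not d.eof:
        # Ask for at most one byte past the cap, so an overrun is detected
        # without ever materialising the attacker's full payload.
        room = max_out - len(out) + 1
        out += d.decompress(pending, room)
        pending = d.unconsumed_tail
        if len(out) > max_out:
            raise InflateLimitExceeded("size", "more than %d bytes" % max_out)
        consumed = len(body) - len(pending)
        if len(out) > max_ratio * consumed:
            raise InflateLimitExceeded(
                "ratio", "%d bytes from %d compressed" % (len(out), consumed))
    if not d.eof:
        raise ValueError("truncated compressed body")
    return bytes(out)


def inflate_outcome(body):
    """('ok', size) or ('rejected', reason) for one request body."""
    try:
        return ("ok", len(bounded_inflate(body)))
    except InflateLimitExceeded as e:
        return ("rejected", e.reason)


# Constructed sample bodies (not captured traffic).
LEGIT_PLAIN = b"".join(b"<item id='%d'/>" % i for i in range(2000))
LEGIT_BODY = gzip_body(LEGIT_PLAIN)
SMALL_BOMB = gzip_body(b"\0" * (512 << 10))   # under the size cap, far over the ratio
BIG_BOMB = gzip_body(b"\0" * (8 << 20))       # 8 MiB of zeros: a few KiB on the wire

if __name__ == "__main__":
    for name, body in [("legit", LEGIT_BODY), ("small bomb", SMALL_BOMB), ("big bomb", BIG_BOMB)]:
        print(name, len(body), "bytes on the wire ->", inflate_outcome(body))
```

The ratio check is what catches a body that stays under the byte cap but is still pathological; the byte cap is what keeps a larger body from being materialised at all. Both are checked after every incremental step rather than once at the end, which is the difference between this and naive_inflate.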
A flaw was found in mod_cgid. If a server using mod_cgid hosted
CGI scripts which did not consume standard input, a remote attacker
could cause child processes to hang indefinitely, leading to denial
These issues have been fixed in the Debian Wheezy distribution package, from
which the Kolab package was forked. It is highly recommended to merge the
respective Debian patches.
These merges also include the backported support for SSL ECC keys and ECDH
ciphers published with Debian 7.6, allowing administrators to enable forward
secrecy for their users.
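Two of the items above are configuration rather than code: the backported SSLCompression directive (CRIME) and the ECDH cipher support that makes forward secrecy possible. The following is an added example, not part of this report and not Kolab's shipped configuration: a weak Apache SSL vhost fragment next to a corrected one, and a small Python audit that reads the directives and reports what is missing. Both fragments, the cipher list and the rule that an absent SSLCompression directive counts as "on" (the OpenSSL default on a build without the backported directive) are assumptions made for the example.

```python
# Constructed Apache SSL vhost fragments (assumptions for this example, not
# the configuration Kolab ships). BEFORE is what an unmaintained build would
# run: the SSLCompression directive does not exist there, so TLS compression
# follows the OpenSSL default (on), and the cipher list uses RSA key exchange
# only, so no handshake has forward secrecy.
BEFORE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/kolab.pem
    SSLCertificateKeyFile /etc/ssl/private/kolab.key
    SSLCipherSuite AES256-SHA:AES128-SHA:DES-CBC3-SHA
</VirtualHost>
"""

# AFTER relies on the merged Debian patches: the backported SSLCompression
# directive and ECDHE/DHE cipher support.
AFTER = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/kolab.pem
    SSLCertificateKeyFile /etc/ssl/private/kolab.key
    # CRIME mitigation: backported directive, off by default after the update
    SSLCompression off
    # Server picks the suite, so an ephemeral-key suite wins when the client offers one
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:AES128-SHA:!aNULL:!MD5
</VirtualHost>
"""

# OpenSSL suite names and aliases that denote ephemeral (EC)DH key exchange.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EECDH", "EDH", "KEECDH", "KEDH")


def parse_directives(conf):
    """Flatten a vhost fragment into {directive_lower: value}; last one wins."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):      # skip blanks and container tags
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return directives


def has_pfs_suite(cipher_spec):
    """True if at least one explicitly enabled token is an ECDHE/DHE suite or alias.
    Aliases such as HIGH or ALL are not expanded here (see usage note)."""
    for tok in cipher_spec.split(":"):
        if not tok or tok[0] in "!-":             # "!X" and "-X" remove suites
            continue
        if tok.lstrip("+").upper().startswith(PFS_PREFIXES):
            return True
    return False


def audit_tls(conf):
    d = parse_directives(conf)
    findings = []
    # Assumption: without the backported directive the build behaves as if
    # SSLCompression were on, so only an explicit "off" passes.
    if d.get("sslcompression", "on").lower() != "off":
        findings.append("SSLCompression is not off: TLS compression leaves the site open to CRIME")
    if not has_pfs_suite(d.get("sslciphersuite", "")):
        findings.append("SSLCipherSuite lists no ECDHE/DHE suites: no forward secrecy")
    elif d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off: a client can still pick a non-ephemeral suite")
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_tls(conf) or ["ok"])
```

The check is a string check on the directive as written: a spec built from aliases such as HIGH or ALL may well expand to ECDHE suites in the installed OpenSSL, so for those expand the list first with `openssl ciphers -v 'SPEC'` and feed the expanded names to has_pfs_suite.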