[packaging] [Bug 3986] New: Multiple vulnerabilities in bundled apache2 httpd

Kolab Bugzilla noreply at kolab.org
Wed Nov 26 09:30:08 CET 2014


            Bug ID: 3986
           Summary: Multiple vulnerabilities in bundled apache2 httpd
    Classification: Kolab Server
           Product: Kolab Server
           Version: unspecified
          Hardware: PC
                OS: Debian Wheezy
            Status: UNCONFIRMED
          Severity: critical
          Priority: P3
         Component: packaging
          Assignee: packaging-bugs at lists.kolabsys.com
          Reporter: kolab at sicherha.de
       Ticket Type: ---

The bundled apache2 package shipped with Kolab for the Debian_7.0 and
Ubuntu_12.04 platforms has not been maintained for two years. Since then, a
number of vulnerabilities have been discovered, including cross-site scripting,
denial of service, man-in-the-middle attacks, local privilege escalation,
information disclosure and remote code execution:


    The modules mod_info, mod_status, mod_imagemap, mod_ldap, and
    mod_proxy_ftp did not properly escape hostnames and URIs in
    HTML output, causing cross site scripting vulnerabilities.


    A flaw was found when mod_proxy_ajp connects to a backend
    server that takes too long to respond. Given a specific
    configuration, a remote attacker could send certain requests,
    putting a backend server into an error state until the retry
    timeout expired. This could lead to a temporary denial of


    Mod_proxy_balancer did not properly escape hostnames and URIs
    in its balancer-manager interface, causing a cross site scripting


    If using SSL/TLS data compression with HTTPS in a connection
    to a web browser, man-in-the-middle attackers may obtain
    plaintext HTTP headers. This issue is known as the "CRIME"
    attack. This update of apache2 disables SSL compression by
    default. A new SSLCompression directive has been backported
    that may be used to re-enable SSL data compression in
    environments where the "CRIME" attack is not an issue.
    For more information, please refer to:


    Hayawardh Vijayakumar noticed that the apache2ctl script created
    the lock directory in an unsafe manner, allowing a local attacker
    to gain elevated privileges via a symlink attack. This is a Debian
    specific issue.


    It was found that mod_rewrite writes data to a log file without
    sanitizing non-printable characters. A remote attacker could use
    this flaw to write terminal escape sequences to log files (if the
    RewriteLog directive was used by mod_rewrite). This could possibly
    cause arbitrary command execution via HTTP requests containing an
    escape sequence for a terminal emulator (if, for example, the log
    files were viewed in a terminal emulator).


    Sending a MERGE request against a URI handled by mod_dav_svn with
    the source href (sent as part of the request body as XML) pointing
    to a URI that is not configured for DAV will trigger a segfault.


    XML parsing code in mod_dav incorrectly calculates the end of the
    string when removing leading spaces and places a NUL character
    outside the buffer, causing random crashes. This XML parsing code
    is only used with DAV provider modules that support DeltaV, of
    which the only publicly released provider is mod_dav_svn.


    The DEFLATE input filter (inflates request bodies) in mod_deflate
    allows remote attackers to cause a denial of service (resource
    consumption) via crafted request data that decompresses to a much
    larger size.


    A race condition was found in mod_status. An attacker able to
    access a public server status page on a server could send carefully
    crafted requests which could lead to a heap buffer overflow,
    causing denial of service, disclosure of sensitive information, or
    potentially the execution of arbitrary code.


    A flaw was found in mod_cgid. If a server using mod_cgid hosted
    CGI scripts which did not consume standard input, a remote attacker
    could cause child processes to hang indefinitely, leading to denial
    of service.

These issues have been fixed in the Debian Wheezy distribution package, from
which the Kolab package was forked. It is highly recommended to merge the
respective Debian patches.

Inclusion requests:
https://obs.kolabsys.com/request/show/715 (Kolab:Development)
https://obs.kolabsys.com/request/show/714 (Kolab:3.3:Updates)

These merges also include the backported support for SSL ECC keys and ECDH
ciphers published with Debian 7.6, allowing administrators to enable forward
secrecy for their users.

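As an added illustration that is not part of the bug report or of the Kolab packages: an apache2 2.2 style mod_ssl fragment contrasting the settings the report describes as risky (TLS compression enabled, no ECDHE suites, a publicly reachable server-status page) with a hardened form that uses the backported SSLCompression directive and ECDH cipher support. The server name and certificate paths are placeholders.

```apache
# Added example (not from the bug report): weak vs. hardened settings for a
# Wheezy-era apache2 2.2 carrying the backported SSLCompression/ECDHE support.
# ServerName and certificate paths below are placeholders.

# --- Before: exposed to CRIME, no forward secrecy, status page public ---
# <VirtualHost *:443>
#     SSLEngine on
#     SSLCompression on           # TLS-level compression leaks headers/cookies (CRIME)
#     SSLCipherSuite HIGH:!aNULL  # may negotiate static RSA key exchange: no forward secrecy
# </VirtualHost>
# <Location /server-status>
#     SetHandler server-status    # reachable by any client, precondition for the mod_status race
# </Location>

# --- After ---
<VirtualHost *:443>
    ServerName mail.example.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem       # placeholder
    SSLCertificateKeyFile /etc/ssl/private/example.key     # placeholder

    # The backported directive already defaults to off; setting it explicitly
    # prevents an old "SSLCompression on" from surviving a package merge.
    SSLCompression off

    # Prefer the ECDHE suites backported with Debian 7.6 so every session uses a
    # fresh ephemeral key (forward secrecy); drop SSLv2/SSLv3 and broken ciphers.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!MD5:!RC4
</VirtualHost>

# mod_status: serve the status page to the local host only, so the heap buffer
# overflow described in the report is not reachable by remote clients.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Location>
```

After reloading, `openssl s_client -connect mail.example.invalid:443` should report `Compression: NONE` and an ECDHE cipher in the session summary.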