ID

VAR-201108-0132

CVE

CVE-2011-3192

TITLE

Apache HTTPD 1.3/2.x Range header DoS vulnerability

DESCRIPTION

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086. Both the 'Range' header and the 'Range-Request' header are vulnerable. The attack tool causes a significant increase in CPU and memory usage on the server. Apache HTTPD The server has a service disruption (DoS) Vulnerabilities exist. Apache HTTPD The server Range Header and Request-Range There is a problem with header processing, and service operation is interrupted. (DoS) Vulnerabilities exist. Attacks using this vulnerability have been observed. Also, "Apache Killer" The attack tool called is released. Apache The advisory states that: "Background and the 2007 report There are two aspects to this vulnerability. One is new, is Apache specific; and resolved with this server side fix. The other issue is fundamentally a protocol design issue dating back to 2007: http://seclists.org/bugtraq/2007/Jan/83 The contemporary interpretation of the HTTP protocol (currently) requires a server to return multiple (overlapping) ranges; in the order requested. This means that one can request a very large range (e.g. from byte 0- to the end) 100's of times in a single request. Being able to do so is an issue for (probably all) webservers and currently subject of an IETF discussion to change the protocol: http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311 This advisory details a problem with how Apache httpd and its so called internal 'bucket brigades' deal with serving such "valid" request. The problem is that currently such requests internally explode into 100's of large fetches, all of which are kept in memory in an inefficient way. This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy."Service disruption by a remote third party (DoS) There is a possibility of being attacked. Successful exploits will result in a denial-of-service condition. ---------------------------------------------------------------------- The Secunia CSI 5.0 Beta - now available for testing Find out more, take a free test drive, and share your opinion with us: http://secunia.com/blog/242 ---------------------------------------------------------------------- TITLE: Hitachi Web Server ByteRange Filter Denial of Service Vulnerability SECUNIA ADVISORY ID: SA45865 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/45865/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=45865 RELEASE DATE: 2011-09-05 DISCUSS ADVISORY: http://secunia.com/advisories/45865/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/45865/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=45865 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Hitachi has acknowledged a vulnerability in Hitachi Web Server, which can be exploited by malicious people to cause a DoS (Denial of Service). SOLUTION: Apply a workaround (please see the vendor's advisory for details). ORIGINAL ADVISORY: Hitachi (Japanese): http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS11-019/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker might obtain sensitive information, gain privileges, send requests to unintended servers behind proxies, bypass certain security restrictions, obtain the values of HTTPOnly cookies, or cause a Denial of Service in various ways. A local attacker could gain escalated privileges. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache HTTP Server users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.22-r1" References ========== [ 1 ] CVE-2010-0408 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0408 [ 2 ] CVE-2010-0434 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434 [ 3 ] CVE-2010-1452 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1452 [ 4 ] CVE-2010-2791 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2791 [ 5 ] CVE-2011-3192 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3192 [ 6 ] CVE-2011-3348 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3348 [ 7 ] CVE-2011-3368 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368 [ 8 ] CVE-2011-3607 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3607 [ 9 ] CVE-2011-4317 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4317 [ 10 ] CVE-2012-0021 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0021 [ 11 ] CVE-2012-0031 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0031 [ 12 ] CVE-2012-0053 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0053 [ 13 ] CVE-2012-0883 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0883 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201206-25.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . HP System Management Homepage (SMH) before v7.0 running on Linux and Windows. The Hewlett-Packard Company thanks Silent Dream for reporting CVE-2012-0135 to security-alert@hp.com RESOLUTION HP has provided HP System Management Homepage v7.0 or subsequent to resolve the vulnerabilities. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: httpd security update Advisory ID: RHSA-2011:1294-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1294.html Issue date: 2011-09-14 CVE Names: CVE-2011-3192 ===================================================================== 1. Summary: Updated httpd packages that fix one security issue are now available for Red Hat Enterprise Linux 5.3 Long Life, 5.6 Extended Update Support, and 6.0 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux (v. 5.3.LL server) - i386, ia64, x86_64 Red Hat Enterprise Linux Server (v. 6.0.z) - i386, noarch, ppc64, s390x, x86_64 3. (CVE-2011-3192) All httpd users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 732928 - CVE-2011-3192 httpd: multiple ranges DoS 6. Package List: Red Hat Enterprise Linux (v. 5.3.LL server): Source: httpd-2.2.3-22.el5_3.3.src.rpm i386: httpd-2.2.3-22.el5_3.3.i386.rpm httpd-debuginfo-2.2.3-22.el5_3.3.i386.rpm httpd-devel-2.2.3-22.el5_3.3.i386.rpm httpd-manual-2.2.3-22.el5_3.3.i386.rpm mod_ssl-2.2.3-22.el5_3.3.i386.rpm ia64: httpd-2.2.3-22.el5_3.3.ia64.rpm httpd-debuginfo-2.2.3-22.el5_3.3.ia64.rpm httpd-devel-2.2.3-22.el5_3.3.ia64.rpm httpd-manual-2.2.3-22.el5_3.3.ia64.rpm mod_ssl-2.2.3-22.el5_3.3.ia64.rpm x86_64: httpd-2.2.3-22.el5_3.3.x86_64.rpm httpd-debuginfo-2.2.3-22.el5_3.3.i386.rpm httpd-debuginfo-2.2.3-22.el5_3.3.x86_64.rpm httpd-devel-2.2.3-22.el5_3.3.i386.rpm httpd-devel-2.2.3-22.el5_3.3.x86_64.rpm httpd-manual-2.2.3-22.el5_3.3.x86_64.rpm mod_ssl-2.2.3-22.el5_3.3.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: httpd-2.2.3-45.el5_6.2.src.rpm i386: httpd-2.2.3-45.el5_6.2.i386.rpm httpd-debuginfo-2.2.3-45.el5_6.2.i386.rpm httpd-devel-2.2.3-45.el5_6.2.i386.rpm httpd-manual-2.2.3-45.el5_6.2.i386.rpm mod_ssl-2.2.3-45.el5_6.2.i386.rpm ia64: httpd-2.2.3-45.el5_6.2.ia64.rpm httpd-debuginfo-2.2.3-45.el5_6.2.ia64.rpm httpd-devel-2.2.3-45.el5_6.2.ia64.rpm httpd-manual-2.2.3-45.el5_6.2.ia64.rpm mod_ssl-2.2.3-45.el5_6.2.ia64.rpm ppc: httpd-2.2.3-45.el5_6.2.ppc.rpm httpd-debuginfo-2.2.3-45.el5_6.2.ppc.rpm httpd-debuginfo-2.2.3-45.el5_6.2.ppc64.rpm httpd-devel-2.2.3-45.el5_6.2.ppc.rpm httpd-devel-2.2.3-45.el5_6.2.ppc64.rpm httpd-manual-2.2.3-45.el5_6.2.ppc.rpm mod_ssl-2.2.3-45.el5_6.2.ppc.rpm s390x: httpd-2.2.3-45.el5_6.2.s390x.rpm httpd-debuginfo-2.2.3-45.el5_6.2.s390.rpm httpd-debuginfo-2.2.3-45.el5_6.2.s390x.rpm httpd-devel-2.2.3-45.el5_6.2.s390.rpm httpd-devel-2.2.3-45.el5_6.2.s390x.rpm httpd-manual-2.2.3-45.el5_6.2.s390x.rpm mod_ssl-2.2.3-45.el5_6.2.s390x.rpm x86_64: httpd-2.2.3-45.el5_6.2.x86_64.rpm httpd-debuginfo-2.2.3-45.el5_6.2.i386.rpm httpd-debuginfo-2.2.3-45.el5_6.2.x86_64.rpm httpd-devel-2.2.3-45.el5_6.2.i386.rpm httpd-devel-2.2.3-45.el5_6.2.x86_64.rpm httpd-manual-2.2.3-45.el5_6.2.x86_64.rpm mod_ssl-2.2.3-45.el5_6.2.x86_64.rpm Red Hat Enterprise Linux Server (v. 6.0.z): Source: httpd-2.2.15-5.el6_0.1.src.rpm i386: httpd-2.2.15-5.el6_0.1.i686.rpm httpd-debuginfo-2.2.15-5.el6_0.1.i686.rpm httpd-devel-2.2.15-5.el6_0.1.i686.rpm httpd-tools-2.2.15-5.el6_0.1.i686.rpm mod_ssl-2.2.15-5.el6_0.1.i686.rpm noarch: httpd-manual-2.2.15-5.el6_0.1.noarch.rpm ppc64: httpd-2.2.15-5.el6_0.1.ppc64.rpm httpd-debuginfo-2.2.15-5.el6_0.1.ppc.rpm httpd-debuginfo-2.2.15-5.el6_0.1.ppc64.rpm httpd-devel-2.2.15-5.el6_0.1.ppc.rpm httpd-devel-2.2.15-5.el6_0.1.ppc64.rpm httpd-tools-2.2.15-5.el6_0.1.ppc64.rpm mod_ssl-2.2.15-5.el6_0.1.ppc64.rpm s390x: httpd-2.2.15-5.el6_0.1.s390x.rpm httpd-debuginfo-2.2.15-5.el6_0.1.s390.rpm httpd-debuginfo-2.2.15-5.el6_0.1.s390x.rpm httpd-devel-2.2.15-5.el6_0.1.s390.rpm httpd-devel-2.2.15-5.el6_0.1.s390x.rpm httpd-tools-2.2.15-5.el6_0.1.s390x.rpm mod_ssl-2.2.15-5.el6_0.1.s390x.rpm x86_64: httpd-2.2.15-5.el6_0.1.x86_64.rpm httpd-debuginfo-2.2.15-5.el6_0.1.i686.rpm httpd-debuginfo-2.2.15-5.el6_0.1.x86_64.rpm httpd-devel-2.2.15-5.el6_0.1.i686.rpm httpd-devel-2.2.15-5.el6_0.1.x86_64.rpm httpd-tools-2.2.15-5.el6_0.1.x86_64.rpm mod_ssl-2.2.15-5.el6_0.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-3192.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFOcPvoXlSAg2UNWIIRAmGBAJwI2Fw6a21y6sQIufKOTMSqJsa8iwCghpOw pVtt5SPsKbyHm0L/nXt0ZQM= =shA7 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Release Date: 2011-09-08 Last Updated: 2011-10-26 ------------------------------------------------------------------------------ Potential Security Impact: Remote Denial of Service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP-UX Apache Web Server. References: CVE-2011-3192, CVE-2011-0419 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.18 containing Apache v2.2.15.08 or earlier HP-UX B.11.11 running HP-UX Apache Web Server Suite v2.33 containing Apache v2.0.64.01 or earlier BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2011-3192 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2011-0419 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following software updates to resolve these vulnerabilities. HP-UX Web Server Suite (WSS) v3.19 containing Apache v2.2.15.09 The WSS v3.19 update is available for download from the following location https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW319 HP-UX 11i Releases / Apache Depot name B.11.23 & B.11.31 (32-bit) / HPUXWS22ATW-B319-32.depot B.11.23 & B.11.31 (64-bit) / HPUXWS22ATW-B319-64.depot HP-UX Web Server Suite (WSS) v2.34 containing Apache v2.0.64.02 The WSS v2.34 update is available for download from the following location https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW234 HP-UX 11i Release / Apache Depot name B.11.11 / HPUXWSATW-B234-1111.depot B.11.23 (32 & 64-bit) / No longer supported. Upgrade to WSS v3.19 B.11.31 (32 & 64-bit) / No longer supported. Upgrade to WSS v3.19 MANUAL ACTIONS: Yes - Update For B.11.23 and B.11.31 install HP-UX Web Server Suite v3.19 or subsequent. PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX Web Server Suite v3.19 HP-UX B.11.23 HP-UX B.11.31 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 action: install revision B.2.2.15.09 or subsequent HP-UX Web Server Suite v2.34 HP-UX B.11.11 ================== hpuxwsAPACHE.APACHE hpuxwsAPACHE.APACHE2 hpuxwsAPACHE.AUTH_LDAP hpuxwsAPACHE.AUTH_LDAP2 hpuxwsAPACHE.MOD_JK hpuxwsAPACHE.MOD_JK2 hpuxwsAPACHE.MOD_PERL hpuxwsAPACHE.MOD_PERL2 hpuxwsAPACHE.PHP hpuxwsAPACHE.PHP2 hpuxwsAPACHE.WEBPROXY action: install revision B.2.0.64.02 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 8 September 2011 Initial release Version:2 (rev.2) - 8 September 2011 Updated affectivity, recommendations, typos Version:3 (rev.3) - 22 September 2011 New source for depots Version:4 (rev.4) - 23 September 2011 Apache WSS 2.33 depot for B.11.11 available Version:5 (rev.5) - 26 October 2011 Final depots available Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2011 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Enjoy! * apache has been upgraded to the latest version (2.2.21) for 2011 _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192 _______________________________________________________________________ Updated Packages: Mandriva Linux 2011: 5c4825e4c63b4a06c68a5fd81517de71 2011/i586/apache-base-2.2.21-0.1-mdv2011.0.i586.rpm b5a00191b27804f9735643cdcd704b19 2011/i586/apache-conf-2.2.21-0.1-mdv2011.0.i586.rpm 49defd7efbb4a37ec49c01c7ef9c64aa 2011/i586/apache-devel-2.2.21-0.1-mdv2011.0.i586.rpm a023e40689777630df036eae1a84a475 2011/i586/apache-doc-2.2.21-0.1-mdv2011.0.noarch.rpm f03744bb74a3e0872cb08465799c3ee1 2011/i586/apache-htcacheclean-2.2.21-0.1-mdv2011.0.i586.rpm bb9efa66089deef66f9434b813d41a95 2011/i586/apache-mod_authn_dbd-2.2.21-0.1-mdv2011.0.i586.rpm bb334eb7fe43927ba7c6c9196b4e1fd1 2011/i586/apache-mod_cache-2.2.21-0.1-mdv2011.0.i586.rpm 086b5ed82c064b16964fff70bf9c841e 2011/i586/apache-mod_dav-2.2.21-0.1-mdv2011.0.i586.rpm 115008b2471e10ea01689dafe5c46bcd 2011/i586/apache-mod_dbd-2.2.21-0.1-mdv2011.0.i586.rpm 6b686ec6612ff8740d1e482faa06c544 2011/i586/apache-mod_deflate-2.2.21-0.1-mdv2011.0.i586.rpm 8c8f14074bc0dbbeb2b3890611f95c6b 2011/i586/apache-mod_disk_cache-2.2.21-0.1-mdv2011.0.i586.rpm b03569edc20c9393e0b5eea09f590368 2011/i586/apache-mod_file_cache-2.2.21-0.1-mdv2011.0.i586.rpm 343703d3822a6757e000edeebe7e0a06 2011/i586/apache-mod_ldap-2.2.21-0.1-mdv2011.0.i586.rpm 3457011403525d40e525716c4da8e477 2011/i586/apache-mod_mem_cache-2.2.21-0.1-mdv2011.0.i586.rpm 3d060145b3665ca4c0b309f812af9370 2011/i586/apache-mod_proxy-2.2.21-0.1-mdv2011.0.i586.rpm a0e00b0610eb5a8c5c57afabeafc07f8 2011/i586/apache-mod_proxy_ajp-2.2.21-0.1-mdv2011.0.i586.rpm dd4bb38bbc2997ca398fb37225eca371 2011/i586/apache-mod_proxy_scgi-2.2.21-0.1-mdv2011.0.i586.rpm 2966cdfddf02fa32447711af6a3046dd 2011/i586/apache-mod_reqtimeout-2.2.21-0.1-mdv2011.0.i586.rpm 48774d9c282dc476f35a0c8b2e821a7f 2011/i586/apache-mod_ssl-2.2.21-0.1-mdv2011.0.i586.rpm 7b832f85bd258abf0c7abb161f4028b4 2011/i586/apache-mod_suexec-2.2.21-0.1-mdv2011.0.i586.rpm 1c6b93eaa5b27477989bf82ea9a63685 2011/i586/apache-modules-2.2.21-0.1-mdv2011.0.i586.rpm 1e7dc0ee3fafae8a786be0cc164ebe4a 2011/i586/apache-mod_userdir-2.2.21-0.1-mdv2011.0.i586.rpm ab2d074f2dfe57a64b022d4e6b8254ab 2011/i586/apache-mpm-event-2.2.21-0.1-mdv2011.0.i586.rpm a22debf09366b64e236965a4091009e9 2011/i586/apache-mpm-itk-2.2.21-0.1-mdv2011.0.i586.rpm 174aed4327491b83f147f3b4e76bcd1f 2011/i586/apache-mpm-peruser-2.2.21-0.1-mdv2011.0.i586.rpm e141881c27496e7e74ad7f3f566a1bd2 2011/i586/apache-mpm-prefork-2.2.21-0.1-mdv2011.0.i586.rpm 97893069a3d6eb73e3773bc0ee78c9a4 2011/i586/apache-mpm-worker-2.2.21-0.1-mdv2011.0.i586.rpm fe530e2da15b3e0bf14c617824ff82c9 2011/i586/apache-source-2.2.21-0.1-mdv2011.0.i586.rpm 4376094cd799523a1a7666f4e768707d 2011/SRPMS/apache-2.2.21-0.1.src.rpm b37e2a1dafb6883a10cefb4140e9635e 2011/SRPMS/apache-conf-2.2.21-0.1.src.rpm d83c587ad4d56a31362f67334bbf9455 2011/SRPMS/apache-doc-2.2.21-0.1.src.rpm 0b4a145fd5ff8c11a53956f750cdbd42 2011/SRPMS/apache-mod_suexec-2.2.21-0.1.src.rpm Mandriva Linux 2011/X86_64: 8837c56966896e10d3403956e7cf86ac 2011/x86_64/apache-base-2.2.21-0.1-mdv2011.0.x86_64.rpm aec6da25319585e53623471734f99c57 2011/x86_64/apache-conf-2.2.21-0.1-mdv2011.0.x86_64.rpm e8600455214ad4f2303d9f36576e4952 2011/x86_64/apache-devel-2.2.21-0.1-mdv2011.0.x86_64.rpm 90694f3211fca3d436ec4130b8bb43e2 2011/x86_64/apache-doc-2.2.21-0.1-mdv2011.0.noarch.rpm fd3f6a51c8abf8b1ff8356489ba6d6e1 2011/x86_64/apache-htcacheclean-2.2.21-0.1-mdv2011.0.x86_64.rpm 796c8129bbc160455587bc54c58c2220 2011/x86_64/apache-mod_authn_dbd-2.2.21-0.1-mdv2011.0.x86_64.rpm 61add54b6e0c8306dff065a150b262e2 2011/x86_64/apache-mod_cache-2.2.21-0.1-mdv2011.0.x86_64.rpm cb98169c29008c256662f3a08141bf95 2011/x86_64/apache-mod_dav-2.2.21-0.1-mdv2011.0.x86_64.rpm 5aa03ee54a7e40d41fd746fd1a223c72 2011/x86_64/apache-mod_dbd-2.2.21-0.1-mdv2011.0.x86_64.rpm 386a956f014fe2d64dfe38fc261abd39 2011/x86_64/apache-mod_deflate-2.2.21-0.1-mdv2011.0.x86_64.rpm 5a473bc45fa59323c4d526dd4f5a30d3 2011/x86_64/apache-mod_disk_cache-2.2.21-0.1-mdv2011.0.x86_64.rpm aaa544f7a4912c161a2c73e222ae87d6 2011/x86_64/apache-mod_file_cache-2.2.21-0.1-mdv2011.0.x86_64.rpm f04054edc62a24ea9042c5b41074bd1d 2011/x86_64/apache-mod_ldap-2.2.21-0.1-mdv2011.0.x86_64.rpm 1c97f63c1169f483d086a94b97f5c421 2011/x86_64/apache-mod_mem_cache-2.2.21-0.1-mdv2011.0.x86_64.rpm ca912c34fec5cf470947a7f87e9705a4 2011/x86_64/apache-mod_proxy-2.2.21-0.1-mdv2011.0.x86_64.rpm b5ae70a8ed412e40275b4de7b639caa0 2011/x86_64/apache-mod_proxy_ajp-2.2.21-0.1-mdv2011.0.x86_64.rpm 6b11b032c13277712c336405ea23a8b0 2011/x86_64/apache-mod_proxy_scgi-2.2.21-0.1-mdv2011.0.x86_64.rpm 874a420342f1ea9278e014b79fe5a337 2011/x86_64/apache-mod_reqtimeout-2.2.21-0.1-mdv2011.0.x86_64.rpm 2757b3d7c8261563e22c41d3f94aaa29 2011/x86_64/apache-mod_ssl-2.2.21-0.1-mdv2011.0.x86_64.rpm 6edbc6963aab9beee507f9a3c8be38a2 2011/x86_64/apache-mod_suexec-2.2.21-0.1-mdv2011.0.x86_64.rpm fe6143eaa1acc0de751198ea19129279 2011/x86_64/apache-modules-2.2.21-0.1-mdv2011.0.x86_64.rpm 3e66fa1e1e2cf243c1c6472243cb86fe 2011/x86_64/apache-mod_userdir-2.2.21-0.1-mdv2011.0.x86_64.rpm 7d45bfd7d3aa87d45d2287fdd9507847 2011/x86_64/apache-mpm-event-2.2.21-0.1-mdv2011.0.x86_64.rpm bce9e2cdffe45cbc4baf72f0d0c4000e 2011/x86_64/apache-mpm-itk-2.2.21-0.1-mdv2011.0.x86_64.rpm 217bd96dfa802f7d049b6fd12600b154 2011/x86_64/apache-mpm-peruser-2.2.21-0.1-mdv2011.0.x86_64.rpm cc304b9011d16d7f3cf5c8250e4d9f18 2011/x86_64/apache-mpm-prefork-2.2.21-0.1-mdv2011.0.x86_64.rpm a8bb9b62c39f98a6df728d51a4fff39a 2011/x86_64/apache-mpm-worker-2.2.21-0.1-mdv2011.0.x86_64.rpm 7d41c857be2574ac5f3ea7090a1f3c78 2011/x86_64/apache-source-2.2.21-0.1-mdv2011.0.x86_64.rpm 4376094cd799523a1a7666f4e768707d 2011/SRPMS/apache-2.2.21-0.1.src.rpm b37e2a1dafb6883a10cefb4140e9635e 2011/SRPMS/apache-conf-2.2.21-0.1.src.rpm d83c587ad4d56a31362f67334bbf9455 2011/SRPMS/apache-doc-2.2.21-0.1.src.rpm 0b4a145fd5ff8c11a53956f750cdbd42 2011/SRPMS/apache-mod_suexec-2.2.21-0.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFOdErbmqjQ0CJFipgRArO0AJ9MeU1I/ItvY699awHPqXD7TZZ46gCeP/Lc OVJD0GobLzQ3q1XZS8WiqdY= =O8Ag -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

AFFECTED PRODUCTS