Oval Definition: oval:org.mitre.oval:def:13623
Revision Date: 2014-06-23
Version: 20
Title: DSA-1934-1 apache2 -- multiple issues
Description: A design flaw has been found in the TLS and SSL protocol that allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection. The attack is related to the way TLS and SSL handle session renegotiations. CVE-2009-3555 has been assigned to this vulnerability.

As a partial mitigation against this attack, this apache2 update disables client-initiated renegotiations. This should fix the vulnerability for the majority of Apache configurations in use.

NOTE: This is not a complete fix for the problem. The attack is still possible in configurations where the server initiates the renegotiation. This is the case for the following configurations:

  • The "SSLVerifyClient" directive is used in a Directory or Location context.
  • The "SSLCipherSuite" directive is used in a Directory or Location context.

As a workaround, you may rearrange your configuration so that SSLVerifyClient and SSLCipherSuite are only used at the server or virtual host level. A complete fix for the problem will require a protocol change. Further information will be included in a separate announcement about this issue.

In addition, this update fixes the following issues in Apache's mod_proxy_ftp:

  • CVE-2009-3094: Insufficient input validation in the mod_proxy_ftp module allowed remote FTP servers to cause a denial of service via a malformed reply to an EPSV command.
  • CVE-2009-3095: Insufficient input validation in the mod_proxy_ftp module allowed remote authenticated attackers to bypass intended access restrictions and send arbitrary FTP commands to an FTP server.

For the stable distribution, these problems have been fixed in version 2.2.9-10+lenny6. This version also includes some non-security bug fixes that were scheduled for inclusion in the next stable point release. For the oldstable distribution, these problems have been fixed in version 2.2.3-4+etch11. For the testing distribution and the unstable distribution, these problems will be fixed in version 2.2.14-2.
This advisory also provides updated apache2-mpm-itk packages which have been recompiled against the new apache2 packages. Updated apache2-mpm-itk packages for the armel architecture are not included yet. They will be released as soon as they become available. We recommend that you upgrade your apache2 and apache2-mpm-itk packages.
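The workaround in the advisory, illustrated as an added example (not configuration shipped with the Debian packages): the first virtual host keeps SSLVerifyClient inside a Location block, so mod_ssl must renegotiate the session for that path and the update's partial fix does not apply; the rearranged form below it moves the client-certificate requirement to its own virtual host so it is negotiated in the initial handshake. Hostnames, IP addresses (TEST-NET) and certificate paths are constructed placeholders.

```apache
# BEFORE: still exposed after DSA-1934-1. The per-Location SSLVerifyClient
# forces a server-initiated renegotiation when /secure/ is requested.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.org                       # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.pem     # placeholder paths
    SSLCertificateKeyFile /etc/ssl/private/www.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    <Location /secure/>
        SSLVerifyClient require    # Location context -> renegotiation
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# AFTER: SSLVerifyClient and SSLCipherSuite appear only at virtual host
# level. The client-certificate area gets a dedicated vhost on a second
# address, so no Directory/Location-level SSL directive remains.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.pem
    SSLCertificateKeyFile /etc/ssl/private/www.key
    # no SSL directives inside Directory or Location blocks here
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName secure.example.org                    # placeholder hostname
    DocumentRoot /var/www/secure                     # placeholder path
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.pem
    SSLCertificateKeyFile /etc/ssl/private/secure.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require    # vhost context: required in the first handshake
    SSLVerifyDepth  2
</VirtualHost>
```

To audit an existing installation for the remaining exposure, search the configuration tree (including .htaccess files) for SSLVerifyClient and SSLCipherSuite and confirm that every match sits directly under VirtualHost or the main server scope rather than inside a Directory or Location block.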
Family: unix
Class: patch
Status: ACCEPTED
Reference(s):
  CVE-2009-3094
  CVE-2009-3095
  CVE-2009-3555
  DSA-1934-1
Platform(s):
  Debian GNU/Linux 4.0
  Debian GNU/Linux 5.0
Product(s): apache2
Definition Synopsis
  • Release section
    • Debian GNU/Linux 5.0 is installed
    • AND Architecture section
      • Architecture independent section
        • Installed architecture is all
        • AND Packages section
          • apache2-doc DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2-src DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2 DPKG is earlier than 2.2.9-10+lenny6
      • OR Architecture dependent section
        • Supported architectures section
          • Installed architecture is s390
          • OR Installed architecture is amd64
          • OR Installed architecture is sparc
          • OR Installed architecture is arm
          • OR Installed architecture is i386
          • OR Installed architecture is armel
          • OR Installed architecture is mips
          • OR Installed architecture is ia64
          • OR Installed architecture is alpha
          • OR Installed architecture is powerpc
          • OR Installed architecture is mipsel
          • OR Installed architecture is hppa
        • AND Packages section
          • apache2-threaded-dev DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2-utils DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2-mpm-worker DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2.2-common DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2-suexec-custom DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2-suexec DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2-mpm-prefork DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2-dbg DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2-mpm-event DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2-prefork-dev DPKG is earlier than 2.2.9-10+lenny6
          • OR apache2-mpm-itk DPKG is earlier than 2.2.6-02-1+lenny2+b2
  • OR Release section
    • Debian GNU/Linux 4.0 is installed
    • AND Architecture section
      • Architecture independent section
        • Installed architecture is all
        • AND Packages section
          • apache2-mpm-perchild DPKG is earlier than 2.2.3-4+etch11
          • OR apache2-doc DPKG is earlier than 2.2.3-4+etch11
          • OR apache2-src DPKG is earlier than 2.2.3-4+etch11
          • OR apache2 DPKG is earlier than 2.2.3-4+etch11
          • OR apache2-utils DPKG is earlier than 2.2.3-4+etch11
          • OR apache2-mpm-worker DPKG is earlier than 2.2.3-4+etch11
          • OR apache2.2-common DPKG is earlier than 2.2.3-4+etch11
          • OR apache2-mpm-prefork DPKG is earlier than 2.2.3-4+etch11
          • OR apache2-threaded-dev DPKG is earlier than 2.2.3-4+etch11
          • OR apache2-mpm-event DPKG is earlier than 2.2.3-4+etch11
          • OR apache2-mpm-itk DPKG is earlier than 2.2.3-01-2+etch4+b1
          • OR apache2-prefork-dev DPKG is earlier than 2.2.3-4+etch11