Bulletin d'alerte Debian

DSA-2035-1 apache2 -- Plusieurs problèmes

Date du rapport :
17 avril 2010
Paquets concernés :
apache2
Vulnérabilité :
Oui
Références dans la base de données de sécurité :
Dans le dictionnaire CVE du Mitre : CVE-2010-0408, CVE-2010-0434.
Plus de précisions :

Deux problèmes ont été découverts dans le serveur web HTTPD Apache :

  • CVE-2010-0408

    mod_proxy_ajp reverrait le mauvais code d'état en cas d'erreur, provoquant une mise en état d'erreur du serveur moteur jusqu'à expiration du délai de réessai. Un attaquant distant pourrait envoyer des requêtes malveillantes pour déclencher ce problème, provoquant un déni de service.

  • CVE-2010-0434

    Un défaut dans le code de traitement de sous-requête principal a été découvert. Cela pourrait conduire au plantage du démon (erreur de segmentation) ou à la révélation de renseignements sensibles si les en-têtes d'une sous-requête étaient modifiés par des modules comme mod_headers.

Pour la distribution stable (Lenny), ces problèmes ont été corrigés dans la version 2.2.9-10+lenny7.

Pour la distribution testing (Squeeze) et la distribution unstable (Sid), ces problèmes ont été corrigés dans la version 2.2.15-1.

Cette annonce fournit aussi les paquets apache2-mpm-itk mis à jour qui ont été recompilés avec les nouveaux paquets apache2.

Nous vous recommandons de mettre à jour vos paquets apache2 et apache2-mpm-itk.

Corrigé dans :

Debian GNU/Linux 5.0 (lenny)

Source :
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.9-10+lenny7.dsc
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.9-10+lenny7.diff.gz
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.9.orig.tar.gz
Composant indépendant de l'architecture :
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.9-10+lenny7_all.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-doc_2.2.9-10+lenny7_all.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-src_2.2.9-10+lenny7_all.deb
Alpha:
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_alpha.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_alpha.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_alpha.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_alpha.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_alpha.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_alpha.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_alpha.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_alpha.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_alpha.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_alpha.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b4_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_amd64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_amd64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_amd64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_amd64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_amd64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_amd64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_amd64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_amd64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_amd64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_amd64.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_arm.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_arm.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_arm.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_arm.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_arm.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_arm.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_arm.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_arm.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_arm.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_arm.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_armel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_armel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_armel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_armel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_armel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_armel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_armel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_armel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_armel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_armel.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_hppa.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_hppa.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_hppa.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_hppa.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_hppa.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_hppa.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_hppa.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_hppa.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_hppa.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_hppa.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_i386.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_i386.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_i386.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_i386.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_i386.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_i386.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_i386.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_i386.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_i386.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_i386.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_ia64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_ia64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_ia64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_ia64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_ia64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_ia64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_ia64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_ia64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_ia64.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_ia64.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_mips.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_mips.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_mips.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_mips.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_mips.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_mips.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_mips.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_mips.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_mips.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_mips.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_mipsel.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_powerpc.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_s390.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_s390.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_s390.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_s390.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_s390.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_s390.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_s390.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_s390.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_s390.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_s390.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny7_sparc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny7_sparc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny7_sparc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny7_sparc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny7_sparc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny7_sparc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny7_sparc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny7_sparc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny7_sparc.deb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny7_sparc.deb
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b3_sparc.deb

Les sommes MD5 des fichiers indiqués sont disponibles sur la page originale de l'alerte de sécurité.