[SECURITY] [DLA 2768-1] uwsgi security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2768-1] uwsgi security update
From: Sylvain Beucler <beuc@beuc.net>
Date: Wed, 29 Sep 2021 21:53:04 +0200
Message-id: <[🔎] 20210929195304.GA23637@mail.beuc.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2768-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
September 29, 2021                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : uwsgi
Version        : 2.0.14+20161117-3+deb9u4
CVE ID         : CVE-2021-36160

It was discovered that the uwsgi proxy module for Apache2
(mod_proxy_uwsgi) can read above the allocated memory when processing
a request with a carefully crafted uri-path. An attacker may cause the
server to crash (DoS).

For Debian 9 stretch, this problem has been fixed in version
2.0.14+20161117-3+deb9u4.

We recommend that you upgrade your uwsgi packages.

For the detailed security status of uwsgi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/uwsgi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmFUv0AACgkQDTl9HeUl
XjDOuA//bop1Nq/RmKCzx8VyWB5p9tpFdeLZhiT9V6/UvsvCSOPTptv28o5e+VOs
UnWXU6PeQeTBCly8pVf4is00MLaD1bnzmSaT6LNc6mQpqICs23KB8yEFue7yJS21
QCTKGYwCWWjOwVQkVGBqQ+fr8ehEINhsxExxkVyrwTLOfsB4E2QM1XoorfJBT6dG
cWtv5bdskb7ne+yRRvZfLbrJulXqXKcOmKtjMNjCJhuQ0fqQ+lbIVFe/OR4qmyRX
WgDM1sT6k6fmLZuuLk2rRb3Mp7EB5sqKXrbEfaEOFjcTOoo3V/kU8Lh2ujUcBaJ2
SnYf7BoF8lr43K8831p8R2I33pKxTcQifE+Wvtoubo5RpNALdTLDZLlaE59V2IuR
uVXKCoeM68pFSN1xOPOTd0SykVUMMcQqGLptIxGhVarc+qnXVhD3OtefkvD8anSE
eXFtkzhoG5Q+n3TLKYDGy2xx7uLr6bVvrhkHQm4NVOMWcTVmhPdEkDkDojMVj5y2
jbHMxuA/NJ0EObHgtjuWX+rPwqBKtieG6t9ismr43zLta328WMSWOnLdc5Pb+R99
D9YxzQaF2vYG47kTL15UMc6EO/GG5wn7Q3zKy8/e9i0Z/Kso2NYa2mFs9jbMkxP1
Zc/uCRcXvXD1nqJ3KKAvjXsGT5MwYxKO/tpebom4yTnnDY+gVxI=
=bh9b
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2767-1] libxml-security-java security update
Next by Date: [SECURITY] [DLA 2769-1] libxstream-java security update
Previous by thread: [SECURITY] [DLA 2767-1] libxml-security-java security update
Next by thread: [SECURITY] [DLA 2769-1] libxstream-java security update
Index(es):
- Date
- Thread