Executive Summary
Summary | |
---|---|
Title | httpd security, bug fix, and enhancement update |
Informations | |||
---|---|---|---|
Name | RHSA-2013:0130 | First vendor Publication | 2013-01-08 |
Vendor | RedHat | Last vendor Modification | 2013-01-08 |
Severity (Vendor) | Low | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated httpd packages that fix multiple security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: The httpd packages contain the Apache HTTP Server (httpd), which is the namesake project of The Apache Software Foundation. Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687) Bug fixes: * Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the "%post" script for the "mod_ssl" package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and "localhost.key" was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The "%post" script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected. (BZ#752618) * The "mod_ssl" module did not support operation under FIPS mode. Consequently, when operating Red Hat Enterprise Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected. (BZ#773473) * Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command "service httpd reload" was run and httpd failed, the exit status code returned was "0" and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns "1" as an exit status code. (BZ#783242) * Chunked Transfer Coding is described in RFC 261 |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2013-0130.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
33 % | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18832 | |||
Oval ID: | oval:org.mitre.oval:def:18832 | ||
Title: | HP-UX Running Apache, Remote Denial of Service (DoS), Execution of Arbitrary Code and other vulnerabilities | ||
Description: | Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2012-2687 | Version: | 11 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:19539 | |||
Oval ID: | oval:org.mitre.oval:def:19539 | ||
Title: | HP-UX Apache Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Cross Site Scripting (XSS) | ||
Description: | Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2012-2687 | Version: | 9 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21017 | |||
Oval ID: | oval:org.mitre.oval:def:21017 | ||
Title: | RHSA-2013:0130: httpd security, bug fix, and enhancement update (Low) | ||
Description: | Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:0130-00 CESA-2013:0130 CVE-2008-0455 CVE-2008-0456 CVE-2012-2687 | Version: | 45 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | httpd |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23042 | |||
Oval ID: | oval:org.mitre.oval:def:23042 | ||
Title: | ELSA-2013:0130: httpd security, bug fix, and enhancement update (Low) | ||
Description: | Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:0130-00 CVE-2008-0455 CVE-2008-0456 CVE-2012-2687 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | httpd |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26266 | |||
Oval ID: | oval:org.mitre.oval:def:26266 | ||
Title: | SUSE-SU-2013:0387-1 -- Security update for apache2 | ||
Description: | This update fixes the following security issues with apache2 httpd: * Improper LD_LIBRARY_PATH handling (CVE-2012-0883 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883 > ) * Filename escaping problem (CVE-2012-2687 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687 > ) Additionally, some non-security bugs have been fixed as enumerated in the changelog of the RPM. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0387-1 CVE-2012-0883 CVE-2012-2687 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 10 | Product(s): | apache2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27403 | |||
Oval ID: | oval:org.mitre.oval:def:27403 | ||
Title: | DEPRECATED: ELSA-2013-0130 -- httpd security, bug fix, and enhancement update (low) | ||
Description: | [2.2.3-74.0.1.el5] - fix mod_ssl always performing full renegotiation (Joe Jin) [orabug 12423387] - replace index.html with Oracle's index page oracle_index.html - update vstring and distro in specfile [2.2.3-74] - further %post scriptlet fix (#752618, #867736) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-0130 CVE-2008-0455 CVE-2008-0456 CVE-2012-2687 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | httpd |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-11-26 | Name : FreeBSD Ports: apache22 File : nvt/freebsd_apache22.nasl |
2012-11-09 | Name : Ubuntu Update for apache2 USN-1627-1 File : nvt/gb_ubuntu_USN_1627_1.nasl |
2012-10-03 | Name : Mandriva Update for apache MDVSA-2012:154-1 (apache) File : nvt/gb_mandriva_MDVSA_2012_154_1.nasl |
2010-05-12 | Name : Mac OS X 10.5.7 Update / Mac OS X Security Update 2009-002 File : nvt/macosx_upd_10_5_7_secupd_2009-002.nasl |
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200803-19 (apache) File : nvt/glsa_200803_19.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
41019 | Apache HTTP Server mod_negotiation Module Multi-Line Filename Upload XSS |
41018 | Apache HTTP Server mod_negotiation Module Multi-Line Filename Upload CRLF |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2015-07-16 | IAVM : 2015-A-0149 - Multiple Vulnerabilities in Juniper Networks and Security Manager(NSM) Appliance Severity : Category I - VMSKEY : V0061101 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-09-01 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL17201.nasl - Type : ACT_GATHER_INFO |
2015-08-31 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL17189.nasl - Type : ACT_GATHER_INFO |
2015-07-20 | Name : The remote host is affected by multiple vulnerabilities. File : juniper_nsm_jsa10685_cred.nasl - Type : ACT_GATHER_INFO |
2015-07-20 | Name : The remote host is affected by multiple vulnerabilities. File : juniper_nsm_jsa10685.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-0469-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-0387-1.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_apache_20130129.nasl - Type : ACT_GATHER_INFO |
2014-12-16 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-770.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL15901.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-81.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-80.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-308.nasl - Type : ACT_GATHER_INFO |
2013-09-13 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_8_5.nasl - Type : ACT_GATHER_INFO |
2013-09-13 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2013-004.nasl - Type : ACT_GATHER_INFO |
2013-08-11 | Name : The remote web server may be affected by multiple vulnerabilities. File : oracle_http_server_cpu_jul_2013.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0130.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0512.nasl - Type : ACT_GATHER_INFO |
2013-03-10 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0512.nasl - Type : ACT_GATHER_INFO |
2013-03-05 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_apache2-8443.nasl - Type : ACT_GATHER_INFO |
2013-03-05 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_apache2-130225.nasl - Type : ACT_GATHER_INFO |
2013-03-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130221_httpd_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2013-02-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0512.nasl - Type : ACT_GATHER_INFO |
2013-02-13 | Name : The remote Fedora host is missing a security update. File : fedora_2013-1661.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1592.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1591.nasl - Type : ACT_GATHER_INFO |
2013-01-17 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130108_httpd_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-01-17 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0130.nasl - Type : ACT_GATHER_INFO |
2013-01-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0130.nasl - Type : ACT_GATHER_INFO |
2012-11-09 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1627-1.nasl - Type : ACT_GATHER_INFO |
2012-11-05 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_65539c54251711e2b9d620cf30e32f6d.nasl - Type : ACT_GATHER_INFO |
2012-10-02 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-154.nasl - Type : ACT_GATHER_INFO |
2012-09-14 | Name : The remote web server is affected by multiple vulnerabilities. File : apache_2_2_23.nasl - Type : ACT_GATHER_INFO |
2012-08-23 | Name : The remote web server is affected by multiple vulnerabilities. File : apache_2_4_3.nasl - Type : ACT_GATHER_INFO |
2011-11-18 | Name : The remote web server may be affected by one or more issues. File : apache_mod_negotiation_xss.nasl - Type : ACT_GATHER_INFO |
2009-05-13 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_5_7.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200803-19.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:56:38 |
|
2013-01-08 09:18:09 |
|