-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 --------------------------------------------------------------------------
   Turbolinux Security Advisory TLSA-2009-30
   http://www.turbolinux.co.jp/security/
                                             security-team@turbolinux.co.jp
 --------------------------------------------------------------------------

 Original release date: 30 Nov 2009
 Last revised: 30 Nov 2009

 Package: httpd

 Summary: Four vulnerabilities exist in Apache

 More information:
    Apache is a powerful, full-featured, efficient, and freely-available
    Web server. Apache is also the most popular Web server on the Internet.

    The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until
    completion even after the associated network connection is closed, which allows remote
    attackers to cause a denial of service (CPU consumption). (CVE-2009-1891)

    The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp
    module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause
    a denial of service (NULL pointer dereference and child process crash) via a malformed
    reply to an EPSV command. (CVE-2009-3094)

    The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass 
    intended access restrictions and send arbitrary commands to an FTP server via vectors
    related to the embedding of these commands in the Authorization HTTP header, as demonstrated by
    a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903,
    this disclosure has no actionable information. However, because the VulnDisco Pack author
    is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. (CVE-2009-3095)

    The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet
    Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL
    before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier,
    multiple Cisco products, and other products, does not properly associate renegotiation handshakes
    with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS
    sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated
    request that is processed retroactively by a server in a post-renegotiation context, related to a
    "plaintext injection" attack, aka the "Project Mogul" issue. (CVE-2009-3555)

 Affected Products:
    - Turbolinux Client 2008
    - Turbolinux Appliance Server 3.0 x64 Edition
    - Turbolinux Appliance Server 3.0
    - Turbolinux 11 Server x64 Edition
    - Turbolinux 11 Server
    - Turbolinux Appliance Server 2.0
    - Turbolinux FUJI
    - Turbolinux 10 Server x64 Edition
    - Turbolinux 10 Server


 <Turbolinux Client 2008>

   Source Packages
   Size: MD5

   http://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Client/12/turbolinux-source/httpd-2.2.6-16.src.rpm
      4785010 20695448ec1cbbbdf8e8364332077b07

   Binary Packages
   Size: MD5

   http://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Client/12/turbolinux-updates/httpd-2.2.6-16.i586.rpm
      1233544 3e066aff0683a819396ad3b4292f7005
   http://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Client/12/turbolinux-updates/httpd-devel-2.2.6-16.i586.rpm
       149105 77a56d8fbb240b2ad1ee8ab4810c4a10

 <Turbolinux Appliance Server 3.0 x64 Edition>

   Source Packages
   Size: MD5

   httpd-2.2.6-16.src.rpm
      4794391 a6022c274b47646b55d30bee3f2803eb

   Binary Packages
   Size: MD5

   httpd-2.2.6-16.x86_64.rpm
      1250674 a84110510572555cb1bf1004e6c3b3b0
   httpd-devel-2.2.6-16.x86_64.rpm
       153755 827a1900362169f5f9694ebd69fa5e16
   httpd-manual-2.2.6-16.x86_64.rpm
       858935 b34e8a9ae2b8899e0d8c0e1408e354bc
   httpd-rootsrv-2.2.6-16.x86_64.rpm
       229220 8a6ef778e4bd8fefc90fd70d5dcf6667
   mod_ssl-2.2.6-16.x86_64.rpm
        90466 29fb8dacaf9e7c842e10869245409e10

 <Turbolinux Appliance Server 3.0>

   Source Packages
   Size: MD5

   httpd-2.2.6-16.src.rpm
      4794391 a6022c274b47646b55d30bee3f2803eb

   Binary Packages
   Size: MD5

   httpd-2.2.6-16.i686.rpm
      1176037 b1a3b3b56904697e24b652f6c66322d5
   httpd-devel-2.2.6-16.i686.rpm
       153850 856f6d60f9e146860d855303ecca3f93
   httpd-manual-2.2.6-16.i686.rpm
       858780 e699f5cc8ed989bc8a42d88471c2d671
   httpd-rootsrv-2.2.6-16.i686.rpm
       216812 011696e1cfb3e9cfb69611dee16d00bf
   mod_ssl-2.2.6-16.i686.rpm
        85661 ae79764553935f71c7c003bf5ab8afb5

 <Turbolinux 11 Server x64 Edition>

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/11/updates/SRPMS/httpd-2.2.6-16.src.rpm
      4794391 a6022c274b47646b55d30bee3f2803eb

   Binary Packages
   Size: MD5

   httpd-2.2.6-16.x86_64.rpm
      1250674 a84110510572555cb1bf1004e6c3b3b0
   httpd-devel-2.2.6-16.x86_64.rpm
       153755 827a1900362169f5f9694ebd69fa5e16
   httpd-manual-2.2.6-16.x86_64.rpm
       858935 b34e8a9ae2b8899e0d8c0e1408e354bc
   mod_ssl-2.2.6-16.x86_64.rpm
        90466 29fb8dacaf9e7c842e10869245409e10

 <Turbolinux 11 Server>

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/11/updates/SRPMS/httpd-2.2.6-16.src.rpm
      4794391 a6022c274b47646b55d30bee3f2803eb

   Binary Packages
   Size: MD5

   httpd-2.2.6-16.i686.rpm
      1176037 b1a3b3b56904697e24b652f6c66322d5
   httpd-devel-2.2.6-16.i686.rpm
       153850 856f6d60f9e146860d855303ecca3f93
   httpd-manual-2.2.6-16.i686.rpm
       858780 e699f5cc8ed989bc8a42d88471c2d671
   mod_ssl-2.2.6-16.i686.rpm
        85661 ae79764553935f71c7c003bf5ab8afb5

 <Turbolinux Appliance Server 2.0>

   Source Packages
   Size: MD5

   httpd-2.0.51-40.src.rpm
      6913114 7c6bbad3ba962c9cefb4f8d8ebc5dfb5

   Binary Packages
   Size: MD5

   httpd-2.0.51-40.i586.rpm
      1033855 c634b20de8fc0f24107ac44004c48698
   httpd-devel-2.0.51-40.i586.rpm
       226090 3c899a214442a34b4d3601a6ce0ff664
   httpd-manual-2.0.51-40.i586.rpm
      1133178 170807635ebaa2b68ec7bd3e97736d67
   mod_bwshare-2.0.51-40.i586.rpm
        42034 0c6c8dc430e527ac006507b44134e052
   mod_ssl-2.0.51-40.i586.rpm
        90085 cae713b83ad9d0384f25eabdc495cff1

 <Turbolinux FUJI>

   Binary Packages
   Size: MD5

   httpd-2.0.54-26.i686.rpm
      1268447 2c58989ca893dd0b1c0538c8aa09e8de
   httpd-devel-2.0.54-26.i686.rpm
       278223 735ebd3bfd2c3e70474351d19ba18970

 <Turbolinux 10 Server x64 Edition>

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/SRPMS/httpd-2.0.51-40.src.rpm
      6913114 7c6bbad3ba962c9cefb4f8d8ebc5dfb5

   Binary Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/httpd-2.0.51-40.x86_64.rpm
      1144589 f691054dba3e14133fdf59b0a741d0cb
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/httpd-debug-2.0.51-40.x86_64.rpm
      3534148 b08aee2416e398ab023b747acb513698
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/httpd-devel-2.0.51-40.x86_64.rpm
       226050 f02a977f38b2e1080be2dbaf34f6c0e1
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/httpd-manual-2.0.51-40.x86_64.rpm
      1134455 16d71d466663b0d64fdc9d6135e05078
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/mod_bwshare-2.0.51-40.x86_64.rpm
        42771 fde90789210fe506de9bcf9a79b1da0a
   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/mod_ssl-2.0.51-40.x86_64.rpm
        97814 f86fa2645b6bab6a1ee884f0be862d6a

 <Turbolinux 10 Server>

   Source Packages
   Size: MD5

   ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/httpd-2.0.51-40.src.rpm
      6913114 7c6bbad3ba962c9cefb4f8d8ebc5dfb5

   Binary Packages
   Size: MD5

   httpd-2.0.51-40.i586.rpm
      1033855 c634b20de8fc0f24107ac44004c48698
   httpd-debug-2.0.51-40.i586.rpm
      3548927 fb92f52134419784b0a41877a7c79ff2
   httpd-devel-2.0.51-40.i586.rpm
       226090 3c899a214442a34b4d3601a6ce0ff664
   httpd-manual-2.0.51-40.i586.rpm
      1133178 170807635ebaa2b68ec7bd3e97736d67
   mod_bwshare-2.0.51-40.i586.rpm
        42034 0c6c8dc430e527ac006507b44134e052
   mod_ssl-2.0.51-40.i586.rpm
        90085 cae713b83ad9d0384f25eabdc495cff1


 References:

 CVE
   [CVE-2009-1891]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
   [CVE-2009-3094]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
   [CVE-2009-3095]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
   [CVE-2009-3555]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

 --------------------------------------------------------------------------
 Revision History
    30 Nov 2009 Initial release
 --------------------------------------------------------------------------

 Copyright(C) 2009 Turbolinux, Inc. All rights reserved. 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (GNU/Linux)

iEYEARECAAYFAksTb/MACgkQK0LzjOqIJMy9GACdGJJb8EtbvUe5O4VcceF8PlSn
lLMAoLM//yVioR0DLZjRsBgjyQyRDlhm
=tKHV
-----END PGP SIGNATURE-----
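
The package listings above give a size and an MD5 for each file, and the same file name can carry different values under different products (httpd-2.2.6-16.src.rpm is listed with two different sizes and checksums), so a download check has to be scoped to one product. The following is an added example, not part of the Turbolinux advisory: a parser for this listing layout plus a per-product check of local files. The product names, URL and file contents in the sample are constructed, and the function names are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample in the advisory's layout; names, URL and values are made up.
SAMPLE = """
 <Example Product A>
   Size: MD5
   http://mirror.example/a/demo-1.0-1.src.rpm
            3 900150983cd24fb0d6963f7d28e17f72
 <Example Product B>
   demo-1.0-1.src.rpm
           11 5eb63bbbe01eeed093cb22bb8f5acdc3
   demo-devel-1.0-1.i586.rpm
            5 5d41402abc4b2a76b9719d911017c592
"""

def parse_listing(text):
    """Return {product: {rpm basename: (size, md5)}} from advisory text."""
    listing, product, pending = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"<(.+)>", line):
            product, pending = m.group(1), None
        elif line.endswith(".rpm"):
            pending = line.rsplit("/", 1)[-1]  # URL or bare file name
        elif (m := re.fullmatch(r"(\d+)\s+([0-9a-f]{32})", line)) and product and pending:
            listing.setdefault(product, {})[pending] = (int(m.group(1)), m.group(2))
            pending = None
    return listing

def check_file(path, size, md5):
    """Compare one local file with its listed size and MD5."""
    if not path.is_file():
        return "missing"
    if path.stat().st_size != size:
        return "size mismatch"  # cheap check before hashing
    digest = hashlib.md5(path.read_bytes()).hexdigest()
    return "ok" if digest == md5 else "md5 mismatch"

def verify(listing, product, directory):
    return {name: check_file(Path(directory, name), *expected)
            for name, expected in listing[product].items()}

def demo():
    listing = parse_listing(SAMPLE)
    with tempfile.TemporaryDirectory() as d:
        # Constructed 3-byte file; matches product A's entry only.
        Path(d, "demo-1.0-1.src.rpm").write_bytes(b"abc")
        return [verify(listing, p, d) for p in ("Example Product A", "Example Product B")]
```

A match only shows that a file agrees with the listing text; trust in the listing itself rests on checking the advisory's PGP signature.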
