Ike.ninja

Security Advisory 2013-07-23

by Ike on July 25, 2013 at 11:05 am
Posted In: 11.32, 11.34, 11.36, 11.38, Community, cPanel, Hosting, News, Ruby, security, SSL

SUMMARY

The Apache HTTPD Server Project has released httpd-2.2.25 and httpd-2.4.6 to correct multiple vulnerabilities that were issued CVEs.

Apache HTTP Server 2.2.25

CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

CVE-2013-1862 mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.

AFFECTED VERSIONS

All versions of Apache 2.2 before 2.2.25.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-1896 – MEDIUM
CVE-2013-1862 – MEDIUM

Apache HTTP Server 2.4.6

CVE-2013-2249 mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.

CVE-2013-1896 mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault.

AFFECTED VERSIONS

All versions of Apache 2.4 before 2.4.6.

SECURITY RATING

The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2013-2249 – HIGH
CVE-2013-1896 – MEDIUM

SOLUTION

cPanel, Inc. has released EasyApache 3.20.6 with updated versions of Apache 2.2 and 2.4 to correct these issues. To update, please rebuild your EasyApache profile. For more information on rebuilding profiles, please consult our documentation (http://go.cpanel.net/ea).

Unless EasyApache updates are disabled on your system, the latest version of EasyApache will be used whenever EasyApache is run. Note that EasyApache updates must be done manually.

REFERENCES

CVE-2013-1862 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1862)
CVE-2013-2249 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2249)
CVE-2013-1896 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1896)

Apache 2.2.25 Announcement (http://www.apache.org/dist/httpd/Announcement2.2.html)
Apache 2.4.6 Announcement (http://www.apache.org/dist/httpd/Announcement2.4.html)

For the PGP Signed message, please go here.
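
A check for the condition CVE-2013-1862 describes, as an added example that is not part of the advisory or of Apache's or cPanel's code: it scans RewriteLog lines written before the upgrade for raw control bytes such as ESC and renders them in a visible escaped form so the file can be reviewed safely in a terminal. The function names are hypothetical and the sample lines are constructed, only loosely following the shape of a rewrite log.

```python
import re

# Bytes a terminal may interpret: C0 controls except TAB and LF, plus DEL.
# The trailing line terminator is stripped before scanning.
CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")


def neutralize(line: bytes) -> str:
    """Return the line with every control byte shown as literal \\xNN text."""
    body = line.rstrip(b"\r\n")
    safe = CONTROL.sub(lambda m: b"\\x%02x" % m.group()[0], body)
    # Invalid UTF-8 is also rendered as escapes instead of raising.
    return safe.decode("utf-8", errors="backslashreplace")


def scan(lines):
    """Yield (line_number, control_byte_count, safe_text) for suspect lines."""
    for number, line in enumerate(lines, start=1):
        body = line.rstrip(b"\r\n")
        hits = CONTROL.findall(body)
        if hits:
            yield number, len(hits), neutralize(body)


# Constructed sample lines (not real log data); line 2 carries ESC bytes
# inside the client-supplied URI.
SAMPLE_LOG = [
    b"192.0.2.10 - - [25/Jul/2013:11:05:00 +0000] (2) init rewrite engine "
    b"with requested uri /index.html\n",
    b"192.0.2.77 - - [25/Jul/2013:11:05:02 +0000] (2) init rewrite engine "
    b"with requested uri /a\x1b[2J\x1b[31mb\n",
    b"192.0.2.10 - - [25/Jul/2013:11:05:03 +0000] (3) applying pattern "
    b"'^/old' to uri '/new'\n",
]


def report(lines=SAMPLE_LOG):
    """Collect the findings for a list of raw log lines."""
    return list(scan(lines))


if __name__ == "__main__":
    for number, count, text in report():
        print(f"line {number}: {count} control byte(s): {text}")
```

To check a real file, open it in binary mode (`open(path, "rb")`) and pass the file object to `scan`, so the bytes are never decoded or echoed raw.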

└ Tags: 11.32, 11.34, 11.36, 11.38, Apache, CVE, MERGE, news, Ruby, security, SSL, URI

Red Hat: 2013:1103-01: ruby193-ruby: Moderate Advisory

by Ike on July 24, 2013 at 8:26 pm
Posted In: Other

(Jul 23) Updated ruby193-ruby packages that fix one security issue are now available for Red Hat OpenStack 3.0 (Grizzly). The Red Hat Security Response Team has rated this update as having moderate [More…]

└ Tags: Moderate Advisory, Red Hat, security, update

WordPress 3.6 Release Candidate 2

by Ike on July 24, 2013 at 7:25 am
Posted In: Backups, CMS, Development, PHP, Releases, security, Testing, Wordpress

The second release candidate for WordPress 3.6 is now available for download and testing.

We’re down to only a few remaining issues, and the final release should be available in a matter of days. In RC2, we’ve tightened up some aspects of revisions, autosave, and the media player, and fixed some bugs that were spotted in RC1. Please test this release candidate as much as you can, so we can deliver a smooth final release!

Think you’ve found a bug? Please post to the Alpha/Beta area in the support forums.

Developers, please continue to test your plugins and themes, so that if there is a compatibility issue, we can figure it out before the final release. You can find our list of known issues here.

To test WordPress 3.6, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip).

Revisions so smooth
We autosave your changes
Data loss begone!

└ Tags: Alpha Beta, Development, edge, Testing

Ubuntu: 1908-1: OpenJDK 6 vulnerabilities

by Ike on July 23, 2013 at 8:55 pm
Posted In: Other

(Jul 23) Several security issues were fixed in OpenJDK 6.


Red Hat: 2013:1100-01: qemu-kvm: Important Advisory

by Ike on July 23, 2013 at 8:24 pm
Posted In: Other

(Jul 22) Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More…]

└ Tags: Important Advisory, Red Hat, security, update