CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
AI Score confidence: Low
EPSS percentile: 94.2%
Debian Security Advisory DSA-2579-1 [email protected]
http://www.debian.org/security/ Stefan Fritsch
November 30, 2012 http://www.debian.org/security/faq
Package : apache2
Vulnerability : Multiple issues
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-4557 CVE-2012-4929
Debian Bug : 689936
A vulnerability has been found in the Apache HTTPD Server:
CVE-2012-4557
A flaw was found when mod_proxy_ajp connects to a backend
server that takes too long to respond. Given a specific
configuration, a remote attacker could send certain requests,
putting a backend server into an error state until the retry
timeout expired. This could lead to a temporary denial of
service.
In addition, this update also adds a server side mitigation for the
following issue:
CVE-2012-4929
If using SSL/TLS data compression with HTTPS in a connection
to a web browser, man-in-the-middle attackers may obtain
plaintext HTTP headers. This issue is known as the "CRIME"
attack. This update of apache2 disables SSL compression by
default. A new SSLCompression directive has been backported
that may be used to re-enable SSL data compression in
environments where the "CRIME" attack is not an issue.
For more information, please refer to:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
For the stable distribution (squeeze), these problems have been fixed in
version 2.2.16-6+squeeze10.
For the testing distribution (wheezy), these problems have been fixed in
version 2.2.22-12.
For the unstable distribution (sid), these problems have been fixed in
version 2.2.22-12.
We recommend that you upgrade your apache2 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: [email protected]
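The SSLCompression directive described under CVE-2012-4929 above can be audited in existing configurations. The following is an added example, not code from the advisory, Debian or the Apache project: it reports where SSL compression ends up enabled, assuming the directive is valid in server config and virtual host context as in the linked upstream documentation. The function names, the sample configuration and its hostnames are constructed, and Include files are not followed.

```python
import re

# Constructed sample config (not from the advisory); hostnames are placeholders.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName shop.example.test
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.test
    sslcompression On
</VirtualHost>
<VirtualHost *:443>
    ServerName api.example.test
    SSLCompression off
</VirtualHost>
# Server-level directive placed after the vhosts still applies to them.
SSLCompression on
"""

VHOST_OPEN = re.compile(r"<VirtualHost\b[^>]*>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)

def audit_ssl_compression(conf_text, package_default="off"):
    """Map each scope to (effective SSLCompression value, line that set it or None).
    package_default="off" models the patched packages described in the advisory."""
    server = {"name": "(server)", "setting": (package_default, None)}
    scopes, current = [server], server
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment line
            continue
        if VHOST_OPEN.match(line):
            current = {"name": "vhost@line%d" % line_no, "setting": None}
            scopes.append(current)
        elif VHOST_CLOSE.match(line):
            current = server
        else:
            parts = line.split()
            key, arg = parts[0].lower(), parts[1] if len(parts) > 1 else ""
            if key == "servername" and current is not server and arg:
                current["name"] = arg
            elif key == "sslcompression" and arg.lower() in ("on", "off"):
                current["setting"] = (arg.lower(), line_no)
    # Inheritance is resolved after the whole file is read (simplified merge model).
    return {s["name"]: s["setting"] or server["setting"] for s in scopes}

def compression_enabled(report):
    """Scopes where TLS compression ends up on and needs review."""
    return sorted(scope for scope, (value, _) in report.items() if value == "on")
```

Running `compression_enabled(audit_ssl_compression(text))` over a real configuration lists the scopes to review; an empty list means the patched default of off is in effect everywhere the file covers.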
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 7 | s390 | libcrypto1.0.0-udeb | < 1.0.1e-2+deb7u11 | libcrypto1.0.0-udeb_1.0.1e-2+deb7u11_s390.deb |
Debian | 6 | sparc | apache2-dbg | < 2.2.16-6+squeeze10 | apache2-dbg_2.2.16-6+squeeze10_sparc.deb |
Debian | 7 | i386 | openssl | < 1.0.1e-2+deb7u11 | openssl_1.0.1e-2+deb7u11_i386.deb |
Debian | 7 | mipsel | openssl | < 1.0.1e-2+deb7u11 | openssl_1.0.1e-2+deb7u11_mipsel.deb |
Debian | 6 | mipsel | apache2-suexec | < 2.2.16-6+squeeze10 | apache2-suexec_2.2.16-6+squeeze10_mipsel.deb |
Debian | 6 | amd64 | apache2.2-bin | < 2.2.16-6+squeeze10 | apache2.2-bin_2.2.16-6+squeeze10_amd64.deb |
Debian | 7 | armel | libssl-dev | < 1.0.1e-2+deb7u11 | libssl-dev_1.0.1e-2+deb7u11_armel.deb |
Debian | 6 | mips | apache2-mpm-event | < 2.2.16-6+squeeze10 | apache2-mpm-event_2.2.16-6+squeeze10_mips.deb |
Debian | 7 | ia64 | libssl-dev | < 1.0.1e-2+deb7u11 | libssl-dev_1.0.1e-2+deb7u11_ia64.deb |
Debian | 6 | mips | lighttpd-mod-cml | < 1.4.28-2+squeeze1.2 | lighttpd-mod-cml_1.4.28-2+squeeze1.2_mips.deb |