apache2 - several

A vulnerability has been found in the Apache HTTPD Server:

• CVE-2012-4557
  A flaw was found when mod_proxy_ajp connects to a backend
  server that takes too long to respond. Given a specific
  configuration, a remote attacker could send certain requests,
  putting a backend server into an error state until the retry
  timeout expired. This could lead to a temporary denial of
  service.

In addition, this update also adds a server side mitigation for the
following issue:

• CVE-2012-4929
  If using SSL/TLS data compression with HTTPS in an connection
  to a web browser, man-in-the-middle attackers may obtain
  plaintext HTTP headers. This issue is known as the CRIME
  attack. This update of apache2 disables SSL compression by
  default. A new SSLCompression directive has been backported
  that may be used to re-enable SSL data compression in
  environments where the CRIME attack is not an issue.
  For more information, please refer to the SSLCompression
  Directive documentation.

For the stable distribution (squeeze), these problems have been fixed in
version 2.2.16-6+squeeze10.

For the testing distribution (wheezy), these problems have been fixed in
version 2.2.22-12.

For the unstable distribution (sid), these problems have been fixed in
version 2.2.22-12.

We recommend that you upgrade your apache2 packages.