[slackware-security] httpd (SSA:2015-198-01)

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 slackware-security httpd SSA:2015-198-01 New httpd packages are available for Slackware 14.0, 14.1, and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+...

[slackware-security] php

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: patches/packages/php-5.4.41-i486-1slack14.1.txz: Upgraded. This update fixes some bugs and security issues. For more information, see:...

php: pipelined request executed in deinitialized interpreter under httpd 2.4

A flaw was found in the way the PHP module for the Apache httpd web server handled pipelined requests. A remote attacker could use this flaw to trigger the execution of a PHP script in a deinitialized interpreter, causing it to crash or, possibly, execute arbitrary code...

openSUSE Security Update : php5 (openSUSE-2015-352)

PHP was updated to fix three security issues. The following vulnerabilities were fixed : - CVE-2015-3330: Specially crafted PHAR files could, when executed under Apache httpd 2.4 apache2handler, allow arbitrary code execution bnc928506 - CVE-2015-3329: Specially crafted PHAR data could lead to...

Security update for php5 (important)

PHP was updated to fix three security issues. The following vulnerabilities were fixed: CVE-2015-3330: Specially crafted PHAR files could, when executed under Apache httpd 2.4 apache2handler, allow arbitrary code execution bnc928506 CVE-2015-3329: Specially crafted PHAR data could lead to...

[slackware-security] php

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. Here are the details from the Slackware 14.1 ChangeLog: patches/packages/php-5.4.40-i486-1slack14.1.txz: Upgraded. This update fixes some security issues. Please note that this package build also moves t...

Apache Httpd < 2.4.16 : HTTP request smuggling attack against chunked request parser

An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use...

Apache Httpd < 2.2.31 : HTTP request smuggling attack against chunked request parser

An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use...

Mandriva Linux Security Advisory : apache (MDVSA-2015:093)

Updated apache packages fix security vulnerabilities : Apache HTTPD before 2.4.9 was vulnerable to a denial of service in moddav when handling DAVWRITE requests CVE-2013-6438. Apache HTTPD before 2.4.9 was vulnerable to a denial of service when logging cookies CVE-2014-0098. A race condition flaw...

mod-gnutls 'gnutls_hooks.c' security bypass vulnerability

modgnutls is an extension to the GnuTLS library used by Apache for httpd to provide HTTPS. A security bypass vulnerability exists in mod-gnutls 'gnutlshooks.c' that allows attackers to bypass certain security restrictions and perform unauthorized operations...

Apache Httpd < 2.4.16 : Crash in ErrorDocument 400 handling

A crash in ErrorDocument handling was found. If ErrorDocument 400 was configured pointing to a local URL-path with the INCLUDES filter active, a NULL dereference would occur when handling the error, causing the child process to crash. This issue affected the 2.4.12 release only...

Internet Bug Bounty: mod_lua: Crash in websockets PING handling

A stack recursion crash in the modlua module was found. A Lua script executing the r:wsupgrade function could crash the process if a malicious client sent a carefully crafted PING request. This issue affected releases 2.4.7 through 2.4.12 inclusive...

Apache Httpd < 2.4.16 : mod_lua: Crash in websockets PING handling

A stack recursion crash in the modlua module was found. A Lua script executing the r:wsupgrade function could crash the process if a malicious client sent a carefully crafted PING request. This issue affected releases 2.4.7 through 2.4.12 inclusive...

CVE-2014-8108

The moddavsvn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service NULL pointer dereference and crash via a request for a URI that triggers a lookup for a virtual transaction name that does not exist...

CVE-2014-8108

The CVE-2014-8108 issue affects the Apache Subversion mod_dav_svn module. According to connected docs, Subversion 1.7.x is vulnerable before 1.7.19 and 1.8.x is vulnerable before 1.8.11, where a remote attacker can trigger a NULL pointer dereference by requesting a URI that causes a lookup for a ...

UBUNTU-CVE-2014-3580

The moddavsvn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service NULL pointer dereference and server crash via a REPORT request for a resource that does not exist...

CVE-2014-8108

The moddavsvn Apache HTTPD server module in Apache Subversion 1.7.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service NULL pointer dereference and crash via a request for a URI that triggers a lookup for a virtual transaction name that does not exist...

subversion -- DoS vulnerabilities

Subversion Project reports: Subversion's moddavsvn Apache HTTPD server module will crash when it receives a REPORT request for some invalid formatted special URIs. Subversion's moddavsvn Apache HTTPD server module will crash when it receives a request for some invalid formatted special URIs. We...

Apache Httpd < 2.4.12 : mod_lua multiple "Require" directive handling is broken

Fix handling of the Require line in modlua when a LuaAuthzProvider is used in multiple Require directives with different arguments. This could lead to different authentication rules than expected...

RHEL 5 : pki (RHSA-2012:1550)

Updated pki-common and pki-tps packages that fix multiple security issues are now available for Red Hat Certificate System 8.1. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System CVSS base scores, which give detailed...