Bug#540862: reassign
reassign 540862 libxerces2-java
thanks

This appears to be a flaw in the Xerces XML parser. See previous discussion and PDF.

-- To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#540862: apache2: xml-based firewall bypass / port scanning vulnerability
Package: apache2
Version: 2.2.3-4+etch6
Severity: important
Tags: security

It has been disclosed that Apache (and potentially other web servers) can be used to port scan behind a firewall. I don't think this issue is too severe, but a firewall bypass nevertheless is probably not a good thing. See [0].

[0] http://www.sift.com.au/assets/downloads/SIFT-XML-Port-Scanning-v1-00.pdf
Bug#536718: apache2: CVE-2009-1890 denial-of-service vulnerability
Package: apache2
Version: 2.2.3-4+etch6
Severity: serious
Tags: security, patch

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for apache2.

CVE-2009-1890[0]:
| The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
| module in the Apache HTTP Server before 2.3.3, when a reverse proxy is
| configured, does not properly handle an amount of streamed data that
| exceeds the Content-Length value, which allows remote attackers to
| cause a denial of service (CPU consumption) via crafted requests.

Patches are available [0]. Please coordinate with the security team to prepare updates for the stable releases.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
    http://security-tracker.debian.net/tracker/CVE-2009-1890
Bug#535886: apache2: htaccess override
Package: apache2
Severity: important
Version: 2.2.3-4+etch6
Tags: security

apache2 in etch is vulnerable to an override vulnerability in .htaccess [1].

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=44262
Bug#533661: "slowloris" denial-of-service vulnerability
Package: apache2
Version: 2.2.3-4+etch6
Severity: important
Tags: security

Hello,

this package is supposedly vulnerable to something called a "slowloris" denial-of-service attack. Please check to see whether this is a correct assessment. See [1], [2] for more info.

Thanks.

[1] http://ha.ckers.org/slowloris/
[2] http://www.securityfocus.com/archive/1/456339/30/0/threaded