Full Disclosure mailing list archives

rPSA-2009-0142-1 httpd mod_ssl
From: rPath Update Announcements <announce-noreply () rpath com>
Date: Thu, 12 Nov 2009 17:49:51 -0500

rPath Security Advisory: 2009-0142-1
Published: 2009-11-12
    rPath Appliance Platform Linux Service 2
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Local System User Deterministic Privilege Escalation
Updated Versions:
    httpd=conary.rpath.com@rpl:2/2.2.9-4.2-1
    mod_ssl=conary.rpath.com@rpl:2/2.2.9-4.2-1

rPath Issue Tracking System:


    Previous versions of httpd do not properly handle Options=IncludesNOEXEC
    in the AllowOverride directive, which allows local users to gain
    privileges via a specially crafted .htaccess file combined with an exec
    element in a .shtml file.
    Additionally, when a reverse proxy is configured, a vulnerability in
    mod_proxy could allow a remote attacker to cause a denial of service
    (CPU consumption) via crafted requests.
    Both of these issues have been addressed in this release.


Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
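
A review aid for hosts still running an httpd older than the updated versions above, as an added example that is not part of the rPath advisory: it reports .htaccess files that set an Includes-type option and .shtml files that contain an exec element, but only when the server configuration delegates Options=IncludesNOEXEC through AllowOverride. The function names, paths and sample contents are constructed for illustration, and treating any Options line that names an Includes variant as worth review is this example's heuristic, not a rule from the advisory.

```python
import re

# AllowOverride lines that delegate specific Options to .htaccess files.
ALLOW_RE = re.compile(r"^\s*AllowOverride\b.*\bOptions=([\w,]+)", re.I | re.M)
OPTIONS_RE = re.compile(r"^\s*Options\b(.*)$", re.I | re.M)
EXEC_RE = re.compile(r"<!--\s*#exec\b", re.I)

# Constructed sample input (hypothetical paths and contents, not from the advisory).
SAMPLE_CONF = """\
<Directory "/srv/www/users">
    AllowOverride Options=IncludesNOEXEC,Indexes
</Directory>
"""
SAMPLE_FILES = {
    "/srv/www/users/alice/.htaccess": "Options +Includes\n",
    "/srv/www/users/alice/page.shtml": '<p><!--#exec cmd="uptime" --></p>\n',
    "/srv/www/users/bob/.htaccess": "Options +Indexes\n",
    "/srv/www/users/bob/index.shtml": '<!--#include virtual="/footer.html" -->\n',
}

def delegates_includesnoexec(httpd_conf):
    """True if an active AllowOverride line lists Options=...IncludesNOEXEC."""
    for m in ALLOW_RE.finditer(httpd_conf):
        if "includesnoexec" in [o.lower() for o in m.group(1).split(",")]:
            return True
    return False

def audit(httpd_conf, files):
    """files maps path -> text. Returns a sorted list of (path, reason)."""
    findings = []
    if not delegates_includesnoexec(httpd_conf):
        return findings  # the affected AllowOverride form is not in use
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name == ".htaccess":
            for m in OPTIONS_RE.finditer(text):
                if re.search(r"includes", m.group(1), re.I):
                    line = m.group(0).strip()
                    findings.append((path, "htaccess sets SSI option: " + line))
        elif name.endswith(".shtml") and EXEC_RE.search(text):
            findings.append((path, "SSI exec element present"))
    return sorted(findings)

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_CONF, SAMPLE_FILES):
        print(f"{path}: {reason}")
```

A finding is a prompt to check the installed httpd version against the updated versions listed in the advisory, not proof that a command was executed.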
