<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Armor &#187; apache</title>
	<atom:link href="http://www.informationarmor.com/tag/apache/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.informationarmor.com</link>
	<description>Protecting Your Data. A public service from Arizona IT Management LLC</description>
	<lastBuildDate>Tue, 22 Jun 2010 16:27:09 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Apache HTTP server 2.2.15</title>
		<link>http://www.informationarmor.com/2010/03/09/apache-http-server-2-2-15/</link>
		<comments>http://www.informationarmor.com/2010/03/09/apache-http-server-2-2-15/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 22:14:19 +0000</pubDate>
		<dc:creator>root</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[apache]]></category>
		<category><![CDATA[http]]></category>
		<category><![CDATA[openssl]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.informationarmor.com/?p=90</guid>
		<description><![CDATA[Apache has released HTTP Server version 2.2.15, which addresses a number of security exposures in prior versions of the HTTP server. Of particular note is the updating of the OpenSSL library to 0.9.8m which addresses the renegotiation issues outlined in CVE-2009-3555. At the time of writing, the links to the complete changelog and downloads for [...]]]></description>
			<content:encoded><![CDATA[<p>Apache has released HTTP Server version 2.2.15, which addresses a number of security exposures in prior versions of the HTTP server. Of particular note is the update of the OpenSSL library to 0.9.8m, which addresses the renegotiation issues outlined in CVE-2009-3555. At the time of writing, the links to the complete changelog and downloads for 2.2.15 were not visible on the Apache Web site; however, we urge users to apply this latest vendor update as soon as possible.<br />
<a title="http://mail-archives.apache.org/mod_mbox/www-announce/201003.mbox/&lt;4B92BC77.8050401@apache.org&gt;" href="http://mail-archives.apache.org/mod_mbox/www-announce/201003.mbox/%3C4B92BC77.8050401@apache.org%3E">http://mail-archives.apache.org/mod_mbox/www-announce/201003.mbox/%3C4B92BC77.8050401@apache.org%3E</a><br />
<a title="http://httpd.apache.org/download.cgi" href="http://httpd.apache.org/download.cgi">http://httpd.apache.org/download.cgi</a></p>
<p>Proof of concept code exploiting a vulnerability (CVE-2010-0425) in mod_isapi of the Apache HTTP server version 2.2.14 was published to a well known Web site. Notes in the code state that the exploit may need to be run several times to successfully spawn a shell; a success rate of 70% is reported. The code also mentions that, if DEP is enabled (Windows platforms) for the Apache process, the result may be a denial of service condition. As CVE-2010-0425 is one of those noted as addressed in the above 2.2.15 release, we again suggest updating as soon as possible.<br />
<a title="http://www.exploit-db.com/exploits/11650" href="http://www.exploit-db.com/exploits/11650">http://www.exploit-db.com/exploits/11650</a><br />
<a title="http://securityreason.com/wlb_show/WLB-2010030028" href="http://securityreason.com/wlb_show/WLB-2010030028">http://securityreason.com/wlb_show/WLB-2010030028</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationarmor.com/2010/03/09/apache-http-server-2-2-15/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vulnerabilities</title>
		<link>http://www.informationarmor.com/2010/01/29/vulnerabilities/</link>
		<comments>http://www.informationarmor.com/2010/01/29/vulnerabilities/#comments</comments>
		<pubDate>Fri, 29 Jan 2010 15:21:47 +0000</pubDate>
		<dc:creator>root</dc:creator>
				<category><![CDATA[Education]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[apache]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[denial of service]]></category>
		<category><![CDATA[sql injection]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[Unified Meeting Place]]></category>
		<category><![CDATA[YaSSL]]></category>

		<guid isPermaLink="false">http://www.informationarmor.com/?p=59</guid>
		<description><![CDATA[Cisco disclosed multiple vulnerabilities in their Unified MeetingPlace product. These issues leave the product vulnerable to SQL injection attacks and could allow attackers to bypass authentication. Cisco has released patches to address these issues. http://www.cisco.com/warp/public/707/cisco-sa-20100127-mp.shtml http://secunia.com/advisories/38259/ The open source library YaSSL was found to have a security vulnerability related to the negotiation of SSL certificates. [...]]]></description>
			<content:encoded><![CDATA[<p>Cisco disclosed multiple vulnerabilities in their Unified MeetingPlace product. These issues leave the product vulnerable to SQL injection attacks and could allow attackers to bypass authentication. Cisco has released patches to address these issues.<br />
<a href="http://www.cisco.com/warp/public/707/cisco-sa-20100127-mp.shtml" target="_blank">http://www.cisco.com/warp/public/707/cisco-sa-20100127-mp.shtml</a><br />
<a href="http://secunia.com/advisories/38259/" target="_blank">http://secunia.com/advisories/38259/</a></p>
<p>The open source library YaSSL was found to have a security vulnerability related to the negotiation of SSL certificates. The possibility of a buffer overflow exists under these conditions. There has been a patch released to address this vulnerability.<br />
<a href="http://secunia.com/advisories/38344/" target="_blank">http://secunia.com/advisories/38344/</a><br />
<a href="http://osvdb.org/show/osvdb/61956" target="_blank">http://osvdb.org/show/osvdb/61956</a><br />
<a href="http://yassl.com/news.html#yassl199" target="_blank">http://yassl.com/news.html#yassl199</a></p>
<p>An overflow vulnerability was found in the 1.3.xx Apache open source web server. This issue leaves the server open to remote unauthenticated access and denial of service attacks. Upgrading to version 1.3.42 resolves this issue.<br />
<a href="http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0589.html" target="_blank">http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0589.html</a><br />
<a href="http://secunia.com/advisories/38319/2/" target="_blank">http://secunia.com/advisories/38319/2/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.informationarmor.com/2010/01/29/vulnerabilities/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
