
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories


SUSE: 2023:4228-1 - Minor Update for PostgreSQL Security Issue

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:4227-1
Container Tags        : suse/manager/4.3/proxy-httpd:4.3.10 , suse/manager/4.3/proxy-httpd:4.3.10.9.43.6 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.10 , suse/manager/4.3/proxy-httpd:susemanager-4.3.10.9.43.6
Container Release     : 9.43.6
Severity              : moderate
Type                  : security
References            : 1201384 1218014 CVE-2023-50495
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4891-1
Released:    Mon Dec 18 16:31:49 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1201384,1218014,CVE-2023-50495

This update for ncurses fixes the following issues:

- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
- Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

The following package changes have been done:

- libncurses6-6.1-150000.5.20.1 updated
- terminfo-base-6.1-150000.5.20.1 updated
- ncurses-utils-6.1-150000.5.20.1 updated

SUSE Container Notification for suse/manager/4.3/proxy-httpd addressing critical security flaws.

SUSE Container, Proxy-Httpd, Nginx, Security Update.

LinuxSecurity.com Team

Dec 20, 2023 SuSE

Slackware 14.1 Security Advisory: Apache DDoS Mitigation Updates

[slackware-security] httpd (SSA:2014-204-01)

New httpd packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.10-i486-1_slack14.1.txz: Upgraded.
  This update fixes the following security issues:
  *) SECURITY: CVE-2014-0117 (cve.mitre.org) mod_proxy: Fix crash in Connection header handling which allowed a denial of service attack against a reverse proxy with a threaded MPM. [Ben Reser]
  *) SECURITY: CVE-2014-0118 (cve.mitre.org) mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of service via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener]
  *) SECURITY: CVE-2014-0226 (cve.mitre.org) Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. [Joe Orton, Eric Covener]
  *) SECURITY: CVE-2014-0231 (cve.mitre.org) mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts. [Rainer Jung, Eric Covener, Yann Ylavic]
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2014-0117
    https://www.cve.org/CVERecord?id=CVE-2014-0118
    https://www.cve.org/CVERecord?id=CVE-2014-0226
    https://www.cve.org/CVERecord?id=CVE-2014-0231
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you.

Updated package for Slackware 13.0:
Updated package for Slackware x86_64 13.0:
Updated package for Slackware 13.1:
Updated package for Slackware x86_64 13.1:
Updated package for Slackware 13.37:
Updated package for Slackware x86_64 13.37:
Updated package for Slackware 14.0:
Updated package for Slackware x86_64 14.0:
Updated package for Slackware 14.1:
Updated package for Slackware x86_64 14.1:
Updated package for Slackware -current:
Updated package for Slackware x86_64 -current:

MD5 signatures:
+-------------+

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg httpd-2.4.10-i486-1_slack14.1.txz

Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start

+-----+

Recent updates to the httpd packages tackle a range of security vulnerabilities in Slackware, enhancing overall system reliability and protection for users.

httpd updates, Slackware security, denial of service fix, package management.

Severity: Important.

LinuxSecurity.com Team

Jul 24, 2014 Important Slackware

Scientific Linux: January 8, 2013 Low Security Update for httpd

Date:         Wed, 16 Jan 2013 16:10:29 -0600
Reply-To:     Pat Riehecky
Sender:       Security Errata for Scientific Linux
From:         Pat Riehecky
Organization: Fermilab
Subject:      Security ERRATA Low: httpd on SL5.x i386/x86_64

Synopsis:    Low: httpd security, bug fix, and enhancement update
Issue Date:  2013-01-08
CVE Numbers: CVE-2012-2687 CVE-2008-0455 CVE-2008-0456
--
Input sanitization flaws were found in the mod_negotiation module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews options enabled, could use these flaws to conduct cross-site scripting and HTTP response splitting attacks against users visiting the site. (CVE-2008-0455, CVE-2008-0456, CVE-2012-2687)

Bug fixes:

* Previously, no check was made to see if the /etc/pki/tls/private/localhost.key file was a valid key prior to running the "%post" script for the "mod_ssl" package. Consequently, when /etc/pki/tls/certs/localhost.crt did not exist and "localhost.key" was present but invalid, upgrading the Apache HTTP Server daemon (httpd) with mod_ssl failed. The "%post" script has been fixed to test for an existing SSL key. As a result, upgrading httpd with mod_ssl now proceeds as expected.

* The "mod_ssl" module did not support operation under FIPS mode. Consequently, when operating Scientific Linux 5 with FIPS mode enabled, httpd failed to start. An upstream patch has been applied to disable non-FIPS functionality if operating under FIPS mode and httpd now starts as expected.

* Prior to this update, httpd exit status codes were not Linux Standard Base (LSB) compliant. When the command "service httpd reload" was run and httpd failed, the exit status code returned was "0" and not in the range 1 to 6 as expected. A patch has been applied to the init script and httpd now returns "1" as an exit status code.

* Chunked Transfer Coding is described in RFC 2616. Previously, the Apache server did not correctly handle a chunked encoded POST request with a "chunk-size" or "chunk-extension" value of 32 bytes or more. Consequently, when such a POST request was made the server did not respond. An upstream patch has been applied and the problem no longer occurs.

* Due to a regression, when mod_cache received a non-cacheable 304 response, the headers were served incorrectly. Consequently, compressed data could be returned to the client without the cached headers to indicate the data was compressed. An upstream patch has been applied to merge response and cached headers before data from the cache is served to the client. As a result, cached data is now correctly interpreted by the client.

* In a proxy configuration, certain response-line strings were not handled correctly. If a response-line without a "description" string was received from the origin server, for a non-standard status code, such as the "450" status code, a "500 Internal Server Error" would be returned to the client. This bug has been fixed so that the original response line is returned to the client.

Enhancements:

* The configuration directive "LDAPReferrals" is now supported in addition to the previously introduced "LDAPChaseReferrals".

* The AJP support module for "mod_proxy", "mod_proxy_ajp", now supports the "ProxyErrorOverride" directive. Consequently, it is now possible to configure customized error pages for web applications running on a backend server accessed via AJP.

* The "%posttrans" scriptlet which automatically restarts the httpd service after a package upgrade can now be disabled. If the file /etc/sysconfig/httpd-disable-posttrans exists, the scriptlet will not restart the daemon.

* The output of "httpd -S" now includes configured alias names for each virtual host.

* New certificate variable names are now exposed by "mod_ssl" using the "_DN_userID" suffix, such as "SSL_CLIENT_S_DN_userID", which use the commonly used object identifier (OID) definition of "userID", OID 0.9.2342.19200300.100.1.1.
--

SL5
  x86_64
    httpd-2.2.3-74.el5.x86_64.rpm
    httpd-debuginfo-2.2.3-74.el5.x86_64.rpm
    mod_ssl-2.2.3-74.el5.x86_64.rpm
    httpd-debuginfo-2.2.3-74.el5.i386.rpm
    httpd-devel-2.2.3-74.el5.i386.rpm
    httpd-devel-2.2.3-74.el5.x86_64.rpm
    httpd-manual-2.2.3-74.el5.x86_64.rpm
  i386
    httpd-2.2.3-74.el5.i386.rpm
    httpd-debuginfo-2.2.3-74.el5.i386.rpm
    mod_ssl-2.2.3-74.el5.i386.rpm
    httpd-devel-2.2.3-74.el5.i386.rpm
    httpd-manual-2.2.3-74.el5.i386.rpm

- Scientific Linux Development Team

Tackling security patches for httpd in Scientific Linux SL5, emphasizing vital bug resolutions and improvements.

httpd Patch, Low Severity Fix, Scientific Linux Update, Cross-Site Scripting, Bug Fix.

Severity: Low.

LinuxSecurity.com Team

Jan 16, 2013 Low Scientific Linux