Summary
The remote host is missing an update to apache2
announced via advisory DSA 2579-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202579-1
Insight
A vulnerability has been found in the Apache HTTPD Server:
CVE-2012-4557
A flaw was found when mod_proxy_ajp connects to a backend server that takes too long to respond. Given a specific configuration, a remote attacker could send certain requests, putting a backend server into an error state until the retry timeout expired. This could lead to a temporary denial of service.
In addition, this update also adds a server side mitigation for the following issue:
CVE-2012-4929
If using SSL/TLS data compression with HTTPS in an connection to a web browser, man-in-the-middle attackers may obtain plaintext HTTP headers. This issue is known as the CRIME attack. This update of apache2 disables SSL compression by default. A new SSLCompression directive has been backported that may be used to re-enable SSL data compression in environments where the CRIME attack is not an issue.
For more information, please refer to:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
For the stable distribution (squeeze), these problems have been fixed in version 2.2.16-6+squeeze10.
For the testing distribution (wheezy), these problems have been fixed in version 2.2.22-12.
For the unstable distribution (sid), these problems have been fixed in version 2.2.22-12.
We recommend that you upgrade your apache2 packages.
Severity
Classification
-
CVE CVE-2012-4557, CVE-2012-4929 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:N/I:N/A:P
Related Vulnerabilities