Scientific Linux Security Update : httpd on SL6.x i386/x86_64 (20130221)

Medium Nessus Plugin ID 64952

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

An input sanitization flaw was found in the mod_negotiation Apache HTTP Server module. A remote attacker able to upload or create files with arbitrary names in a directory that has the MultiViews option enabled could use this flaw to conduct cross-site scripting attacks against users visiting the site. (CVE-2008-0455, CVE-2012-2687)

It was discovered that mod_proxy_ajp, when used in configurations with mod_proxy in load balancer mode, would mark a back-end server as failed when request processing timed out, even when the back-end had responded to a previous AJP (Apache JServ Protocol) CPing request. A remote attacker able to make a back-end spend an excessive amount of time processing a request could cause mod_proxy to stop sending requests to back-end AJP servers for the retry timeout period, or until all back-end servers were marked as failed. (CVE-2012-4557)

After installing the updated packages, the httpd daemon will be restarted automatically.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?99857930

Plugin Details

Severity: Medium

ID: 64952

File Name: sl_20130221_httpd_on_SL6_x.nasl

Version: 1.8

Type: local

Agent: unix

Published: 2013/03/01

Updated: 2020/09/24

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 3.8

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:fermilab:scientific_linux:httpd, p-cpe:/a:fermilab:scientific_linux:httpd-debuginfo, p-cpe:/a:fermilab:scientific_linux:httpd-devel, p-cpe:/a:fermilab:scientific_linux:httpd-manual, p-cpe:/a:fermilab:scientific_linux:httpd-tools, p-cpe:/a:fermilab:scientific_linux:mod_ssl, x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 2013/02/21

Vulnerability Publication Date: 2008/01/25

Reference Information

CVE: CVE-2008-0455, CVE-2012-2687, CVE-2012-4557

CWE: 79