
Advisories:rPSA-2009-0142


rPath Security Advisory 2009-0142-2

Published: 2009-11-12

Updated

  1. 2009-11-12 updated to reference CVE-2009-1891

Products

  • rPath Appliance Platform Linux Service 2
  • rPath Linux 2

Rating

Major

Exposure Level Classification

Local System User Deterministic Privilege Escalation

Updated Versions

  • httpd=conary.rpath.com@rpl:2/2.2.9-4.2-1
  • httpd=rap-emc.rpath.com@rpath:emc-production-2/2.2.9-5-1
  • mod_ssl=conary.rpath.com@rpl:2/2.2.9-4.2-1
  • mod_ssl=rap-emc.rpath.com@rpath:emc-production-2/2.2.9-5-1

rPath Issue Tracking System

References

Description

Previous versions of httpd do not properly handle Options=IncludesNOEXEC
in the AllowOverride directive, which allows local users to gain
privileges via a specially crafted .htaccess file combined with an exec
element in a .shtml file.
Additionally, two similar vulnerabilities exist -- one in mod_proxy,
and one in mod_deflate -- which could allow a remote attacker
to cause a denial of service (CPU consumption) via crafted requests.
These three issues have been addressed in this release.
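
A configuration audit for the first issue described above, as an added example (not rPath's or the Apache project's code). It finds `<Directory>` blocks whose AllowOverride lists Options=IncludesNOEXEC and, beneath them, .htaccess files that set an Includes option and .shtml files that contain an exec element. The sample configuration, paths and file contents are constructed, and flagging any Includes option in .htaccess for review is an assumption of this example.

```python
import fnmatch
import re

# Constructed sample httpd configuration and user files (assumed paths, not from the advisory).
SAMPLE_CONF = '''\
<Directory "/var/www/html">
    AllowOverride None
</Directory>
<Directory "/home/*/public_html">
    AllowOverride AuthConfig Options=Indexes,IncludesNOEXEC
</Directory>
'''
SAMPLE_FILES = {
    "/home/alice/public_html/.htaccess": "Options +Includes\n",
    "/home/alice/public_html/page.shtml": '<!--#exec cmd="date" -->\n',
    "/home/bob/public_html/index.shtml": '<!--#include virtual="/foot.html" -->\n',
    "/var/www/html/status.shtml": '<!--#exec cmd="uptime" -->\n',
}

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^\s*</Directory\s*>', re.I)
ALLOW = re.compile(r'^\s*AllowOverride\s+(.*)$', re.I)
HTACCESS_INCLUDES = re.compile(r'^\s*Options\b.*Includes', re.I | re.M)
SSI_EXEC = re.compile(r'<!--#exec\b', re.I)

def exposed_directories(conf_text):
    """Directory paths whose AllowOverride lists Options=...IncludesNOEXEC."""
    exposed, stack = [], []
    for line in conf_text.splitlines():
        if m := DIR_OPEN.match(line):
            stack.append(m.group(1))
        elif DIR_CLOSE.match(line) and stack:
            stack.pop()
        elif (m := ALLOW.match(line)) and stack:
            for token in m.group(1).lower().split():
                if token.startswith("options=") and "includesnoexec" in token[8:].split(","):
                    exposed.append(stack[-1])
    return exposed

def files_to_review(files, exposed):
    """Files under an exposed directory that set Includes or use an SSI exec element.
    fnmatch's * also crosses "/", so scoping errs toward over-reporting."""
    hits = []
    for path, text in files.items():
        in_scope = any(fnmatch.fnmatch(path, d.rstrip("/") + "/*") for d in exposed)
        sets_includes = path.endswith("/.htaccess") and HTACCESS_INCLUDES.search(text)
        uses_exec = path.endswith(".shtml") and SSI_EXEC.search(text)
        if in_scope and (sets_includes or uses_exec):
            hits.append(path)
    return sorted(hits)
```

On a host still running an httpd older than the updated versions listed above, every path returned by `files_to_review` is worth a manual look until the update is applied.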

Copyright 2009 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html