----------------------------------------------------------------------


Use WSUS to deploy 3rd party patches

Public BETA
http://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/


----------------------------------------------------------------------

TITLE:
Apache HTTP Server Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA38776

VERIFY ADVISORY:
http://secunia.com/advisories/38776/

DESCRIPTION:
Some vulnerabilities have been reported in Apache HTTP Server, where
one has unknown impacts and others can be exploited by malicious
people to gain access to potentially sensitive information or cause a
DoS (Denial of Service).

1) The "ap_proxy_ajp_request()" function in
modules/proxy/mod_proxy_ajp.c of the mod_proxy_ajp module returns the
"HTTP_INTERNAL_SERVER_ERROR" error code when processing certain
malformed requests. This can be exploited to put the backend server
into an error state until the retry timeout expired by sending
specially crafted requests.

2) The mod_isapi module could unload ISAPI modules before the request
processing is complete, potentially leaving orphaned callback pointers
behind.

3) An error exists within the header handling when processing
subrequests, which can lead to sensitive information from a request
being handled by the wrong thread if a multi-threaded
Multi-Processing Module (MPM) is used.

Vulnerabilities #1 and #3 are reported in version 2.2.0, 2.2.2,
2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 2.2.9, 2.2.11, 2.2.12, 2.2.13, and
2.2.14.

SOLUTION:
Fixed in httpd 2.2.15-dev. Update to version 2.2.15 as soon as it
becomes available.

PROVIDED AND/OR DISCOVERED BY:
1, 2) Reported by the vendor.
3) Reported in a bug report by Philip Pickett

ORIGINAL ADVISORY:
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=917875 
http://svn.apache.org/viewvc?view=revision&revision=917870
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------