(Oracle Issues Fix for Oracle Linux) Apache Bugs Let Remote Users Deny Service
SecurityTracker Alert ID: 1033370
SecurityTracker URL: http://securitytracker.com/id/1033370
Date: Aug 25 2015
Impact: Denial of service via network, Not specified
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.4.x prior to 2.4.16
Several vulnerabilities were reported in Apache. A remote user can cause denial of service conditions on the target system. The impact of some vulnerabilities was not specified.
A remote user can trigger a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active [CVE-2015-0253]. Versions 2.4.11 and after are affected. The vendor has assigned PR 57531 to this vulnerability.
A remote user can send a specially crafted websockets ping to trigger a flaw in mod_lua and cause the target child process to crash [CVE-2015-0228]. The vulnerability occurs when the ping is received and then a script calls the r:wsupgrade() function.
A remote user can trigger a chunk header parsing flaw in apr_brigade_flatten() [CVE-2015-3183]. The impact was not specified.
A remote user can trigger an unspecified flaw in ap_some_auth_required() [CVE-2015-3185]. The impact was not specified.
A remote user can cause denial of service conditions.
Oracle has issued a fix for CVE-2015-3183 for Oracle Linux.
The Oracle Linux advisory is available at:
Cause: Access control error, Input validation error, Not specified, State error
Underlying OS: Linux (Oracle)
Underlying OS Comments: 6
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: [El-errata] ELSA-2015-1668 Moderate: Oracle Linux 6 httpd security update
Oracle Linux Security Advisory ELSA-2015-1668
The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:
Description of changes:
- replace index.html with Oracle's index page oracle_index.html
- update vstring in specfile
- fix regressions caused by fix for CVE-2015-3183