From security em unicamp.br Tue Jul 5 10:23:06 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 5 Jul 2016 10:23:06 -0300
Subject: [SECURITY-L] [ANNOUNCE] Apache HTTP Server 2.4.23 Released
Message-ID: <20160705132306.GL19446@unicamp.br>

----- Forwarded message from Jim Jagielski -----

Date: Tue, 5 Jul 2016 09:08:01 -0400
From: Jim Jagielski
To: announce em httpd.apache.org
Subject: [ANNOUNCE] Apache HTTP Server 2.4.23 Released
X-Mailer: Apple Mail (2.3124)

               Apache HTTP Server 2.4.23 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.23 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This release of Apache is principally a feature and bug fix release.

NOTE: Versions 2.4.22 and 2.4.21 were not released.

We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.4.23 is available for download from:

  http://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.4 please see:

  http://httpd.apache.org/docs/trunk/new_features_2_4.html

Of particular note are 2 reverse proxy additions: support of HTTP/2 and dynamic health checks.

Please see the CHANGES_2.4 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.4.23, includes only those changes introduced since the prior 2.4 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available:

  http://httpd.apache.org/security/vulnerabilities_24.html

This release requires the Apache Portable Runtime (APR) version 1.5.x and APR-Util version 1.5.x. The APR libraries must be upgraded for all features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and require minimal or no source code changes.

  http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe.

Please note that the Apache Web Server Project will only provide maintenance releases of the 2.2.x flavor through June of 2017, and will provide some security patches beyond this date through at least December of 2017. Minimal maintenance patches of 2.2.x are expected throughout this period, and users are strongly encouraged to promptly complete their transitions to the 2.4.x flavor of httpd to benefit from a much larger assortment of minor security and bug fixes as well as new features.

----- End forwarded message -----

From security-news em drupal.org Sun Jul 17 14:18:06 2016
From: security-news em drupal.org (security-news em drupal.org)
Date: Sun, 17 Jul 2016 17:18:06 +0000 (UTC)
Subject: [SECURITY-L] [Security-news] Drupal 8.x core release on Monday -- PSA-2016-002
Message-ID:

View online: https://www.drupal.org/PSA-2016-002

  * Advisory ID: DRUPAL-PSA-2016-002
  * Project: Drupal
  * Version: 8.x
  * Date: 2016-July-17
  * Security risk: TBD
  * Vulnerability: TBD

-------- DESCRIPTION ---------------------------------------------------------

We will be doing a Drupal 8 core patch release on Monday, July 18th. This will occur between 14:15 UTC and 19:00 UTC. There will not be a Drupal 7 release during this window.

-------- WHY IS THIS RELEASE BEING ISSUED? -----------------------------------

The Drupal security team has learned that a third-party Drupal 8 dependency will be making a security release on Monday, July 18th and in accordance we will be making a Drupal 8 release soon after. We will not disclose details of the third-party update in advance of that release and cannot respond to requests for further information.

This security release is for the dependency only and only affects Drupal 8 sites. Other mitigating factors will be included with our published SA.

-------- WHAT ABOUT THE REGULARLY SCHEDULED RELEASE WINDOW ON WEDNESDAY, JULY 20? -----------------------------------------------------------------

We are moving the regularly scheduled window two days earlier to provide the third-party dependency update, so this replaces that window. There will not be another core release on Wednesday, July 20th.

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [1].

Learn more about the Drupal Security team and their policies [2], writing secure code for Drupal [3], and securing your site [4].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [5]

[1] https://www.drupal.org/contact
[2] https://www.drupal.org/security-team
[3] https://www.drupal.org/writing-secure-code
[4] https://www.drupal.org/security/secure-configuration
[5] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

From security em unicamp.br Mon Jul 18 14:24:04 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 18 Jul 2016 14:24:04 -0300
Subject: [SECURITY-L] [Security-news] Drupal Core - Highly Critical - Injection - SA-CORE-2016-003]
Message-ID: <20160718172404.GI29650@unicamp.br>

View online: https://www.drupal.org/SA-CORE-2016-003

  * Advisory ID: DRUPAL-SA-2016-002
  * Project: Drupal core [1]
  * Version: 8.x
  * Date: 2016-July-18
  * Security risk: 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Proof/TD:Default [2]
  * Vulnerability: Injection

-------- DESCRIPTION ---------------------------------------------------------

Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/ [3].

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

  * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Drupal core 8.x versions prior to 8.1.7

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use Drupal 8.x, upgrade to Drupal core 8.1.7 [5]
  * If you use Drupal 7.x, Drupal core is not affected. However, you should consider using the mitigation steps at https://httpoxy.org/ [6] since you might have modules or other software on your server affected by this issue. For example, sites using Apache can add the following code to .htaccess:

      RequestHeader unset Proxy

We also suggest mitigating it as described here: https://httpoxy.org/ [7]

Also see the Drupal core [8] project page.

-------- WHAT IF I AM RUNNING DRUPAL CORE 8.0.X? -----------------------------

Drupal core 8.0.x is no longer supported. Update to 8.1.7 to get the latest security and bug fixes.

-------- WHY IS THIS BEING RELEASED MONDAY RATHER THAN WEDNESDAY? ------------

The Drupal Security Team usually releases Security Advisories on Wednesdays. However, this vulnerability affects more than Drupal, and the authors of Guzzle and reporters of the issue coordinated to make it public Monday. Therefore, we are issuing a core release to update to the secure version of Guzzle today.

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [9].

Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [13]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://httpoxy.org/
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/drupal/releases/8.1.7
[6] https://httpoxy.org/
[7] https://httpoxy.org/
[8] https://www.drupal.org/project/drupal
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list

From security em unicamp.br Mon Jul 18 15:41:01 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 18 Jul 2016 15:41:01 -0300
Subject: [SECURITY-L] [Advisory] Apache Software Foundation Projects and "httpoxy" CERT VU#797896]
Message-ID: <20160718184101.GO29650@unicamp.br>

Advisory: Apache Software Foundation Projects and "httpoxy" CERT VU#797896

Canonical URL: https://www.apache.org/security/asf-httpoxy-response.txt
Publication: v1.0 18 July 2016

Audience
--------

This Advisory is directed to HTTP web server administrators and users of the software indicated below, including CGI developers. This Advisory is not directed to a general audience, especially web browser users. The issues raised by the "httpoxy" class of vulnerabilities affect web servers, and are not an issue for consumers of web services to address.

Background
----------

The ASF (Apache Software Foundation) offers a number of software packages which offer HTTP protocol ("Web") requests and responses, and offer the developer or administrator CGI (Common Gateway Interface) routing through these software packages. The Apache HTTP Server (httpd and mod_fcgid), Apache Perl (mod_perl) and Apache Tomcat projects all offer CGI handling of HTTP requests. The Apache Traffic Server proxies HTTP requests, but offers no CGI support.

Many other ASF projects utilize the HTTP protocol, but at this time we have not identified any which provide CGI handling, or forward the HTTP "Proxy:" header implicated in the "httpoxy" class of issues. In the event that other projects discover such a defect, or can contribute to mitigating this class of issues, this Advisory will be updated.

Note especially that PHP (http://www.php.net) is not an Apache Software Foundation project (this is a common point of confusion), and that this Advisory does not attempt to address third-party software, scripts, libraries or components affected by the "httpoxy" group of issues.

See https://httpoxy.org/ (not affiliated with the ASF) for a complete discussion of the "httpoxy" class of issues, which are not reiterated in this advisory.

The Apache Software Foundation wishes to thank Dominic Scheirlinck and Scott Geary of Vend for bringing this issue to the attention of the ASF Security Team for a well-coordinated community response.

Apache HTTP Server (httpd)
--------------------------

Apache HTTP Server may be configured to proxy HTTP requests as a forward or reverse (gateway) proxy server, can proxy requests to a FastCGI service using mod_proxy_fcgi, and can directly serve CGI applications using mod_cgi or mod_cgid or the related mod_isapi service. The project's mod_fcgid subproject (available as a separate add-in module) directly manages CGI scripts using the FastCGI protocol.

It may also be configured to directly host a number of external modules which run CGI-style applications in-process. The server itself does not modify the CGI environment in this case; however, these external modules may perform such modifications of their environment variables in-process. Such examples include mod_php, mod_perl and mod_wsgi.

To mitigate "httpoxy" issues across all of the above mechanisms, the most direct solution is to drop any "Proxy:" header arriving from an upstream proxy server or the origin user-agent. This will mitigate the issue for any vulnerable back-end server or CGI across all traffic through this server. The two lines below, enabled in the httpd.conf file, will remove the "Proxy:" header from all incoming requests, before further processing:

  LoadModule headers_module {path-to}/mod_headers.so
  RequestHeader unset Proxy early

(Users who have mod_headers compiled-in to the httpd binary must omit the LoadModule directive above; others must adjust the {path-to} to point to the mod_headers.so file.)
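As an added illustration (not httpd code and not part of the forwarded advisory), the C sketch below models how the CGI header-to-environment mapping turns a client-supplied "Proxy:" request header into HTTP_PROXY in a CGI's environment, and what each of the two mitigations this advisory describes changes: dropping the header before CGI setup, or skipping it when the environment table is built. All function and type names are hypothetical stand-ins for httpd's own, and the request headers are constructed sample data.

```c
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAX_VARS 16
#define LEN 128
struct header { const char *key; const char *val; };
/* Tiny stand-in for httpd's CGI environment table (apr_table_t). */
struct cgi_env { int n; char name[MAX_VARS][LEN]; char val[MAX_VARS][LEN]; };

static void env_set(struct cgi_env *e, const char *name, const char *val) {
    if (e->n >= MAX_VARS) return;
    snprintf(e->name[e->n], LEN, "%s", name);
    snprintf(e->val[e->n], LEN, "%s", val);
    e->n++;
}
/* What a CGI child's getenv() would return; NULL when unset. */
const char *env_get(const struct cgi_env *e, const char *name) {
    for (int i = 0; i < e->n; i++)
        if (strcmp(e->name[i], name) == 0) return e->val[i];
    return NULL;
}

/* CGI/1.1 rule: "HTTP_" + upper-cased header name with '-' turned into '_'.
 * Authorization is never exported (section 11.2). With exclude_proxy set, a
 * "Proxy" header is skipped too, which is what the advisory's source patch
 * does. Hypothetical stand-in for httpd's ap_add_common_vars, not its code. */
void add_common_vars(struct cgi_env *e, const struct header *h, int count,
                     int exclude_proxy) {
    for (int i = 0; i < count; i++) {
        const char *k = h[i].key;
        if (strcasecmp(k, "Authorization") == 0 ||
            strcasecmp(k, "Proxy-Authorization") == 0)
            continue; /* credentials stay out of the CGI environment */
        if (exclude_proxy && strcasecmp(k, "Proxy") == 0)
            continue; /* a client must not choose the CGI's HTTP_PROXY */
        char name[LEN] = "HTTP_";
        size_t p = strlen(name);
        for (; *k && p < LEN - 1; k++)
            name[p++] = (*k == '-') ? '_' : (char)toupper((unsigned char)*k);
        name[p] = '\0';
        env_set(e, name, h[i].val);
    }
}

/* Models "RequestHeader unset Proxy early": the header is gone before any
 * CGI environment is built. Returns the number of headers kept. */
int strip_proxy_header(const struct header *in, int count, struct header *out) {
    int kept = 0;
    for (int i = 0; i < count; i++)
        if (strcasecmp(in[i].key, "Proxy") != 0) out[kept++] = in[i];
    return kept;
}

/* Constructed request (not a capture) carrying a client-chosen "Proxy:"
 * header. Builds the environment a CGI would inherit under each mitigation. */
const struct cgi_env *build_cgi_env(int strip_header, int exclude_in_env) {
    static const struct header req[] = {
        { "Host", "www.example.com" }, { "User-Agent", "curl/7.47.0" },
        { "Proxy", "http://198.51.100.7:8080" }, { "Authorization", "Basic Zm9vOmJhcg==" } };
    static struct cgi_env env;
    struct header kept[4];
    const struct header *use = req; int n = 4;
    if (strip_header) { n = strip_proxy_header(req, 4, kept); use = kept; }
    memset(&env, 0, sizeof env);
    add_common_vars(&env, use, n, exclude_in_env);
    return &env;
}
```

With neither mitigation, env_get(build_cgi_env(0, 0), "HTTP_PROXY") returns the client's value; with either one it returns NULL while HTTP_HOST and HTTP_USER_AGENT are still exported.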
If the administrator wishes to preserve the value of the "Proxy:" header for most traffic, and only eliminate it from the CGI environment variable HTTP_PROXY, a second mitigation is offered. This patch will address this behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid, along with all other consumers of httpd's built-in environment handling. The bundled httpd modules all rely on ap_add_common_vars() to set up the target CGI environment.

The project will include the recommended patch below in all subsequent releases of httpd, including 2.4.24 and 2.2.32. Users who build httpd 2.2.x or 2.4.x from source may apply the patch below, recompile and re-install httpd to obtain this mitigation.

This mitigation has been assigned the identifier CVE-2016-5387.

======= Patch to httpd sources 2.4.x and 2.2.x =======
--- server/util_script.c    (revision 1752426)
+++ server/util_script.c    (working copy)
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them
======= End Patch =======

Apache HTTP Server (mod_fcgid)
------------------------------

Either mitigation listed in the Apache HTTP Server (httpd) guidance above also mitigates all risks for CGIs which are invoked by mod_fcgid. Therefore any CVE with respect to mod_fcgid is revoked as a duplicate of CVE-2016-5387.

Apache Perl Module (mod_perl)
-----------------------------

Either mitigation listed in the Apache HTTP Server (httpd) guidance above also mitigates "httpoxy" risks for requests which are served by mod_perl. Note also that the Perl LWP::HTTP package has long avoided recognizing the HTTP_PROXY environment variable when serving CGI requests.

Apache Tomcat
-------------

Apache Tomcat provides a CGI Servlet that allows a CGI script to be executed. The CGI Servlet isn't active in the configuration delivered by the ASF, and activating it requires the user to modify the web.xml delivered. To mitigate "httpoxy" issues in the CGI Servlet there are 3 possible ways:

1 - Add a filter in the webapp that uses CGI scripts: simple code to reject the requests with PROXY headers via a 400 "bad request" error. Map the filter in web.xml of the webapp.
Code like the following will allow that:

+++
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.ServletException;

/*
 * Simple filter
 */
public class PoxyFilter implements Filter {

    protected FilterConfig filterConfig;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
            throws java.io.IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest)request;
        HttpServletResponse res = (HttpServletResponse)response;
        // Header names are case-insensitive, so "proxy" also matches "Proxy".
        String poxy = req.getHeader("proxy");
        if (poxy == null) {
            // call next filter in the chain.
            chain.doFilter(request, response);
        } else {
            // Reject any request that carries a Proxy header.
            res.sendError(400);
        }
    }
}
+++

2 - Add a global valve to reject requests with a PROXY header: create a PoxyValve.java with the content below, compile it, put it in a jar and put the jar in the lib directory of your Tomcat installation.

Add the line in conf/server.xml (like after the AccessLogValve) and restart Tomcat:

+++
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.valves.ValveBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;

public class PoxyValve extends ValveBase {

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Reject the request outright if a Proxy header is present.
        String poxy = request.getHeader("Proxy");
        if (poxy != null) {
            response.sendError(400);
            return;
        }
        // Otherwise hand the request on to the next valve in the pipeline.
        getNext().invoke(request, response);
    }
}
+++

3 - Fix the CGIServlet code with the following patch, recompile Tomcat, replace the catalina.jar in your installation with the produced one, and restart Tomcat:

+++
--- java/org/apache/catalina/servlets/CGIServlet.java    (revision 1724080)
+++ java/org/apache/catalina/servlets/CGIServlet.java    (working copy)
@@ -1095,7 +1095,8 @@
                 //REMIND: change character set
                 //REMIND: I forgot what the previous REMIND means
                 if ("AUTHORIZATION".equalsIgnoreCase(header) ||
-                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
+                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header) ||
+                    "PROXY".equalsIgnoreCase(header)) {
                     //NOOP per CGI specification section 11.2
                 } else {
                     envp.put("HTTP_" + header.replace('-', '_'),
+++

A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388, which will allow the user to prevent values like HTTP_PROXY from being propagated to the CGI Servlet environment.

Apache Traffic Server (ATS)
---------------------------

Apache Traffic Server is unaffected by this class of vulnerabilities, as it provides no direct CGI or FastCGI request handling. As a proxy server, ATS may be configured to route requests to vulnerable CGI applications as described by the "httpoxy" class of exploits. Apache Traffic Server can be configured to drop the HTTP "Proxy:" request header from incoming requests as a mitigation, to prevent this request header from being forwarded to potentially unhardened backend servers.

One configuration to strip the Proxy header is:

/usr/local/etc/trafficserver/plugin.config
  header_rewrite.so strip_proxy.conf

/usr/local/etc/trafficserver/strip_proxy.conf
  cond %{READ_REQUEST_HDR_HOOK}
  rm-header Proxy

From security em unicamp.br Wed Jul 27 17:12:13 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 27 Jul 2016 17:12:13 -0300
Subject: [SECURITY-L] [carnil@debian.org: [SECURITY] [DSA 3632-1] mariadb-10.0 security update]
Message-ID: <20160727201213.GC16288@unicamp.br>

----- Forwarded message from Salvatore Bonaccorso -----

Date: Wed, 27 Jul 2016 14:48:54 +0000
From: Salvatore Bonaccorso
To: debian-security-announce em lists.debian.org
Subject: [SECURITY] [DSA 3632-1] mariadb-10.0 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3632-1                   security em debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 27, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mariadb-10.0
CVE ID         : CVE-2016-3477 CVE-2016-3521 CVE-2016-3615 CVE-2016-5440

Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.26. Please see the MariaDB 10.0 Release Notes for further details:

  https://mariadb.com/kb/en/mariadb/mariadb-10026-release-notes/

For the stable distribution (jessie), these problems have been fixed in version 10.0.26-0+deb8u1.

For the unstable distribution (sid), these problems have been fixed in version 10.0.26-1.

We recommend that you upgrade your mariadb-10.0 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce em lists.debian.org

----- End forwarded message -----

From security em unicamp.br Fri Jul 29 11:52:17 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 29 Jul 2016 11:52:17 -0300
Subject: [SECURITY-L] [adconrad@ubuntu.com: Ubuntu 15.10 (Wily Werewolf) End of Life reached on July 28 2016]
Message-ID: <20160729145217.GU16288@unicamp.br>

----- Forwarded message from Adam Conrad -----

Date: Thu, 28 Jul 2016 23:32:17 +0000
From: Adam Conrad
To: ubuntu-announce em lists.ubuntu.com
Cc: ubuntu-security-announce em lists.ubuntu.com
Subject: Ubuntu 15.10 (Wily Werewolf) End of Life reached on July 28 2016

This is a follow-up to the End of Life warning sent earlier this month to confirm that as of today (July 28, 2016), Ubuntu 15.10 is no longer supported. No more package updates will be accepted to 15.10, and it will be archived to old-releases.ubuntu.com in the coming weeks.

The original End of Life warning follows, with upgrade instructions:

Ubuntu announced its 15.10 (Wily Werewolf) release almost 9 months ago, on October 22, 2015. As a non-LTS release, 15.10 has a 9-month support cycle and, as such, the support period is now nearing its end and Ubuntu 15.10 will reach end of life on Thursday, July 28th. At that time, Ubuntu Security Notices will no longer include information or updated packages for Ubuntu 15.10.

The supported upgrade path from Ubuntu 15.10 is via Ubuntu 16.04. Instructions and caveats for the upgrade may be found at:

  https://help.ubuntu.com/community/XenialUpgrades

Ubuntu 16.04 continues to be actively supported with security updates and select high-impact bug fixes. Announcements of security updates for Ubuntu releases are sent to the ubuntu-security-announce mailing list, information about which may be found at:

  https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Since its launch in October 2004 Ubuntu has become one of the most highly regarded Linux distributions with millions of users in homes, schools, businesses and governments around the world. Ubuntu is Open Source software, costs nothing to download, and users are free to customise or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad

--
ubuntu-security-announce mailing list
ubuntu-security-announce em lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

----- End forwarded message -----