
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN339
____________________________________________________________________

DATE                :  23/08/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Apache versions prior to 2.4.3.

======================================================================
http://httpd.apache.org/security/vulnerabilities_24.html
______________________________________________________________________

Vulnerabilities Fixed in Apache httpd 2.4.3

important: Response mixup when using mod_proxy_ajp or mod_proxy_http
CVE-2012-3502

The modules mod_proxy_ajp and mod_proxy_http did not always close the
connection to the back end server when necessary as part of error
handling. This could lead to an information disclosure due to a response
mixup between users.
    Issue public: 16th August 2012
    Update Released: 21st August 2012
    Affects: 2.4.2, 2.4.1

low: XSS in mod_negotiation when untrusted uploads are supported
CVE-2012-2687

Possible XSS for sites which use mod_negotiation and allow untrusted
uploads to locations which have MultiViews enabled.
    Reported to security team: 31st May 2012
    Issue public: 13th June 2012
    Update Released: 21st August 2012
    Affects: 2.4.2, 2.4.1
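
Added example, not part of the original advisory or of Apache's own tooling: a Python check that lists the configuration sections where an Options directive turns MultiViews on, so they can be compared against locations that accept untrusted uploads. The sample configuration, its paths and the function name are constructed for illustration.

```python
import re

# Constructed sample configuration; paths and vhost are hypothetical.
SAMPLE_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/uploads">
    Options +MultiViews
</Directory>
<Directory "/var/www/html/static">
    Options Indexes -MultiViews
</Directory>
<VirtualHost *:80>
    <Location "/files">
        Options MultiViews Indexes
    </Location>
</VirtualHost>
"""

SECTION_OPEN = re.compile(r"^\s*<(\w+)\b\s*(.*?)\s*>\s*$")
SECTION_CLOSE = re.compile(r"^\s*</\w+\s*>\s*$")
OPTIONS = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE)

def multiviews_sections(conf_text):
    """Return (scope, line_number) for every Options line that enables MultiViews."""
    stack, hits = [], []
    for number, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        opened = SECTION_OPEN.match(line)
        if opened:
            label = opened.group(1) + " " + opened.group(2).strip('"')
            stack.append(label.strip())
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        options = OPTIONS.match(line)
        if options:
            tokens = {t.lower() for t in options.group(1).split()}
            # "Options All" does not include MultiViews, so only an explicit
            # MultiViews or +MultiViews token switches it on; -MultiViews does not.
            if tokens & {"multiviews", "+multiviews"}:
                hits.append((" > ".join(stack) or "(server config)", number))
    return hits

if __name__ == "__main__":
    for scope, number in multiviews_sections(SAMPLE_CONF):
        print(f"line {number}: MultiViews enabled in {scope}")
```

.htaccess files can also set Options where AllowOverride permits it, so the same function should be run over them as well.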

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
