Details

It was discovered that the mod_negotiation module incorrectly handled

certain filenames, which could result in browsers becoming vulnerable to

cross-site scripting attacks when processing the output. With cross-site

scripting vulnerabilities, if a user were tricked into viewing server

output during a crafted server request, a remote attacker could exploit

this to modify the contents, or steal confidential data (such as

passwords), within the same domain. (CVE-2012-2687)

It was discovered that the Apache HTTP Server was vulnerable to the "CRIME"

SSL data compression attack. Although this issue had been mitigated on the

client with newer web browsers, this update also disables SSL data

compression on the server. A new SSLCompression directive for Apache has

been backported that may be used to re-enable SSL data compression in

certain environments. For more information, please refer to:

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression

(CVE-2012-4929)