| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Aug 2005 16:38:33 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-160-1] Apache 2 vulnerabilities
===========================================================
Ubuntu Security Notice USN-160-1 August 04, 2005
apache2 vulnerabilities
CAN-2005-1268, CAN-2005-2088
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
apache2-mpm-perchild
apache2-mpm-prefork
apache2-mpm-threadpool
apache2-mpm-worker
The problem can be corrected by upgrading the affected package to
version 2.0.50-12ubuntu4.3 (for Ubuntu 4.10), or 2.0.53-5ubuntu5.2
(for Ubuntu 5.04). In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
Marc Stern discovered a buffer overflow in the SSL module's
certificate revocation list (CRL) handler. If Apache is configured to
use a malicious CRL, this could possibly lead to a server crash or
arbitrary code execution with the privileges of the Apache web server.
(CAN-2005-1268)
Watchfire discovered that Apache insufficiently verified the
"Transfer-Encoding" and "Content-Length" headers when acting as an
HTTP proxy. By sending a specially crafted HTTP request, a remote
attacker who is authorized to use the proxy could exploit this to
bypass web application firewalls, poison the HTTP proxy cache, and
conduct cross-site scripting attacks against other proxy users.
(CAN-2005-2088)
Updated packages for Ubuntu 4.10 (Warty Warthog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.3.diff.gz
Size/MD5: 99222 a380f023e1e5afc50b8b92ba5c6489b9
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.3.dsc
Size/MD5: 1151 69c9462592c46b43a4ec8166aab6209a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50.orig.tar.gz
Size/MD5: 6321209 9d0767f8a1344229569fcd8272156f8b
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.50-12ubuntu4.3_all.deb
Size/MD5: 3178388 566b8b373c0318b7d3f34692b30509ac
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.50-12ubuntu4.3_all.deb
Size/MD5: 163770 00c36a85687974f4eb90b5d8c13476e4
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.50-12ubuntu4.3_all.deb
Size/MD5: 164524 6050010e24b4f5e4a9cb2cdd9686c6c0
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.50-12ubuntu4.3_amd64.deb
Size/MD5: 864704 574b8e5c64df9913c8b66ccd107c60f0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.50-12ubuntu4.3_amd64.deb
Size/MD5: 230390 e38acb634e12c57ed669aa568cc67d06
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.50-12ubuntu4.3_amd64.deb
Size/MD5: 225610 a3bdfb1af745c6930136212c6fa33591
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.50-12ubuntu4.3_amd64.deb
Size/MD5: 228988 94ff614ff1caa04fe845c8204c5bb91b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.50-12ubuntu4.3_amd64.deb
Size/MD5: 229582 7b3a84aad84baaa7338ebff74f36d86c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.3_amd64.deb
Size/MD5: 30006 3167fcb1062d529a724f5d4dbacb9a9c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.50-12ubuntu4.3_amd64.deb
Size/MD5: 275506 bc6da6c57c8faf19d1f55108a4c2e98b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.50-12ubuntu4.3_amd64.deb
Size/MD5: 133452 e7b61a6aa6fec0146790b56ae41131d8
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.50-12ubuntu4.3_i386.deb
Size/MD5: 826108 01ed4c55e535c4f8a8e9fa62b03d2d6f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.50-12ubuntu4.3_i386.deb
Size/MD5: 209418 f4daec8b0b1a16a9c1056ea80a18818d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.50-12ubuntu4.3_i386.deb
Size/MD5: 205626 7b4216e725476c616d15ba87b35ab3aa
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.50-12ubuntu4.3_i386.deb
Size/MD5: 208278 49de9f647e784fae7883c24741ab7b63
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.50-12ubuntu4.3_i386.deb
Size/MD5: 208698 092149b5d65d608ff023f74fad4419b3
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.3_i386.deb
Size/MD5: 30008 0629ba1a00d24318da20620f904adf53
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.50-12ubuntu4.3_i386.deb
Size/MD5: 253472 f7fa9e49a15f97cc6f6b3487dad9f59b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.50-12ubuntu4.3_i386.deb
Size/MD5: 124174 e9a3bb0757ac735b5be257899dc7dccb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.50-12ubuntu4.3_powerpc.deb
Size/MD5: 903886 c79d8200dafe755df9b4353a461431f8
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.50-12ubuntu4.3_powerpc.deb
Size/MD5: 223044 668546270ebbb3fc0722bb4e9e15c551
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.50-12ubuntu4.3_powerpc.deb
Size/MD5: 218040 8a720021cb2ad66178fa7338c321d9b9
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.50-12ubuntu4.3_powerpc.deb
Size/MD5: 221164 d79bb29298a9e3b404f75feac66a4f0e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.50-12ubuntu4.3_powerpc.deb
Size/MD5: 221810 065beb73cd4d89f58b2937eb8f40f2e1
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.3_powerpc.deb
Size/MD5: 30008 2df17775733e03d4b7a24f30db85abc0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.50-12ubuntu4.3_powerpc.deb
Size/MD5: 269302 d78bb039553b55d88fd7b0482b0fa45e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.50-12ubuntu4.3_powerpc.deb
Size/MD5: 130790 19af1dc64928adca136c3cd4a5d43368
Updated packages for Ubuntu 5.04 (Hoary Hedgehog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.2.diff.gz
Size/MD5: 106802 52ae05de8e2234de5379947bc97e6b6f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.2.dsc
Size/MD5: 1159 e21eb214e35d20449d52ea8e6c4a1256
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53.orig.tar.gz
Size/MD5: 6925351 40507bf19919334f07355eda2df017e5
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.53-5ubuntu5.2_all.deb
Size/MD5: 3578208 08bca5aab442a3483739f3b753f2b3a3
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.53-5ubuntu5.2_all.deb
Size/MD5: 33806 47590c2159403038c34e51651b9b3ffe
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.2_amd64.deb
Size/MD5: 826094 8b1404e64736660a2958992d3bc525f1
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.2_amd64.deb
Size/MD5: 221110 e3aa00811f28469bfbb8ef22ecd145d2
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.2_amd64.deb
Size/MD5: 216690 00e809503238ca2e73c42fc52f3016db
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.2_amd64.deb
Size/MD5: 220032 10d8a9fce44a4096d31ade012a28079e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.2_amd64.deb
Size/MD5: 167464 6c91ab0c339f3a74535ed36172ada81c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.2_amd64.deb
Size/MD5: 168258 c4afd1d5a85633e95c2fe835def03ad7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.2_amd64.deb
Size/MD5: 92934 26ccc095b0f9c15224bd054f758109a0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.2_amd64.deb
Size/MD5: 33732 498cf774f6197fc10292365422739196
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.2_amd64.deb
Size/MD5: 279090 536b2c9b9fa300090d53b48e746a9378
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.2_amd64.deb
Size/MD5: 137596 5559d096c8cf747ce5d7f68e672c73eb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.2_i386.deb
Size/MD5: 789008 09bbc361b3aaa028014a19d58f2186f5
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.2_i386.deb
Size/MD5: 201274 cc9c15af3dbbcc5213eeb49cdef69f31
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.2_i386.deb
Size/MD5: 197146 26bc333b69cc2a58b2fe41c610c41927
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.2_i386.deb
Size/MD5: 200568 6c1189649fb0a3a04205f2528b0e1b5a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.2_i386.deb
Size/MD5: 167466 66b4c17f7b92ce69dc983b79d8beafa7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.2_i386.deb
Size/MD5: 168248 624c88d5d611211be441e5179489f134
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.2_i386.deb
Size/MD5: 90654 ff649857f12acf7164b78665a3df1340
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.2_i386.deb
Size/MD5: 33734 dc48007f8db1e2d870da4c69cb056bcf
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.2_i386.deb
Size/MD5: 257040 f38390e08a7f1fb35a3bab2fe0aa43e4
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.2_i386.deb
Size/MD5: 128270 d5e2e3bd12723420a852eab1e606cb2f
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.53-5ubuntu5.2_powerpc.deb
Size/MD5: 855412 fc8f89f45ed5fe9323228db12d5e6af4
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.53-5ubuntu5.2_powerpc.deb
Size/MD5: 214298 abf499003a7cd1fb01908508375b9b0a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.53-5ubuntu5.2_powerpc.deb
Size/MD5: 209416 e67390ec75e08bd176093b44cd6a29e7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.53-5ubuntu5.2_powerpc.deb
Size/MD5: 213410 56548f06302e1e30c72d1e14568ef042
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.53-5ubuntu5.2_powerpc.deb
Size/MD5: 167472 0137079f14ad6afbbeafbe9c222e3099
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.53-5ubuntu5.2_powerpc.deb
Size/MD5: 168252 f595e5e6a871ce89a52494db766be9ed
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.53-5ubuntu5.2_powerpc.deb
Size/MD5: 102328 eccac03681d081ed37f2393196714edb
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.53-5ubuntu5.2_powerpc.deb
Size/MD5: 33744 b5c4d07b3e4a5b5945ad4670a52b818d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.53-5ubuntu5.2_powerpc.deb
Size/MD5: 272312 9ad600dd8a99577138bdc3d7081c490e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.53-5ubuntu5.2_powerpc.deb
Size/MD5: 134578 c0d2e7a4a29d9cf05cf99d3aa9b71621
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists