Date: Tue, 10 Mar 2009 12:54:06 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-731-1] Apache vulnerabilities

===========================================================
Ubuntu Security Notice USN-731-1             March 10, 2009
apache2 vulnerabilities
CVE-2007-6203, CVE-2007-6420, CVE-2008-1678, CVE-2008-2168,
CVE-2008-2364, CVE-2008-2939
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  apache2-common                  2.0.55-4ubuntu2.4
  apache2-mpm-perchild            2.0.55-4ubuntu2.4
  apache2-mpm-prefork             2.0.55-4ubuntu2.4
  apache2-mpm-worker              2.0.55-4ubuntu2.4

Ubuntu 7.10:
  apache2-mpm-event               2.2.4-3ubuntu0.2
  apache2-mpm-perchild            2.2.4-3ubuntu0.2
  apache2-mpm-prefork             2.2.4-3ubuntu0.2
  apache2-mpm-worker              2.2.4-3ubuntu0.2
  apache2.2-common                2.2.4-3ubuntu0.2

Ubuntu 8.04 LTS:
  apache2-mpm-event               2.2.8-1ubuntu0.4
  apache2-mpm-perchild            2.2.8-1ubuntu0.4
  apache2-mpm-prefork             2.2.8-1ubuntu0.4
  apache2-mpm-worker              2.2.8-1ubuntu0.4
  apache2.2-common                2.2.8-1ubuntu0.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.
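
To confirm that an upgrade actually brought a host up to the versions listed above, the installed versions can be compared against the table using Debian version ordering. The following is an added example, not part of the original advisory: the function names and the sample input are constructed for illustration, and the comparison is a simplified reimplementation of dpkg's version ordering, not dpkg itself.

```python
import re

# Fixed versions copied from the USN-731-1 tables above, keyed by Ubuntu release.
MPMS = ["apache2-mpm-perchild", "apache2-mpm-prefork", "apache2-mpm-worker"]
FIXED = {
    "6.06": ("2.0.55-4ubuntu2.4", MPMS + ["apache2-common"]),
    "7.10": ("2.2.4-3ubuntu0.2", MPMS + ["apache2-mpm-event", "apache2.2-common"]),
    "8.04": ("2.2.8-1ubuntu0.4", MPMS + ["apache2-mpm-event", "apache2.2-common"]),
}

def _order(c):
    # dpkg ordering: '~' sorts before end of string (0), letters before other characters.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right.
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca = _order(na[i]) if i < len(na) else 0
            cb = _order(nb[i]) if i < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def deb_cmp(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def unpatched(release, dpkg_output):
    """Return {package: version} for listed packages older than the fixed version."""
    fixed, names = FIXED[release]
    rows = (line.split() for line in dpkg_output.splitlines())
    return {r[0]: r[1] for r in rows
            if len(r) == 2 and r[0] in names and deb_cmp(r[1], fixed) < 0}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output on 8.04.
SAMPLE = "apache2-mpm-prefork 2.2.8-1ubuntu0.3\napache2.2-common 2.2.8-1ubuntu0.4\n"
print(unpatched("8.04", SAMPLE))
```

An empty result means every listed package that is installed is at or above the fixed version for that release.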

Details follow:

It was discovered that Apache did not sanitize the method specifier header from
an HTTP request when it is returned in an error message, which could result in
browsers becoming vulnerable to cross-site scripting attacks when processing the
output. With cross-site scripting vulnerabilities, if a user were tricked into
viewing server output during a crafted server request, a remote attacker could
exploit this to modify the contents, or steal confidential data (such as
passwords), within the same domain. This issue only affected Ubuntu 6.06 LTS and
7.10. (CVE-2007-6203)

It was discovered that Apache was vulnerable to a cross-site request forgery
(CSRF) in the mod_proxy_balancer balancer manager. If an Apache administrator
were tricked into clicking a link on a specially crafted web page, an attacker
could trigger commands that could modify the balancer manager configuration

