Message-ID: <20050824152619.GA16385@piware.de>
Date: Wed, 24 Aug 2005 17:26:19 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-173-2] PCRE vulnerability

===========================================================
Ubuntu Security Notice USN-173-2	    August 24, 2005
pcre3, apache2 vulnerabilities
CAN-2005-2491
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

apache2
apache2-mpm-perchild
apache2-mpm-prefork
apache2-mpm-threadpool
apache2-mpm-worker
libpcre3

The problem can be corrected by upgrading the affected packages to
version 2.0.50-12ubuntu4.4 (apache2 for Ubuntu 4.10),
4.5-1.1ubuntu0.4.10.1 (libpcre3 for Ubuntu 4.10), or
4.5-1.1ubuntu0.5.04.1 (libpcre3 for Ubuntu 5.04).

A standard system upgrade is NOT SUFFICIENT to effect the necessary
changes! If you can afford to reboot your machine, this is the easiest
way to ensure that all services using this library are restarted
correctly. If not, please manually restart all server processes (exim,
PHP, etc.). It is advised to also restart your desktop session.


Details follow:

USN-173-1 fixed a buffer overflow vulnerability in the PCRE library.
However, it was determined that this did not suffice to prevent all
possible overflows, so another update is necessary.

In addition, it was found that the Ubuntu 4.10 version of Apache 2
contains a static copy of the library code, so this package needs to
be updated as well. In Ubuntu 5.04, Apache 2 uses the external library
from the libpcre3 package.
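
The restart requirement above can be checked rather than assumed. The shell function below is an added example, not part of the original notice: it lists PIDs whose /proc/<pid>/maps still references a replaced (deleted) copy of the library. The function names and the sample maps lines are constructed for illustration. It cannot see the static copy built into Apache 2 on Ubuntu 4.10, so restart apache2 there regardless.

```shell
#!/bin/sh
# Added example: find processes still running the pre-upgrade library.
# Usage: stale_lib_pids [procroot] [libname]   (defaults: /proc, libpcre)
stale_lib_pids() {
    procroot=${1:-/proc}
    lib=${2:-libpcre}
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Once the package manager replaces the .so on disk, the kernel
        # tags the old, still-mapped file with a trailing " (deleted)".
        if grep -q "/${lib}[^ ]*\.so[^ ]* (deleted)\$" "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done | sort -n
}

# Constructed sample: three fake /proc/<pid>/maps files, not real process data.
make_sample_proc() {
    root=$1
    mkdir -p "$root/101" "$root/202" "$root/303"
    # 101: started before the upgrade, still maps the replaced library
    echo "b7e10000-b7e1c000 r-xp 00000000 03:01 4242 /usr/lib/libpcre.so.3.10.0 (deleted)" > "$root/101/maps"
    # 202: restarted after the upgrade, maps the file currently on disk
    echo "b7e10000-b7e1c000 r-xp 00000000 03:01 5151 /usr/lib/libpcre.so.3.10.0" > "$root/202/maps"
    # 303: stale mapping of an unrelated (hypothetical) library
    echo "b7d00000-b7d20000 r-xp 00000000 03:01 6060 /usr/lib/libfoo.so.1 (deleted)" > "$root/303/maps"
}

# Demo on the constructed tree; on a real host run: stale_lib_pids /proc libpcre
sample=$(mktemp -d)
make_sample_proc "$sample"
stale_lib_pids "$sample" libpcre
rm -rf "$sample"
```

Run it as root on a live system so that the maps files of other users' processes are readable; an empty result means no dynamically linked process still holds the old library.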


Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.4.diff.gz
      Size/MD5:    99437 2ec7366e3b6cb2b5c71181b6548808d5
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.4.dsc
      Size/MD5:     1151 1683a2c86a5f8f64cc200c13684c0af8
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50.orig.tar.gz
      Size/MD5:  6321209 9d0767f8a1344229569fcd8272156f8b
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5-1.1ubuntu0.4.10.1.diff.gz
      Size/MD5:   186473 23255683011d112e0d640005529fdcb6
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5-1.1ubuntu0.4.10.1.dsc
      Size/MD5:      611 1aa3ef1882be8157f4633a6b969a0f60
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5.orig.tar.gz
      Size/MD5:   476057 a58971177114a3b7a5da0e5a89a43c96

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.50-12ubuntu4.4_all.deb
      Size/MD5:  3178264 a5df71bfa12ecbe37e46173508948b1e
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.50-12ubuntu4.4_all.deb
      Size/MD5:   163816 d5d16be7b8a61b7a1a7150573d0ae1c2
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.50-12ubuntu4.4_all.deb
      Size/MD5:   164576 73dd7539b67d6b39db994a14d88fd767
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pgrep_4.5-1.1ubuntu0.4.10.1_all.deb
      Size/MD5:      770 475394a2acc796700888067434ed1fa3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.50-12ubuntu4.4_amd64.deb
      Size/MD5:   864696 51e05b5c49dea16124af0291aeddd34a
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.50-12ubuntu4.4_amd64.deb
      Size/MD5:   230442 e4d0ab0e0f4e12c1d165f5d0688d2f0e
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.50-12ubuntu4.4_amd64.deb
      Size/MD5:   225648 fed779ea47e97f77d8e480461a11bfa2
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.50-12ubuntu4.4_amd64.deb
      Size/MD5:   229042 f3932e8a42c725324547bd5fff8687f9
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.50-12ubuntu4.4_amd64.deb
      Size/MD5:   229632 a948e60571700bd0130d5b260b6899d1
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.4_amd64.deb
      Size/MD5:    30046 16e716b545d917d5df294432d5635064
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.50-12ubuntu4.4_amd64.deb
      Size/MD5:   275550 129e8fdad596ae2885083e7237599022
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.50-12ubuntu4.4_amd64.deb
      Size/MD5:   133502 4f42fad8d02976fa9143b608481205ee
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.4.10.1_amd64.deb
      Size/MD5:   106882 3c0e8b8a59d32ae2be91835a2a85cd18
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.4.10.1_amd64.deb
      Size/MD5:   107072 033e5fe0052ac64310edcd86936d94bc
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.4.10.1_amd64.deb
      Size/MD5:     9162 3d73e3dd0a0bf59f83ddb9c31af88cc8

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.50-12ubuntu4.4_i386.deb
      Size/MD5:   826136 448d8292cd63da6e97c20fb75808aaed
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.50-12ubuntu4.4_i386.deb
      Size/MD5:   209442 fa3613ea6f664c70e603356206074e2c
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.50-12ubuntu4.4_i386.deb
      Size/MD5:   205660 5fd6d83f773a051e1960e40092952d33
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.50-12ubuntu4.4_i386.deb
      Size/MD5:   208318 9a55bea5039f3776d5c1776afbfe6fe7
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.50-12ubuntu4.4_i386.deb
      Size/MD5:   208740 d54a2ca9c5397ed6dc601bb85664ddc3
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.4_i386.deb
      Size/MD5:    30040 6fc8ef0b828e3a642170c2a568a4e7d0
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.50-12ubuntu4.4_i386.deb
      Size/MD5:   253496 59fcec5f8fe52f02dfafa1f7ad08593c
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.50-12ubuntu4.4_i386.deb
      Size/MD5:   124212 4a76225f2129ea76d56ba6b70499fc4e
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.4.10.1_i386.deb
      Size/MD5:   105234 189a4f988570bca3b2365f88a4cf9270
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.4.10.1_i386.deb
      Size/MD5:   106854 99ad2737d3d3fd27fed11765913aacaf
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.4.10.1_i386.deb
      Size/MD5:     8438 0c7adfb2729a43501c238293e2188155

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.50-12ubuntu4.4_powerpc.deb
      Size/MD5:   903896 a2a8b50a1178d9d3118a500190851bbd
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.50-12ubuntu4.4_powerpc.deb
      Size/MD5:   223112 fd4174be29e547b530a1139d259b2d49
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.50-12ubuntu4.4_powerpc.deb
      Size/MD5:   218062 41ea2b90a54588035346bca0529185fe
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-threadpool_2.0.50-12ubuntu4.4_powerpc.deb
      Size/MD5:   221308 e5642bd8744f3fc8239da9d764e3dfce
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.50-12ubuntu4.4_powerpc.deb
      Size/MD5:   221898 376dee961786a2a0eea7d6e7248ab134
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.50-12ubuntu4.4_powerpc.deb
      Size/MD5:    30052 411594b6e4fcba4565fe9abc77e847e7
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.50-12ubuntu4.4_powerpc.deb
      Size/MD5:   269314 d89744b51bac7c5bcbac2852f7e87225
    http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.50-12ubuntu4.4_powerpc.deb
      Size/MD5:   130824 9111e8dd27a24c8fc0f6a26a05c9cee0
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.4.10.1_powerpc.deb
      Size/MD5:   111252 f58cf5b717e4466d47c276b38ebc55ed
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.4.10.1_powerpc.deb
      Size/MD5:   109924 0cb232a94b4a8f2eba5be80e9c1a3895
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.4.10.1_powerpc.deb
      Size/MD5:    10684 7afe87ad27a361b835a423adf44f0c65

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5-1.1ubuntu0.5.04.1.diff.gz
      Size/MD5:   186471 912614b401d34df8c183f58fd15c2a4f
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5-1.1ubuntu0.5.04.1.dsc
      Size/MD5:      611 99a5654a9d99d82cbebf753f35fdfd63
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/pcre3_4.5.orig.tar.gz
      Size/MD5:   476057 a58971177114a3b7a5da0e5a89a43c96

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pgrep_4.5-1.1ubuntu0.5.04.1_all.deb
      Size/MD5:      770 0112a4f8db49e364b511d0913e7db850

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.5.04.1_amd64.deb
      Size/MD5:   106860 d59d8b1bcf9eddb4dd618234d7afac47
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.5.04.1_amd64.deb
      Size/MD5:   107086 8bec3f336d9d74483d15e16306fa3651
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.5.04.1_amd64.deb
      Size/MD5:     9160 8fa63c4f1f9998f0b3cfa432037bd525

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.5.04.1_i386.deb
      Size/MD5:   105268 0dcdea19b3d29ef7e87359c239367d54
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.5.04.1_i386.deb
      Size/MD5:   106790 7d1ba079a7ff75967aa432e725bf6899
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.5.04.1_i386.deb
      Size/MD5:     8394 8f43d61d69a44dead76472421cc7a602

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3-dev_4.5-1.1ubuntu0.5.04.1_powerpc.deb
      Size/MD5:   111232 96f1afd42831adaa9c5d9af8e6c60f0d
    http://security.ubuntu.com/ubuntu/pool/main/p/pcre3/libpcre3_4.5-1.1ubuntu0.5.04.1_powerpc.deb
      Size/MD5:   109990 71dc3404a424f2449855f8d80bf8f8fd
    http://security.ubuntu.com/ubuntu/pool/universe/p/pcre3/pcregrep_4.5-1.1ubuntu0.5.04.1_powerpc.deb
      Size/MD5:    10678 6f16535e47fe355d683829a1435600cf
