Ubuntu Security Notice 177-1

Posted Sep 8, 2005
Authored by Ubuntu, Martin Pitt | Site security.ubuntu.com

Ubuntu Security Notice USN-177-1 - apache2, libapache-mod-ssl vulnerabilities - Apache did not honour the "SSLVerifyClient require" directive within a <Location> block if the surrounding <VirtualHost> block contained a directive "SSLVerifyClient optional". This allowed clients to bypass client certificate validation on servers with the above configuration. Also, Filip Sneppe discovered a Denial of Service vulnerability in the byte range filter handler. By requesting certain large byte ranges, a remote attacker could cause memory exhaustion in the server.

tags | advisory, remote, denial of service, vulnerability
systems | linux, ubuntu
advisories | CVE-2005-2700, CVE-2005-2728
SHA-256 | f63bd9e3e650b2f1d6cbf6e4bceff6b9f82ee6c95a22dc5b50cef9f0bab677b0

===========================================================
Ubuntu Security Notice USN-177-1 September 07, 2005
apache2, libapache-mod-ssl vulnerabilities
CAN-2005-2700, CAN-2005-2728
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

apache2-mpm-perchild
apache2-mpm-prefork
apache2-mpm-threadpool
apache2-mpm-worker
libapache-mod-ssl

The problem can be corrected by upgrading the affected package to
version 2.0.50-12ubuntu4.8 (for Ubuntu 4.10), or 2.0.53-5ubuntu5.3
(for Ubuntu 5.04). In general, a standard system upgrade is sufficient
to effect the necessary changes.

Details follow:

Apache did not honour the "SSLVerifyClient require" directive within a
<Location> block if the surrounding <VirtualHost> block contained a
directive "SSLVerifyClient optional". This allowed clients to bypass
client certificate validation on servers with the above configuration.
(CAN-2005-2700)
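
A configuration audit for the pattern described above, as an added example (not part of the original notice and not Apache or Ubuntu code): it reports every <Location> that sets "SSLVerifyClient require" inside a <VirtualHost> that sets "SSLVerifyClient optional". The function name and the sample configuration are constructed for illustration, and the check assumes a single file with no Include directives followed.

```python
import re

# Constructed sample: the first vhost has the pattern described in the notice.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLVerifyClient optional
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost *:8443>
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")
VERIFY = re.compile(r"SSLVerifyClient\s+(\S+)", re.I)

def find_affected_locations(conf_text):
    """Return (vhost, location) pairs where a <Location> sets
    'SSLVerifyClient require' inside a <VirtualHost> set to 'optional'."""
    stack, vhost_mode, required = [], {}, []
    for n, raw in enumerate(conf_text.splitlines()):  # n keeps same-address vhosts distinct
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif m := OPEN.match(line):
            stack.append((m.group(1).lower(), m.group(2).strip().strip('"'), n))
        elif m := VERIFY.match(line):
            vhost = next((c for c in stack if c[0] == "virtualhost"), None)
            if vhost is None:
                continue
            mode = m.group(1).lower()
            if stack[-1] is vhost:
                vhost_mode[vhost] = mode          # directive at vhost level
            elif stack[-1][0] == "location" and mode == "require":
                required.append((vhost, stack[-1][1]))
    # Resolve after the full pass: the vhost directive may follow the block.
    return [(v[1], loc) for v, loc in required if vhost_mode.get(v) == "optional"]

if __name__ == "__main__":
    for vhost, loc in find_affected_locations(SAMPLE_CONF):
        print(f"review: <Location {loc}> in <VirtualHost {vhost}>")
```

A reported pair marks a server whose access control depended on the affected behaviour, so it is the first place to confirm the fixed package versions are installed.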

Filip Sneppe discovered a Denial of Service vulnerability in the byte
range filter handler. By requesting certain large byte ranges, a
remote attacker could cause memory exhaustion in the server.
(CAN-2005-2728)

The updated libapache-mod-ssl also fixes two older Denial of Service
vulnerabilities: A format string error in the ssl_log() function which
could be exploited to crash the server (CAN-2004-0700), and a flaw in
the SSL cipher negotiation which could be exploited to terminate a
session (CAN-2004-0885). Please note that Apache 1.3 and
libapache-mod-ssl are not officially supported (they are in the
"universe" component of the Ubuntu archive).


Updated packages for Ubuntu 4.10 (Warty Warthog):


Updated packages for Ubuntu 5.04 (Hoary Hedgehog):
