===========================================================
Ubuntu Security Notice USN-160-1            August 04, 2005
apache2 vulnerabilities
CAN-2005-1268, CAN-2005-2088
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

apache2-mpm-perchild
apache2-mpm-prefork
apache2-mpm-threadpool
apache2-mpm-worker

The problem can be corrected by upgrading the affected package to version 2.0.50-12ubuntu4.3 (for Ubuntu 4.10), or 2.0.53-5ubuntu5.2 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Marc Stern discovered a buffer overflow in the SSL module's certificate revocation list (CRL) handler. If Apache is configured to use a malicious CRL, this could possibly lead to a server crash or arbitrary code execution with the privileges of the Apache web server. (CAN-2005-1268)

Watchfire discovered that Apache insufficiently verified the "Transfer-Encoding" and "Content-Length" headers when acting as an HTTP proxy. By sending a specially crafted HTTP request, a remote attacker who is authorized to use the proxy could exploit this to bypass web application firewalls, poison the HTTP proxy cache, and conduct cross-site scripting attacks against other proxy users.
(CAN-2005-2088)