USN-241-1: Apache vulnerabilities

13 January 2006

apache2, apache vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.10
  • Ubuntu 5.04
  • Ubuntu 4.10

Software Description

Details

The “mod_imap” module (which provides support for image maps) did not properly escape the “referer” URL which rendered it vulnerable against a cross-site scripting attack. A malicious web page (or HTML email) could trick a user into visiting a site running the vulnerable mod_imap, and employ cross-site-scripting techniques to gather sensitive user information from that site. (CVE-2005-3352)

Hartmut Keil discovered a Denial of Service vulnerability in the SSL module (“mod_ssl”) that affects SSL-enabled virtual hosts with a customized error page for error 400. By sending a specially crafted request to the server, a remote attacker could crash the server. This only affects Apache 2, and only if the “worker” implementation (apache2-mpm-worker) is used. (CVE-2005-3357)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.10
apache-common
apache2-common
apache2-mpm-worker
Ubuntu 5.04
apache-common
apache2-common
apache2-mpm-worker
Ubuntu 4.10
apache-common
apache2-common
apache2-mpm-worker

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References