USN-241-1: Apache vulnerabilities

Ubuntu Security Notice USN-241-1

12th January, 2006

apache2, apache vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.10
  • Ubuntu 5.04
  • Ubuntu 4.10

Details

The "mod_imap" module (which provides support for image maps) did not
properly escape the "referer" URL which rendered it vulnerable against
a cross-site scripting attack. A malicious web page (or HTML email)
could trick a user into visiting a site running the vulnerable mod_imap,
and employ cross-site-scripting techniques to gather sensitive user
information from that site. (CVE-2005-3352)

Hartmut Keil discovered a Denial of Service vulnerability in the SSL
module ("mod_ssl") that affects SSL-enabled virtual hosts with a
customized error page for error 400. By sending a specially crafted
request to the server, a remote attacker could crash the server. This
only affects Apache 2, and only if the "worker" implementation
(apache2-mpm-worker) is used. (CVE-2005-3357)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 5.10:
apache2-mpm-worker
apache-common
apache2-common
Ubuntu 5.04:
apache2-mpm-worker
apache-common
apache2-common
Ubuntu 4.10:
apache2-mpm-worker
apache-common
apache2-common

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

None

References

CVE-2005-3352, CVE-2005-3357