USN-241-1: Apache vulnerabilities

===========================================================
Ubuntu Security Notice USN-241-1           January 12, 2006
apache2, apache vulnerabilities
CVE-2005-3352, CVE-2005-3357
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

apache-common
apache2-common
apache2-mpm-worker

The problem can be corrected by upgrading the affected package to the
following versions:

Ubuntu 4.10:
  apache-common        1.3.31-6ubuntu0.9
  apache2-common       2.0.50-12ubuntu4.10
  apache2-mpm-worker   2.0.50-12ubuntu4.10

Ubuntu 5.04:
  apache-common        1.3.33-4ubuntu2
  apache2-common       2.0.53-5ubuntu5.5
  apache2-mpm-worker   2.0.53-5ubuntu5.5

Ubuntu 5.10:
  apache-common        1.3.33-8ubuntu1
  apache2-common       2.0.54-5ubuntu4
  apache2-mpm-worker   2.0.54-5ubuntu4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

The "mod_imap" module (which provides support for image maps) did not
properly escape the "referer" URL, which rendered it vulnerable to a
cross-site scripting attack. A malicious web page (or HTML email)
could trick a user into visiting a site running the vulnerable
mod_imap, and employ cross-site scripting techniques to gather
sensitive user information from that site. (CVE-2005-3352)

Hartmut Keil discovered a Denial of Service vulnerability in the SSL
module ("mod_ssl") that affects SSL-enabled virtual hosts with a
customized error page for error 400. By sending a specially crafted
request to the server, a remote attacker could crash the server. This
only affects Apache 2, and only if the "worker" implementation
(apache2-mpm-worker) is used. (CVE-2005-3357)
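
An added example, not part of the Ubuntu notice: a check of installed package versions against the fixed versions listed above. It implements Debian version ordering in Python, because plain string comparison ranks 12ubuntu4.9 above 12ubuntu4.10. The function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed versions exactly as listed in USN-241-1, keyed by Ubuntu release.
FIXED = {
    "4.10": {"apache-common": "1.3.31-6ubuntu0.9", "apache2-common": "2.0.50-12ubuntu4.10",
             "apache2-mpm-worker": "2.0.50-12ubuntu4.10"},
    "5.04": {"apache-common": "1.3.33-4ubuntu2", "apache2-common": "2.0.53-5ubuntu5.5",
             "apache2-mpm-worker": "2.0.53-5ubuntu5.5"},
    "5.10": {"apache-common": "1.3.33-8ubuntu1", "apache2-common": "2.0.54-5ubuntu4",
             "apache2-mpm-worker": "2.0.54-5ubuntu4"},
}

def _order(c):
    # dpkg character weight: '~' first, then end-of-string/digit, letters, everything else.
    if c == "" or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one upstream or revision string, alternating text and numeric runs."""
    while a or b:
        ta, tb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            d = _order(ta[i:i + 1]) - _order(tb[i:i + 1])
            if d:
                return d
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def deb_cmp(x, y):
    """Return <0, 0 or >0 as Debian version x is older than, equal to or newer than y."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    return (ex - ey) or _cmp_part(ux, uy) or _cmp_part(rx, ry)

def unpatched(release, installed):
    """Packages from the notice whose installed version is older than the fixed one."""
    return sorted(p for p, fixed in FIXED[release].items()
                  if p in installed and deb_cmp(installed[p], fixed) < 0)

# Constructed sample inventory; on a real host this would come from dpkg-query -W.
SAMPLE = {"apache2-common": "2.0.50-12ubuntu4.9", "apache2-mpm-worker": "2.0.50-12ubuntu4.10"}
```

For the constructed sample, `unpatched("4.10", SAMPLE)` reports only apache2-common, since apache2-mpm-worker is already at the fixed version.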