Ubuntu Security Notice USN-241-1
12th January, 2006
apache2, apache vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 5.10
- Ubuntu 5.04
- Ubuntu 4.10
Details
The "mod_imap" module (which provides support for image maps) did not
properly escape the "referer" URL, which rendered it vulnerable to
a cross-site scripting attack. A malicious web page (or HTML email)
could trick a user into visiting a site running the vulnerable mod_imap,
and employ cross-site scripting techniques to gather sensitive user
information from that site. (CVE-2005-3352)

Hartmut Keil discovered a Denial of Service vulnerability in the SSL
module ("mod_ssl") that affects SSL-enabled virtual hosts with a
customized error page for error 400. By sending a specially crafted
request to the server, a remote attacker could crash the server. This
only affects Apache 2, and only if the "worker" implementation
(apache2-mpm-worker) is used. (CVE-2005-3357)
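
The conditions named for CVE-2005-3357 (worker MPM, SSL-enabled virtual host, custom error page for error 400) can be checked against a server's configuration. The following Python check is an added example, not part of the Ubuntu notice; the function name `exposed_vhosts`, its `mpm` parameter and the sample configuration are assumptions constructed for illustration, and files pulled in with `Include` are not followed.

```python
import re

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = """\
# global section
ErrorDocument 404 /missing.html
<VirtualHost *:80>
    ServerName www.example.test
    ErrorDocument 400 /bad-request.html
</VirtualHost>
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
    ErrorDocument 400 /bad-request.html
</VirtualHost>
<VirtualHost *:443>
    ServerName plain-errors.example.test
    SSLEngine On
</VirtualHost>
"""

def exposed_vhosts(conf_text, mpm="worker"):
    """Return names of vhosts matching the notice's CVE-2005-3357 conditions."""
    if mpm.lower() != "worker":      # the notice limits the issue to the worker MPM
        return []
    global_400 = False               # ErrorDocument 400 set outside any vhost
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()           # Apache directive names are case-insensitive
        if low.startswith("<virtualhost"):
            addr = line.strip("<>").split(None, 1)[-1]
            current = {"name": addr, "ssl": False, "err400": False}
        elif low.startswith("</virtualhost") and current is not None:
            vhosts.append(current)
            current = None
        elif re.match(r"errordocument\s+400\b", low):
            if current is None:
                global_400 = True    # server-level setting is inherited by vhosts
            else:
                current["err400"] = True
        elif current is not None:
            if re.match(r"servername\s+\S+", low):
                current["name"] = line.split(None, 1)[1]
            elif re.match(r"sslengine\s+on\b", low):
                current["ssl"] = True
    return [v["name"] for v in vhosts if v["ssl"] and (v["err400"] or global_400)]
```

Calling `exposed_vhosts(SAMPLE_CONF)` flags only the SSL virtual host that defines its own error 400 page; a server-level `ErrorDocument 400` would flag every SSL virtual host.
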
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 5.10:
  - apache2-mpm-worker
  - apache-common
  - apache2-common
- Ubuntu 5.04:
  - apache2-mpm-worker
  - apache-common
  - apache2-common
- Ubuntu 4.10:
  - apache2-mpm-worker
  - apache-common
  - apache2-common
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.