News

=========================================================== Ubuntu Security Notice USN-328-1 July 27, 2006 apache2 vulnerability CVE-2006-3747 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.04 Ubuntu 5.10 Ubuntu 6.06 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 5.04: apache2-mpm-perchild 2.0.53-5ubuntu5.6 apache2-mpm-prefork 2.0.53-5ubuntu5.6 apache2-mpm-threadpool 2.0.53-5ubuntu5.6 apache2-mpm-worker 2.0.53-5ubuntu5.6 Ubuntu 5.10: apache2-mpm-perchild 2.0.54-5ubuntu4.1 apache2-mpm-prefork 2.0.54-5ubuntu4.1 apache2-mpm-threadpool 2.0.54-5ubuntu4.1 apache2-mpm-worker 2.0.54-5ubuntu4.1 Ubuntu 6.06 LTS: apache2-mpm-perchild 2.0.55-4ubuntu2.1 apache2-mpm-prefork 2.0.55-4ubuntu2.1 apache2-mpm-worker 2.0.55-4ubuntu2.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite module's ldap scheme handling. On systems which activate "RewriteEngine on", a remote attacker could exploit certain rewrite rules to crash Apache, or potentially even execute arbitrary code (this has not been verified). "RewriteEngine on" is disabled by default. Systems which have this directive disabled are not affected at all.