===========================================================
Ubuntu Security Notice USN-575-1 February 04, 2008
apache2 vulnerabilities
CVE-2006-3918, CVE-2007-3847, CVE-2007-4465, CVE-2007-5000,
CVE-2007-6388, CVE-2007-6421, CVE-2007-6422, CVE-2008-0005
==========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
apache2-mpm-perchild 2.0.55-4ubuntu2.3
apache2-mpm-prefork 2.0.55-4ubuntu2.3
apache2-mpm-worker 2.0.55-4ubuntu2.3
Ubuntu 6.10:
apache2-mpm-perchild 2.0.55-4ubuntu4.2
apache2-mpm-prefork 2.0.55-4ubuntu4.2
apache2-mpm-worker 2.0.55-4ubuntu4.2
Ubuntu 7.04:
apache2-mpm-event 2.2.3-3.2ubuntu2.1
apache2-mpm-perchild 2.2.3-3.2ubuntu2.1
apache2-mpm-prefork 2.2.3-3.2ubuntu2.1
apache2-mpm-worker 2.2.3-3.2ubuntu2.1
Ubuntu 7.10:
apache2-mpm-event 2.2.4-3ubuntu0.1
apache2-mpm-perchild 2.2.4-3ubuntu0.1
apache2-mpm-prefork 2.2.4-3ubuntu0.1
apache2-mpm-worker 2.2.4-3ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that Apache did not sanitize the Expect header from
an HTTP request when it is reflected back in an error message, which
could result in browsers becoming vulnerable to cross-site scripting
attacks when processing the output. With cross-site scripting
vulnerabilities, if a user were tricked into viewing server output
during a crafted server request, a remote attacker could exploit this
to modify the contents, or steal confidential data (such as passwords),
within the same domain. This was only vulnerable in Ubuntu 6.06.
(CVE-2006-3918)
It was discovered that when configured as a proxy server and using a
threaded MPM, Apache did not properly sanitize its input. A remote
attacker could send Apache crafted date headers and cause a denial of
service via application crash. By default, mod_proxy is disabled in
Ubuntu. (CVE-2007-3847)
It was discovered that mod_autoindex did not force a character set,
which could result in browsers becoming vulnerable to cross-site
scripting attacks when processing the output. (CVE-2007-4465)
It was discovered that mod_imap/mod_imagemap did not force a
character set, which could result in browsers becoming vulnerable
to cross-site scripting attacks when processing the output. By
default, mod_imap/mod_imagemap is disabled in Ubuntu. (CVE-2007-5000)
It was discovered that mod_status when status pages were available,
allowed for cross-site scripting attacks. By default, mod_status is
disabled in Ubuntu. (CVE-2007-6388)
It was discovered that mod_proxy_balancer did not sanitize its input,
which could result in browsers becoming vulnerable to cross-site
scripting attacks when processing the output. By default,
mod_proxy_balancer is disabled in Ubuntu. This was only vulnerable
in Ubuntu 7.04 and 7.10. (CVE-2007-6421)
It was discovered that mod_proxy_balancer could be made to
dereference a NULL pointer. A remote attacker could send a crafted
request and cause a denial of service via application crash. By
default, mod_proxy_balancer is disabled in Ubuntu. This was only
vulnerable in Ubuntu 7.04 and 7.10. (CVE-2007-6422)
It was discovered that mod_proxy_ftp did not force a character set,
which could result in browsers becoming vulnerable to cross-site
scripting attacks when processing the output. By default,
mod_proxy_ftp is disabled in Ubuntu. (CVE-2008-0005)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
Size/MD5: 121305 10359a467847b63f8d6603081450fece
Size/MD5: 1148 923d0e3dcb5afba32a130aed96ac7214
Size/MD5: 6092031 45e32c9432a8e3cf4227f5af91b03622
Architecture independent packages:
Size/MD5: 2124588 2befe634f0a889cc2241772f2a7d7164
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
Size/MD5: 832842 032c077cfeb6ffbc3989c54c27cb729a
Size/MD5: 228206 771457a0b555eef325be270e1c22c0c2
Size/MD5: 223236 77988570570b779ebf92fcc3dc7dc198
Size/MD5: 227904 945d30797a27c7ac28a96d9c1793b80d
Size/MD5: 171402 3b7567107864cf36953e7911a4851738
Size/MD5: 172186 85a591ea061cbc727fc261b046781502
Size/MD5: 94240 b80027348754c493312269f7410b38fe
Size/MD5: 36228 2821ca9410c9cd287e756f05b0f6930c
Size/MD5: 285664 76f4879738a0a788414316581ac2010b
Size/MD5: 144250 3cd8327429958569a306257da57e8be0
i386 architecture (x86 compatible Intel/AMD):
Size/MD5: 786052 7bdddb451607eeb2abb9706641675397
Size/MD5: 202862 a88456a5949fe1da4ad3f6c969d3a886
Size/MD5: 198746 aa72459cae4f5765ccd1b58d275961bc
Size/MD5: 202338 13bbe75f89aeedb6dec9be929528df48
Size/MD5: 171408 34209e19f6ef01cb08aa75c1b3045495
Size/MD5: 172176 4521336ea6f4d87391ee96d70b79f887
Size/MD5: 92182 d8a3310073c017cdc7d3ffd1046a50cf
Size/MD5: 36220 0ae71bd4efdd0fb325864f46ba4f16e7
Size/MD5: 261736 476e8d909e279fac698baf9cf0d62300
Size/MD5: 132160 3efb3c11dd844fbc429eff5818dcdae2
powerpc architecture (Apple Macintosh G3/G4/G5):
Size/MD5: 859014 a8c42d748bfd616f6a6f1bbbf2224205
Size/MD5: 220254 84f7c2678fbab6b303361d32f1a741a8
Size/MD5: 215932 bee4a6e00371117203647fd3a311658a
Size/MD5: 219800 aaf4968deba24912e4981f35a367a086
Size/MD5: 171410 a15c13c0a2ec49e805f9ae83e5db4ae7
Size/MD5: 172198 4e411b4b16daab9a0ddc9ea3651f448d
Size/MD5: 103940 dca02b7f5bc6848fa1dc8aa530f04910
Size/MD5: 36222 619ee3ea1064d11a02de092690bfb1e1
Size/MD5: 281280 9325dbc26f57d76254ceca78bee4cff2
Size/MD5: 141398 668d7fb9dd196e82601ca6d43a326813
sparc architecture (Sun SPARC/UltraSPARC):
Size/MD5: 803242 120feec10c0dcc370894e2a3bdcd399b
Size/MD5: 210668 062841f2fd30c07ff1f5b101a7c1e196
Size/MD5: 206266 35b3b9d4b34844b01576ca7963b5edda
Size/MD5: 209954 4f99e4d02fc93222cb541edb09358b79
Size/MD5: 171404 bd728a86c1a8984d60caeee35da0c451
Size/MD5: 172184 1794886b8aca59cf28cbe28d853f42ae
Size/MD5: 93282 1ae6def788c74750d79055784c0d8006
Size/MD5: 36230 5f1d8e4d19324674a1f5748601431758
Size/MD5: 267832 96c149638daeb993250b18c9f4285abf
Size/MD5: 130082 7a62f71e679a233ca118cb9813ffd3e3
Updated packages for Ubuntu 6.10:
Source archives:
Size/MD5: 121671 775c3b2d53630ddfb4386cbfdb954861
Size/MD5: 1148 a5dd357e0bef2dc308656c6c0af5ca1c
Size/MD5: 6092031 45e32c9432a8e3cf4227f5af91b03622
Architecture independent packages:
Size/MD5: 2124902 baf4147b4e4d939a08f20c8ac987abf7
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
Size/MD5: 836086 e04fced4fc1efd4a192a4016f679bc38
Size/MD5: 227790 27c558402837f9d4c85315dcdde2f4e1
Size/MD5: 222698 a33ef1566dcd4793b0aa633435e8ee44
Size/MD5: 227296 4b3c5e771574d858dd655a9e0a7a5d8c
Size/MD5: 171640 bd8fbcd40f5431e6688156ba4b17e960
Size/MD5: 172412 0520836bca78eb64bc97d4a8cc481487
Size/MD5: 94518 8b35759996e50046eca8154ebc63fc1f
Size/MD5: 36530 1b08b4418ff0f7ba90940433116cf6d8
Size/MD5: 286876 1426b92819b56ff892483acedfdea4c6
Size/MD5: 145340 109c93408c5197be50960cce80c23b7c
i386 architecture (x86 compatible Intel/AMD):
Size/MD5: 806640 81e91910683454a4b2444e0ce8e929bc
Size/MD5: 209996 27440ecbe836673f63ae1773e238eb65
Size/MD5: 206098 e77a4b69c1c456f4ca6c03d9105d8552
Size/MD5: 209552 8a23207211e54b138d5a87c15c097908
Size/MD5: 171636 07616e459905bad152a8669c8f670436
Size/MD5: 172408 69300678b2f8b908f90a91de325c7ee2
Size/MD5: 93558 d47cdad1593a7332507c7d0388effbf4
Size/MD5: 36532 47800e58ec26a1389005b8120ad3ca3e
Size/MD5: 266728 65cd78808f959d9e73a4d5e348bf3e20
Size/MD5: 137934 1493ea26165b34a841da777ed801ca7a
powerpc architecture (Apple Macintosh G3/G4/G5):
Size/MD5: 865216 a635390e5772dd30dac70f7aba5e620d
Size/MD5: 222022 e37ef7d710800e568d838242d3129725
Size/MD5: 217630 53127602a5df28a5d66fdd11e396c346
Size/MD5: 221782 d3e43cef5b90a7e3aa405a5d167ddfb6
Size/MD5: 171632 d9f1c242ffeab1b90850a6ffc78f0148
Size/MD5: 172404 51b40f3e6a486ce372844ad24b83ecf5
Size/MD5: 104970 0f281f65023f52f0bea2dc54136b6c57
Size/MD5: 36530 c8c4a7e645fe938da23737602589d08c
Size/MD5: 284866 ba3e1b09a14d8e5485561118f6eeefb7
Size/MD5: 144554 66d17552fd2385cfdf44c5d55ea583c9
sparc architecture (Sun SPARC/UltraSPARC):
Size/MD5: 811380 c2578ed2a96363e7c5fb268933487ccb
Size/MD5: 212602 aab797ade503fec11a36dbf640e1ef08
Size/MD5: 208354 0a571678c269d1da06787dac56567f1c
Size/MD5: 212052 90754ccdcd95e652413426376078d223
Size/MD5: 171634 00fbac613f13f1d1e20470ce42703018
Size/MD5: 172414 65e31d4a009a9663212f8cfcfa492c53
Size/MD5: 94100 95bd6b71a6bc1fceeccbc51d2b913bd2
Size/MD5: 36532 b4a7ccf0ba37c70b78a950bacbc4a650
Size/MD5: 268776 5b157a4dd55f533a610bc6c111e9d414
Size/MD5: 131000 dda2d34f2e90e0468b02e261ae2c6afe
Updated packages for Ubuntu 7.04:
Source archives:
Size/MD5: 115896 cbb8201fa61844fe02dcc7c2e1e35cf5
Size/MD5: 1128 77143d282e5fc16d3f1dc327b7a4fd87
Size/MD5: 6342475 f72ffb176e2dc7b322be16508c09f63c
Architecture independent packages:
Size/MD5: 2199570 be1a62334680ed00d5f5a4c74113d524
Size/MD5: 272460 eb0d9dce34ef9dd4b940fb98c38e529c
Size/MD5: 6672646 b3d11c9f4451f75e4ff17e663999a579
Size/MD5: 39090 d2db3ef69d13b4ed76493e189174c304
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
Size/MD5: 450016 f2726571f028c6f228a73faa1b620f63
Size/MD5: 445732 2f791f5e207e2ed047c4ed36572cea6d
Size/MD5: 449602 a67b291ea2270e9c46f8eaecef65f7c6
Size/MD5: 403950 bc7a8419daa6c451decbb5640241df32
Size/MD5: 404518 099bb7f53ae885bd7e8157c781c5b50b
Size/MD5: 341726 0aed173b3eb2db83ddd6ddb49bab7c4e
Size/MD5: 971426 30db1106dfea5106da54d2287c02a380
i386 architecture (x86 compatible Intel/AMD):
Size/MD5: 433320 03d3aa003bf777f1f1ae9d8f814caac1
Size/MD5: 429248 e49f5accb8764204a2a759ea8b2dea55
Size/MD5: 432706 a3c32680004d3e0b460513d426006bb0
Size/MD5: 403964 63c77d5009e715094d21c273b57c04d0
Size/MD5: 404530 f4b9eb26fa058eaec8f75ae956cbc852
Size/MD5: 340810 e5d63edb8c0f2baccf9a2b072d1c3d74
Size/MD5: 929546 828b8224e2540d7bc4e462d5b2b1f8af
powerpc architecture (Apple Macintosh G3/G4/G5):
Size/MD5: 451914 b1057076382cb22727fa0bcd202c57dd
Size/MD5: 447340 44e26684bd3a09f2ed6969d2c540f5ae
Size/MD5: 451324 2c029a48b2242e1fdf137a6cec3af09d
Size/MD5: 403974 65a11cfaee921517445cf74ed04df701
Size/MD5: 404538 d27226fdeac7d193651a2cb2bd4b61e8
Size/MD5: 360936 058bbb5e05afc0ca08805ca71a713a42
Size/MD5: 1073822 0f9dda867e9131cc5418dd40ec579d38
sparc architecture (Sun SPARC/UltraSPARC):
Size/MD5: 434804 ff6361811108a9be8b45dd255b84c376
Size/MD5: 430968 367e708f82317b657439fc9e70dfb3eb
Size/MD5: 434308 2073137bb138dc52bbace666714f4e14
Size/MD5: 403952 f0ed9c92b917d1749825e64be61d8822
Size/MD5: 404520 fa7ce800de2eb5719c479a7506798b88
Size/MD5: 343774 880faca3543426734431c29de77c3048
Size/MD5: 938534 3e9075d30b9cedd73a936a14b8b84374
Updated packages for Ubuntu 7.10:
Source archives:
Size/MD5: 121669 dd7399c1dacd25d2153af25d3e9c3ea5
Size/MD5: 1241 9b9bd27a1cfe3fc33d63b0b13d345e98
Size/MD5: 6365535 3add41e0b924d4bb53c2dee55a38c09e
Architecture independent packages:
Size/MD5: 2211118 6da81663b251e862bb665d9627271b9f
Size/MD5: 278032 4f8270cff0a532bd059741b366047da9
Size/MD5: 6700348 b133a1244f39b3f64fdd47cdd4a64480
Size/MD5: 42192 3f0351337b9c5d21ceea4b92a3911040
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
Size/MD5: 456628 d85a3cbc0eef82e845a8327180136469
Size/MD5: 452408 8dd9341af4b538e6c9f8f70faf5fd2f2
Size/MD5: 456134 f6bcb10663b0c13cdf68c6d0e83c6342
Size/MD5: 410020 036c44117688999e0eaa7a6cfc1b5a11
Size/MD5: 410604 cbb1e906a74fb2a34f41a3243ffa8010
Size/MD5: 347444 63413a914cb4546704032ab8f7f16a80
Size/MD5: 989366 b0c2d84f421fcb331efcec2a7b0711d1
i386 architecture (x86 compatible Intel/AMD):
Size/MD5: 439730 46888aaf742cdcc30bcf7983d31c0158
Size/MD5: 435354 f3557e1a87154424e9144cf672110e93
Size/MD5: 439062 3469e523d93cfc20b71271b1f24daea1
Size/MD5: 410026 fafeb6f9433f595e1a634505f78d2bd1
Size/MD5: 410606 29b01db3883e5d12a5992c22cadfbe7a
Size/MD5: 346490 6581362eebd73d91d1f74ebd9941c890
Size/MD5: 944816 a1f598ad168bf49f12f8b0cf08ab7908
powerpc architecture (Apple Macintosh G3/G4/G5):
Size/MD5: 458126 f08b8b1f2673fdfcbd849bc913006408
Size/MD5: 453546 f52c55b92d5b1c42cb4cfcfee774b1bd
Size/MD5: 457466 f7b948be666100a7f5631cbafe2255dd
Size/MD5: 410024 3bba352e3a2d8730a23d04fdcea5abd9
Size/MD5: 410606 b95af66f260d1291e92986790b7d2f0f
Size/MD5: 366550 c2f8906ce78396a240e37c08aa2cc197
Size/MD5: 1091688 f214016a736f7743a28dfd03e09753e2
sparc architecture (Sun SPARC/UltraSPARC):
Size/MD5: 440954 f1a98acdf576d3e7c9576501f7886d30
Size/MD5: 437166 36b4878e0e9593b5d28c743eb093784a
Size/MD5: 440446 46d56f1a8d1b10cc937c8252648a583e
Size/MD5: 410028 0c28e9654530a4ecf363d998b78e1fd5
Size/MD5: 410608 8e22b403b2315b190263f8ba2c8f98dd
Size/MD5: 349678 fe7ce515de30be0ef1ddf865cae5dd49
Size/MD5: 956316 009e48ea5e94d39830b3e9ba21aa55c8
Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.
Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.
