USN-1134-1: APR vulnerabilities

24 May 2011

A denial of service issue exists that affects the Apache web server.

Releases

Packages

  • apache2 - a scalable, extensible web server
  • apr - The Apache Portable Runtime Library

Details

Maksymilian Arciemowicz reported that a flaw in the fnmatch()
implementation in the Apache Portable Runtime (APR) library could allow
an attacker to cause a denial of service. This can be demonstrated
in a remote denial of service attack against mod_autoindex in the
Apache web server. (CVE-2011-0419)

Is was discovered that the fix for CVE-2011-0419 introduced a different
flaw in the fnmatch() implementation that could also result in a
denial of service. (CVE-2011-1928)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.04
Ubuntu 6.06
Ubuntu 11.04
Ubuntu 10.10
Ubuntu 10.04

After a standard system update you need to restart the Apache web
server or any other service that depends on the APR library to make
all the necessary changes.