USN-241-1: Apache vulnerabilities
13 January 2006
Apache vulnerabilities
Releases
Details
The "mod_imap" module (which provides support for image maps) did not
properly escape the "referer" URL which rendered it vulnerable against
a cross-site scripting attack. A malicious web page (or HTML email)
could trick a user into visiting a site running the vulnerable mod_imap,
and employ cross-site-scripting techniques to gather sensitive user
information from that site. (CVE-2005-3352)
Hartmut Keil discovered a Denial of Service vulnerability in the SSL
module ("mod_ssl") that affects SSL-enabled virtual hosts with a
customized error page for error 400. By sending a specially crafted
request to the server, a remote attacker could crash the server. This
only affects Apache 2, and only if the "worker" implementation
(apache2-mpm-worker) is used. (CVE-2005-3357)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 5.10
-
apache2-mpm-worker
-
-
apache-common
-
-
apache2-common
-
Ubuntu 5.04
-
apache2-mpm-worker
-
-
apache-common
-
-
apache2-common
-
Ubuntu 4.10
-
apache2-mpm-worker
-
-
apache-common
-
-
apache2-common
-
In general, a standard system update will make all the necessary changes.