Ubuntu 1368-1: Apache HTTP Server vulnerabilities

    Date16 Feb 2012
    CategoryUbuntu
    49
    Posted ByLinuxSecurity Advisories
    Several security issues were fixed in the Apache HTTP Server.
    ==========================================================================
    Ubuntu Security Notice USN-1368-1
    February 16, 2012
    
    apache2 vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 11.10
    - Ubuntu 11.04
    - Ubuntu 10.10
    - Ubuntu 10.04 LTS
    - Ubuntu 8.04 LTS
    
    Summary:
    
    Several security issues were fixed in the Apache HTTP Server.
    
    Software Description:
    - apache2: Apache HTTP server
    
    Details:
    
    It was discovered that the Apache HTTP Server incorrectly handled the
    SetEnvIf .htaccess file directive. An attacker having write access to a
    .htaccess file may exploit this to possibly execute arbitrary code.
    (CVE-2011-3607)
    
    Prutha Parikh discovered that the mod_proxy module did not properly
    interact with the RewriteRule and ProxyPassMatch pattern matches in the
    configuration of a reverse proxy. This could allow remote attackers to
    contact internal webservers behind the proxy that were not intended for
    external exposure. (CVE-2011-4317)
    
    Rainer Canavan discovered that the mod_log_config module incorrectly
    handled a certain format string when used with a threaded MPM. A remote
    attacker could exploit this to cause a denial of service via a specially-
    crafted cookie. This issue only affected Ubuntu 11.04 and 11.10.
    (CVE-2012-0021)
    
    It was discovered that the Apache HTTP Server incorrectly handled certain
    type fields within a scoreboard shared memory segment. A local attacker
    could exploit this to to cause a denial of service. (CVE-2012-0031)
    
    Norman Hippert discovered that the Apache HTTP Server incorrecly handled
    header information when returning a Bad Request (400) error page. A remote
    attacker could exploit this to obtain the values of certain HTTPOnly
    cookies. (CVE-2012-0053)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 11.10:
      apache2.2-common                2.2.20-1ubuntu1.2
    
    Ubuntu 11.04:
      apache2.2-common                2.2.17-1ubuntu1.5
    
    Ubuntu 10.10:
      apache2.2-common                2.2.16-1ubuntu3.5
    
    Ubuntu 10.04 LTS:
      apache2.2-common                2.2.14-5ubuntu8.8
    
    Ubuntu 8.04 LTS:
      apache2.2-common                2.2.8-1ubuntu0.23
    
    In general, a standard system update will make all the necessary changes.
    
    References:
      http://www.ubuntu.com/usn/usn-1368-1
      CVE-2011-3607, CVE-2011-4317, CVE-2012-0021, CVE-2012-0031,
      CVE-2012-0053
    
    Package Information:
      https://launchpad.net/ubuntu/+source/apache2/2.2.20-1ubuntu1.2
      https://launchpad.net/ubuntu/+source/apache2/2.2.17-1ubuntu1.5
      https://launchpad.net/ubuntu/+source/apache2/2.2.16-1ubuntu3.5
      https://launchpad.net/ubuntu/+source/apache2/2.2.14-5ubuntu8.8
      https://launchpad.net/ubuntu/+source/apache2/2.2.8-1ubuntu0.23
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"23","type":"x","order":"1","pct":53.49,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.63,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":34.88,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.