News

Monday, August 20, 2007

ubuntu-security-announce Digest, Vol 35, Issue 8


Today's Topics:

1. [USN-499-1] Apache vulnerabilities (Kees Cook)
2. [USN-500-1] rsync vulnerability (Kees Cook)


----------------------------------------------------------------------

Message: 1
Date: Thu, 16 Aug 2007 21:41:48 -0700
From: Kees Cook <kees@ubuntu.com>
Subject: [USN-499-1] Apache vulnerabilities
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20070817044148.GD22619@outflux.net>
Content-Type: text/plain; charset="us-ascii"

===========================================================
Ubuntu Security Notice USN-499-1 August 16, 2007
apache2 vulnerabilities
CVE-2006-5752, CVE-2007-1863, CVE-2007-3304
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
apache2-common 2.0.55-4ubuntu2.2
apache2-mpm-prefork 2.0.55-4ubuntu2.2
apache2-mpm-worker 2.0.55-4ubuntu2.2

Ubuntu 6.10:
apache2-common 2.0.55-4ubuntu4.1
apache2-mpm-prefork 2.0.55-4ubuntu4.1
apache2-mpm-worker 2.0.55-4ubuntu4.1

Ubuntu 7.04:
apache2-mpm-prefork 2.2.3-3.2ubuntu0.1
apache2-mpm-worker 2.2.3-3.2ubuntu0.1
apache2.2-common 2.2.3-3.2ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Stefan Esser discovered that mod_status did not force a character set,
which could result in browsers becoming vulnerable to XSS attacks when
processing the output. If a user were tricked into viewing server
status output during a crafted server request, a remote attacker could
exploit this to modify the contents, or steal confidential data (such as
passwords), within the same domain. By default, mod_status is disabled
in Ubuntu. (CVE-2006-5752)

Niklas Edmundsson discovered that the mod_cache module could be made to
crash using a specially crafted request. A remote user could use this
to cause a denial of service if Apache was configured to use a threaded
worker. By default, mod_cache is disabled in Ubuntu. (CVE-2007-1863)

A flaw was discovered in the signal handling of Apache. A local
attacker could trick Apache into sending SIGUSR1 to other processes.
The vulnerable code was only present in Ubuntu Feisty. (CVE-2007-3304)


Updated packages for Ubuntu 6.06 LTS:

Updated packages for Ubuntu 6.10:

Updated packages for Ubuntu 7.04:


------------------------------

Message: 2
Date: Mon, 20 Aug 2007 15:37:44 -0700
From: Kees Cook <kees@ubuntu.com>
Subject: [USN-500-1] rsync vulnerability
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20070820223744.GA22619@outflux.net>
Content-Type: text/plain; charset="us-ascii"

===========================================================
Ubuntu Security Notice USN-500-1 August 20, 2007
rsync vulnerability
CVE-2007-4091
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
rsync 2.6.6-1ubuntu2.1

Ubuntu 6.10:
rsync 2.6.8-2ubuntu3.1

Ubuntu 7.04:
rsync 2.6.9-3ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Sebastian Krahmer discovered that rsync contained an off-by-one
miscalculation when handling certain file paths. By creating a specially
crafted tree of files and tricking an rsync server into processing them,
a remote attacker could write a single NULL to stack memory, possibly
leading to arbitrary code execution.


Updated packages for Ubuntu 6.06 LTS:

Updated packages for Ubuntu 6.10:

Updated packages for Ubuntu 7.04:


------------------------------


End of ubuntu-security-announce Digest, Vol 35, Issue 8
*******************************************************
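
Added example, not part of the advisories or of Ubuntu's own tooling: a check of installed package versions against the fixed versions listed in USN-499-1 and USN-500-1 above. The Debian version ordering is reimplemented here so the check runs without dpkg; the sample inventory (tab-separated package and version, the form `dpkg-query -W` prints) is constructed.

```python
# Fixed versions as listed in USN-499-1 (apache2) and USN-500-1 (rsync).
FIXED = {
    "6.06": {"apache2-common": "2.0.55-4ubuntu2.2",
             "apache2-mpm-prefork": "2.0.55-4ubuntu2.2",
             "apache2-mpm-worker": "2.0.55-4ubuntu2.2",
             "rsync": "2.6.6-1ubuntu2.1"},
    "6.10": {"apache2-common": "2.0.55-4ubuntu4.1",
             "apache2-mpm-prefork": "2.0.55-4ubuntu4.1",
             "apache2-mpm-worker": "2.0.55-4ubuntu4.1",
             "rsync": "2.6.8-2ubuntu3.1"},
    "7.04": {"apache2-mpm-prefork": "2.2.3-3.2ubuntu0.1",
             "apache2-mpm-worker": "2.2.3-3.2ubuntu0.1",
             "apache2.2-common": "2.2.3-3.2ubuntu0.1",
             "rsync": "2.6.9-3ubuntu1.1"},
}
DIGITS = "0123456789"

def _order(ch):
    """Sort weight of a non-digit character: '~' < end/digit < letters < rest."""
    if ch == "" or ch in DIGITS:
        return 0
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    """Compare upstream or revision strings: alternate text and number runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            wa, wb = _order(a[i:i + 1]), _order(b[j:j + 1])
            if wa != wb:
                return -1 if wa < wb else 1
            i, j = i + 1, j + 1
        si, sj = i, j
        while i < len(a) and a[i] in DIGITS:
            i += 1
        while j < len(b) and b[j] in DIGITS:
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, rest = (version.split(":", 1) if ":" in version else ("0", version))
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def parse_inventory(text):
    """Parse 'package<TAB>version' lines into a dict."""
    rows = (line.split("\t") for line in text.splitlines() if "\t" in line)
    return {pkg.strip(): ver.strip() for pkg, ver in rows}

def outdated(release, inventory_text):
    """List (package, installed, fixed) for installed packages below the fix."""
    installed = parse_inventory(inventory_text)
    return [(pkg, installed[pkg], fixed)
            for pkg, fixed in sorted(FIXED[release].items())
            if pkg in installed and compare_versions(installed[pkg], fixed) < 0]

# Constructed inventory for an Ubuntu 7.04 host (versions are illustrative).
SAMPLE_INVENTORY = (
    "apache2.2-common\t2.2.3-3.2build1\n"
    "apache2-mpm-worker\t2.2.3-3.2ubuntu0.1\n"
    "rsync\t2.6.9-3ubuntu1\n"
)

if __name__ == "__main__":
    for pkg, have, need in outdated("7.04", SAMPLE_INVENTORY):
        print(f"{pkg}: installed {have}, fixed in {need}")
```

Packages that are not installed are skipped, so an empty result means no listed package is below its fixed version on that host.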
