WINDOWS CENTER: ubuntu-security-announce Digest, Vol 59, Issue 4

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."

Today's Topics:

1. [USN-813-1] apr vulnerability (Jamie Strandboge)
2. [USN-813-2] Apache vulnerability (Jamie Strandboge)
3. [USN-813-3] apr-util vulnerability (Jamie Strandboge)

----------------------------------------------------------------------

Message: 1
Date: Fri, 7 Aug 2009 19:57:13 -0500
From: Jamie Strandboge <jamie@canonical.com>
Subject: [USN-813-1] apr vulnerability
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20090808005713.GB2318@severus.strandboge.com>
Content-Type: text/plain; charset="us-ascii"

===========================================================
Ubuntu Security Notice USN-813-1 August 08, 2009
apr vulnerability
CVE-2009-2412
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
libapr1 1.2.11-1ubuntu0.1

Ubuntu 8.10:
libapr1 1.2.12-4ubuntu0.1

Ubuntu 9.04:
libapr1 1.2.12-5ubuntu0.1

After a standard system upgrade you need to restart any applications using
apr, such as Subversion and Apache, to effect the necessary changes.

Details follow:

Matt Lewis discovered that apr did not properly sanitize its input when
allocating memory. If an application using apr processed crafted input, a
remote attacker could cause a denial of service or potentially execute
arbitrary code as the user invoking the application.

Updated packages for Ubuntu 8.04 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/a/apr/apr_1.2.11-1ubuntu0.1.diff.gz
Size/MD5: 15611 add923c3313d739b3f20f207f71c73d8
http://security.ubuntu.com/ubuntu/pool/main/a/apr/apr_1.2.11-1ubuntu0.1.dsc
Size/MD5: 1125 80e494c58542be8b4d0294bd7e59dc13
http://security.ubuntu.com/ubuntu/pool/main/a/apr/apr_1.2.11.orig.tar.gz
Size/MD5: 1114033 afcf9541dc31551abeb6c53bb42c2596

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dbg_1.2.11-1ubuntu0.1_amd64.deb
Size/MD5: 194610 716922eb0712a07fed068fcb925772c1
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dev_1.2.11-1ubuntu0.1_amd64.deb
Size/MD5: 788200 a69f65f1e8aeb641aca3a249a842ce28
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1_1.2.11-1ubuntu0.1_amd64.deb
Size/MD5: 117152 6413342ab115ccb57a59680e4ad40d6f

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dbg_1.2.11-1ubuntu0.1_i386.deb
Size/MD5: 189048 d59218dc9160e0bb0470563333173d04
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dev_1.2.11-1ubuntu0.1_i386.deb
Size/MD5: 776116 4446e1f5e8ce9926cda8fc5c3f20e17c
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1_1.2.11-1ubuntu0.1_i386.deb
Size/MD5: 113026 67a51cd1f86be2d432f4d1a5f286eebf

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/a/apr/libapr1-dbg_1.2.11-1ubuntu0.1_lpia.deb
Size/MD5: 190698 52f49994e4febd9fc97e15519decea0e
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dev_1.2.11-1ubuntu0.1_lpia.deb
Size/MD5: 775518 0e7976961d9ce279db79ba14775107f9
http://ports.ubuntu.com/pool/main/a/apr/libapr1_1.2.11-1ubuntu0.1_lpia.deb
Size/MD5: 111342 74f98528ff681564b8c69beead400bd6

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/a/apr/libapr1-dbg_1.2.11-1ubuntu0.1_powerpc.deb
Size/MD5: 195426 d8c12007029f0cf180a86f42e79ded57
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dev_1.2.11-1ubuntu0.1_powerpc.deb
Size/MD5: 787514 a553507d0ed7ed8afc9d2a9fc866eb70
http://ports.ubuntu.com/pool/main/a/apr/libapr1_1.2.11-1ubuntu0.1_powerpc.deb
Size/MD5: 123062 9a90160cdc43792ce2bc49df4ae91865

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/a/apr/libapr1-dbg_1.2.11-1ubuntu0.1_sparc.deb
Size/MD5: 175976 9cc036cfae077abd1ac467af6bd790c1
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dev_1.2.11-1ubuntu0.1_sparc.deb
Size/MD5: 776780 5117cf23995948387b6fb14b68431ae6
http://ports.ubuntu.com/pool/main/a/apr/libapr1_1.2.11-1ubuntu0.1_sparc.deb
Size/MD5: 108894 a4427541fc8b13d0a9b89fbaba2a434a

Updated packages for Ubuntu 8.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/a/apr/apr_1.2.12-4ubuntu0.1.diff.gz
Size/MD5: 12533 057d9b6e04b87b71e9518d53de61b659
http://security.ubuntu.com/ubuntu/pool/main/a/apr/apr_1.2.12-4ubuntu0.1.dsc
Size/MD5: 1384 58b855b6bfd0504326eb02fa5dd9f6e9
http://security.ubuntu.com/ubuntu/pool/main/a/apr/apr_1.2.12.orig.tar.gz
Size/MD5: 1127522 020ea947446dca2d1210c099c7a4c837

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dbg_1.2.12-4ubuntu0.1_amd64.deb
Size/MD5: 53468 eb68dda90aed2dfd1e9c55766dd4d424
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dev_1.2.12-4ubuntu0.1_amd64.deb
Size/MD5: 785202 d7f1e3477f79d4433b9390411b814073
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1_1.2.12-4ubuntu0.1_amd64.deb
Size/MD5: 113952 92d67e89dcf26a5bc02d98bf86fc22f9

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dbg_1.2.12-4ubuntu0.1_i386.deb
Size/MD5: 53464 c3dd60a4f092291b562ba212e3f60da7
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dev_1.2.12-4ubuntu0.1_i386.deb
Size/MD5: 772414 6001d74f8ec3772706b267410321fb3d
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1_1.2.12-4ubuntu0.1_i386.deb
Size/MD5: 108752 0bfab5d3b02547e5690d766393336d1e

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/a/apr/libapr1-dbg_1.2.12-4ubuntu0.1_lpia.deb
Size/MD5: 53444 2b5634382952fa49c759c1a4d4073f20
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dev_1.2.12-4ubuntu0.1_lpia.deb
Size/MD5: 771794 f5be7e04e8e49a952f331d1c51d0dfa3
http://ports.ubuntu.com/pool/main/a/apr/libapr1_1.2.12-4ubuntu0.1_lpia.deb
Size/MD5: 106786 14eec6bff97d98911d5aae1f7e6b6e42

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/a/apr/libapr1-dbg_1.2.12-4ubuntu0.1_powerpc.deb
Size/MD5: 54804 a629d5b1784683de60bad9fd3347ec0b
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dev_1.2.12-4ubuntu0.1_powerpc.deb
Size/MD5: 781506 c31d8fbad695f3444247605e8735f417
http://ports.ubuntu.com/pool/main/a/apr/libapr1_1.2.12-4ubuntu0.1_powerpc.deb
Size/MD5: 115848 eca448cd2d24d9033052644c6e6699fd

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/a/apr/libapr1-dbg_1.2.12-4ubuntu0.1_sparc.deb
Size/MD5: 54124 1f20ab360c8423cc0f23e703a49258f8
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dev_1.2.12-4ubuntu0.1_sparc.deb
Size/MD5: 778254 592362c830dc1dbe4a11891014aa3d79
http://ports.ubuntu.com/pool/main/a/apr/libapr1_1.2.12-4ubuntu0.1_sparc.deb
Size/MD5: 109060 e7fe5915bedd748ea1fae929b7744ebc

Updated packages for Ubuntu 9.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/a/apr/apr_1.2.12-5ubuntu0.1.diff.gz
Size/MD5: 12392 dad717ee3cf5ee5a51f4557e107f7f0b
http://security.ubuntu.com/ubuntu/pool/main/a/apr/apr_1.2.12-5ubuntu0.1.dsc
Size/MD5: 1384 282ecf985e0843d0790a6faad28bf08e
http://security.ubuntu.com/ubuntu/pool/main/a/apr/apr_1.2.12.orig.tar.gz
Size/MD5: 1127522 020ea947446dca2d1210c099c7a4c837

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dbg_1.2.12-5ubuntu0.1_amd64.deb
Size/MD5: 53506 6614950fdda2e501f6e08cb72e1fc7f8
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dev_1.2.12-5ubuntu0.1_amd64.deb
Size/MD5: 785976 a55e34fc1c8dfdfd18c258b734562d16
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1_1.2.12-5ubuntu0.1_amd64.deb
Size/MD5: 114016 c06eaa80d78148669a99b0baba6e233a

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dbg_1.2.12-5ubuntu0.1_i386.deb
Size/MD5: 53502 9cfdb6c1d30317b66e82237f204e945b
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1-dev_1.2.12-5ubuntu0.1_i386.deb
Size/MD5: 773486 96be1dd29735870a80385217fe443363
http://security.ubuntu.com/ubuntu/pool/main/a/apr/libapr1_1.2.12-5ubuntu0.1_i386.deb
Size/MD5: 108822 5de07e4a316394e2347a3cd2b6f68cf4

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/a/apr/libapr1-dbg_1.2.12-5ubuntu0.1_lpia.deb
Size/MD5: 53480 5e3f7e68d7492e5b8c0821d9fc873513
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dev_1.2.12-5ubuntu0.1_lpia.deb
Size/MD5: 772806 fb8c2e67ac688a9ec4e3ce23874f2acd
http://ports.ubuntu.com/pool/main/a/apr/libapr1_1.2.12-5ubuntu0.1_lpia.deb
Size/MD5: 106850 b0e1853de388ba71b0f2a8c5539be9cf

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/a/apr/libapr1-dbg_1.2.12-5ubuntu0.1_powerpc.deb
Size/MD5: 54828 de1be5158a85c5e33e510329f2e571e1
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dev_1.2.12-5ubuntu0.1_powerpc.deb
Size/MD5: 782358 5e69131b4a32e3e5ce9abc5e8503599f
http://ports.ubuntu.com/pool/main/a/apr/libapr1_1.2.12-5ubuntu0.1_powerpc.deb
Size/MD5: 115900 55d92b74d725f6d80a3848e9a3b7723e

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/a/apr/libapr1-dbg_1.2.12-5ubuntu0.1_sparc.deb
Size/MD5: 54170 2d5973180a33b09b336698718be07238
http://ports.ubuntu.com/pool/main/a/apr/libapr1-dev_1.2.12-5ubuntu0.1_sparc.deb
Size/MD5: 779146 ec3ab918bbf8e8a758b95137cd371a89
http://ports.ubuntu.com/pool/main/a/apr/libapr1_1.2.12-5ubuntu0.1_sparc.deb
Size/MD5: 109082 2b5b346d2ed2237cc2f782eae01df534

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20090807/5f8406b3/attachment-0001.pgp

------------------------------

Message: 2
Date: Fri, 7 Aug 2009 20:06:16 -0500
From: Jamie Strandboge <jamie@canonical.com>
Subject: [USN-813-2] Apache vulnerability
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20090808010616.GA2695@severus.strandboge.com>
Content-Type: text/plain; charset="us-ascii"

===========================================================
Ubuntu Security Notice USN-813-2 August 08, 2009
apache2 vulnerability
CVE-2009-2412
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libapr0 2.0.55-4ubuntu2.7

After a standard system upgrade you need to restart any applications using
apr, such as Subversion and Apache, to effect the necessary changes.

Details follow:

USN-813-1 fixed vulnerabilities in apr. This update provides the
corresponding updates for apr as provided by Apache on Ubuntu 6.06 LTS.

Original advisory details:

Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.7.diff.gz
Size/MD5: 126010 68da83341313e1b166fe345138d1eaa5
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.7.dsc
Size/MD5: 1156 0b17c48d0880ab82c769c41d1aff7002
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55.orig.tar.gz
Size/MD5: 6092031 45e32c9432a8e3cf4227f5af91b03622

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.55-4ubuntu2.7_all.deb
Size/MD5: 2125530 9356b79c2b1591ffec1a6cd1974f82fd

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

i386 architecture (x86 compatible Intel/AMD):

powerpc architecture (Apple Macintosh G3/G4/G5):

sparc architecture (Sun SPARC/UltraSPARC):

------------------------------

Message: 3
Date: Sat, 8 Aug 2009 00:56:47 -0500
From: Jamie Strandboge <jamie@canonical.com>
Subject: [USN-813-3] apr-util vulnerability
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20090808055647.GA6414@severus.strandboge.com>
Content-Type: text/plain; charset="us-ascii"

===========================================================
Ubuntu Security Notice USN-813-3 August 08, 2009
apr-util vulnerability
CVE-2009-2412
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
libaprutil1 1.2.12+dfsg-3ubuntu0.2

Ubuntu 8.10:
libaprutil1 1.2.12+dfsg-7ubuntu0.3

Ubuntu 9.04:
libaprutil1 1.2.12+dfsg-8ubuntu0.3

After a standard system upgrade you need to restart any applications using
apr-util, such as Subversion and Apache, to effect the necessary changes.

Details follow:

USN-813-1 fixed vulnerabilities in apr. This update provides the corresponding updates for apr-util.

Original advisory details:

Updated packages for Ubuntu 8.04 LTS: