VARIoT IoT vulnerabilities database

VAR-200909-0399 | CVE-2009-3095 | Apache mod_proxy_ftp remote command injection vulnerability
CVSS V2: 5.0 | CVSS V3: - | Severity: MEDIUM
The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. Apache HTTP Server is an open source web server from the US-based Apache Software Foundation. The server is fast, reliable and extensible through a simple API. The Apache mod_proxy_ftp module is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.
Attackers can exploit this issue to execute arbitrary commands within the context of the affected application.
===========================================================
Ubuntu Security Notice USN-860-1 November 19, 2009
apache2 vulnerabilities
CVE-2009-3094, CVE-2009-3095, CVE-2009-3555
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
apache2-common 2.0.55-4ubuntu2.9
Ubuntu 8.04 LTS:
apache2.2-common 2.2.8-1ubuntu0.14
Ubuntu 8.10:
apache2.2-common 2.2.9-7ubuntu3.5
Ubuntu 9.04:
apache2.2-common 2.2.11-2ubuntu2.5
Ubuntu 9.10:
apache2.2-common 2.2.12-1ubuntu2.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
protocols. If an attacker could perform a man in the middle attack at the
start of a TLS connection, the attacker could inject arbitrary content at
the beginning of the user's session. The flaw is with TLS renegotiation and
potentially affects any software that supports this feature. Attacks
against the HTTPS protocol are known, with the severity of the issue
depending on the safeguards used in the web application. Until the TLS
protocol and underlying libraries are adjusted to defend against this
vulnerability, a partial, temporary workaround has been applied to Apache
that disables client initiated TLS renegotiation. This update does not
protect against server initiated TLS renegotiation when using
SSLVerifyClient and SSLCipherSuite on a per Directory or Location basis. (CVE-2009-3555)
It was discovered that mod_proxy_ftp in Apache did not properly sanitize
its input when processing replies to EPASV and PASV commands.
(CVE-2009-3094)
Another flaw was discovered in mod_proxy_ftp.
(CVE-2009-3095)
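A defensive check for the CVE-2009-3095 input path, as an added example that is not Apache's patch or code from this advisory: it decodes Basic credentials from an Authorization header and rejects any that contain control bytes, since FTP commands are terminated by CRLF (RFC 959). The function names and the sample header values are constructed for illustration.

```python
import base64
import binascii

# Constructed sample Authorization header values (not taken from real traffic).
SAMPLE_HEADERS = [
    "Basic " + base64.b64encode(b"anonymous:guest@example.org").decode(),
    "Basic " + base64.b64encode(b"anonymous\r\nNOOP:guest").decode(),
    "Basic " + base64.b64encode(b"user:pa\nss").decode(),
    "Basic !!!not-base64!!!",
    "Bearer abc.def.ghi",
]


def check_proxy_ftp_authorization(header_value):
    """Classify one Authorization header value seen on an FTP-proxying vhost.

    Returns (verdict, reason) where verdict is "allow", "reject" or "ignore".
    Assumption: the proxy forwards the decoded user and password to the FTP
    server as login arguments, so a control byte inside either field would
    end the intended command line early.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        # Other schemes carry no user:password pair to forward.
        return ("ignore", "not Basic credentials")

    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return ("reject", "malformed base64")

    user, sep, password = decoded.partition(b":")
    if not sep:
        return ("reject", "no user:password separator")

    # Reject any C0 control byte or DEL; CR (0x0d) and LF (0x0a) are the
    # bytes that delimit FTP commands on the control connection.
    for name, field in (("user", user), ("password", password)):
        bad = [b for b in field if b < 0x20 or b == 0x7F]
        if bad:
            return ("reject", "control byte 0x%02x in %s" % (bad[0], name))

    return ("allow", "credentials contain no control bytes")


def scan_headers(headers):
    """Run the check over several header values and return the verdicts."""
    return [check_proxy_ftp_authorization(h)[0] for h in headers]


if __name__ == "__main__":
    for value in SAMPLE_HEADERS:
        verdict, reason = check_proxy_ftp_authorization(value)
        print("%-7s %s" % (verdict, reason))
```

The same test can be applied offline to captured request headers to find requests that should have been refused before the fixed packages were installed.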
Updated packages for Ubuntu 6.06 LTS:
Updated packages for Ubuntu 8.04 LTS:
Updated packages for Ubuntu 8.10:
Updated packages for Ubuntu 9.04:
Updated packages for Ubuntu 9.10:
Note that this security issue does not really apply as zlib compression
is not enabled in the openssl build provided by Mandriva, but apache
is patched to address this issue anyway (concerns 2008.1 only).
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the
mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c
in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions,
allows remote attackers to inject arbitrary web script or HTML via
wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this
security issue was initially addressed with MDVSA-2008:195 but the
patch fixing the issue was added but not applied in 2009.0.
The Apache HTTP Server 2.2.11 and earlier 2.2 versions do not
properly handle Options=IncludesNOEXEC in the AllowOverride directive,
which allows local users to gain privileges by configuring (1) Options
Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a
.htaccess file, and then inserting an exec element in a .shtml file
(CVE-2009-1195).
The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
module in the Apache HTTP Server before 2.3.3, when a reverse proxy
is configured, does not properly handle an amount of streamed data
that exceeds the Content-Length value, which allows remote attackers
to cause a denial of service (CPU consumption) via crafted requests
(CVE-2009-1890).
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects (CVE-2009-1891).
NOTE: as of 20090903, this disclosure has no actionable information.
However, because the VulnDisco Pack author is a reliable researcher,
the issue is being assigned a CVE identifier for tracking purposes
(CVE-2009-3095).
Apache is affected by SSL injection or man-in-the-middle attacks
due to a design flaw in the SSL and/or TLS protocols. A short term
solution was released Sat Nov 07 2009 by the ASF team to mitigate
these problems. Apache will now reject in-session renegotiation
(CVE-2009-3555).
Packages for 2008.0 are being provided due to extended support for
Corporate products.
This update provides a solution to these vulnerabilities.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
------------------------------------------------------------------------
Debian Security Advisory DSA-1934-1 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
November 16, 2009 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : apache2
Vulnerability : multiple issues
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3094 CVE-2009-3095 CVE-2009-3555
A design flaw has been found in the TLS and SSL protocols that allows
an attacker to inject arbitrary content at the beginning of a TLS/SSL
connection. The attack is related to the way TLS and SSL handle
session renegotiations. CVE-2009-3555 has been assigned to this
vulnerability.
As a partial mitigation against this attack, this apache2 update
disables client-initiated renegotiations. This should fix the
vulnerability for the majority of Apache configurations in use.
NOTE: This is not a complete fix for the problem. The attack is
still possible in configurations where the server initiates the
renegotiation. This is the case for the following configurations
(the information in the changelog of the updated packages is
slightly inaccurate):
- The "SSLVerifyClient" directive is used in a Directory or Location
  context.
- The "SSLCipherSuite" directive is used in a Directory or Location
  context.
As a workaround, you may rearrange your configuration in a way that
SSLVerifyClient and SSLCipherSuite are only used on the server or
virtual host level.
A complete fix for the problem will require a protocol change. Further
information will be included in a separate announcement about this
issue.
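The configuration check implied by the note and workaround above, as an added example (not part of the Debian advisory and not Apache project code): it reports every SSLVerifyClient or SSLCipherSuite directive that sits inside a per-directory section. It goes slightly beyond the advisory's wording by also treating the Match variants and `<Files>` sections as the same per-directory context; the sample configurations and all function and variable names are constructed for illustration.

```python
import re

# Directives the advisory says trigger a server-initiated renegotiation
# when they appear in a per-directory context.
RENEG_DIRECTIVES = {"sslverifyclient", "sslciphersuite"}

# "Directory or Location context" per the advisory; the Match variants and
# Files sections are added here as an assumption of equivalent context.
PER_DIR_SECTIONS = {
    "directory", "directorymatch",
    "location", "locationmatch",
    "files", "filesmatch",
}

_OPEN = re.compile(r"^<\s*([A-Za-z]+)\b([^>]*)>$")
_CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")


def find_renegotiation_triggers(config_text):
    """Return (line_no, directive, enclosing_section) for each risky directive."""
    findings = []
    stack = []  # currently open sections, innermost last: (name_lower, raw_tag)
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directives

        closing = _CLOSE.match(line)
        if closing:
            name = closing.group(1).lower()
            # Pop back to the matching opener; ignore stray closers.
            for i in range(len(stack) - 1, -1, -1):
                if stack[i][0] == name:
                    del stack[i:]
                    break
            continue

        opening = _OPEN.match(line)
        if opening:
            stack.append((opening.group(1).lower(), line))
            continue

        directive = line.split(None, 1)[0]
        if directive.lower() in RENEG_DIRECTIVES:  # names are case-insensitive
            enclosing = [tag for name, tag in stack if name in PER_DIR_SECTIONS]
            if enclosing:
                findings.append((line_no, directive, enclosing[-1]))
    return findings


# Constructed sample: directives inside Location/Directory sections.
SAMPLE_CONFIG = """\
# constructed sample, not taken from the advisory
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
    SSLVerifyClient none
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    <Directory "/var/www/secure">
        # SSLCipherSuite commented out, must not be reported
        sslciphersuite HIGH
    </Directory>
</VirtualHost>
"""

# Constructed sample after the workaround: both directives only at vhost level.
REARRANGED_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
    SSLVerifyClient require
    <Location /admin>
        Options None
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, directive, section in find_renegotiation_triggers(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} inside {section}")
```

The check reads a single file's text and does not follow Include directives, so each included file has to be passed to it separately.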
In addition, this update fixes the following issues in Apache's
mod_proxy_ftp:
CVE-2009-3094: Insufficient input validation in the mod_proxy_ftp
module allowed remote FTP servers to cause a denial of service (NULL
pointer dereference and child process crash) via a malformed reply to
an EPSV command.
For the stable distribution (lenny), these problems have been fixed in
version 2.2.9-10+lenny6. This version also includes some non-security
bug fixes that were scheduled for inclusion in the next stable point
release (Debian 5.0.4).
For the oldstable distribution (etch), these problems have been fixed in
version 2.2.3-4+etch11.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed in version 2.2.14-2.
This advisory also provides updated apache2-mpm-itk packages which
have been recompiled against the new apache2 packages.
Updated apache2-mpm-itk packages for the armel architecture are not
included yet. They will be released as soon as they become available.
We recommend that you upgrade your apache2 and apache2-mpm-itk packages.
Upgrade instructions
--------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch (oldstable)
-------------------------------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Debian GNU/Linux 5.0 alias lenny (stable)
-----------------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
These files will probably be moved into the stable distribution on
its next update.
Kit Name
Location
HP SWS V2.2 for OpenVMS Alpha and OpenVMS Integrity servers.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02160663
Version: 1
HPSBUX02531 SSRT100108 rev.1 - HP-UX Running Apache-based Web Server, Remote Denial of Service (DoS), Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-06-02
Last Updated: 2010-06-02
-----------------------------------------------------------------------------
Potential Security Impact: Remote Denial of Service (DoS), unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS) or unauthorized access.
References: CVE-2009-3094, CVE-2009-3095, CVE-2010-0408, CVE-2010-0740, CVE-2010-0433, CVE-2010-0434
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running Apache-based Web Server versions before v2.2.8.09
HP-UX B.11.11, B.11.23, B.11.31 running Apache-based Web Server versions before v2.0.59.15
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                     Base Score
CVE-2009-3094    (AV:N/AC:H/Au:N/C:N/I:N/A:C)    5.4
CVE-2009-3095    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2010-0408    (AV:N/AC:L/Au:N/C:N/I:N/A:P)    5.0
CVE-2010-0740    (AV:N/AC:L/Au:N/C:N/I:N/A:P)    5.0
CVE-2010-0433    (AV:N/AC:M/Au:N/C:N/I:N/A:P)    4.3
CVE-2010-0434    (AV:N/AC:M/Au:N/C:P/I:N/A:N)    4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
Note: CVE-2009-3094, CVE-2009-3095 and CVE-2010-0740 affect only HP-UX Web Server Suite v2.30;
CVE-2010-0408, CVE-2010-0433 and CVE-2010-0434 affect only HP-UX Web Server Suite v3.09.
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities. The HP-UX Software Assistant analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
For Web Server Suite before v3.09
HP-UX B.11.23
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
action: install revision B.2.2.8.09 or subsequent
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
action: install revision B.2.2.8.09 or subsequent
For Web Server Suite before v2.30
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
HP-UX B.11.23
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
HP-UX B.11.31
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 2 June 2010 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
BAC v8.07 supplies Apache 2.2.17. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com
VAR-200909-0801 | CVE-2009-3094 | Denial-of-service (DoS) vulnerability in the ap_proxy_ftp_handler function of Apache HTTP Server |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. The Apache 'mod_proxy_ftp' module is prone to a denial-of-service vulnerability because of a NULL-pointer dereference.
Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
===========================================================
Ubuntu Security Notice USN-860-1 November 19, 2009
apache2 vulnerabilities
CVE-2009-3094, CVE-2009-3095, CVE-2009-3555
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
apache2-common 2.0.55-4ubuntu2.9
Ubuntu 8.04 LTS:
apache2.2-common 2.2.8-1ubuntu0.14
Ubuntu 8.10:
apache2.2-common 2.2.9-7ubuntu3.5
Ubuntu 9.04:
apache2.2-common 2.2.11-2ubuntu2.5
Ubuntu 9.10:
apache2.2-common 2.2.12-1ubuntu2.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
protocols. If an attacker could perform a man in the middle attack at the
start of a TLS connection, the attacker could inject arbitrary content at
the beginning of the user's session. The flaw is with TLS renegotiation and
potentially affects any software that supports this feature. Attacks
against the HTTPS protocol are known, with the severity of the issue
depending on the safeguards used in the web application. Until the TLS
protocol and underlying libraries are adjusted to defend against this
vulnerability, a partial, temporary workaround has been applied to Apache
that disables client initiated TLS renegotiation. This update does not
protect against server initiated TLS renegotiation when using
SSLVerifyClient and SSLCipherSuite on a per Directory or Location basis. (CVE-2009-3555)
It was discovered that mod_proxy_ftp in Apache did not properly sanitize
its input when processing replies to EPASV and PASV commands.
(CVE-2009-3094)
Another flaw was discovered in mod_proxy_ftp.
(CVE-2009-3095)
Updated packages for Ubuntu 6.06 LTS:
Updated packages for Ubuntu 8.04 LTS:
Updated packages for Ubuntu 8.10:
Updated packages for Ubuntu 9.04:
Updated packages for Ubuntu 9.10:
Note that this security issue does not really apply as zlib
compression is not enabled in the openssl build provided by Mandriva,
but apache is patched to address this issue anyway (concerns 2008.1
only).
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the
mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c
in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions,
allows remote attackers to inject arbitrary web script or HTML via
wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this
security issue was initially addressed with MDVSA-2008:195 but the
patch fixing the issue was added but not applied in 2009.0.
The Apache HTTP Server 2.2.11 and earlier 2.2 versions do not
properly handle Options=IncludesNOEXEC in the AllowOverride directive,
which allows local users to gain privileges by configuring (1) Options
Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a
.htaccess file, and then inserting an exec element in a .shtml file
(CVE-2009-1195).
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects (CVE-2009-1891). NOTE: as of 20090903,
this disclosure has no actionable information. However, because the
VulnDisco Pack author is a reliable researcher, the issue is being
assigned a CVE identifier for tracking purposes (CVE-2009-3095).
Apache is affected by SSL injection or man-in-the-middle attacks
due to a design flaw in the SSL and/or TLS protocols. A short term
solution was released Sat Nov 07 2009 by the ASF team to mitigate
these problems. Apache will now reject in-session renegotiation
(CVE-2009-3555).
Packages for 2008.0 are being provided due to extended support for
Corporate products.
This update provides a solution to these vulnerabilities.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1934-1 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
November 16, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : apache2
Vulnerability : multiple issues
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3094 CVE-2009-3095 CVE-2009-3555
A design flaw has been found in the TLS and SSL protocol that allows
an attacker to inject arbitrary content at the beginning of a TLS/SSL
connection. The attack is related to the way TLS and SSL handle
session renegotiations. CVE-2009-3555 has been assigned to this
vulnerability.
As a partial mitigation against this attack, this apache2 update
disables client-initiated renegotiations. This should fix the
vulnerability for the majority of Apache configurations in use.
NOTE: This is not a complete fix for the problem. The attack is
still possible in configurations where the server initiates the
renegotiation. This is the case for the following configurations
(the information in the changelog of the updated packages is
slightly inaccurate):
- - The "SSLVerifyClient" directive is used in a Directory or Location
context.
- - The "SSLCipherSuite" directive is used in a Directory or Location
context.
As a workaround, you may rearrange your configuration in a way that
SSLVerifyClient and SSLCipherSuite are only used on the server or
virtual host level.
A complete fix for the problem will require a protocol change. Further
information will be included in a separate announcement about this
issue.
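A configuration check for the workaround described above, as an added example that is not part of the Debian advisory or the Apache project: it reports SSLVerifyClient and SSLCipherSuite directives that sit inside a Directory or Location section. The sample configuration is constructed, and treating the DirectoryMatch/LocationMatch variants as the same contexts is an assumption.

```python
import re

# Directives the advisory names as causing server-initiated renegotiation
# when they are used in a per-directory context.
RENEG_DIRECTIVES = {"sslverifyclient", "sslciphersuite"}
# The advisory names Directory and Location; the *Match variants are
# included on the assumption that they behave as the same contexts.
PER_DIR_SECTIONS = {"directory", "directorymatch", "location", "locationmatch"}

OPEN_RE = re.compile(r"^<\s*([A-Za-z]+)\b(.*)>\s*$")
CLOSE_RE = re.compile(r"^</\s*([A-Za-z]+)\s*>\s*$")

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
# constructed sample
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
    SSLVerifyClient none
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    <Directory "/srv/www/legacy">
        # SSLCipherSuite LOW   (commented out, ignored)
        SSLCipherSuite \\
            HIGH:MEDIUM
    </Directory>
</VirtualHost>
"""


def logical_lines(conf_text):
    """Yield (first_line_number, text) with comment lines dropped and
    backslash continuations joined into one logical line."""
    buf, start = "", None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            if not line or line.startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        yield start, buf.strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()


def find_renegotiation_triggers(conf_text, sections=PER_DIR_SECTIONS):
    """Return (line_no, directive, enclosing_section) for every
    SSLVerifyClient/SSLCipherSuite found inside a per-directory section.
    Presence is reported; the directive's value is not evaluated."""
    stack = []      # currently open sections as (name, argument)
    findings = []
    for line_no, line in logical_lines(conf_text):
        closing = CLOSE_RE.match(line)
        if closing:
            name = closing.group(1).lower()
            # Pop back to the matching opener; a stray closer is ignored.
            for i in range(len(stack) - 1, -1, -1):
                if stack[i][0].lower() == name:
                    del stack[i:]
                    break
            continue
        opening = OPEN_RE.match(line)
        if opening:
            stack.append((opening.group(1), opening.group(2).strip()))
            continue
        directive = line.split(None, 1)[0]
        if directive.lower() not in RENEG_DIRECTIVES:
            continue
        enclosing = [s for s in stack if s[0].lower() in sections]
        if enclosing:
            name, arg = enclosing[-1]
            findings.append((line_no, directive, f"<{name} {arg}>"))
    return findings


if __name__ == "__main__":
    for line_no, directive, section in find_renegotiation_triggers(SAMPLE_CONF):
        print(f"line {line_no}: {directive} inside {section}; "
              "move it to the server or virtual host level")
```

Directives at the server or virtual host level, such as the first two SSL settings in the sample, are not reported, which matches the arrangement the workaround asks for.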
CVE-2009-3095: Insufficient input validation in the mod_proxy_ftp
module allowed remote authenticated attackers to bypass intended access
restrictions and send arbitrary FTP commands to an FTP server.
For the stable distribution (lenny), these problems have been fixed in
version 2.2.9-10+lenny6. This version also includes some non-security
bug fixes that were scheduled for inclusion in the next stable point
release (Debian 5.0.4).
For the oldstable distribution (etch), these problems have been fixed in
version 2.2.3-4+etch11.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed in version 2.2.14-2.
This advisory also provides updated apache2-mpm-itk packages which
have been recompiled against the new apache2 packages.
Updated apache2-mpm-itk packages for the armel architecture are not
included yet. They will be released as soon as they become available.
We recommend that you upgrade your apache2 and apache2-mpm-itk packages.
Upgrade instructions
- --------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch (oldstable)
- -------------------------------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
These files will probably be moved into the stable distribution on
its next update.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02160663
Version: 1
HPSBUX02531 SSRT100108 rev.1 - HP-UX Running Apache-based Web Server, Remote Denial of Service (DoS), Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-06-02
Last Updated: 2010-06-02
-----------------------------------------------------------------------------
Potential Security Impact: Remote Denial of Service (DoS), unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS) or unauthorized access. Apache-based Web Server is contained in the Apache Web Server Suite.
References: CVE-2009-3094, CVE-2009-3095, CVE-2010-0408, CVE-2010-0740, CVE-2010-0433, CVE-2010-0434
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running Apache-based Web Server versions before v2.2.8.09
HP-UX B.11.11, B.11.23, B.11.31 running Apache-based Web Server versions before v2.0.59.15
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2009-3094 (AV:N/AC:H/Au:N/C:N/I:N/A:C) 5.4
CVE-2009-3095 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2010-0408 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-0740 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-0433 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2010-0434 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
Note: CVE-2009-3094, CVE-2009-3095 and CVE-2010-0740 affect only HP-UX Web Server Suite v2.30;
CVE-2010-0408, CVE-2010-0433 and CVE-2010-0434 affect only HP-UX Web Server Suite v3.09.
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities.
The upgrades are available from the following location:
URL http://software.hp.com
Note: HP-UX Web Server Suite v3.09 contains HP-UX Apache-based Web Server v2.2.8.09
Note: HP-UX Web Server Suite v2.30 contains HP-UX Apache-based Web Server v2.0.59.15
Web Server Suite Version / HP-UX Release / Depot name
Web Server v3.09 / B.11.23 and B.11.31 PA-32 / HPUXWS22ATW-B309-32.depot
Web Server v3.09 / B.11.23 and B.11.31 IA-64 / HPUXWS22ATW-B309-64.depot
Web Server v2.30 / B.11.11 PA-32 / HPUXWSATW-B230-1111.depot
Web Server v2.30 / B.11.23 PA-32 / HPUXWSATW-B230-32.depot
Web Server v2.30 / B.11.23 IA-64 / HPUXWSATW-B230-64.depot
Web Server v2.30 / B.11.31 IA-32 / HPUXWSATW-B230-32-1131.depot
Web Server v2.30 / B.11.31 IA-64 / HPUXWSATW-B230-64-1131.depot
MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server from the Apache Web Server Suite v2.30 or subsequent
or
Install Apache-based Web Server from the Apache Web Server Suite v3.09 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
For Web Server Suite before v3.09
HP-UX B.11.23
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
action: install revision B.2.2.8.09 or subsequent
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
action: install revision B.2.2.8.09 or subsequent
For Web Server Suite before v2.30
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
HP-UX B.11.23
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
HP-UX B.11.31
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 2 June 2010 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
BAC v8.07 supplies Apache 2.2.17. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com
VAR-200908-0535 | No CVE | Issue of Access Control Failure in Hitachi Device Manager Server |
CVSS V2: 6.8 CVSS V3: - Severity: Medium |
Hitachi Device Manager servers contain a vulnerability in which access control settings would be rendered invalid in the following cases:
- IPv6 format is used for communications between a Hitachi Device Manager server and its clients.
- Access controls for Hitachi Device Manager clients are set by the range of IP addresses written in the CIDR format.
An unauthorized client may gain access to the Hitachi Device Manager server.
Very few technical details are available. We will update this BID when more information emerges.
TITLE:
Hitachi Device Manager Server IPv6 Security Bypass Vulnerability
SECUNIA ADVISORY ID:
SA36526
VERIFY ADVISORY:
http://secunia.com/advisories/36526/
DESCRIPTION:
A vulnerability has been reported in multiple Hitachi products, which
can be exploited by malicious people to bypass certain security
restrictions.
Successful exploitation requires that the application is running in
an IPv6 environment and that the CIDR format is used in rules
restricting network access.
SOLUTION:
Apply vendor patches (please see vendor advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS09-013/index.html
OTHER REFERENCES:
JVN:
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-001931.html
----------------------------------------------------------------------
VAR-200908-0332 | CVE-2009-3016 | Apple Safari Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari 4.0.3 does not properly block javascript: and data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2) entering a javascript: URI when specifying the content of a Refresh header, (3) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. Safari is prone to a cross-site scripting vulnerability.
VAR-200909-0349 | CVE-2009-2957 | Arbitrary code execution vulnerability in the tftp_request function of dnsmasq |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request. Dnsmasq is prone to a remotely exploitable heap-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer.
Remote attackers can exploit this issue to execute arbitrary machine code in the context of the vulnerable software on the targeted user's computer.
Versions *prior to* Dnsmasq 2.50 are vulnerable.
------------------------------------------------------------------------
Debian Security Advisory DSA-1876-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
September 01, 2009                    http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : dnsmasq
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-2957 CVE-2009-2958
Several remote vulnerabilities have been discovered in the TFTP
component of dnsmasq.
CVE-2009-2958
Malicious TFTP clients may crash dnsmasq, leading to denial of
service.
The old stable distribution is not affected by these problems.
For the stable distribution (lenny), these problems have been fixed in
version 2.45-1+lenny1.
For the unstable distribution (sid), these problems have been fixed in
version 2.50-1.
We recommend that you upgrade your dnsmasq packages.
Upgrade instructions
--------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
--------------------------------
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
.
===========================================================
Ubuntu Security Notice USN-827-1 September 01, 2009
dnsmasq vulnerabilities
CVE-2009-2957, CVE-2009-2958
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
dnsmasq-base 2.41-2ubuntu2.2
Ubuntu 8.10:
dnsmasq-base 2.45-1ubuntu1.1
Ubuntu 9.04:
dnsmasq-base 2.47-3ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Iván Arce, Pablo Hernán Jorge, Alejandro Pablo Rodriguez, Martín Coco,
Alberto Soliño Testa and Pablo Annetta discovered that Dnsmasq did not
properly validate its input when processing TFTP requests for files with
long names. Dnsmasq runs as the 'dnsmasq' user by
default on Ubuntu. (CVE-2009-2957)
Steve Grubb discovered that Dnsmasq could be made to dereference a NULL
pointer when processing certain TFTP requests.
----------------------------------------------------------------------
TITLE:
Ubuntu update for dnsmasq
SECUNIA ADVISORY ID:
SA36563
VERIFY ADVISORY:
http://secunia.com/advisories/36563/
DESCRIPTION:
Ubuntu has issued an update for dnsmasq. This fixes two
vulnerabilities, which can be exploited by malicious people to cause
a DoS (Denial of Service) and potentially compromise a vulnerable
system.
For more information:
SA36394
SOLUTION:
Apply updated packages.
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200909-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Dnsmasq: Multiple vulnerabilities
Date: September 20, 2009
Bugs: #282653
ID: 200909-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Dnsmasq might result in the remote
execution of arbitrary code, or a Denial of Service.
Background
==========
Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It includes support for Trivial FTP (TFTP).
Affected packages
=================
-------------------------------------------------------------------
     Package          /  Vulnerable  /                  Unaffected
-------------------------------------------------------------------
  1  net-dns/dnsmasq       < 2.5.0                        >= 2.5.0
Description
===========
Multiple vulnerabilities have been reported in the TFTP functionality
included in Dnsmasq:
* Pablo Jorge and Alberto Solino discovered a heap-based buffer
overflow (CVE-2009-2957).
* An anonymous researcher reported a NULL pointer reference
(CVE-2009-2958).
Impact
======
A remote attacker in the local network could exploit these
vulnerabilities by sending specially crafted TFTP requests to a machine
running Dnsmasq, possibly resulting in the remote execution of
arbitrary code with the privileges of the user running the daemon, or a
Denial of Service. NOTE: The TFTP server is not enabled by default.
Workaround
==========
You can disable the TFTP server either at buildtime by not enabling the
"tftp" USE flag, or at runtime. Make sure "--enable-tftp" is not set in
the DNSMASQ_OPTS variable in the /etc/conf.d/dnsmasq file and
"enable-tftp" is not set in /etc/dnsmasq.conf, either of which would
enable TFTP support if it is compiled in.
Resolution
==========
All Dnsmasq users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =net-dns/dnsmasq-2.5.0
References
==========
[ 1 ] CVE-2009-2957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2957
[ 2 ] CVE-2009-2958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2958
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200909-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
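The Gentoo workaround above (GLSA 200909-19) as a repeatable check; this is an added example, not part of any advisory quoted here. The function names are hypothetical, and the matching rules (commented-out lines ignored, a "=value" suffix tolerated) are assumptions about how the two files are written.

```shell
#!/bin/sh
# Audit helper for the GLSA 200909-19 workaround (added example).
# Reports whether TFTP is switched on in a dnsmasq configuration file
# or in the DNSMASQ_OPTS variable of the Gentoo conf.d file.

# conf_enables_tftp FILE
# Succeeds when FILE holds an active "enable-tftp" line.
# Lines starting with "#" do not match; "enable-tftp=value" does.
conf_enables_tftp() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*enable-tftp([[:space:]=#]|$)' "$1"
}

# confd_enables_tftp FILE
# Succeeds when an active DNSMASQ_OPTS assignment in FILE carries
# --enable-tftp. Simplification: any uncommented assignment counts,
# even if a later assignment would override it.
confd_enables_tftp() {
    [ -r "$1" ] || return 1
    grep -E '^[[:space:]]*DNSMASQ_OPTS=' "$1" |
        grep -Eq "(^|[[:space:]\"'=])--enable-tftp([[:space:]\"'=]|\$)"
}

# audit_dnsmasq_tftp CONF CONFD
# Prints one finding per file that enables TFTP.
# Returns 0 when TFTP is disabled in both files, 1 otherwise.
audit_dnsmasq_tftp() {
    found=0
    if conf_enables_tftp "$1"; then
        echo "TFTP enabled: enable-tftp in $1"
        found=1
    fi
    if confd_enables_tftp "$2"; then
        echo "TFTP enabled: --enable-tftp in DNSMASQ_OPTS ($2)"
        found=1
    fi
    return "$found"
}

# demo_audit
# Runs the audit over constructed sample files (not taken from any
# advisory): the conf file has TFTP commented out, the conf.d file
# enables it, so the audit reports one finding and returns 1.
demo_audit() {
    demo_dir=$(mktemp -d) || return 2
    printf '%s\n' '# enable-tftp' 'tftp-root=/srv/tftp' > "$demo_dir/dnsmasq.conf"
    printf '%s\n' 'DNSMASQ_OPTS="--user=dnsmasq --enable-tftp"' > "$demo_dir/confd"
    if audit_dnsmasq_tftp "$demo_dir/dnsmasq.conf" "$demo_dir/confd"; then
        demo_rc=0
    else
        demo_rc=1
    fi
    rm -rf "$demo_dir"
    return "$demo_rc"
}

# On a Gentoo host, with the paths named in the advisory:
#   audit_dnsmasq_tftp /etc/dnsmasq.conf /etc/conf.d/dnsmasq
```

A zero exit status only shows that the workaround is in place; upgrading to the fixed package is still the resolution the advisory gives.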
VAR-200909-0342 | CVE-2009-2958 | Denial-of-service (DoS) vulnerability in the tftp_request function of dnsmasq |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request with a malformed blksize option. When --enable-tftp is used, the tftp_request function in dnsmasq does not fully process requests that carry a blksize option, which creates a denial-of-service (DoS) condition. A third party may be able to put the service into a DoS state. Dnsmasq is prone to a NULL-pointer dereference vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
NOTE: The TFTP service must be enabled for this issue to be exploitable; this is not the default.
Versions *prior to* Dnsmasq 2.50 are vulnerable.
------------------------------------------------------------------------
Debian Security Advisory DSA-1876-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
September 01, 2009                    http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : dnsmasq
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-2957 CVE-2009-2958
Several remote vulnerabilities have been discovered in the TFTP
component of dnsmasq. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2009-2957
A buffer overflow in TFTP processing may enable arbitrary code
execution to attackers which are permitted to use the TFTP service.
CVE-2009-2958
Malicious TFTP clients may crash dnsmasq, leading to denial of
service.
The old stable distribution is not affected by these problems.
For the stable distribution (lenny), these problems have been fixed in
version 2.45-1+lenny1.
For the unstable distribution (sid), these problems have been fixed in
version 2.50-1.
We recommend that you upgrade your dnsmasq packages.
Upgrade instructions
--------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
--------------------------------
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
.
===========================================================
Ubuntu Security Notice USN-827-1 September 01, 2009
dnsmasq vulnerabilities
CVE-2009-2957, CVE-2009-2958
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
dnsmasq-base 2.41-2ubuntu2.2
Ubuntu 8.10:
dnsmasq-base 2.45-1ubuntu1.1
Ubuntu 9.04:
dnsmasq-base 2.47-3ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Iván Arce, Pablo Hernán Jorge, Alejandro Pablo Rodriguez, Martín Coco,
Alberto Soliño Testa and Pablo Annetta discovered that Dnsmasq did not
properly validate its input when processing TFTP requests for files with
long names. Dnsmasq runs as the 'dnsmasq' user by
default on Ubuntu. (CVE-2009-2957)
Steve Grubb discovered that Dnsmasq could be made to dereference a NULL
pointer when processing certain TFTP requests.
----------------------------------------------------------------------
TITLE:
Ubuntu update for dnsmasq
SECUNIA ADVISORY ID:
SA36563
VERIFY ADVISORY:
http://secunia.com/advisories/36563/
DESCRIPTION:
Ubuntu has issued an update for dnsmasq. This fixes two
vulnerabilities, which can be exploited by malicious people to cause
a DoS (Denial of Service) and potentially compromise a vulnerable
system.
For more information:
SA36394
SOLUTION:
Apply updated packages.
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200909-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Dnsmasq: Multiple vulnerabilities
Date: September 20, 2009
Bugs: #282653
ID: 200909-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Dnsmasq might result in the remote
execution of arbitrary code, or a Denial of Service.
Background
==========
Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It includes support for Trivial FTP (TFTP).
Affected packages
=================
-------------------------------------------------------------------
     Package          /  Vulnerable  /                  Unaffected
-------------------------------------------------------------------
  1  net-dns/dnsmasq       < 2.5.0                        >= 2.5.0
Description
===========
Multiple vulnerabilities have been reported in the TFTP functionality
included in Dnsmasq:
* Pablo Jorge and Alberto Solino discovered a heap-based buffer
overflow (CVE-2009-2957).
* An anonymous researcher reported a NULL pointer reference
(CVE-2009-2958).
Impact
======
A remote attacker in the local network could exploit these
vulnerabilities by sending specially crafted TFTP requests to a machine
running Dnsmasq, possibly resulting in the remote execution of
arbitrary code with the privileges of the user running the daemon, or a
Denial of Service.
Workaround
==========
You can disable the TFTP server either at buildtime by not enabling the
"tftp" USE flag, or at runtime. Make sure "--enable-tftp" is not set in
the DNSMASQ_OPTS variable in the /etc/conf.d/dnsmasq file and
"enable-tftp" is not set in /etc/dnsmasq.conf, either of which would
enable TFTP support if it is compiled in.
Resolution
==========
All Dnsmasq users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =net-dns/dnsmasq-2.5.0
References
==========
[ 1 ] CVE-2009-2957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2957
[ 2 ] CVE-2009-2958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2958
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200909-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-200908-0339 | CVE-2009-3023 | Microsoft Internet Information Server (IIS) FTP server NLST stack buffer overflow |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects the following:
IIS 5.0
IIS 5.1
IIS 6.0 (denial of service only)
IIS 7.0 (denial of service only)
Note that Microsoft IIS 7.0 with FTP Service 7.5 is not affected.
Other versions may also be affected.
NOTE: This issue cannot be exploited to execute arbitrary code on IIS 6.0 or 7.0.
NOTE (September 1, 2009): This issue can be exploited to execute arbitrary code with SYSTEM-level privileges on IIS 5.0.
UPDATE (September 8, 2009): This issue may be related to a vulnerability reported in 1999 affecting IIS 3 and IIS 4. We will update this BID as more details emerge.
----------------------------------------------------------------------
The vulnerability is caused due to a boundary error in the FTP server
when processing NLST commands. This can be exploited to cause a
stack-based buffer overflow by issuing a specially crafted NLST
command.
The vulnerability is confirmed as a DoS in IIS 5.1 for Windows XP SP3
and in IIS 6.0 for Windows Server 2003, and reported as code execution
in IIS 5.0 for Windows 2000 SP4.
SOLUTION:
Restrict access to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Kingcope
ORIGINAL ADVISORY:
http://milw0rm.com/exploits/9541
OTHER REFERENCES:
VU#276653:
http://www.kb.cert.org/vuls/id/276653
----------------------------------------------------------------------
.
National Cyber Alert System
Technical Cyber Security Alert TA09-286A
Microsoft Updates for Multiple Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows and Windows Server
* Microsoft Internet Explorer
* Microsoft Office
* Microsoft .NET Framework
* Microsoft Silverlight
* Microsoft SQL Server
* Microsoft Developer Tools
* Microsoft Forefront
Overview
Microsoft has released updates to address vulnerabilities in
Microsoft Windows and Windows Server, Internet Explorer, Office,
.NET Framework, Silverlight, SQL Server, Developer Tools, and
Forefront.
I. Description
Microsoft has released multiple security bulletins for critical
vulnerabilities in Microsoft Windows and Windows Server, Internet
Explorer, Office, .NET Framework, Silverlight, SQL Server,
Developer Tools, and Forefront. These bulletins are described in
the Microsoft Security Bulletin Summary for October 2009.
II.
III. Solution
Apply updates from Microsoft
Microsoft has provided updates for these vulnerabilities in the
Microsoft Security Bulletin Summary for October 2009. The security
bulletin describes any known issues related to the updates.
Administrators are encouraged to note these issues and test for any
potentially adverse effects. Administrators should consider using
an automated update distribution system such as Windows Server
Update Services (WSUS).
IV. References
* Microsoft Security Bulletin Summary for October 2009 -
<http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx>
* Microsoft Windows Server Update Services -
<http://technet.microsoft.com/en-us/wsus/default.aspx>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-286A.html>
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2009: Initial release
VAR-200909-0359 | CVE-2009-2521 | Microsoft Internet Information Server (IIS) FTP server NLST stack buffer overflow |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Stack consumption vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows remote authenticated users to cause a denial of service (daemon crash) via a list (ls) -R command containing a wildcard that references a subdirectory, followed by a .. (dot dot), aka "IIS FTP Service DoS Vulnerability.". The Microsoft IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system.
An attacker can exploit this issue to terminate the affected application, denying service to legitimate users.
This issue affects the following:
IIS 5.0
IIS 5.1
IIS 6.0
IIS 7.0
NOTE: Microsoft IIS 7.0 with FTP Service 7.5 is not affected by this issue. Other versions may also be affected.
The vulnerability is caused due to an error when processing recursive
directory listing requests. This can be exploited to cause a stack
overflow and crash the FTP service via a specially crafted request
containing wildcard characters (e.g.
Successful exploitation requires that at least one directory is
placed under the FTP root.
The vulnerability is confirmed in IIS 5.1 for Windows XP SP3 and in
IIS 6.0 for Windows Server 2003, and additionally reported in IIS 5.0
and 7.0.
SOLUTION:
Restrict access to trusted users only.
Users of IIS 7.0 can optionally upgrade the FTP service to version
7.5.
Microsoft FTP Service 7.5 for IIS 7.0 (x86):
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b7f5b652-8c5c-447a-88b8-8cfc5c13f571
Microsoft FTP Service 7.5 for IIS 7.0 (x64):
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ffb7c167-279e-48d3-8169-dea85784c4d1
PROVIDED AND/OR DISCOVERED BY:
Kingcope
ORIGINAL ADVISORY:
Kingcope:
http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html
Microsoft:
http://www.microsoft.com/technet/security/advisory/975191.mspx
National Cyber Alert System
Technical Cyber Security Alert TA09-286A
Microsoft Updates for Multiple Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows and Windows Server
* Microsoft Internet Explorer
* Microsoft Office
* Microsoft .NET Framework
* Microsoft Silverlight
* Microsoft SQL Server
* Microsoft Developer Tools
* Microsoft Forefront
Overview
Microsoft has released updates to address vulnerabilities in
Microsoft Windows and Windows Server, Internet Explorer, Office,
.NET Framework, Silverlight, SQL Server, Developer Tools, and
Forefront.
I. Description
Microsoft has released multiple security bulletins for critical
vulnerabilities in Microsoft Windows and Windows Server, Internet
Explorer, Office, .NET Framework, Silverlight, SQL Server,
Developer Tools, and Forefront. These bulletins are described in
the Microsoft Security Bulletin Summary for October 2009.
II.
III. Solution
Apply updates from Microsoft
Microsoft has provided updates for these vulnerabilities in the
Microsoft Security Bulletin Summary for October 2009. The security
bulletin describes any known issues related to the updates.
Administrators are encouraged to note these issues and test for any
potentially adverse effects. Administrators should consider using
an automated update distribution system such as Windows Server
Update Services (WSUS).
IV. References
* Microsoft Security Bulletin Summary for October 2009 -
<http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx>
* Microsoft Windows Server Update Services -
<http://technet.microsoft.com/en-us/wsus/default.aspx>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-286A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-286A Feedback VU#788021" in
the subject.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2009: Initial release
VAR-200908-0530 | CVE-2009-2861 | Cisco Aironet Lightweight Access Point Such as OTAP Service disruption in functionality (DoS) Vulnerabilities |
CVSS V2: 7.3 CVSS V3: - Severity: HIGH |
The Over-the-Air Provisioning (OTAP) functionality on Cisco Aironet Lightweight Access Point 1100 and 1200 devices does not properly implement access-point association, which allows remote attackers to spoof a controller and cause a denial of service (service outage) via crafted remote radio management (RRM) packets, aka "SkyJack" or Bug ID CSCtb56664. Aironet 1200 is prone to a denial-of-service vulnerability. Cisco Aironet wireless access points (APs) are very popular wireless access network devices. Aironet wireless AP devices send the content of some multicast data frames in plain text, and remote attackers can obtain sensitive information such as the MAC address, IP address, and AP configuration of the wireless LAN controller by sniffing the wireless network. This paper associates devices with malicious controllers so that wireless clients cannot access legitimate network resources. This is a denial of service
VAR-200908-0255 | CVE-2009-2050 | Cisco Unified Communications Manager Service Disruption (DoS) Vulnerabilities |
Related entries in the VARIoT exploits database: VAR-E-200908-1143 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Communications Manager (aka CUCM, formerly CallManager) before 6.1(1) allows remote attackers to cause a denial of service (voice-services outage) via a malformed header in a SIP message, aka Bug ID CSCsi46466. Cisco Unified Communications Manager contains a vulnerability that can lead to a service disruption (DoS) condition.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCsi46466
CSCsz40392
CSCsq22534
CSCsx32236
CSCsx23689.
SOLUTION:
Contact the vendor for more information (see vendor advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
The Session Initiation
Protocol (SIP) and Skinny Client Control Protocol (SCCP) services are
affected by these vulnerabilities.
There are no workarounds for these vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, VoIP gateways, and multimedia
applications. Each vulnerability is
triggered by a malformed SIP message that could cause a critical
process to fail, resulting in the disruption of voice services. All
SIP ports (TCP 5060 and 5061, UDP 5060 and 5061) are affected by
these vulnerabilities. To mitigate against
this vulnerability, administrators are advised to restrict access to
TCP and UDP port 5060 on vulnerable Cisco Unified Communications
Manager 4.x systems that are configured to use SIP trunks with
screening devices to valid SIP trunk end points.
The second SIP DoS vulnerability is documented in Cisco Bug ID
CSCsz40392 and has been assigned the CVE identifier CVE-2009-2051. By establishing many TCP connections with
a vulnerable system, an attacker could overwhelm the operating system
table that is used to track network connections and prevent new
connections from being established to system services. Any service
that listens to a TCP port on a vulnerable system could be affected
by this vulnerability, including SIP and SCCP. By flooding a
vulnerable system with many TCP packets, an attacker could exhaust
operating system file descriptors that cause the SIP port (TCP 5060
and 5061) and SCCP port (TCP 2000 and 2443) to close. This action
could prevent new connections from being established to the SIP and
SCCP services. SIP UDP (5060 and 5061) ports are not affected.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsi46466 - CM 6.1 SDL router services dead when receiving abnormal
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsz40392 - CCM: Coredump in sipSafeStrlen from malicious INVITE
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsq22534 - IP_Conntrack Fills Up During TCP Flood Attack
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsx32236 - SCCP Port Closed in Response to FD Resource Exhaustion
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsx23689 - SIP Port Closed in Response to FD Resource Exhaustion
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
advisory could result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Administrators can mitigate the SCCP- and SIP-related vulnerabilities
by implementing filtering on screening devices to permit access to
TCP ports 2000 and 2443, and TCP and UDP ports 5060 and 5061 only
from networks that need SCCP and SIP access to Cisco Unified
Communications Manager servers.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090826-cucm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates for select Cisco Unified
Communications Manager versions that address these vulnerabilities.
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers who are concerned about the availability of fixed software
for this vulnerability in these releases should contact the following
email address:
cucm-august26-inquiry@cisco.com
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. The
vulnerabilities were discovered by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090826-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------------------------+
| Revision 1.0 | 2009-August-26 | Initial public release. |
+---------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
For more information:
SA36495
SA36498
SOLUTION:
Update to version 6.1(4) or 7.1(2a)SU1
VAR-200908-0256 | CVE-2009-2051 | Multiple Cisco Products Service Disruption (DoS) Vulnerabilities |
Related entries in the VARIoT exploits database: VAR-E-200908-1143 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 12.2 through 12.4 and 15.0 through 15.1, Cisco IOS XE 2.5.x and 2.6.x before 2.6.1, and Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x, 5.x before 5.1(3g), 6.x before 6.1(4), and 7.x before 7.1(2) allow remote attackers to cause a denial of service (device reload or voice-services outage) via a malformed SIP INVITE message that triggers an improper call to the sipSafeStrlen function, aka Bug IDs CSCsz40392 and CSCsz43987. Multiple Cisco products contain a vulnerability in which incomplete SIP processing can lead to a service disruption (DoS) condition. The problem is tracked as Bug IDs CSCsz40392 and CSCsz43987. A third party could use a malformed SIP INVITE message to trigger an improper call to the sipSafeStrlen function, resulting in a service disruption (DoS) condition. Cisco Unified Communications Manager is prone to multiple denial-of-service vulnerabilities.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCsi46466
CSCsz40392
CSCsq22534
CSCsx32236
CSCsx23689.
SOLUTION:
Update to version 5.1(3g) (reportedly available in early September
2009).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
Cisco Security Advisory: Cisco IOS Software Session Initiation
Protocol Denial of Service Vulnerabilities
Advisory ID: cisco-sa-20100922-sip
http://www.cisco.com/warp/public/707/cisco-sa-20100922-sip.shtml
Revision 1.0
For Public Release 2010 September 22 1600 UTC (GMT)
---------------------------------------------------------------------
Summary
=======
Multiple vulnerabilities exist in the Session Initiation Protocol
(SIP) implementation in Cisco IOS Software that could allow an
unauthenticated, remote attacker to cause a reload of an affected
device when SIP operation is enabled.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for devices that must run
SIP; however, mitigations are available to limit exposure to the
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20100922-sip.shtml
Note: The September 22, 2010, Cisco IOS Software Security Advisory
bundled publication includes six Cisco Security Advisories. Each advisory lists the releases that correct the
vulnerability or vulnerabilities detailed in the advisory. The table
at the following URL lists releases that correct all Cisco IOS
Software vulnerabilities that have been published on September 22,
2010, or earlier:
http://www.cisco.com/warp/public/707/cisco-sa-20100922-bundle.shtml
Individual publication links are in "Cisco Event Response: Semiannual
Cisco IOS Software Security Advisory Bundled Publication" at the
following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
Cisco Unified Communications Manager (CUCM) is affected by the
vulnerabilities described in this advisory.
Vulnerable Products
+------------------
Cisco devices are affected when they are running affected Cisco IOS
Software versions that are configured to process SIP messages.
Recent versions of Cisco IOS Software do not process SIP messages by
default. Creating a dial peer by issuing the dial-peer voice command
will start the SIP processes, causing the Cisco IOS device to process
SIP messages. In addition, several features within Cisco Unified
Communications Manager Express, such as ePhones, will also
automatically start the SIP process when they are configured, causing
the device to start processing SIP messages. An example of an
affected configuration follows:
dial-peer voice <Voice dial-peer tag> voip
...
!
In addition to inspecting the Cisco IOS device configuration for a
dial-peer command that causes the device to process SIP messages,
administrators can also use the show processes | include SIP command
to determine whether Cisco IOS Software is running the processes that
handle SIP messages. In the following example, the presence of the
processes CCSIP_UDP_SOCKET or CCSIP_TCP_SOCKET indicates that the
Cisco IOS device will process SIP messages:
Router# show processes | include SIP
149 Mwe 40F48254 4 1 400023108/24000 0 CCSIP_UDP_SOCKET
150 Mwe 40F48034 4 1 400023388/24000 0 CCSIP_TCP_SOCKET
Note: Because there are several ways a device running Cisco IOS
Software can start processing SIP messages, it is recommended that
the show processes | include SIP command be used to determine whether
the device is processing SIP messages instead of relying on the
presence of specific configuration commands.
Note: The Cisco Unified Border Element feature (previously known as
the Cisco Multiservice IP-to-IP Gateway) is a special Cisco IOS
Software image that runs on Cisco multiservice gateway platforms. It
provides a network-to-network interface point for billing, security,
call admission control, quality of service, and signaling
interworking.
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router# show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T,
RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
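The two checks described above (SIP socket processes present, then the running release from the show version banner) can be scripted over CLI output collected from many devices. The following is an added example, not part of the Cisco advisory: the function names, regular expressions and the train derivation are assumptions, the sample outputs are the ones quoted in the advisory, and the coarse version range is taken from the CVE-2009-2051 description on this page.

```python
import re

# Process names the advisory gives as proof that IOS is handling SIP.
SIP_PROCESSES = ("CCSIP_UDP_SOCKET", "CCSIP_TCP_SOCKET")
# Banner texts the advisory says identify Cisco IOS Software.
IOS_BANNERS = ("Cisco Internetwork Operating System Software",
               "Cisco IOS Software")
# "(IMAGE), Version RELEASE," as it appears in both banner styles (assumed pattern).
BANNER_RE = re.compile(
    r"\((?P<image>[A-Za-z0-9_.-]+)\),\s+Version\s+(?P<release>[^,\s]+)")
# 12.4(20)T -> major 12, minor 4, train letters "T" (simplified naming rule).
RELEASE_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\([0-9A-Za-z]+\)(?P<train>[A-Z]*)")
# Coarse IOS range from the CVE-2009-2051 text: 12.2-12.4 and 15.0-15.1.
# The advisory's fixed-release table remains the authority per train.
LISTED_RANGES = (((12, 2), (12, 4)), ((15, 0), (15, 1)))

# Sample outputs copied from the advisory text.
SAMPLE_PROCESSES = """Router# show processes | include SIP
149 Mwe 40F48254 4 1 400023108/24000 0 CCSIP_UDP_SOCKET
150 Mwe 40F48034 4 1 400023388/24000 0 CCSIP_TCP_SOCKET
"""
SAMPLE_VERSION_OLD = """Router# show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
"""
SAMPLE_VERSION_NEW = """Router# show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T,
RELEASE SOFTWARE (fc3)
"""


def sip_processes(show_processes_output):
    """Return SIP socket processes listed in `show processes | include SIP`."""
    found = []
    for line in show_processes_output.splitlines():
        fields = line.split()
        # The process name is the last column; an exact match keeps the
        # echoed command line ("... | include SIP") from counting as a hit.
        if fields and fields[-1] in SIP_PROCESSES and fields[-1] not in found:
            found.append(fields[-1])
    return found


def parse_show_version(show_version_output):
    """Extract image name, release and train from a `show version` banner."""
    result = {
        "is_ios": any(b in show_version_output for b in IOS_BANNERS),
        "image": None, "release": None, "train": None,
        "in_listed_range": False,
    }
    banner = BANNER_RE.search(show_version_output)
    if not result["is_ios"] or banner is None:
        return result  # other Cisco devices may print different output
    result["image"] = banner.group("image")
    result["release"] = banner.group("release")
    rel = RELEASE_RE.match(result["release"])
    if rel:
        mm = (int(rel.group("major")), int(rel.group("minor")))
        result["train"] = "%d.%d%s" % (mm + (rel.group("train"),))
        result["in_listed_range"] = any(lo <= mm <= hi
                                        for lo, hi in LISTED_RANGES)
    return result


def triage(show_processes_output, show_version_output):
    """Combine both checks; needs_review means: look up the train's row
    in the advisory's fixed-release table."""
    procs = sip_processes(show_processes_output)
    info = parse_show_version(show_version_output)
    info["sip_processes"] = procs
    info["needs_review"] = bool(procs) and info["in_listed_range"]
    return info


if __name__ == "__main__":
    for banner in (SAMPLE_VERSION_OLD, SAMPLE_VERSION_NEW):
        print(triage(SAMPLE_PROCESSES, banner))
```

A device with no SIP socket processes is reported with needs_review set to False even when its release falls in the listed range, which matches the advisory's condition that only devices processing SIP messages are affected.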
Note: CUCM is affected by the vulnerabilities described in this
advisory. Two separate Cisco Security Advisories have been published
to disclose the vulnerabilities that affect the Cisco Unified
Communications Manager at the following locations:
http://www.cisco.com/warp/public/707/cisco-sa-20090826-cucm.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20100922-cucm.shtml
Products Confirmed Not Vulnerable
+--------------------------------
The SIP Application Layer Gateway (ALG), which is used by the Cisco
IOS NAT and firewall features of Cisco IOS Software, is not affected
by these vulnerabilities.
Cisco IOS XR Software is not affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
SIP is a popular signaling protocol that is used to manage voice and
video calls across IP networks such as the Internet. SIP is
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol has the flexibility to accommodate other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or Transport
Layer Security (TLS; TCP port 5061) as the underlying transport
protocol.
Three vulnerabilities exist in the SIP implementation in Cisco IOS
Software that may allow a remote attacker to cause an affected device
to reload. These vulnerabilities are triggered when the device
running Cisco IOS Software processes crafted SIP messages.
Note: In cases where SIP is running over TCP transport, a TCP
three-way handshake is necessary to exploit these vulnerabilities.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCta20040 - Device crashes when receiving crafted SIP message
CVSS Base Score - 7.8
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Complete
CVSS Temporal Score - 6.4
Exploitability Functional
Remediation Level Official Fix
Report Confidence Confirmed
CSCsz43987 - IOS coredump when sending crafted packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCtf72678 - IOS Coredump Generated when sending crafted packets
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities in this advisory may
result in a reload of the device. Repeated exploitation could result
in a sustained denial of service condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco IOS Software table corresponds to a
Cisco IOS Software train. If a particular train is vulnerable, the
earliest releases that contain the fix are listed in the First Fixed
Release For This Advisory column. The First Fixed Release for All
Advisories in the September 2010 Bundle Publication column lists the
earliest possible releases that correct all the published
vulnerabilities in the Cisco IOS Software Security Advisory bundled
publication. Cisco recommends upgrading to the latest available
release, where possible.
+-------------------------------------------------------------------+
| Major Release | Availability of Repaired Releases |
|------------+------------------------------------------------------|
| Affected 12.0-Based Releases | First Fixed Release for This Advisory | First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|-------------------------------------------------------------------|
| There are no affected 12.0-based releases |
|-------------------------------------------------------------------|
| Affected 12.1-Based Releases | First Fixed Release for This Advisory | First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|-------------------------------------------------------------------|
| There are no affected 12.1-based releases |
|-------------------------------------------------------------------|
| Affected 12.2-Based Releases | First Fixed Release for This Advisory | First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|------------+--------------------------+---------------------------|
| 12.2 | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2B | Not Vulnerable | Vulnerable; first fixed in 12.4T. Releases up to and including 12.2(2)B7 are not vulnerable. |
| 12.2BC | Not Vulnerable | Not Vulnerable |
| 12.2BW | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2BX | Not Vulnerable | Vulnerable; first fixed in 12.2SB. Releases up to and including 12.2(15)BX are not vulnerable. |
| 12.2BY | Not Vulnerable | Vulnerable; first fixed in 12.4T. Releases up to and including 12.2(2)BY3 are not vulnerable. |
| 12.2BZ | Not Vulnerable | Not Vulnerable |
| 12.2CX | Not Vulnerable | Not Vulnerable |
| 12.2CY | Not Vulnerable | Not Vulnerable |
| 12.2CZ | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2DA | Not Vulnerable | Not Vulnerable |
| 12.2DD | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2DX | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2EW | Not Vulnerable | Not Vulnerable |
| 12.2EWA | Not Vulnerable | Not Vulnerable |
| 12.2EX | Not Vulnerable | Not Vulnerable |
| 12.2EY | Not Vulnerable | Not Vulnerable |
| 12.2EZ | Not Vulnerable | Not Vulnerable |
| 12.2FX | Not Vulnerable | Not Vulnerable |
| 12.2FY | Not Vulnerable | Not Vulnerable |
| 12.2FZ | Not Vulnerable | Not Vulnerable |
| 12.2IRA | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IRB | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IRC | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IRD | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IRE | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IXA | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IXB | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IXC | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IXD | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IXE | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IXF | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IXG | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2IXH | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2JA | Not Vulnerable | Not Vulnerable |
| 12.2JK | Not Vulnerable | Not Vulnerable |
| 12.2MB | Not Vulnerable | Not Vulnerable |
| 12.2MC | Not Vulnerable | Releases up to and including 12.2(15)MC1 are not vulnerable. Releases 12.2(15)MC2b and later are not vulnerable; first fixed in 12.4T |
| 12.2MRA | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2MRB | Not Vulnerable | 12.2(33)MRB2 |
| 12.2S | Not Vulnerable | Releases prior to 12.2(30)S are vulnerable, release 12.2(30)S and later are not vulnerable |
| 12.2SB | Not Vulnerable | 12.2(31)SB19. Releases prior to 12.2(33)SB5 are vulnerable, release 12.2(33)SB5 and later are not vulnerable |
| 12.2SBC | Not Vulnerable | Vulnerable; first fixed in 12.2SB |
| 12.2SCA | Not Vulnerable | Vulnerable; first fixed in 12.2SCB |
| 12.2SCB | Not Vulnerable | 12.2(33)SCB9 |
| 12.2SCC | Not Vulnerable | 12.2(33)SCC5 |
| 12.2SCD | Not Vulnerable | 12.2(33)SCD3 |
| 12.2SE | Not Vulnerable | Not Vulnerable |
| 12.2SEA | Not Vulnerable | Not Vulnerable |
| 12.2SEB | Not Vulnerable | Not Vulnerable |
| 12.2SEC | Not Vulnerable | Not Vulnerable |
| 12.2SED | Not Vulnerable | Not Vulnerable |
| 12.2SEE | Not Vulnerable | Not Vulnerable |
| 12.2SEF | Not Vulnerable | Not Vulnerable |
| 12.2SEG | Not Vulnerable | Not Vulnerable |
| 12.2SG | Not Vulnerable | Releases prior to 12.2(40)SG are vulnerable, release 12.2(40)SG and later are not vulnerable; migrate to any release in 12.2SGA |
| 12.2SGA | Not Vulnerable | Not Vulnerable |
| 12.2SL | Not Vulnerable | Not Vulnerable |
| 12.2SM | Not Vulnerable | Not Vulnerable |
| 12.2SO | Not Vulnerable | Not Vulnerable |
| 12.2SQ | Not Vulnerable | Not Vulnerable |
| 12.2SRA | Not Vulnerable | Releases prior to 12.2(33)SRA6 are vulnerable, release 12.2(33)SRA6 and later are not vulnerable |
| 12.2SRB | Not Vulnerable | Releases prior to 12.2(33)SRB1 are vulnerable, release 12.2(33)SRB1 and later are not vulnerable |
| 12.2SRC | Not Vulnerable | Not Vulnerable |
| 12.2SRD | Not Vulnerable | Not Vulnerable |
| 12.2SRE | Not Vulnerable | 12.2(33)SRE1 |
| 12.2STE | Not Vulnerable | Not Vulnerable |
| 12.2SU | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2SV | Not Vulnerable | Releases prior to 12.2(29b)SV1 are vulnerable, release 12.2(29b)SV1 and later are not vulnerable; migrate to any release in 12.2SVD |
| 12.2SVA | Not Vulnerable | Not Vulnerable |
| 12.2SVC | Not Vulnerable | Not Vulnerable |
| 12.2SVD | Not Vulnerable | Not Vulnerable |
| 12.2SVE | Not Vulnerable | Not Vulnerable |
| 12.2SW | Not Vulnerable | Releases up to and including 12.2(21)SW1 are not vulnerable. Releases 12.2(25)SW12 and later are not vulnerable; first fixed in 12.4T |
| 12.2SX | Not Vulnerable | Releases up to and including 12.2(14)SX2 are not vulnerable. |
| 12.2SXA | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2SXB | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2SXD | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2SXE | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2SXF | Not Vulnerable | Releases prior to 12.2(18)SXF11 are vulnerable, release 12.2(18)SXF11 and later are not vulnerable |
| 12.2SXH | Not Vulnerable | Not Vulnerable |
| 12.2SXI | Not Vulnerable | Not Vulnerable |
| 12.2SY | Vulnerable; migrate to any release in 12.2S | Not Vulnerable |
| 12.2SZ | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2T | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2TPC | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2XA | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XB | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XC | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XD | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XE | Not Vulnerable | Not Vulnerable |
| 12.2XF | Not Vulnerable | Not Vulnerable |
| 12.2XG | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XH | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XI | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XJ | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XK | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XL | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XM | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XN | Not Vulnerable | Vulnerable; first fixed in 12.2SB |
| 12.2XNA | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNB | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNC | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XND | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNE | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XNF | Please see Cisco IOS-XE Software Availability | Please see Cisco IOS-XE Software Availability |
| 12.2XO | Not Vulnerable | Not Vulnerable |
| 12.2XQ | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XR | Not Vulnerable | Not Vulnerable |
| 12.2XS | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XT | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XU | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XV | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2XW | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2YA | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2YB | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YC | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YD | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YE | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YF | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YG | Not Vulnerable | Not Vulnerable |
| 12.2YH | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YJ | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YK | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YL | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YM | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2YN | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YO | Not Vulnerable | Not Vulnerable |
| 12.2YP | Not Vulnerable | Not Vulnerable |
| 12.2YQ | Not Vulnerable | Not Vulnerable |
| 12.2YR | Not Vulnerable | Not Vulnerable |
| 12.2YS | Not Vulnerable | Not Vulnerable |
| 12.2YT | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YU | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YV | Not Vulnerable | Releases prior to 12.2(11)YV1 are vulnerable, release 12.2(11)YV1 and later are not vulnerable |
| 12.2YW | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YX | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YY | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2YZ | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2ZA | Not Vulnerable | Not Vulnerable |
| 12.2ZB | Not Vulnerable | Releases up to and including 12.2(8)ZB are not vulnerable. |
| 12.2ZC | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2ZD | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2ZE | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2ZF | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2ZG | Not Vulnerable | Not Vulnerable |
| 12.2ZH | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.2ZJ | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2ZL | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2ZP | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2ZU | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2ZX | Not Vulnerable | Not Vulnerable |
| 12.2ZY | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.2ZYA | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|------------+--------------------------+---------------------------|
| Affected 12.3-Based Releases | First Fixed Release for This Advisory | First Fixed Release for All Advisories in the September 2010 Bundle Publication |
|------------+--------------------------+---------------------------|
| 12.3 | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.3B | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.3BC | Not Vulnerable | Not Vulnerable |
| 12.3BW | Not Vulnerable | Not Vulnerable |
| 12.3EU | Not Vulnerable | Not Vulnerable |
| 12.3JA | Not Vulnerable | Not Vulnerable |
| 12.3JEA | Not Vulnerable | Not Vulnerable |
| 12.3JEB | Not Vulnerable | Not Vulnerable |
| 12.3JEC | Not Vulnerable | Not Vulnerable |
| 12.3JED | Not Vulnerable | Not Vulnerable |
| 12.3JK | Releases up to and including 12.3(2)JK3 are not vulnerable. Releases 12.3(8)JK1 and later are not vulnerable; first fixed in 12.4T | Releases up to and including 12.3(2)JK3 are not vulnerable. Releases 12.3(8)JK1 and later are not vulnerable; first fixed in 12.4T |
| 12.3JL | Not Vulnerable | Not Vulnerable |
| 12.3JX | Not Vulnerable | Not Vulnerable |
| 12.3T | Vulnerable; first fixed in 12.4T. Releases up to and including 12.3(4)T11 are not vulnerable. | Vulnerable; first fixed in 12.4T |
| 12.3TPC | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.3VA | Vulnerable; first fixed in 12.4T | Vulnerable; first fixed in 12.4T |
| 12.3XA | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.3XB | Not Vulnerable | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
| 12.3XC | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.3XD | Vulnerable; first fixed in 12.4T | Vulnerable; first fixed in 12.4T |
| 12.3XE | Not Vulnerable | Vulnerable; first fixed in 12.4T |
| 12.3XF | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory | Vulnerable; Contact your support organization per the instructions in Obtaining Fixed Software section of this advisory |
|------------+--------------------------+---------------------------|
| 12.3XG | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| | Releases prior to 12.3 | Releases prior to 12.3(7) |
| | (7)XI11 are vulnerable, | XI11 are vulnerable, |
| 12.3XI | release 12.3(7)XI11 and | release 12.3(7)XI11 and |
| | later are not vulnerable | later are not vulnerable; |
| | | first fixed in 12.2SB |
|------------+--------------------------+---------------------------|
| 12.3XJ | Vulnerable; migrate to | Vulnerable; first fixed |
| | any release in 12.4XN | in 12.4XR |
|------------+--------------------------+---------------------------|
| 12.3XK | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3XL | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3XQ | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3XR | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3XS | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| | Vulnerable; first fixed | |
| | in 12.4T | |
| 12.3XU | | Vulnerable; first fixed |
| | Releases up to and | in 12.4T |
| | including 12.3(8)XU1 are | |
| | not vulnerable. | |
|------------+--------------------------+---------------------------|
| 12.3XW | Vulnerable; migrate to | Vulnerable; first fixed |
| | any release in 12.4XN | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3XX | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3XY | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3XZ | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3YA | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3YD | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3YF | Vulnerable; migrate to | Vulnerable; first fixed |
| | any release in 12.4XN | in 12.4XR |
|------------+--------------------------+---------------------------|
| 12.3YG | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3YH | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3YI | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3YJ | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| | Releases prior to 12.3 | |
| | (11)YK3 are vulnerable, | |
| 12.3YK | release 12.3(11)YK3 and | Vulnerable; first fixed |
| | later are not | in 12.4T |
| | vulnerable; first fixed | |
| | in 12.4T | |
|------------+--------------------------+---------------------------|
| 12.3YM | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3YQ | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| | Vulnerable; first fixed | |
| | in 12.4T | |
| 12.3YS | | Vulnerable; first fixed |
| | Releases up to and | in 12.4T |
| | including 12.3(11)YS1 | |
| | are not vulnerable. | |
|------------+--------------------------+---------------------------|
| 12.3YT | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3YU | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.3YX | Vulnerable; migrate to | Vulnerable; first fixed |
| | any release in 12.4XN | in 12.4XR |
|------------+--------------------------+---------------------------|
| | Vulnerable; Contact your | Vulnerable; Contact your |
| | support organization per | support organization per |
| 12.3YZ | the instructions in | the instructions in |
| | Obtaining Fixed Software | Obtaining Fixed Software |
| | section of this advisory | section of this advisory |
|------------+--------------------------+---------------------------|
| 12.3ZA | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| Affected | | First Fixed Release for |
| 12.4-Based | First Fixed Release for | All Advisories in the |
| Releases | This Advisory | September 2010 Bundle |
| | | Publication |
|------------+--------------------------+---------------------------|
| 12.4 | 12.4(25d) | 12.4(25d) |
|------------+--------------------------+---------------------------|
| 12.4GC | 12.4(24)GC2 | 12.4(24)GC2 |
|------------+--------------------------+---------------------------|
| 12.4JA | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JDA | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JDC | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JDD | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JHA | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JHB | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JK | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JL | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JMA | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JMB | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JX | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4JY | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| 12.4MD | Not Vulnerable | 12.4(24)MD2 |
|------------+--------------------------+---------------------------|
| 12.4MDA | Not Vulnerable | 12.4(22)MDA4 |
|------------+--------------------------+---------------------------|
| 12.4MR | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4MRA | in 12.4MRA |
|------------+--------------------------+---------------------------|
| 12.4MRA | 12.4(20)MRA1 | 12.4(20)MRA1 |
|------------+--------------------------+---------------------------|
| 12.4SW | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| | 12.4(15)T14 | 12.4(15)T14 |
| | | |
| 12.4T | 12.4(24)T4 | 12.4(24)T4 |
| | | |
| | 12.4(20)T6 | 12.4(20)T6 |
|------------+--------------------------+---------------------------|
| 12.4XA | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.4XB | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.4XC | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.4XD | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| | Releases prior to 12.4 | Releases prior to 12.4(6) |
| | (6)XE5 are vulnerable, | XE5 are vulnerable, |
| 12.4XE | release 12.4(6)XE5 and | release 12.4(6)XE5 and |
| | later are not | later are not vulnerable; |
| | vulnerable; first fixed | first fixed in 12.4T |
| | in 12.4T | |
|------------+--------------------------+---------------------------|
| 12.4XF | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.4XG | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.4XJ | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.4XK | Not Vulnerable | Vulnerable; first fixed |
| | | in 12.4T |
|------------+--------------------------+---------------------------|
| | Vulnerable; Contact your | Vulnerable; Contact your |
| | support organization per | support organization per |
| 12.4XL | the instructions in | the instructions in |
| | Obtaining Fixed Software | Obtaining Fixed Software |
| | section of this advisory | section of this advisory |
|------------+--------------------------+---------------------------|
| | Releases up to and | |
| | including 12.4(15)XM are | |
| | not vulnerable. | |
| 12.4XM | | Vulnerable; first fixed |
| | Releases 12.4(15)XM3 and | in 12.4T |
| | later are not | |
| | vulnerable; first fixed | |
| | in 12.4T | |
|------------+--------------------------+---------------------------|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.4XN | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|------------+--------------------------+---------------------------|
| | Vulnerable; Contact your | Vulnerable; Contact your |
| | support organization per | support organization per |
| 12.4XP | the instructions in | the instructions in |
| | Obtaining Fixed Software | Obtaining Fixed Software |
| | section of this advisory | section of this advisory |
|------------+--------------------------+---------------------------|
| 12.4XQ | Not Vulnerable | 12.4(15)XQ6; Available on |
| | | 22-SEP-10 |
|------------+--------------------------+---------------------------|
| | | 12.4(15)XR9 |
| 12.4XR | Not Vulnerable | |
| | | 12.4(22)XR7 |
|------------+--------------------------+---------------------------|
| 12.4XT | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| | Vulnerable; Contact your | Vulnerable; Contact your |
| | support organization per | support organization per |
| 12.4XV | the instructions in | the instructions in |
| | Obtaining Fixed Software | Obtaining Fixed Software |
| | section of this advisory | section of this advisory |
|------------+--------------------------+---------------------------|
| 12.4XW | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.4XY | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.4XZ | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| 12.4YA | Vulnerable; first fixed | Vulnerable; first fixed |
| | in 12.4T | in 12.4T |
|------------+--------------------------+---------------------------|
| | Vulnerable; Contact your | Vulnerable; Contact your |
| | support organization per | support organization per |
| 12.4YB | the instructions in | the instructions in |
| | Obtaining Fixed Software | Obtaining Fixed Software |
| | section of this advisory | section of this advisory |
|------------+--------------------------+---------------------------|
| | | Vulnerable; Contact your |
| | | support organization per |
| 12.4YD | Not Vulnerable | the instructions in |
| | | Obtaining Fixed Software |
| | | section of this advisory |
|------------+--------------------------+---------------------------|
| 12.4YE | Not Vulnerable | 12.4(24)YE1 |
|------------+--------------------------+---------------------------|
| 12.4YG | Not Vulnerable | 12.4(24)YG3 |
|------------+--------------------------+---------------------------|
| Affected | | First Fixed Release for |
| 15.0-Based | First Fixed Release for | All Advisories in the |
| Releases | This Advisory | September 2010 Bundle |
| | | Publication |
|------------+--------------------------+---------------------------|
| 15.0M | 15.0(1)M3 | 15.0(1)M3 |
|------------+--------------------------+---------------------------|
| | Cisco 7600 and 10000 | Cisco 7600 and 10000 |
| | Series routers: Not | Series routers: 15.0(1)S1 |
| | Vulnerable | (available early October |
| | | 2010). |
| 15.0S | Cisco ASR 1000 Series | |
| | routers: Please see Cisco | Cisco ASR 1000 Series |
| | IOS-XE Software | routers: Please see Cisco |
| | Availability | IOS-XE Software |
| | | Availability |
|------------+--------------------------+---------------------------|
| 15.0XA | 15.0(1)XA4 | Vulnerable; first fixed |
| | | in 15.1T |
|------------+--------------------------+---------------------------|
| 15.0XO | Not Vulnerable | Not Vulnerable |
|------------+--------------------------+---------------------------|
| Affected | | First Fixed Release for |
| 15.1-Based | First Fixed Release for | All Advisories in the |
| Releases | This Advisory | September 2010 Bundle |
| | | Publication |
|------------+--------------------------+---------------------------|
| | 15.1(2)T0a | |
| 15.1T | | 15.1(2)T1 |
| | 15.1(1)T1 | |
|------------+--------------------------+---------------------------|
| 15.1XB | 15.1(1)XB | Vulnerable; first fixed |
| | | in 15.1T |
+-------------------------------------------------------------------+
Cisco IOS XE Software
+--------------------
+-------------------------------------------------------------------+
| Cisco IOS | First Fixed | First Fixed Release for All |
| XE | Release for This | Advisories in the September 2010 |
| Release | Advisory | Bundle Publication |
|-----------+------------------+------------------------------------|
| 2.1.x | Not Vulnerable | Not Vulnerable |
|-----------+------------------+------------------------------------|
| 2.2.x | Not Vulnerable | Not Vulnerable |
|-----------+------------------+------------------------------------|
| 2.3.x | Not Vulnerable | Not Vulnerable |
|-----------+------------------+------------------------------------|
| 2.4.x | Not Vulnerable | Not Vulnerable |
|-----------+------------------+------------------------------------|
| | Vulnerable; | Vulnerable; migrate to 2.6.2 or |
| 2.5.x | migrate to 2.6.2 | later |
| | or later | |
|-----------+------------------+------------------------------------|
| 2.6.x | 2.6.1 | 2.6.2 |
|-----------+------------------+------------------------------------|
| 3.1.xS | Not Vulnerable | Not Vulnerable |
+-------------------------------------------------------------------+
For mapping of Cisco IOS XE to Cisco IOS releases, please refer to
the Cisco IOS XE 2 and Cisco IOS XE 3S Release Notes.
Cisco IOS XR System Software
+---------------------------
Cisco IOS XR Software is not affected by the vulnerabilities
disclosed in the September 22, 2010, Cisco IOS Software Security
Advisory bundled publication.
Workarounds
===========
If the affected Cisco IOS device requires SIP for VoIP services, SIP
cannot be disabled, and no workarounds are available. Users are
advised to apply mitigation techniques to help limit exposure to the
vulnerabilities. Mitigation consists of allowing only legitimate
devices to connect to affected devices. To increase effectiveness,
the mitigation must be coupled with anti-spoofing measures on the
network edge. This action is required because SIP can use UDP as the
transport protocol.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the companion document "Cisco Applied
Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Voice Products", which is available
at the following location:
http://www.cisco.com/warp/public/707/cisco-amb-20100922-voice.shtml
Disabling SIP Listening Ports
+----------------------------
For devices that do not require SIP to be enabled, the simplest and
most effective workaround is to disable SIP processing on the device.
Some versions of Cisco IOS Software allow administrators to disable
SIP with the following commands:
sip-ua
 no transport udp
 no transport tcp
 no transport tcp tls
Warning: When applying this workaround to devices that are
processing Media Gateway Control Protocol (MGCP) or H.323 calls, the
device will not stop SIP processing while active calls are being
processed. Under these circumstances, this workaround should be
implemented during a maintenance window when active calls can be
briefly stopped.
The show udp connections, show tcp brief all, and show processes |
include SIP commands can be used to confirm that the SIP UDP and TCP
ports are closed after applying this workaround.
Depending on the Cisco IOS Software version in use, the output from
the show ip sockets command may still show the SIP ports open, but
sending traffic to them will cause the SIP process to emit the
following message:
*Jun 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is DISABLED
Control Plane Policing
+---------------------
For devices that need to offer SIP services, it is possible to use
Control Plane Policing (CoPP) to block SIP traffic to the device from
untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T,
12.4, and 12.4T support the CoPP feature. CoPP may be configured on a
device to protect the management and control planes to minimize the
risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in
accordance with existing security policies and configurations. The
following example can be adapted to specific network configurations:
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
!-- policy (the CoPP feature.) If the access list matches (permit)
!-- then traffic will be dropped and if the access list does not
!-- match (deny) then traffic will be processed by the router.
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5061
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
access-list 100 permit tcp any any eq 5061
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-sip-class
 match access-group 100
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map control-plane-policy
 class drop-sip-class
  drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
 service-policy input control-plane-policy
Note: Because SIP can use UDP as a transport protocol, it is possible
to easily spoof the IP address of the sender, which may defeat access
control lists that permit communication to these ports from trusted
IP addresses.
In the above CoPP example, the access control entries (ACEs) that
match the potential exploit packets with the "permit" action result
in these packets being discarded by the policy-map "drop" function,
while packets that match the "deny" action (not shown) are not
affected by the policy-map drop function. Additional information on
the configuration and use of the CoPP feature can be found at
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
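The permit/deny inversion in the CoPP example can be checked offline before the policy is applied. The following Python model is an added example, not part of the Cisco advisory: it parses the nine access-list 100 lines shown above and evaluates constructed packets with first-match semantics, the implicit deny at the end of the list, and the drop-sip-class policy. The function names and the sample packets are assumptions made for illustration, and the parser handles only the ACE forms used in this access list.

```python
import ipaddress
from typing import List, NamedTuple

# access-list 100 exactly as given in the advisory's CoPP example.
ACL_100 = """\
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5061
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
access-list 100 permit tcp any any eq 5061
"""


class Ace(NamedTuple):
    action: str    # "permit" or "deny"
    proto: str     # "udp" or "tcp"
    base: int      # source address as a 32-bit integer
    wildcard: int  # wildcard mask: 1 bits are "don't care"
    dport: int     # destination port matched with "eq"


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N ACTION PROTO SRC any eq PORT' (forms used above)."""
    tok = line.split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    if rest[0] == "any":
        base, wildcard, rest = 0, 0xFFFFFFFF, rest[1:]
    elif rest[0] == "host":
        base, wildcard, rest = ip_to_int(rest[1]), 0, rest[2:]
    else:
        base, wildcard, rest = ip_to_int(rest[0]), ip_to_int(rest[1]), rest[2:]
    if rest[:2] != ["any", "eq"]:
        raise ValueError("unsupported ACE form: " + line)
    return Ace(action, proto, base, wildcard, int(rest[2]))


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def acl_result(aces: List[Ace], proto: str, src: str, dport: int) -> str:
    """First matching ACE wins; a packet matching no ACE hits the implicit deny."""
    addr = ip_to_int(src)
    for ace in aces:
        care = ~ace.wildcard & 0xFFFFFFFF  # bits that must equal the base
        if (ace.proto == proto and ace.dport == dport
                and ((addr ^ ace.base) & care) == 0):
            return ace.action
    return "deny"


def copp_verdict(aces: List[Ace], proto: str, src: str, dport: int) -> str:
    """drop-sip-class matches on ACL 'permit'; the policy-map action is drop.

    ACL 'deny' (explicit or implicit) means the packet is not in the class,
    so this policy leaves it to be processed by the control plane.
    The decision uses only the source address carried in the packet, which is
    why the advisory pairs this policy with anti-spoofing at the network edge.
    """
    return "drop" if acl_result(aces, proto, src, dport) == "permit" else "process"


# Constructed sample packets (protocol, source, destination port).
SAMPLE_PACKETS = [
    ("udp", "192.168.1.20", 5060),  # trusted /24
    ("tcp", "172.16.1.1", 5061),    # trusted host
    ("udp", "192.168.2.20", 5060),  # one bit outside the trusted /24
    ("tcp", "203.0.113.9", 5060),   # untrusted source
    ("tcp", "203.0.113.9", 22),     # not SIP: no ACE matches
]

if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    for proto, src, dport in SAMPLE_PACKETS:
        print(f"{proto:3} {src:15} -> :{dport:<5} "
              f"acl={acl_result(acl, proto, src, dport):6} "
              f"copp={copp_verdict(acl, proto, src, dport)}")
```

Traffic that matches no entry, such as the TCP port 22 packet, is outside drop-sip-class and must be covered by the other classes of the control-plane policy.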
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were discovered by Cisco during internal
testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100922-sip.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2010-September-22 | Initial public release. |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
The Session Initiation
Protocol (SIP) and Skinny Client Control Protocol (SCCP) services are
affected by these vulnerabilities.
There are no workarounds for these vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, VoIP gateways, and multimedia
applications. To mitigate against
this vulnerability, administrators are advised to restrict access to
TCP and UDP port 5060 on vulnerable Cisco Unified Communications
Manager 4.x systems that are configured to use SIP trunks with
screening devices to valid SIP trunk end points.
Network Connection Tracking Vulnerability
+----------------------------------------
Cisco Unified Communications Manager contains a DoS vulnerability
that involves the tracking of network connections by the embedded
operating system firewall. By establishing many TCP connections with
a vulnerable system, an attacker could overwhelm the operating system
table that is used to track network connections and prevent new
connections from being established to system services. Any service
that listens to a TCP port on a vulnerable system could be affected
by this vulnerability, including SIP and SCCP. This action
could prevent new connections from being established to the SIP and
SCCP services.
Administrators can mitigate the SCCP- and SIP-related vulnerabilities
by implementing filtering on screening devices to permit access to
TCP ports 2000 and 2443, and TCP and UDP ports 5060 and 5061 only
from networks that need SCCP and SIP access to Cisco Unified
Communications Manager servers.
Successful exploitation of the vulnerabilities requires that SIP
voice services are enabled.
SOLUTION:
Apply updates (please see the vendor's advisory for details)
VAR-200909-0408 | CVE-2009-3104 | Symantec Norton AntiVirus Service disruption in products such as (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Symantec Norton AntiVirus 2005 through 2008; Norton Internet Security 2005 through 2008; AntiVirus Corporate Edition 9.0 before MR7, 10.0, 10.1 before MR8, and 10.2 before MR3; and Client Security 2.0 before MR7, 3.0, and 3.1 before MR8; when Internet Email Scanning is installed and enabled, allows remote attackers to cause a denial of service (CPU consumption and persistent connection loss) via unknown attack vectors. Multiple Symantec products are prone to a remote denial-of-service vulnerability when processing specially crafted email messages.
An attacker can exploit this issue to cause denial-of-service conditions and launch further attacks. Symantec AntiVirus is a very popular antivirus solution. Malicious mail messages can take a significant amount of time to process, causing the client system to lose connection to the mail server; the client will then continue to try to download the mail message the next time it connects to the mail server, and lose connection again. This behavior is repeated until the malicious email is deleted from the mail server.
TITLE:
Symantec Products Internet Email Scanning Denial of Service
SECUNIA ADVISORY ID:
SA36493
VERIFY ADVISORY:
http://secunia.com/advisories/36493/
DESCRIPTION:
A vulnerability has been reported in multiple Symantec products,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to an error when processing email
messages and can be exploited to disable an email client by placing
it in an infinite loop where unsuccessful email retrievals are
repeatedly attempted.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Mark Litchfield of Next Generation Security
Software.
ORIGINAL ADVISORY:
Symantec (SYM09-012):
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090826_01
VAR-200908-0258 | CVE-2009-2053 | Denial-of-service (DoS) vulnerabilities in Cisco Unified Communications Manager |
Related entries in the VARIoT exploits database: VAR-E-200908-1143 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x, 5.x before 5.1(3g), 6.x before 6.1(4), 7.0 before 7.0(2a)su1, and 7.1 before 7.1(2) allows remote attackers to cause a denial of service (file-descriptor exhaustion and SCCP outage) via a flood of TCP packets, aka Bug ID CSCsx32236. Cisco Unified Communications Manager contains a denial-of-service (DoS) vulnerability, tracked as Bug ID CSCsx32236. A third party could cause a denial of service (DoS) by sending a large number of TCP packets.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCsi46466
CSCsz40392
CSCsq22534
CSCsx32236
CSCsx23689.
SOLUTION:
Update to version 5.1(3g) (reportedly available in early September
2009).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
The Session Initiation
Protocol (SIP) and Skinny Client Control Protocol (SCCP) services are
affected by these vulnerabilities.
There are no workarounds for these vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, VoIP gateways, and multimedia
applications. Each vulnerability is
triggered by a malformed SIP message that could cause a critical
process to fail, resulting in the disruption of voice services. All
SIP ports (TCP 5060 and 5061, UDP 5060 and 5061) are affected by
these vulnerabilities. To mitigate against
this vulnerability, administrators are advised to restrict access to
TCP and UDP port 5060 on vulnerable Cisco Unified Communications
Manager 4.x systems that are configured to use SIP trunks with
screening devices to valid SIP trunk end points.
The second SIP DoS vulnerability is documented in Cisco Bug ID
CSCsz40392 and has been assigned the CVE identifier CVE-2009-2051. By establishing many TCP connections with
a vulnerable system, an attacker could overwhelm the operating system
table that is used to track network connections and prevent new
connections from being established to system services. Any service
that listens to a TCP port on a vulnerable system could be affected
by this vulnerability, including SIP and SCCP. By flooding a
vulnerable system with many TCP packets, an attacker could exhaust
operating system file descriptors that cause the SIP port (TCP 5060
and 5061) and SCCP port (TCP 2000 and 2443) to close. This action
could prevent new connections from being established to the SIP and
SCCP services. SIP UDP (5060 and 5061) ports are not affected.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsi46466 - CM 6.1 SDL router services dead when receiving abnormal
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsz40392 - CCM: Coredump in sipSafeStrlen from malicious INVITE
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsq22534 - IP_Conntrack Fills Up During TCP Flood Attack
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsx32236 - SCCP Port Closed in Response to FD Resource Exhaustion
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsx23689 - SIP Port Closed in Response to FD Resource Exhaustion
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
advisory could result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Administrators can mitigate the SCCP- and SIP-related vulnerabilities
by implementing filtering on screening devices to permit access to
TCP ports 2000 and 2443, and TCP and UDP ports 5060 and 5061 only
from networks that need SCCP and SIP access to Cisco Unified
Communications Manager servers.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090826-cucm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates for select Cisco Unified
Communications Manager versions that address these vulnerabilities.
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers who are concerned about the availability of fixed software
for this vulnerability in these releases should contact the following
email address:
cucm-august26-inquiry@cisco.com
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. The
vulnerabilities were discovered by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090826-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------------------------+
| Revision 1.0 | 2009-August-26 | Initial public release. |
+---------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
VAR-200908-0259 | CVE-2009-2054 | Denial-of-service (DoS) vulnerability in Cisco Unified Communications Manager |
Related entries in the VARIoT exploits database: VAR-E-200908-1143 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x, 5.x before 5.1(3g), 6.x before 6.1(4), 7.0 before 7.0(2a)su1, and 7.1 before 7.1(2a)su1 allows remote attackers to cause a denial of service (file-descriptor exhaustion and SIP outage) via a flood of TCP packets, aka Bug ID CSCsx23689. Cisco Unified Communications Manager contains a denial-of-service (DoS) vulnerability, tracked as Bug ID CSCsx23689. A denial of service (DoS) could be caused by sending a large number of TCP packets.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCsi46466
CSCsz40392
CSCsq22534
CSCsx32236
CSCsx23689.
SOLUTION:
Update to version 5.1(3g) (reportedly available in early September
2009).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
The Session Initiation
Protocol (SIP) and Skinny Client Control Protocol (SCCP) services are
affected by these vulnerabilities.
There are no workarounds for these vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, VoIP gateways, and multimedia
applications. Each vulnerability is
triggered by a malformed SIP message that could cause a critical
process to fail, resulting in the disruption of voice services. All
SIP ports (TCP 5060 and 5061, UDP 5060 and 5061) are affected by
these vulnerabilities. To mitigate against
this vulnerability, administrators are advised to restrict access to
TCP and UDP port 5060 on vulnerable Cisco Unified Communications
Manager 4.x systems that are configured to use SIP trunks with
screening devices to valid SIP trunk end points.
The second SIP DoS vulnerability is documented in Cisco Bug ID
CSCsz40392 and has been assigned the CVE identifier CVE-2009-2051. By establishing many TCP connections with
a vulnerable system, an attacker could overwhelm the operating system
table that is used to track network connections and prevent new
connections from being established to system services. Any service
that listens to a TCP port on a vulnerable system could be affected
by this vulnerability, including SIP and SCCP. By flooding a
vulnerable system with many TCP packets, an attacker could exhaust
operating system file descriptors that cause the SIP port (TCP 5060
and 5061) and SCCP port (TCP 2000 and 2443) to close. This action
could prevent new connections from being established to the SIP and
SCCP services. SIP UDP (5060 and 5061) ports are not affected.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsi46466 - CM 6.1 SDL router services dead when receiving abnormal
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsz40392 - CCM: Coredump in sipSafeStrlen from malicious INVITE
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsq22534 - IP_Conntrack Fills Up During TCP Flood Attack
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsx32236 - SCCP Port Closed in Response to FD Resource Exhaustion
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsx23689 - SIP Port Closed in Response to FD Resource Exhaustion
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
advisory could result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Administrators can mitigate the SCCP- and SIP-related vulnerabilities
by implementing filtering on screening devices to permit access to
TCP ports 2000 and 2443, and TCP and UDP ports 5060 and 5061 only
from networks that need SCCP and SIP access to Cisco Unified
Communications Manager servers.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090826-cucm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates for select Cisco Unified
Communications Manager versions that address these vulnerabilities.
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers who are concerned about the availability of fixed software
for this vulnerability in these releases should contact the following
email address:
cucm-august26-inquiry@cisco.com
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory. The
vulnerabilities were discovered by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090826-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------------------------+
| Revision 1.0 | 2009-August-26 | Initial public release. |
+---------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
VAR-200908-0257 | CVE-2009-2052 | Denial-of-service (DoS) vulnerabilities in Cisco Unified Communications Manager and Cisco Unified Presence |
Related entries in the VARIoT exploits database: VAR-E-200908-1143 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x, 5.x before 5.1(3g), 6.x before 6.1(4), 7.0 before 7.0(2), and 7.1 before 7.1(2); and Cisco Unified Presence 1.x, 6.x before 6.0(6), and 7.x before 7.0(4); allows remote attackers to cause a denial of service (TCP services outage) via a large number of TCP connections, related to "tracking of network connections," aka Bug IDs CSCsq22534 and CSCsw52371. The products contain a denial-of-service (DoS) vulnerability, tracked as Bug IDs CSCsq22534 and CSCsw52371. A third party could cause a denial of service (DoS) by opening a large number of TCP connections.
An attacker can exploit these issues to cause denial-of-service conditions in the affected application.
These issues are documented by these Cisco bug IDs:
CSCsi46466
CSCsz40392
CSCsq22534
CSCsx32236
CSCsx23689.
An attacker can exploit this issue to prevent new TCP connections from being established, denying service to legitimate users.
This issue is being tracked by Cisco BugID CSCsw52371. The software version can
be determined by running the command "show version active" via the
Command Line Interface (CLI). TCP 3-way
handshakes must be completed for the attack to be successful. The
TimesTenD process will be automatically restarted upon failure.
SOLUTION:
Update to version 5.1(3g) (reportedly available in early September
2009).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
Cisco Security Advisory: Cisco Unified Communications Manager Denial
of Service Vulnerabilities
Advisory ID: cisco-sa-20090826-cucm
Revision 1.0
For Public Release 2009 August 26 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco Unified Communications Manager (formerly CallManager) contains
multiple denial of service (DoS) vulnerabilities that if exploited
could cause an interruption to voice services. The Session Initiation
Protocol (SIP) and Skinny Client Control Protocol (SCCP) services are
affected by these vulnerabilities.
There are no workarounds for these vulnerabilities. No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, VoIP gateways, and multimedia
applications. Each vulnerability is
triggered by a malformed SIP message that could cause a critical
process to fail, resulting in the disruption of voice services. All
SIP ports (TCP 5060 and 5061, UDP 5060 and 5061) are affected by
these vulnerabilities.
Cisco Unified Communications Manager 4.x versions are only affected
by the first SIP DoS vulnerability if a SIP trunk is explicitly
configured. To determine if a SIP trunk is configured on a Cisco
Unified Communications Manager version 4.x system, navigate to
Device > Trunk and choose the option SIP Trunk in the Cisco Unified
Communications Manager administration interface. To mitigate against
this vulnerability, administrators are advised to restrict access to
TCP and UDP port 5060 on vulnerable Cisco Unified Communications
Manager 4.x systems that are configured to use SIP trunks with
screening devices to valid SIP trunk end points.
The second SIP DoS vulnerability is documented in Cisco Bug ID
CSCsz40392 and has been assigned the CVE identifier CVE-2009-2051. Any service
that listens to a TCP port on a vulnerable system could be affected
by this vulnerability, including SIP and SCCP. By flooding a
vulnerable system with many TCP packets, an attacker could exhaust
operating system file descriptors that cause the SIP port (TCP 5060
and 5061) and SCCP port (TCP 2000 and 2443) to close. SIP UDP (5060 and 5061) ports are not affected.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsi46466 - CM 6.1 SDL router services dead when receiving abnormal
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsz40392 - CCM: Coredump in sipSafeStrlen from malicious INVITE
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsq22534 - IP_Conntrack Fills Up During TCP Flood Attack
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsx32236 - SCCP Port Closed in Response to FD Resource Exhaustion
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsx23689 - SIP Port Closed in Response to FD Resource Exhaustion
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
advisory could result in the interruption of voice services.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Administrators can mitigate the SCCP- and SIP-related vulnerabilities
by implementing filtering on screening devices to permit access to
TCP ports 2000 and 2443, and TCP and UDP ports 5060 and 5061 only
from networks that need SCCP and SIP access to Cisco Unified
Communications Manager servers.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20090826-cucm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates for select Cisco Unified
Communications Manager versions that address these vulnerabilities.
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers who are concerned about the availability of fixed software
for this vulnerability in these releases should contact the following
email address:
cucm-august26-inquiry@cisco.com
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090826-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------------------------+
| Revision 1.0 | 2009-August-26 | Initial public release. |
+---------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
VAR-200908-0381 | CVE-2009-2976 |
Cisco Aironet Lightweight AP Vulnerabilities in which details of access point settings are discovered
Related entries in the VARIoT exploits database: VAR-E-200908-0283 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Aironet Lightweight Access Point (AP) devices send the contents of certain multicast data frames in cleartext, which allows remote attackers to discover Wireless LAN Controller MAC addresses and IP addresses, and AP configuration details, by sniffing the wireless network. Cisco Lightweight Access Point is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause the affected device to stop responding, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCtb56664. Cisco Aironet wireless access points (APs) are very popular wireless access network devices. This paper associates devices with malicious controllers so that wireless clients cannot access legitimate network resources. This is a denial of service
VAR-200908-0382 | CVE-2009-2977 | Cisco Security Monitoring Analysis and Response System Password Information Disclosure Vulnerability |
CVSS V2: 3.3 CVSS V3: - Severity: LOW |
The Cisco Security Monitoring, Analysis and Response System (CS-MARS) 6.0.4 and earlier stores cleartext passwords in log/sysbacktrace.## files within error-logs.tar.gz archives, which allows context-dependent attackers to obtain sensitive information by reading these files. Cisco Security Monitoring, Analysis, and Response System (MARS) is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information that can aid in further attacks.
This issue is being tracked by Cisco Bug CSCtb52450.
Cisco Security MARS 6.0.4 and prior are vulnerable
VAR-200908-0252 | CVE-2009-1154 | Cisco IOS XR Denial-of-Service (DoS) Vulnerabilities |
CVSS V2: 3.3 CVSS V3: - Severity: LOW |
Cisco IOS XR 3.8.1 and earlier allows remote attackers to cause a denial of service (process crash) via a long BGP UPDATE message, as demonstrated by a message with many AS numbers in the AS Path Attribute.
An attacker can exploit this issue to cause the BGP process to crash, creating a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCtb05382. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment. The number of AS numbers must exceed the full or maximum length of the update message to trigger this vulnerability
VAR-200908-0261 | CVE-2009-2056 | Cisco IOS XR Denial-of-Service (DoS) Vulnerabilities |
CVSS V2: 3.3 CVSS V3: - Severity: LOW |
Cisco IOS XR 3.8.1 and earlier allows remote authenticated users to cause a denial of service (process crash) via vectors involving a BGP UPDATE message with many AS numbers prepended to the AS path. Cisco IOS XR contains a denial-of-service (DoS) vulnerability due to incomplete processing related to AS numbers. A remotely authenticated user could cause a service disruption (DoS).
An attacker can exploit this issue to cause the BGP process to crash, creating a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCtb12726. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment. Both the number of AS numbers required to prepend and the resulting crashes exceeded normal limits in a production environment. When the BGP process of an affected device crashes due to such an oversized AS path forwarding, no log message is generated before the crash
VAR-200908-0248 | CVE-2009-0638 | Cisco Firewall Services Module Denial-of-Service (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Cisco Firewall Services Module (FWSM) 2.x, 3.1 before 3.1(16), 3.2 before 3.2(13), and 4.0 before 4.0(6) for Cisco Catalyst 6500 switches and Cisco 7600 routers allows remote attackers to cause a denial of service (traffic-handling outage) via a series of malformed ICMP messages.
Attackers can exploit this issue to cause the vulnerable module to fail to respond to further traffic, resulting in a denial-of-service condition.
This issue is tracked by Cisco Bug ID CSCsz97207.
SOLUTION:
Update to version 3.1(16), 3.2(13), or 4.0(6).
Users of version 2.x should migrate to either 3.x or 4.x.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
The
vulnerability may cause the FWSM to stop forwarding traffic and may be
triggered while processing multiple, crafted ICMP messages.
There are no known instances of intentional exploitation of this
vulnerability. However, Cisco has observed data streams that appear to
trigger this vulnerability unintentionally.
Cisco has released free software updates that address this
vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml.
Affected Products
=================
Vulnerable Products
-------------------
All non-fixed 2.x, 3.x and 4.x versions of the FWSM software are
affected by this vulnerability.
To determine the version of the FWSM software that is running, issue
the "show module" command-line interface (CLI) command from Cisco IOS
Software or Cisco Catalyst Operating System Software to identify what
modules and sub-modules are installed in the system.
The following example shows a system with an FWSM (WS-SVC-FWM-1)
installed in slot 4.
switch#show module
Mod Ports Card Type                              Model             Serial No.
--- ----- -------------------------------------- ----------------- -----------
  1    48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX    SAxxxxxxxxx
  4     6 Firewall Module                        WS-SVC-FWM-1      SAxxxxxxxxx
  5     2 Supervisor Engine 720 (Active)         WS-SUP720-BASE    SAxxxxxxxxx
  6     2 Supervisor Engine 720 (Hot)            WS-SUP720-BASE    SAxxxxxxxxx
After locating the correct slot, issue the "show module <slot number>"
command to identify the software version that is running.
switch#show module 4
Mod Ports Card Type                              Model             Serial No.
--- ----- -------------------------------------- ----------------- -----------
  4     6 Firewall Module                        WS-SVC-FWM-1      SAxxxxxxxxx
Mod MAC addresses                     Hw     Fw           Sw           Status
--- --------------------------------- ------ ------------ ------------ -------
  4 0003.e4xx.xxxx to 0003.e4xx.xxxx  3.0    7.2(1)       3.2(3)       Ok
The preceding example shows that the FWSM is running software version
3.2(3) as indicated by the column under "Sw".
Note: Recent versions of Cisco IOS Software will show the software
version of each module in the output from the "show module" command;
therefore, executing the "show module <slot number>" command is not
necessary.
If a Virtual Switching System (VSS) is used to allow two physical Cisco
Catalyst 6500 Series Switches to operate as a single logical virtual
switch, the "show module switch all" command can display the software
version of all FWSMs that belong to switch 1 and switch 2. The output
from this command will be similar to the output from the "show module
<slot number>" but will include module information for the modules in
each switch in the VSS.
Alternatively, version information can be obtained directly from the
FWSM through the "show version" command, as shown in the following
example.
FWSM#show version
FWSM Firewall Version 3.2(3)
Customers who use the Cisco Adaptive Security Device Manager (ASDM) to
manage their devices can find the version of the software displayed in
the table in the login window or in the upper left corner of the ASDM
window. The version notation is similar to the following example.
FWSM Version: 3.2(3)
Products Confirmed Not Vulnerable
---------------------------------
Other Cisco products that offer firewall services, including Cisco IOS
Software, Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco
PIX Security Appliances, are not affected by this vulnerability.
No other Cisco products are currently known to be affected by this
vulnerability. The FWSM offers
firewall services with stateful packet filtering and deep packet
inspection.
A vulnerability exists in the Cisco FWSM Software that may cause
the FWSM to stop forwarding traffic between interfaces, or stop
processing traffic that is directed at the FWSM (management traffic)
after multiple, crafted ICMP messages are processed by the FWSM. Any
traffic that transits or is directed towards the FWSM is affected,
regardless of whether ICMP inspection ("inspect icmp" command under
Class configuration mode) is enabled.
The FWSM stops processing traffic because one of the Network Processors
(NPs) that is used by the FWSM to handle traffic may use all available
execution threads while handling a specific type of crafted ICMP
messages. This behavior limits the execution threads that are available
to handle additional traffic.
Administrators may be able to determine if the FWSM has been affected
by this vulnerability by issuing the "show np 2 stats" command. If this
command produces output showing various counters and their values, as
shown in the example CLI output that follows, the FWSM has not been
affected by the vulnerability. If the command returns a single line that
reads "ERROR: np_logger_query request for FP Stats failed", the FWSM may
have been affected by the vulnerability.
FWSM#show np 2 stats
-------------------------------------------------------------------------------
Fast Path 64 bit Global Statistics Counters (NP-2)
-------------------------------------------------------------------------------
PKT_MNG: total packets (dot1q) rcvd : 10565937
PKT_MNG: total packets (dot1q) sent : 4969517
PKT_MNG: total packets (dot1q) dropped : 65502
PKT_MNG: TCP packets received : 0
PKT_MNG: UDP packets received : 4963509
PKT_MNG: ICMP packets received : 0
PKT_MNG: ARP packets received : 2
PKT_MNG: other protocol pkts received : 0
PKT_MNG: default (no IP/ARP) dropped : 0
SESS_MNG: sessions created : 18
SESS_MNG: sessions embryonic to active : 0
[...]
An FWSM that stops processing traffic as a result of this vulnerability
will need to be reloaded. Note that unless the FWSM software is updated to a
non-vulnerable version, or crafted ICMP messages are blocked (see the
Workarounds section for details), the FWSM can still be subject to
exploitation (intentional or otherwise) after a reload.
If an FWSM that is configured for failover operation encounters this
issue, the active FWSM may not properly fail over to the standby FWSM.
IPv6 (in particular ICMPv6) cannot trigger this vulnerability.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerability in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided a FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* NP 2 threads lock due to processing crafted ICMP message (CSCsz97207)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may cause the FWSM to
stop forwarding traffic between interfaces (transit traffic), and stop
processing traffic directed at the FWSM (management traffic). If the
FWSM is configured for failover operation, the active FWSM may not fail
over to the standby FWSM.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the FWSM software table below describes a major FWSM
software train and the earliest possible release within that train that
contains the fix (the "First Fixed Release") and the anticipated date of
availability (if not currently available) in the "First Fixed Release"
column. A device running a release that is earlier than the release in
a specific column (less than the First Fixed Release) is known to be
vulnerable. The release should be upgraded at least to the indicated
release or a later version (greater than or equal to the First Fixed
Release label).
+---------------------------------------+
| Major | First Fixed Release |
| Release | |
|------------+--------------------------|
| 2.x | Vulnerable; migrate to |
| | 3.x or 4.x |
|------------+--------------------------|
| 3.1 | 3.1(16) |
|------------+--------------------------|
| 3.2 | 3.2(13) |
|------------+--------------------------|
| 4.0 | 4.0(6) |
+---------------------------------------+
Fixed FWSM software can be downloaded from the Software Center on
cisco.com by visiting http://www.cisco.com/public/sw-center/index.shtml
and navigating to "Security" > "Cisco Catalyst 6500 Series Firewall
Services Module" > "Firewall Services Module (FWSM) Software".
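The version check against the First Fixed Release table and the "show np 2 stats" symptom check described in this advisory can be combined into one triage step. The following is an added example, not code from Cisco or from this database; the function names and status labels are assumptions, and the sample CLI text is constructed from the advisory's own examples.

```python
import re

# First Fixed Release per major train, taken from the advisory's table.
# 2.x has no fixed release: the advisory says to migrate to 3.x or 4.x.
FIRST_FIXED = {(3, 1): 16, (3, 2): 13, (4, 0): 6}

# Single-line error the advisory names as the sign of a locked NP 2.
NP_ERROR = "ERROR: np_logger_query request for FP Stats failed"

# Matches "FWSM Firewall Version 3.2(3)" (show version) and
# "FWSM Version: 3.2(3)" (ASDM notation).
VERSION_RE = re.compile(r"FWSM (?:Firewall )?Version:?\s+(\d+)\.(\d+)\((\d+)\)")


def parse_version(text):
    """Return (major, minor, build) as integers, or None if no version found."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess_version(version):
    """Classify a parsed version against the First Fixed Release table.

    The build number is compared numerically: as plain strings,
    "3.2(3)" sorts after "3.2(13)" and would wrongly look fixed.
    """
    major, minor, build = version
    if major == 2:
        return "vulnerable-migrate"
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        # Train not listed in the advisory's table (assumption: treat as
        # undetermined rather than guess either way).
        return "unknown-train"
    return "fixed" if build >= fixed else "vulnerable"


def np2_locked(show_np_output):
    """True when 'show np 2 stats' returned the error line instead of counters."""
    return NP_ERROR in show_np_output


def triage(show_version_output, show_np_output):
    """Combine both checks into one record for a single FWSM."""
    version = parse_version(show_version_output)
    status = assess_version(version) if version else "unparsed"
    return {
        "version": version,
        "status": status,
        "np2_locked": np2_locked(show_np_output),
        # A locked NP means the module needs a reload; without the fixed
        # software or upstream ICMP filtering it can lock up again.
        "needs_reload": np2_locked(show_np_output),
        "needs_upgrade": status in ("vulnerable", "vulnerable-migrate"),
    }


# Constructed sample input, modelled on the advisory's examples.
SAMPLE_VERSION = "FWSM#show version\nFWSM Firewall Version 3.2(3)\n"
SAMPLE_NP_OK = (
    "FWSM#show np 2 stats\n"
    "PKT_MNG: total packets (dot1q) rcvd : 10565937\n"
    "PKT_MNG: ICMP packets received : 0\n"
)
SAMPLE_NP_BAD = "FWSM#show np 2 stats\n" + NP_ERROR + "\n"

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_NP_OK))
    print(triage(SAMPLE_VERSION, SAMPLE_NP_BAD))
```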
Workarounds
===========
There are no workarounds for this vulnerability. Access control lists
(ACLs) that are deployed on the FWSM itself to block through-the-device
or to-the-device ICMP messages are not effective to prevent this
vulnerability. However, blocking unnecessary ICMP messages on screening
devices or on devices in the path to the FWSM will prevent the FWSM
from triggering the vulnerability. For example, the following ACL,
when deployed on a Cisco IOS device in front of the FWSM, will prevent
crafted ICMP messages from reaching the FWSM, and thus protect the FWSM
from triggering the vulnerability:
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
access-list 101 permit ip any any
This sample ACL is allowing certain ICMP messages that are vital for
network troubleshooting and for proper operation of the network. It is
safe to allow any other ICMP messages for which the Cisco IOS Software
"access-list" command has named ICMP type keywords. ACLs like the one
in the preceding example may also be deployed on non-Cisco IOS devices,
such as the Cisco PIX and ASA security appliances, although the ACL
syntax on non-Cisco IOS devices may not support all the named ICMP type
keywords that the Cisco IOS ACL syntax supports. However, on non-Cisco
IOS devices, it is safe to permit all ICMP messages for which there are
named ICMP type keywords in the ACL syntax.
As mentioned in the Details section, if the FWSM has stopped processing
traffic due to this vulnerability, the FWSM will require a reload.
Additional mitigations that can be deployed on Cisco devices within the
network are available in the Cisco Applied Mitigation Bulletin companion
document for this advisory, which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090819-fwsm.shtml.
Obtaining Fixed Software
========================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
--------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
-------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
-----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory, but Cisco is aware
of customers that have encountered this vulnerability during normal
network operation.
This vulnerability was discovered during the handling of customer
support cases.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090819-fwsm.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2009-August-19 | Initial public release |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Aug 19, 2009 Document ID: 110460