VARIoT IoT vulnerabilities database

VAR-200909-0395 | CVE-2009-3091 | ASUS WL-330gE Vulnerabilities in unknown details |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability on the ASUS WL-330gE has unknown impact and remote attack vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes
VAR-201004-0085 | CVE-2009-4775 | Ipswitch WS_FTP Professional HTTP Server Response Format String Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Format string vulnerability in Ipswitch WS_FTP Professional 12 before 12.2 allows remote attackers to cause a denial of service (crash) via format string specifiers in the status code portion of an HTTP response. Ipswitch WS_FTP Professional client is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.
WS_FTP Professional 12 is vulnerable; other versions may also be affected. Ipswitch WS_FTP is a widely used FTP server program that can be used under Microsoft NT/2000/XP operating system
VAR-200909-0403 | CVE-2009-3099 |
Windows Server 2003 SP2 upper HP OpenView Operations Manager Vulnerability in
Related entries in the VARIoT exploits database: VAR-E-200909-0857 |
CVSS V2: 10.0 CVSS V3: - Severity: High |
Unspecified vulnerability in HP OpenView Operations Manager 8.1 on Windows Server 2003 SP2 allows remote attackers to have an unknown impact, related to a "Remote exploit," as demonstrated by a certain module in VulnDisco Pack Professional 8.11, a different vulnerability than CVE-2007-3872. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. This vulnerability CVE-2007-3872 Is a different vulnerability.A third party may be affected unspecified. HP OpenView is prone to a remote security vulnerability. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
HP Operations Manager Unspecified Vulnerability
SECUNIA ADVISORY ID:
SA36541
VERIFY ADVISORY:
http://secunia.com/advisories/36541/
DESCRIPTION:
A vulnerability has been reported in HP Operations, which can be
exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an unspecified error and may allow
execution of arbitrary code. No more information is currently
available.
The vulnerability is reported in version 8.1. Other versions may also
be affected.
SOLUTION:
Due to the very limited available information, it is not possible to
suggest an effective workaround.
PROVIDED AND/OR DISCOVERED BY:
Reportedly a module for VulnDisco Pack.
ORIGINAL ADVISORY:
http://intevydis.com/vd-list.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200909-0138 | CVE-2009-3345 | SAP Crystal Reports Server Heap-based buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in SAP Crystal Reports Server 2008 has unknown impact and attack vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.3 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. Crystal Reports Server 2008 is prone to a remote security vulnerability.
An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause a denial-of-service condition. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Crystal Reports Server Unspecified Vulnerabilities
SECUNIA ADVISORY ID:
SA36583
VERIFY ADVISORY:
http://secunia.com/advisories/36583/
DESCRIPTION:
Some vulnerabilities have been reported in Crystal Reports Server,
which can be exploited to cause a DoS (Denial of Service) or
compromise a vulnerable system.
1) An unspecified error can be exploited to cause a service to enter
an infinite loop.
The vulnerabilities are reported in version 2008. Other versions may
also be affected.
SOLUTION:
Due to the very limited available information, it is not possible to
suggest an effective workaround.
PROVIDED AND/OR DISCOVERED BY:
Reportedly modules for VulnDisco Pack.
ORIGINAL ADVISORY:
http://intevydis.com/vd-list.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200909-0139 | CVE-2009-3346 | SAP Crystal Reports Server Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in SAP Crystal Reports Server 2008 allows remote attackers to execute arbitrary code via unknown vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.3 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause a denial-of-service condition. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Crystal Reports Server Unspecified Vulnerabilities
SECUNIA ADVISORY ID:
SA36583
VERIFY ADVISORY:
http://secunia.com/advisories/36583/
DESCRIPTION:
Some vulnerabilities have been reported in Crystal Reports Server,
which can be exploited to cause a DoS (Denial of Service) or
compromise a vulnerable system.
1) An unspecified error can be exploited to cause a service to enter
an infinite loop.
3) An unspecified error can be exploited to cause a heap-based buffer
overflow.
The vulnerabilities are reported in version 2008. Other versions may
also be affected.
SOLUTION:
Due to the very limited available information, it is not possible to
suggest an effective workaround.
PROVIDED AND/OR DISCOVERED BY:
Reportedly modules for VulnDisco Pack.
ORIGINAL ADVISORY:
http://intevydis.com/vd-list.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200909-0134 | CVE-2009-3341 | Linksys WRT54GL Wireless router buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow on the Linksys WRT54GL wireless router allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.10 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause a denial-of-service condition. WRT54GL is prone to a remote security vulnerability. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Linksys WRT54GL Unspecified Buffer Overflow Vulnerability
SECUNIA ADVISORY ID:
SA36571
VERIFY ADVISORY:
http://secunia.com/advisories/36571/
DESCRIPTION:
A vulnerability has been reported in Linksys WRT54GL, which can be
exploited by malicious people to compromise a vulnerable device.
The vulnerability is caused due to an unspecified error and can be
exploited to cause a buffer overflow. No further information is
currently available.
SOLUTION:
Due to the very limited available information, it is not possible to
suggest an effective workaround.
PROVIDED AND/OR DISCOVERED BY:
Reportedly a module for VulnDisco Pack.
ORIGINAL ADVISORY:
http://intevydis.com/vd-list.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200909-0696 | No CVE | HP Operations Manager Default Manager Account Remote Security Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
HP Operations Manager is prone to a remote security vulnerability.
Operations Manager 8.1 for Windows is vulnerable; other versions may also be vulnerable.
NOTE: This issue may be related to the issue documented in BID 37086 (HP Operations Manager Remote Unauthorized Access Vulnerability), but this has not been confirmed.
VAR-200909-0698 | No CVE | SAP NetWeaver Multiple Unspecified Remote Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver is prone to multiple unspecified remote vulnerabilities, including:
- Multiple information-disclosure vulnerabilities.
- A NULL-pointer dereference vulnerability.
- Multiple heap-overflow vulnerabilities.
- A denial-of-service vulnerability.
Attackers can exploit these issues to execute code within the context of the affected server, cause denial-of-service conditions, and obtain potentially sensitive information.
VAR-200912-0357 | CVE-2009-4480 | AzeoTech DAQFactory of Web Service buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in the web service in AzeoTech DAQFactory 5.77 might allow remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 7.16 through 8.11. NOTE: as of 20091229, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. AzeoTech DAQFactory is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Failed attacks will cause denial-of-service conditions.
DAQFactory 5.77 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
DAQFactory Web Service Unspecified Buffer Overflow
SECUNIA ADVISORY ID:
SA36504
VERIFY ADVISORY:
http://secunia.com/advisories/36504/
DESCRIPTION:
A vulnerability has been reported in DAQFactory, which can be
exploited by malicious people to compromise a vulnerable system.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 5.77.
SOLUTION:
Disable the web service if not required or restrict access to it.
PROVIDED AND/OR DISCOVERED BY:
Reportedly a module for VulnDisco Pack.
ORIGINAL ADVISORY:
http://intevydis.com/vd-list.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200909-0137 | CVE-2009-3344 |
Windows Run on Crystal Reports Server Service disruption in (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200909-0247 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in SAP Crystal Reports Server 2008 on Windows XP allows attackers to cause a denial of service (infinite loop) via unknown vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.3 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
- A heap-based buffer-overflow vulnerability.
- An unspecified remote code-execution vulnerability.
Attackers can exploit these issues to execute code within the context of the affected server and cause denial-of-service conditions. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Crystal Reports Server Unspecified Vulnerabilities
SECUNIA ADVISORY ID:
SA36583
VERIFY ADVISORY:
http://secunia.com/advisories/36583/
DESCRIPTION:
Some vulnerabilities have been reported in Crystal Reports Server,
which can be exploited to cause a DoS (Denial of Service) or
compromise a vulnerable system.
2) An unspecified error may be exploited to execute arbitrary code.
3) An unspecified error can be exploited to cause a heap-based buffer
overflow.
The vulnerabilities are reported in version 2008. Other versions may
also be affected.
SOLUTION:
Due to the very limited available information, it is not possible to
suggest an effective workaround.
PROVIDED AND/OR DISCOVERED BY:
Reportedly modules for VulnDisco Pack.
ORIGINAL ADVISORY:
http://intevydis.com/vd-list.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200909-0789 | CVE-2009-3767 | OpenLDAP In any SSL Vulnerability impersonating a server |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. SSL A vulnerability that impersonates a server exists. This vulnerability CVE-2009-2408 And is related.By crafted certificate, any SSL There is a possibility of impersonating a server. OpenLDAP is prone to a security-bypass vulnerability.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. Summary:
JBoss Enterprise Web Server 1.0.2 is now available from the Red Hat
Customer Portal for Red Hat Enterprise Linux 4, 5 and 6, Solaris, and
Microsoft Windows.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section. Description:
JBoss Enterprise Web Server is a fully-integrated and certified set of
components for hosting Java web applications.
This is the first release of JBoss Enterprise Web Server for Red Hat
Enterprise Linux 6. For Red Hat Enterprise Linux 4 and 5, Solaris, and
Microsoft Windows, this release serves as a replacement for JBoss
Enterprise Web Server 1.0.1, and includes a number of bug fixes. Refer to
the Release Notes, linked in the References, for more information.
This update corrects security flaws in the following components:
tomcat6:
A cross-site scripting (XSS) flaw was found in the Manager application,
used for managing web applications on Apache Tomcat. If a remote attacker
could trick a user who is logged into the Manager application into visiting
a specially-crafted URL, the attacker could perform Manager application
tasks with the privileges of the logged in user. (CVE-2010-4172)
tomcat5 and tomcat6:
It was found that web applications could modify the location of the Apache
Tomcat host's work directory. As web applications deployed on Tomcat have
read and write access to this directory, a malicious web application could
use this flaw to trick Tomcat into giving it read and write access to an
arbitrary directory on the file system. (CVE-2010-3718)
A second cross-site scripting (XSS) flaw was found in the Manager
application. A malicious web application could use this flaw to conduct an
XSS attack, leading to arbitrary web script execution with the privileges
of victims who are logged into and viewing Manager application web pages.
(CVE-2011-0013)
A possible minor information leak was found in the way Apache Tomcat
generated HTTP BASIC and DIGEST authentication requests. For configurations
where a realm name was not specified and Tomcat was accessed via a proxy,
the default generated realm contained the hostname and port used by the
proxy to send requests to the Tomcat server. (CVE-2010-1157)
httpd:
A flaw was found in the way the mod_dav module of the Apache HTTP Server
handled certain requests. If a remote attacker were to send a carefully
crafted request to the server, it could cause the httpd child process to
crash. (CVE-2010-1452)
A flaw was discovered in the way the mod_proxy_http module of the Apache
HTTP Server handled the timeouts of requests forwarded by a reverse proxy
to the back-end server. In some configurations, the proxy could return
a response intended for another user under certain timeout conditions,
possibly leading to information disclosure. Note: This issue only affected
httpd running on the Windows operating system. (CVE-2010-2068)
apr:
It was found that the apr_fnmatch() function used an unconstrained
recursion when processing patterns with the '*' wildcard. An attacker could
use this flaw to cause an application using this function, which also
accepted untrusted input as a pattern for matching (such as an httpd server
using the mod_autoindex module), to exhaust all stack memory or use an
excessive amount of CPU time when performing matching. (CVE-2011-0419)
apr-util:
It was found that certain input could cause the apr-util library to
allocate more memory than intended in the apr_brigade_split_line()
function. An attacker able to provide input in small chunks to an
application using the apr-util library (such as httpd) could possibly use
this flaw to trigger high memory consumption. (CVE-2010-1623)
The following flaws were corrected in the packages for Solaris and Windows.
Updates for Red Hat Enterprise Linux can be downloaded from the Red Hat
Network.
Multiple flaws in OpenSSL, which could possibly cause a crash, code
execution, or a change of session parameters, have been corrected.
(CVE-2009-3245, CVE-2010-4180, CVE-2008-7270)
Two denial of service flaws were corrected in Expat. (CVE-2009-3560,
CVE-2009-3720)
An X.509 certificate verification flaw was corrected in OpenLDAP.
(CVE-2009-3767)
More information about these flaws is available from the CVE links in the
References. Solution:
All users of JBoss Enterprise Web Server 1.0.1 as provided from the Red Hat
Customer Portal are advised to upgrade to JBoss Enterprise Web Server
1.0.2, which corrects these issues.
The References section of this erratum contains a download link (you must
log in to download the update). Before installing the update, backup your
existing JBoss Enterprise Web Server installation (including all
applications and configuration files). Apache Tomcat and the Apache HTTP
Server must be restarted for the update to take effect. Bugs fixed (http://bugzilla.redhat.com/):
530715 - CVE-2009-3767 OpenLDAP: Doesn't properly handle NULL character in subject Common Name
531697 - CVE-2009-3720 expat: buffer over-read and crash on XML with malformed UTF-8 sequences
533174 - CVE-2009-3560 expat: buffer over-read and crash in big2_toUtf8() on XML with malformed UTF-8 sequences
570924 - CVE-2009-3245 openssl: missing bn_wexpand return value checks
585331 - CVE-2010-1157 tomcat: information disclosure in authentication headers
618189 - CVE-2010-1452 httpd mod_cache, mod_dav: DoS (httpd child process crash) by parsing URI structure with missing path segments
632994 - CVE-2010-2068 httpd (mod_proxy): Sensitive response disclosure due improper handling of timeouts
640281 - CVE-2010-1623 apr-util: high memory consumption in apr_brigade_split_line()
656246 - CVE-2010-4172 tomcat: cross-site-scripting vulnerability in the manager application
659462 - CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack
660650 - CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack
675786 - CVE-2011-0013 tomcat: XSS vulnerability in HTML Manager interface
675792 - CVE-2010-3718 tomcat: file permission bypass flaw
703390 - CVE-2011-0419 apr: unconstrained recursion in apr_fnmatch
5. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
For the oldstable distribution (etch), this problem has been fixed in version
2.3.30-5+etch3 for openldap2.3.
For the stable distribution (lenny), this problem has been fixed in version
2.4.11-1+lenny1 for openldap.
For the testing distribution (squeeze), and the unstable distribution (sid),
this problem has been fixed in version 2.4.17-2.1 for openldap.
We recommend that you upgrade your openldap2.3/openldap packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30.orig.tar.gz
Size/MD5 checksum: 2971126 c40bcc23fa65908b8d7a86a4a6061251
http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30-5+etch3.dsc
Size/MD5 checksum: 1214 36efc1cf2a98c54d4b1da0910e273843
http://security.debian.org/pool/updates/main/o/openldap2.3/openldap2.3_2.3.30-5+etch3.diff.gz
Size/MD5 checksum: 315058 310ce752b78ff3227d78dcd8c1bd60a5
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_alpha.deb
Size/MD5 checksum: 293108 2172048d5f8b8b7f379b3414fc5c2e37
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_alpha.deb
Size/MD5 checksum: 1280772 ab65f162a40607c1787f9b03783a7563
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_alpha.deb
Size/MD5 checksum: 193768 602a6da790648dd8b0af7d9f386b5c6e
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_amd64.deb
Size/MD5 checksum: 285554 42480b47018eb1d70b9e62d05b925a5b
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_amd64.deb
Size/MD5 checksum: 1244570 b88256f8259516b09c51f166ff6b4aea
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_amd64.deb
Size/MD5 checksum: 184652 716cc53985a031d1fe03fede778d6ae5
arm architecture (ARM)
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_arm.deb
Size/MD5 checksum: 1190314 8686c6a9a9240e6113f92c8bb20d7e1a
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_arm.deb
Size/MD5 checksum: 254828 49d9c9a250fb4a5a828de5791ee92380
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_arm.deb
Size/MD5 checksum: 155876 bb45d3104fe4b9811fdb3063da42d3b1
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_hppa.deb
Size/MD5 checksum: 1307146 698d7416e4cc544522ce2e25ac9c0fce
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_hppa.deb
Size/MD5 checksum: 292798 eb9d6d19560a1153cc58ccae3f354a4e
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_hppa.deb
Size/MD5 checksum: 182568 caade74265ee9d7b8ac77c844c23b413
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_i386.deb
Size/MD5 checksum: 1177552 f3ccf11b82474593af5e30a272f9edb9
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_i386.deb
Size/MD5 checksum: 148744 168e58797e74f9b3b6d3c337b6369ca7
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_i386.deb
Size/MD5 checksum: 266538 3be52b8402d06913624a3e808be58ecb
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_ia64.deb
Size/MD5 checksum: 239248 78d1537b3a106824ff5d076e828a0312
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_ia64.deb
Size/MD5 checksum: 379904 dbc96e1a44dce4bb5f79b9c043823293
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_ia64.deb
Size/MD5 checksum: 1660854 fcc2873ffd50e45c956d9bcc81d83c51
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_mips.deb
Size/MD5 checksum: 258210 298f5a83a1efd8c035644fd58df21f2c
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_mips.deb
Size/MD5 checksum: 185598 b6c67ee072f2de03820e7ce11edb39c3
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_mips.deb
Size/MD5 checksum: 1205768 3f312958af5ea129384513e5fab72208
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_mipsel.deb
Size/MD5 checksum: 258852 d7ba57787989e3fb5035fce34b04965d
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_mipsel.deb
Size/MD5 checksum: 187100 46910e3923926ac060c13a7a53f8cac4
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_mipsel.deb
Size/MD5 checksum: 1188878 5698884b42d7206c2b0c134602861354
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_powerpc.deb
Size/MD5 checksum: 188914 e03855167b8e13bdb72e47baa9644f86
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_powerpc.deb
Size/MD5 checksum: 272378 f5741b7ac8f4172e7481f5c2e699231b
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_powerpc.deb
Size/MD5 checksum: 1243754 2a8b933e956e5ac4bc29028688bb09ec
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_s390.deb
Size/MD5 checksum: 291822 6b47ac5b7fbc269c1973c494d5dadbc2
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_s390.deb
Size/MD5 checksum: 168716 f72b023d98d61565c624f7acbf953baf
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_s390.deb
Size/MD5 checksum: 1241532 0167eb506b063de5435181f40c6cf809
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openldap2.3/slapd_2.3.30-5+etch3_sparc.deb
Size/MD5 checksum: 1177712 770a58d0c60ad11e5ca4cf25159fe2c7
http://security.debian.org/pool/updates/main/o/openldap2.3/ldap-utils_2.3.30-5+etch3_sparc.deb
Size/MD5 checksum: 153682 d8bf20f2a94456451d4ea29d3237d280
http://security.debian.org/pool/updates/main/o/openldap2.3/libldap-2.3-0_2.3.30-5+etch3_sparc.deb
Size/MD5 checksum: 258560 4bfd77d56852608813f158ecfd91b42b
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11-1+lenny1.diff.gz
Size/MD5 checksum: 148075 024b717169f42734ee5650ebe2978631
http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11-1+lenny1.dsc
Size/MD5 checksum: 1831 ca4cb86b4847a59f95275ff2f4d0e173
http://security.debian.org/pool/updates/main/o/openldap/openldap_2.4.11.orig.tar.gz
Size/MD5 checksum: 4193523 d4e8669e2c9b8d981e371e97e3cf92d9
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 3624752 5b4e467360ecd8cc897b03b5aca57dad
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 205526 3b083869976ab4d8d8df69d27fe9480e
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 280526 4ed333757fef7e98d89c5edda6589b04
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 1537448 98d6aeab748560a491e0b526d930fc0c
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 1013148 cc656603f7ae0eacc2b3c22dd1fae967
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_alpha.deb
Size/MD5 checksum: 285128 e526e547a4af2c13bf3ae90dfdf023a2
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 1493300 31c077d63cc2ff159927939cadb29808
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 299612 e148216f77a9136adb19acd8df026d6d
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 267470 f903f46433faa1d2b6b203e50aaed3d8
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 881074 de337737dd93af0b81bd90e3c6f23377
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 3664994 8ad4581bd54e1ed7a8f3c1c8bf210c17
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_amd64.deb
Size/MD5 checksum: 204896 c0dba3b62aa14392d29f831d6c87206d
arm architecture (ARM)
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 280140 ccaed923684d35304f50f27fc6b868b3
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 248918 a08cf9fd18ce8806be437c364179c2b3
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 877400 614df898211cc5311a62159f6ee21b93
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 1405962 5e1e62d6f0a5984486fa2eaa478eab38
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 180520 96b5fe5d50b9a1d59eb5ab03489a1b90
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_arm.deb
Size/MD5 checksum: 3572646 a8e804a9e966a57306a9229acd11ff80
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 1533292 8d5c2d83596b10c9d3ee7a4dcb692026
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 3619256 2ad8452962291b553fadc8bb6398f834
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 200874 27205d8a86701cb133f7507eeef5e76a
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 283816 1163f67e39b08c10cf492b24bd526f24
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 264158 905749f1e385f9d93c2358b05dc42dfb
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_hppa.deb
Size/MD5 checksum: 999386 6a071952604a9c30483fca7f3a3754ec
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 189442 879dac84b581979646c49bde9743c630
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 286808 2dcb4f8e5514d9e4d9072b4853da322d
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 892068 449ba5d6037617e4e93dfd6bcb093549
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 3560322 c6a6fbc66944bd05585c1065ab012c93
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 244952 5a5b31ebb9098059e62eb57d209a6846
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_i386.deb
Size/MD5 checksum: 1404266 a3bffb93ec3b0d0d130a6a7e29091a9b
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 3589108 d34afb06a3b21ad7267ef5d31b6ad322
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 932026 1194a002673f8a73cf382c2333c7882b
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 352020 e40c570396514fee0c6eee3920be2607
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 269084 1720388cc8102f33122375034a703a05
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 259018 658248f4329555e81896800709302575
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_ia64.deb
Size/MD5 checksum: 2006532 6ad20563d8999759f32445576fd69856
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 3712752 8d48a2797c1f4e6b5dea203698e4b31c
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 180956 88613b463fcdba79539048ce681d4f5e
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 260240 f6fa5402a6fc03aef4b87735030969c5
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 854756 76ad64ab6fe85c5bfc654266101e024a
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 1394436 4930b2b56c642182c8ccd69d5bc53685
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_mips.deb
Size/MD5 checksum: 302106 3672bab4d2c0c037a1d9c0a61fa16139
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 3718584 7b120292ce66e7ea85b3ad623da0bb4e
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 295146 f131ea5cdbab25c2416ff06f6697bc08
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 199248 c683d506deb5fadabea906c9dec36c9f
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 1536614 b5c37ae6f72127bdf6910100edeb06e5
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 907106 6af4614c092e6ccda8580e6a73cb8728
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_powerpc.deb
Size/MD5 checksum: 284952 b75e2ddab46ddab036ef40b21cec63ee
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openldap/libldap2-dev_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 872178 a7739e034d0df26a69e0cb569802d594
http://security.debian.org/pool/updates/main/o/openldap/ldap-utils_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 249022 334ecf73608e20ec6cff79716cf10fde
http://security.debian.org/pool/updates/main/o/openldap/slapd_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 1387990 4935db487abd61e04adb3a846ed7aadc
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2-dbg_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 260980 006fdd6b90293fdf1331442ccabde568
http://security.debian.org/pool/updates/main/o/openldap/libldap-2.4-2_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 182822 73c3edfab6b52e772ed36c990c13f210
http://security.debian.org/pool/updates/main/o/openldap/slapd-dbg_2.4.11-1+lenny1_sparc.deb
Size/MD5 checksum: 3502906 c19b8875ae915cec344bb74a5e462e44
These files will probably be moved into the stable distribution on
its next update. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201406-36
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: OpenLDAP: Multiple vulnerabilities
Date: June 30, 2014
Bugs: #290345, #323777, #355333, #388605, #407941, #424167
ID: 201406-36
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities were found in OpenLDAP, allowing for Denial of
Service or a man-in-the-middle attack.
Background
==========
OpenLDAP is an LDAP suite of application and development tools.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-nds/openldap < 2.4.35 >= 2.4.35
Description
===========
Multiple vulnerabilities have been discovered in OpenLDAP. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker might employ a specially crafted certificate to
conduct man-in-the-middle attacks on SSL connections made using
OpenLDAP, bypass security restrictions or cause a Denial of Service
condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All OpenLDAP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-nds/openldap-2.4.35"
References
==========
[ 1 ] CVE-2009-3767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3767
[ 2 ] CVE-2010-0211
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0211
[ 3 ] CVE-2010-0212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0212
[ 4 ] CVE-2011-1024
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1024
[ 5 ] CVE-2011-1025
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1025
[ 6 ] CVE-2011-1081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1081
[ 7 ] CVE-2011-4079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4079
[ 8 ] CVE-2012-1164
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1164
[ 9 ] CVE-2012-2668
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2668
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201406-36.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0015
Synopsis: VMware ESX third party updates for Service Console
Issue date: 2010-09-30
Updated on: 2010-09-30 (initial release of advisory)
CVE numbers: CVE-2010-0826 CVE-2009-3767 CVE-2010-0734
CVE-2010-1646 CVE-2009-3555 CVE-2009-2409
CVE-2009-3245 CVE-2010-0433
- ------------------------------------------------------------------------
1. Summary
ESX 4.0 Console OS (COS) updates for NSS_db, OpenLDAP, cURL, sudo
OpenSSL, GnuTLS, NSS and NSPR packages.
2. Relevant releases
VMware ESX 4.0 without patches ESX400-201009407-SG,
ESX400-201009408-SG, ESX400-201009409-SG, ESX400-201009410-SG,
ESX400-201009401-SG
Notes:
Effective May 2010, VMware's patch and update release program during
Extended Support will be continued with the condition that all
subsequent patch and update releases will be based on the latest
baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
"End of Product Availability FAQs" at
http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
details.
Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan
to upgrade to at least ESX 3.5 and preferably to the newest release
available.
3. Problem Description
a. Service Console update for NSS_db
The service console package NSS_db is updated to version
nss_db-2.2-35.4.el5_5.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-0826 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX affected, patch pending
ESX 4.0 ESX ESX400-201009407-SG
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
b. Service Console update for OpenLDAP
The service console package OpenLDAP updated to version
2.3.43-12.el5.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-3767 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX affected, patch pending
ESX 4.0 ESX ESX400-201009408-SG
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
c. Service Console update for cURL
The service console packages for cURL updated to version
7.15.5-9.el5.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-0734 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX affected, patch pending
ESX 4.0 ESX ESX400-201009409-SG
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
d. Service Console update for sudo
The service console package sudo updated to version 1.7.2p1-7.el5_5.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-1646 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX affected, patch pending
ESX 4.0 ESX ESX400-201009410-SG
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
e. Service Console update for OpenSSL, GnuTLS, NSS and NSPR
Service Console updates for OpenSSL to version 097a-0.9.7a-9.el5_4.2
and version 0.9.8e-12.el5_4.6, GnuTLS to version 1.4.1-3.el5_4.8,
and NSS to version 3.12.6-1.3235.vmw and NSPR to version
4.8.4-1.3235.vmw. These four updates are bundled together due to
their mutual dependencies.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-3555, CVE-2009-2409, CVE-2009-3245
and CVE-2010-0433 to the issues addressed in this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX affected, patch pending
ESX 4.0 ESX ESX400-201009401-SG **
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
** Note: This patch also addresses non-security issues. See KB article
1023759 for details.
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.
ESX 4.0
-------
ESX400-201009001
Download link: http://bit.ly/adhjEu
md5sum: 988c593b7a7abf0be5b72970ac64a369
sha1sum: 26d875955b01c19f4e56703216e135257c08836f
http://kb.vmware.com/kb/1025321
ESX400-201009001 contains the following security bulletins:
ESX400-201009407-SG (NSS_db) | http://kb.vmware.com/kb/1023763
ESX400-201009408-SG (OpenLDAP) | http://kb.vmware.com/kb/1023764
ESX400-201009409-SG (cURL) | http://kb.vmware.com/kb/1023765
ESX400-201009410-SG (sudo) | http://kb.vmware.com/kb/1023766
ESX400-201009401-SG (OpenSSL, GnuTLS, NSS)
| http://kb.vmware.com/kb/1023759
And contains the following security bundles from VMSA-2010-0013.1:
ESX400-201009402-SG (cpio) | http://kb.vmware.com/kb/1023760
ESX400-201009406-SG (tar) | http://kb.vmware.com/kb/1023762
ESX400-201009403-SG (krb5) | http://kb.vmware.com/kb/1023761
ESX400-201009411-SG (perl) | http://kb.vmware.com/kb/1023767
And also contains ESX400-201009412-BG a non-security critical update.
To install an individual bulletin use esxupdate with the -b option.
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0826
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1646
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0433
- ------------------------------------------------------------------------
6. Change log
2010-09-30 VMSA-2010-0015
Initial security advisory after release of patches for ESX 4.0
on 2010-09-30
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware Security Advisories
http://www.vmware.com/security/advisoiries
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2010 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
iEYEARECAAYFAkykSsUACgkQS2KysvBH1xn89gCcCMcHvt1LDG9pNh5lbRmxphDg
R2UAmQHIUDg4mWUStJolvh98eiTS140I
=bM3K
-----END PGP SIGNATURE-----
.
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct this issue. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLXwOHmqjQ0CJFipgRAp7yAJ40umReJDo1Asg6BoihvuXXShK+vACeP+Vx
9jUkR+Zs9Nl7nEVuZXdjAvw=
=Fkxu
-----END PGP SIGNATURE-----
. ===========================================================
Ubuntu Security Notice USN-858-1 November 12, 2009
openldap2.2 vulnerability
CVE-2009-3767
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libldap-2.2-7 2.2.26-5ubuntu2.9
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that OpenLDAP did not correctly handle SSL certificates
with zero bytes in the Common Name. A remote attacker could exploit this to
perform a man in the middle attack to view sensitive information or alter
encrypted communications.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.9.diff.gz
Size/MD5: 516098 098a03b4f7d511ce730e9647deca2072
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.9.dsc
Size/MD5: 1028 5a95dae94a1016fbcf41c1c1992ea8e6
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz
Size/MD5: 2626629 afc8700b5738da863b30208e1d3e9de8
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_amd64.deb
Size/MD5: 130854 1f1b40b12adcb557a810194d0c4f7993
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_amd64.deb
Size/MD5: 166444 500528d10502361c075a08578c1586f5
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_amd64.deb
Size/MD5: 961974 f56eef919306d6ca7f4a7a090d2ae6ba
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_i386.deb
Size/MD5: 118638 0558a833fb6eadf4d87bd9fd6e687838
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_i386.deb
Size/MD5: 146444 fc85d5259c97622324047bbda153937d
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_i386.deb
Size/MD5: 873424 358c78f76ee16010c1fb81e89adfe849
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_powerpc.deb
Size/MD5: 133012 92d9de435a795261e6bf4143f2bf59c7
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_powerpc.deb
Size/MD5: 157480 099b1ee5e158f77be109a7972587f596
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_powerpc.deb
Size/MD5: 960052 850fb56995224edd6ae329af1b8236ef
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.9_sparc.deb
Size/MD5: 120932 4fa0f7accd968ba71dff1f7c5b2ef811
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.9_sparc.deb
Size/MD5: 148546 2d1af209a8b53a8315fbd4bd86573d70
http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.9_sparc.deb
Size/MD5: 903928 4aa6b0478821e803c80a020b031aafed
VAR-200909-0397 | CVE-2009-3093 | ASUS WL-500W Unknown vulnerabilities in wireless routers |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability on the ASUS WL-500W wireless router has unknown impact and remote attack vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
Attackers can exploit these issues to completely compromise the vulnerable device; other attacks may also be possible. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
ASUS WL-500W Wireless Router Two Vulnerabilities
SECUNIA ADVISORY ID:
SA36439
VERIFY ADVISORY:
http://secunia.com/advisories/36439/
DESCRIPTION:
Two vulnerabilities have been reported in ASUS WL-500W wireless
router.
1) An unspecified error can be exploited to cause a buffer overflow.
2) An unspecified error has an unknown impact.
SOLUTION:
Due to the very limited available information, it is not possible to
suggest an effective workaround.
PROVIDED AND/OR DISCOVERED BY:
Reported as modules included in VulnDisco Pack.
ORIGINAL ADVISORY:
http://intevydis.com/vd-list.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200909-0396 | CVE-2009-3092 | ASUS WL-500W Wireless router buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow on the ASUS WL-500W wireless router has unknown impact and remote attack vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. ASUS WL-500W router is prone to multiple remote vulnerabilities.
Attackers can exploit these issues to completely compromise the vulnerable device; other attacks may also be possible. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
ASUS WL-500W Wireless Router Two Vulnerabilities
SECUNIA ADVISORY ID:
SA36439
VERIFY ADVISORY:
http://secunia.com/advisories/36439/
DESCRIPTION:
Two vulnerabilities have been reported in ASUS WL-500W wireless
router.
1) An unspecified error can be exploited to cause a buffer overflow.
2) An unspecified error has an unknown impact.
SOLUTION:
Due to the very limited available information, it is not possible to
suggest an effective workaround.
PROVIDED AND/OR DISCOVERED BY:
Reported as modules included in VulnDisco Pack.
ORIGINAL ADVISORY:
http://intevydis.com/vd-list.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200909-0140 | CVE-2009-3347 | D-Link DIR-400 Wireless router buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow on the D-Link DIR-400 wireless router allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.10 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. D-Link DIR-400 is prone to an unspecified remote buffer-overflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
D-Link DIR-400 Wireless Router Unspecified Buffer Overflow
SECUNIA ADVISORY ID:
SA36454
VERIFY ADVISORY:
http://secunia.com/advisories/36454/
DESCRIPTION:
A vulnerability has been reported in D-Link DIR-400 wireless router,
which can be exploited to compromise a vulnerable device.
The vulnerability is caused due to an unspecified error and can be
exploited to cause a buffer overflow.
SOLUTION:
Due to the very limited available information, it is not possible to
suggest an effective workaround.
PROVIDED AND/OR DISCOVERED BY:
Reportedly a module for VulnDisco Pack.
ORIGINAL ADVISORY:
http://intevydis.com/vd-list.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200909-0399 | CVE-2009-3095 | Apache mod_proxy_ftp remote command injection vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. Apache HTTP Server is an open source web server from the American Apache Software (Apache) Foundation. The server is fast, reliable and scalable via a simple API. The Apache mod_proxy_ftp module is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.
Attackers can exploit this issue to execute arbitrary commands within the context of the affected application. one. ===========================================================
Ubuntu Security Notice USN-860-1 November 19, 2009
apache2 vulnerabilities
CVE-2009-3094, CVE-2009-3095, CVE-2009-3555
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
apache2-common 2.0.55-4ubuntu2.9
Ubuntu 8.04 LTS:
apache2.2-common 2.2.8-1ubuntu0.14
Ubuntu 8.10:
apache2.2-common 2.2.9-7ubuntu3.5
Ubuntu 9.04:
apache2.2-common 2.2.11-2ubuntu2.5
Ubuntu 9.10:
apache2.2-common 2.2.12-1ubuntu2.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
protocols. If an attacker could perform a man in the middle attack at the
start of a TLS connection, the attacker could inject arbitrary content at
the beginning of the user's session. The flaw is with TLS renegotiation and
potentially affects any software that supports this feature. Attacks
against the HTTPS protocol are known, with the severity of the issue
depending on the safeguards used in the web application. Until the TLS
protocol and underlying libraries are adjusted to defend against this
vulnerability, a partial, temporary workaround has been applied to Apache
that disables client initiated TLS renegotiation. This update does not
protect against server initiated TLS renegotiation when using
SSLVerifyClient and SSLCipherSuite on a per Directory or Location basis.
Users can defend againt server inititiated TLS renegotiation attacks by
adjusting their Apache configuration to use SSLVerifyClient and
SSLCipherSuite only on the server or virtual host level. (CVE-2009-3555)
It was discovered that mod_proxy_ftp in Apache did not properly sanitize
its input when processing replies to EPASV and PASV commands.
(CVE-2009-3094)
Another flaw was discovered in mod_proxy_ftp.
(CVE-2009-3095)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.9.diff.gz
Size/MD5: 130638 5d172b0ca228238e211940fad6b0935d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.9.dsc
Size/MD5: 1156 a6d575c4c0ef0ef9c4c77e7f6ddfb02d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55.orig.tar.gz
Size/MD5: 6092031 45e32c9432a8e3cf4227f5af91b03622
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.55-4ubuntu2.9_all.deb
Size/MD5: 2125884 643115e9135b9bf626f3a65cfc5f2ed3
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.9_amd64.deb
Size/MD5: 834492 818915da9848657833480b1ead6b4a12
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.9_amd64.deb
Size/MD5: 229578 9086ac3033e0425ecd150b31b377ee76
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.9_amd64.deb
Size/MD5: 224594 85a4480344a072868758c466f6a98747
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.9_amd64.deb
Size/MD5: 229128 446b52088b9744fb776e53155403a474
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.9_amd64.deb
Size/MD5: 172850 17e4cd95ecb9d0390274fca9625c2e5e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.9_amd64.deb
Size/MD5: 173636 b501407d01fa07e5807c28cd1db16cd7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.9_amd64.deb
Size/MD5: 95454 a06ee30ec14b35003ebcb821624bc2af
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.9_amd64.deb
Size/MD5: 37510 4c063b1b8d831ea8a02d5ec691995dec
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.9_amd64.deb
Size/MD5: 287048 9cdc7502ebc526d4bc7df9b59a9d8925
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.9_amd64.deb
Size/MD5: 145624 4b613a57da2ca57678e8c8f0c1628556
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.9_i386.deb
Size/MD5: 787870 67b1855dc984e5296ac9580e2a2f0a0c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.9_i386.deb
Size/MD5: 204122 edf40b0ff5c1824b2d6232da247ce480
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.9_i386.deb
Size/MD5: 200060 6267a56fcef78f6300372810ce36ea41
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.9_i386.deb
Size/MD5: 203580 c487929bbf45b5a4dc3d035d86f7b3a0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.9_i386.deb
Size/MD5: 172876 bae257127c3d137e407a7db744f3d57a
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.9_i386.deb
Size/MD5: 173660 9dd0e108ab4d3382799b29d901bf4502
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.9_i386.deb
Size/MD5: 93410 d5d602c75a28873f1cd7523857e0dd80
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.9_i386.deb
Size/MD5: 37508 22049e1ea8ea88259ff3f6e94482cfb3
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.9_i386.deb
Size/MD5: 263066 43fa2ae3b43c4743c98c45ac22fb0250
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.9_i386.deb
Size/MD5: 133484 e70b7f81859cb92e0c50084e92216526
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.9_powerpc.deb
Size/MD5: 860622 6d386da8da90d363414846dbc7fa7f08
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.9_powerpc.deb
Size/MD5: 221470 8c207b379f7ba646c94759d3e9079dd4
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.9_powerpc.deb
Size/MD5: 217132 069cab77278b101c3c4a5b172f36ba9b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.9_powerpc.deb
Size/MD5: 220968 2f6ba65769fc964eb6dfec8a842f7621
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.9_powerpc.deb
Size/MD5: 172874 89137c84b5a33f526daf3f8b4c047a7e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.9_powerpc.deb
Size/MD5: 173662 23e576721faccb4aef732cf98e2358d4
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.9_powerpc.deb
Size/MD5: 105198 44f9e698567784555db7d7d971b9fce2
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.9_powerpc.deb
Size/MD5: 37518 fe7caa2a3cf6d4227ac34692de30635e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.9_powerpc.deb
Size/MD5: 282644 ec0306c04778cf8c8edd622aabb0363c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.9_powerpc.deb
Size/MD5: 142730 d43356422176ca29440f3e0572678093
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.9_sparc.deb
Size/MD5: 805078 0f1f6a9b04ad5ce4ea29fd0e44bf18a4
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.9_sparc.deb
Size/MD5: 211674 eb19532b9b759c806e9a95a4ffbfad9b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.9_sparc.deb
Size/MD5: 207344 9e5770a4c94cbc4f9bc8cc11a6a038f1
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.9_sparc.deb
Size/MD5: 210948 6d1d2357cec5b88c1c2269e5c16724bc
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.9_sparc.deb
Size/MD5: 172882 d04dd123def1bc4cfbf2ac0095432eea
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.9_sparc.deb
Size/MD5: 173662 6be46bbb9e92224020da49d657cb4cd4
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.9_sparc.deb
Size/MD5: 94510 9df6ae07a9218d6159b1eebde5d58606
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.9_sparc.deb
Size/MD5: 37506 89856bb1433e67fb23c8d34423d3e0a5
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.9_sparc.deb
Size/MD5: 269070 bf585dec777b0306cd80663c11b020df
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.9_sparc.deb
Size/MD5: 131466 340eaf2d2c1f129c7676a152776cfcf3
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.14.diff.gz
Size/MD5: 141838 37d5c93b425758839cbef5afea5353a2
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.14.dsc
Size/MD5: 1381 78c9a13cc2af0dbf3958a3fc98aeea84
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8.orig.tar.gz
Size/MD5: 6125771 39a755eb0f584c279336387b321e3dfc
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.8-1ubuntu0.14_all.deb
Size/MD5: 1929318 d4faaf64c2c0af807848ea171a4efa90
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.2.8-1ubuntu0.14_all.deb
Size/MD5: 72920 065d63c19b22f0f7a8f7c28952b0b408
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.8-1ubuntu0.14_all.deb
Size/MD5: 6258048 33c48a093bbb868ea108a50c051437cf
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.14_all.deb
Size/MD5: 45850 07a9463a8e4fdf1a48766d5ad08b9a3c
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.14_amd64.deb
Size/MD5: 253080 3c6467ee604002a5b8ebffff8554c568
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.14_amd64.deb
Size/MD5: 248676 3c83ce9eb0a27f18b9c3a8c3e651cafa
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.14_amd64.deb
Size/MD5: 252490 cf379a515d967d89d2009be9e06d4833
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.14_amd64.deb
Size/MD5: 205592 af6cb62114d2e70bf859c32008a66433
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.14_amd64.deb
Size/MD5: 206350 9c3d5ef8e55eee98cc3e75f2ed9ffaff
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.14_amd64.deb
Size/MD5: 141660 958585d6391847cd5a618464054f7d37
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.14_amd64.deb
Size/MD5: 803974 76d23bd94465a2f96711dc1c41b31af0
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.14_i386.deb
Size/MD5: 236060 ad4c00dc10b406cc312982b7113fa468
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.14_i386.deb
Size/MD5: 231580 07ae6a192e6c859e49d48f2b2158df40
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.14_i386.deb
Size/MD5: 235308 18a44bbffcebde8f2d66fe3a6bdbab6d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.14_i386.deb
Size/MD5: 205594 73ec71599d4c8a42a69ac3099b9d50cf
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.14_i386.deb
Size/MD5: 206374 c1524e4fa8265e7eaac046b114b8c463
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.14_i386.deb
Size/MD5: 140644 379a125b8b5b51ff8033449755ab87b8
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.14_i386.deb
Size/MD5: 755574 9de96c8719740c2525e3c0cf7836d60b
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.14_lpia.deb
Size/MD5: 235578 0265d4f6ccee2d7b5ee10cfff48fed08
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.14_lpia.deb
Size/MD5: 231234 611499fb33808ecdd232e2c5350f6838
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.14_lpia.deb
Size/MD5: 234738 d7757d2da2e542ce0fdad5994be1d8bd
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.14_lpia.deb
Size/MD5: 205592 c10ac9eb401184c379b7993b6a62cde3
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.14_lpia.deb
Size/MD5: 206358 fc91c0159b096e744c42014e6e5f8909
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.14_lpia.deb
Size/MD5: 141212 f87d5f443e5d8e1c3eda6f976b3ceb06
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.14_lpia.deb
Size/MD5: 749716 86ae389b81b057288ff3c0b69ef68656
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.14_powerpc.deb
Size/MD5: 254134 4337f858972022fa196c9a1f9bb724fb
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.14_powerpc.deb
Size/MD5: 249596 44a6e21ff8fa81d09dab19cab4caffdb
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.14_powerpc.deb
Size/MD5: 253698 f101a1709f21320716d4c9afb356f24f
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.14_powerpc.deb
Size/MD5: 205604 3f4d4f6733257a7037e35101ef792352
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.14_powerpc.deb
Size/MD5: 206386 06402188459de8dab5279b5bfef768fa
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.14_powerpc.deb
Size/MD5: 158390 0acffbdb7e5602b434c4f2805f8dc4d0
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.14_powerpc.deb
Size/MD5: 906022 28c3e8b63d123a4ca0632b3fed6720b5
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.14_sparc.deb
Size/MD5: 237422 5651f53b09c0f36e1333c569980a0eb0
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.14_sparc.deb
Size/MD5: 233152 1165607c64c57c84212b6b106254e885
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.14_sparc.deb
Size/MD5: 236606 bbe00d0707c279a16eca35258dd8f13a
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.14_sparc.deb
Size/MD5: 205598 76afcd4085fa6f39055a5a3f1ef34a43
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.14_sparc.deb
Size/MD5: 206372 5c67270e0a19d1558cf17cb21a114833
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.14_sparc.deb
Size/MD5: 143838 28e9c3811feeac70b846279e82c23430
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.14_sparc.deb
Size/MD5: 765398 92c5b054b80b6258a1c4caac8248a40a
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7ubuntu3.5.diff.gz
Size/MD5: 137715 0e8a6128ff37a1c064d4ce881b5d3df9
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7ubuntu3.5.dsc
Size/MD5: 1788 5e3c3d53b68ea3053bcca3a5e19f5911
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9.orig.tar.gz
Size/MD5: 6396996 80d3754fc278338033296f0d41ef2c04
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.9-7ubuntu3.5_all.deb
Size/MD5: 2041786 cd1e98fb2064bad51f7845f203a07d79
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.9-7ubuntu3.5_all.deb
Size/MD5: 6538578 32e07db65f1e7b3002aedc3afce1748c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7ubuntu3.5_all.deb
Size/MD5: 45474 0f1b4fb499af61a596241bd4f0f4d35d
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.5_amd64.deb
Size/MD5: 254968 f2004f847cc5cbc730599352ad1f7dc6
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.5_amd64.deb
Size/MD5: 249196 fb001fc4f192e9b8ae1bb7161925413c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.5_amd64.deb
Size/MD5: 254360 419b942bad4cf4d959afcfa3ce4314e2
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.5_amd64.deb
Size/MD5: 208524 0d87bf6acbf1ab5dc48c68debe7c0d26
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.5_amd64.deb
Size/MD5: 84490 2a4df4b619debe549f48ac3e9e764305
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.5_amd64.deb
Size/MD5: 82838 215665711684d5b5dd04cdfa23d36462
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.5_amd64.deb
Size/MD5: 209550 496d387e315370c0cd83489db663a356
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.5_amd64.deb
Size/MD5: 147762 48061b9015c78b39b7afd834f4c81ae0
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.5_amd64.deb
Size/MD5: 820242 3497441009bc9db76a87fd2447ba433c
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.5_i386.deb
Size/MD5: 241376 488812d1a311fd67dafd5b18b6813920
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.5_i386.deb
Size/MD5: 236082 9256681808703f40e822c81b53f4ce3e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.5_i386.deb
Size/MD5: 240668 2b6b7c11a88ed5a280f603305bee880e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.5_i386.deb
Size/MD5: 208532 e0eccceba6cae5fb12f431ff0283a23e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.5_i386.deb
Size/MD5: 83922 ea5f69f36e344e493cce5d9c0bc69c46
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.5_i386.deb
Size/MD5: 82320 0d9b2f9afff4b9efe924b59e9bb039ea
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.5_i386.deb
Size/MD5: 209554 f4e53148ae30d5c4f060d455e4f11f95
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.5_i386.deb
Size/MD5: 146596 5ed6a4af9378bacfb7d4a034d9923915
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.5_i386.deb
Size/MD5: 778564 ffd7752394933004094c13b00113b263
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.5_lpia.deb
Size/MD5: 238358 4955c7d577496ea4f3573345fad028a4
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.5_lpia.deb
Size/MD5: 232964 76aecf38baba17a8a968329b818ec74a
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.5_lpia.deb
Size/MD5: 237626 83f32bd08e2e206bbdb9f92cfb1a37e5
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.5_lpia.deb
Size/MD5: 208528 6672fb116e108687669c89197732fbb0
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.5_lpia.deb
Size/MD5: 83870 b8f875f197017aec0fe8203c203065d7
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.5_lpia.deb
Size/MD5: 82296 d6724391ed540b351e2b660ba98af1ca
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.5_lpia.deb
Size/MD5: 209550 263b43fb11c6d954d5a4bf7839e720a4
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.5_lpia.deb
Size/MD5: 146282 a225b8d0f48e141eea28b2369d4595c0
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.5_lpia.deb
Size/MD5: 766494 454c737e191429c43ad3f28c9e0294a0
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.5_powerpc.deb
Size/MD5: 261510 d3e1155682726cc28859156e647d97b3
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.5_powerpc.deb
Size/MD5: 256082 e49d894a6e9ab612a3cbd2f189ca3d8d
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.5_powerpc.deb
Size/MD5: 260850 bc3cd7677cd630ac00424e73a3a6b343
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.5_powerpc.deb
Size/MD5: 208542 ae1cc6b1323832528ad8f0e7130ec87d
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.5_powerpc.deb
Size/MD5: 84558 68452b686e89320007e9c5367ce36345
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.5_powerpc.deb
Size/MD5: 82908 2b8c5fc4bdec1017735dc16eba41d0a6
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.5_powerpc.deb
Size/MD5: 209562 a8da7487e3dcd1bdff008956728b8dd3
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.5_powerpc.deb
Size/MD5: 161030 a5ffe07d5e3050c8a54c4fccd3732263
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.5_powerpc.deb
Size/MD5: 926240 8282583e86e84bd256959540f39a515d
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.5_sparc.deb
Size/MD5: 246720 e54b4b9b354001a910ec9027dc90b0d2
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.5_sparc.deb
Size/MD5: 241280 1eea25472875056e34cd2c3283c60171
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.5_sparc.deb
Size/MD5: 246024 5709e7421814ecfb83fff5804d429971
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.5_sparc.deb
Size/MD5: 208528 25cdfd0177da7e5484d3d44f93257863
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.5_sparc.deb
Size/MD5: 84096 3ffbacffcc23ffc640a2ce05d35437bf
http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.5_sparc.deb
Size/MD5: 82470 17d1ca84f9455c492013f4f754a1d365
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.5_sparc.deb
Size/MD5: 209546 696ef3652703523aea6208a4e51e48f1
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.5_sparc.deb
Size/MD5: 150932 44c89e0249c85eed09b6f3a6a23db59d
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.5_sparc.deb
Size/MD5: 783902 773a80d7a85a452016da3b10b1f3ae43
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11-2ubuntu2.5.diff.gz
Size/MD5: 141023 50d6737005a6d4fe601e223a39293f99
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11-2ubuntu2.5.dsc
Size/MD5: 1795 59720f4d7ad291c986d92ec120750c3d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11.orig.tar.gz
Size/MD5: 6806786 03e0a99a5de0f3f568a0087fb9993af9
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.11-2ubuntu2.5_all.deb
Size/MD5: 2219326 d29c903489b894ddf88b23a0fec23e5c
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11-2ubuntu2.5_all.deb
Size/MD5: 46636 ee03585b00f277ed98c0de07a683317a
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-src_2.2.11-2ubuntu2.5_all.deb
Size/MD5: 6948222 a3505a83c13cf36c86248079127dd84d
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.5_amd64.deb
Size/MD5: 259028 5e9bddefad4c58c3ef9fd15d7a06988d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.5_amd64.deb
Size/MD5: 253218 ee1bfbb759ffade3a52a6782e2f4b66d
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.5_amd64.deb
Size/MD5: 258414 8ef063026de9790bac1965427ce1b584
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.5_amd64.deb
Size/MD5: 213294 09701d434bd102e4205e551b4525afd1
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.5_amd64.deb
Size/MD5: 214258 e98de48ea01e1132c5f1248a9a018745
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.5_amd64.deb
Size/MD5: 151140 2f7c7f14b843b2c24de8c67356406449
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.5_amd64.deb
Size/MD5: 826834 28abdf1c7be886e9be2825d351abaec7
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.5_amd64.deb
Size/MD5: 87818 670c62615e107920c45893b3377ab2a0
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.5_amd64.deb
Size/MD5: 86094 5a7c68fd37066287b4819cba4cfed1f2
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.5_i386.deb
Size/MD5: 245538 952540b7679ebc8d3ffc953f32d3be0f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.5_i386.deb
Size/MD5: 240048 08a7fd4888ffd9188890e57c613c4be7
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.5_i386.deb
Size/MD5: 244914 955bb5121da808d44aa994386d90723f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.5_i386.deb
Size/MD5: 213308 dd16143608ff8c41cb2d5cd27212a57e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.5_i386.deb
Size/MD5: 214280 1e1f5d6feef40413f823a19126a018e3
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.5_i386.deb
Size/MD5: 150046 0769d86d26282d1d31615050ae5b8915
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.5_i386.deb
Size/MD5: 784198 8760e9c37147d0472dbbfe941c058829
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.5_i386.deb
Size/MD5: 87182 21980cb1035d05f69b857870bbcbc085
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.5_i386.deb
Size/MD5: 85572 6a1b8a5e4cb19e815e88335757b06cf3
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.5_lpia.deb
Size/MD5: 242386 859ad63822b7e82c81cd6dcaca088c4a
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.5_lpia.deb
Size/MD5: 236924 200538ce94218c9d8af8532636bfd40a
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.5_lpia.deb
Size/MD5: 241822 3a3183ea4ee77d2677919d3b698f92a1
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.5_lpia.deb
Size/MD5: 213286 bf81273b1db0a4a621085171c2b2b421
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.5_lpia.deb
Size/MD5: 214264 ed278dab71289d2baae2ea409382fbf8
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.5_lpia.deb
Size/MD5: 149758 75f6e2d7bd1cdfe5b1806062c3c859df
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.5_lpia.deb
Size/MD5: 773424 c7cdc26051bd9443ae25b73776537fb5
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.5_lpia.deb
Size/MD5: 87132 32e7ea89c96a0afce7ce1da457d947fb
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.5_lpia.deb
Size/MD5: 85550 1d9b5963aa6ea5c01492ec417ab8510a
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.5_powerpc.deb
Size/MD5: 265476 5d03fe6b2da8de98c876941ff78b066f
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.5_powerpc.deb
Size/MD5: 260478 3e3aeaaf496cc86c62a831c59994c1f2
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.5_powerpc.deb
Size/MD5: 265154 5eae30e7a33c09b37483f3aab595d0e9
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.5_powerpc.deb
Size/MD5: 213314 879534ebabbb8be86b606e1800dc9cf8
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.5_powerpc.deb
Size/MD5: 214286 922033231a6aa67ecca1c400d47f09c1
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.5_powerpc.deb
Size/MD5: 164444 74faf68f0baeffcd011155ca9b201039
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.5_powerpc.deb
Size/MD5: 932416 2911758e4ad1b3b401369621301ea76f
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.5_powerpc.deb
Size/MD5: 87876 1d45c033ec5498c092f30188cf1d481e
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.5_powerpc.deb
Size/MD5: 86154 52c1d8806d52fef6f43ab53662953953
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.5_sparc.deb
Size/MD5: 250786 4e8e98dcba5543394ed5f07d141ce408
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.5_sparc.deb
Size/MD5: 245094 a82bf04fc92b8c275b0c0f25cc81ff91
http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.5_sparc.deb
Size/MD5: 250110 092cf734813ae1d127d7b4f498f936c1
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.5_sparc.deb
Size/MD5: 213312 98d7062a6bdb58637f7e850b76bfbc80
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.5_sparc.deb
Size/MD5: 214286 a378e2e0418631cec0f398379a446172
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.5_sparc.deb
Size/MD5: 154284 ce8b7bbccd359675b70426df15becfed
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.5_sparc.deb
Size/MD5: 789298 11f088b18425b97367d5bc141da2ef2f
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.5_sparc.deb
Size/MD5: 87384 477b6594866c8c73a8a3603e7e646c68
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.5_sparc.deb
Size/MD5: 85686 5562ea5a0e6f01ba12adda3afb65c1b0
Updated packages for Ubuntu 9.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.12-1ubuntu2.1.diff.gz
Size/MD5: 185244 1ef59f9642bd9efa35e0808ea804cd0b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.12-1ubuntu2.1.dsc
Size/MD5: 1888 d3bfdecefdd8b1adec8ab35dcf85d2b3
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.12.orig.tar.gz
Size/MD5: 6678149 17f017b571f88aa60abebfe2945d7caf
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.12-1ubuntu2.1_all.deb
Size/MD5: 2246560 be12bcc117bf165ffd3401486186762e
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.12-1ubuntu2.1_all.deb
Size/MD5: 2336 009d381342b0be5280835a46c91f01d9
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.12-1ubuntu2.1_all.deb
Size/MD5: 2374 7545a3750acea08e95bee86f6a3247e2
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.12-1ubuntu2.1_all.deb
Size/MD5: 2314 17719223d92d46821098ce178b5947d6
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.12-1ubuntu2.1_all.deb
Size/MD5: 284782 4321e3201d8e8d1a9e3c6fbe6864102b
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.12-1ubuntu2.1_all.deb
Size/MD5: 1424 7b4d96008368549d5600a8c1f64a7559
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-mpm-itk_2.2.12-1ubuntu2.1_all.deb
Size/MD5: 2366 46add3d428c97fa69a8848a3e4025bb0
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.12-1ubuntu2.1_amd64.deb
Size/MD5: 137080 91e4f72d0f1f0abe91555e1497558fc2
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.12-1ubuntu2.1_amd64.deb
Size/MD5: 138176 5fd6a5ed536306528f9f2c1a0281ad70
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.12-1ubuntu2.1_amd64.deb
Size/MD5: 156646 cfa55666363303b3f44a24fa2929bf01
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-bin_2.2.12-1ubuntu2.1_amd64.deb
Size/MD5: 1399630 82b36d57faa29a646e72a1125600c11c
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec-custom_2.2.12-1ubuntu2.1_amd64.deb
Size/MD5: 92488 ddebef9d1a537520380f85b63c512bef
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec_2.2.12-1ubuntu2.1_amd64.deb
Size/MD5: 90880 c6d163edf145da8ff6d102dc0dd1f8d7
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.12-1ubuntu2.1_i386.deb
Size/MD5: 137102 69dcd0519ca612e02102f52dcb50bf7f
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.12-1ubuntu2.1_i386.deb
Size/MD5: 138200 17221b53903d664823a55faa1ec4d9a9
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.12-1ubuntu2.1_i386.deb
Size/MD5: 155166 4347806710edff47fc051b4a68d5b448
http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-bin_2.2.12-1ubuntu2.1_i386.deb
Size/MD5: 1309136 d9a7df212b315fc6f77fc87fa8eb4a04
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec-custom_2.2.12-1ubuntu2.1_i386.deb
Size/MD5: 91876 289bf732dd4750a2ce61ab121b04b079
http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec_2.2.12-1ubuntu2.1_i386.deb
Size/MD5: 90316 add7f446f6b524343c0066a486dd299a
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.12-1ubuntu2.1_lpia.deb
Size/MD5: 137088 571e9f0370b5687acff25f71c4efe33e
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.12-1ubuntu2.1_lpia.deb
Size/MD5: 138192 816a6e033f02114553bbb3627b9c6f9c
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.12-1ubuntu2.1_lpia.deb
Size/MD5: 155090 af8272dc794250c30cd2f66b82486dc2
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-bin_2.2.12-1ubuntu2.1_lpia.deb
Size/MD5: 1290606 4c51de07f5a6fe9612de45369e6f35a5
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.12-1ubuntu2.1_lpia.deb
Size/MD5: 91830 06866386df811127f4fd71d6fb2a9e2a
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.12-1ubuntu2.1_lpia.deb
Size/MD5: 90312 9e68bd8111503135a4eae7265b0084ae
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.12-1ubuntu2.1_powerpc.deb
Size/MD5: 137096 61b24dbeb12d7998e5d7014c26410a99
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.12-1ubuntu2.1_powerpc.deb
Size/MD5: 138202 599898ff374bde8bfa388e2615064c5a
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.12-1ubuntu2.1_powerpc.deb
Size/MD5: 161058 fea8f5b9a80bef9c4cb3405bc37160af
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-bin_2.2.12-1ubuntu2.1_powerpc.deb
Size/MD5: 1390150 fb1a244728a509586b77d02930fcf10f
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.12-1ubuntu2.1_powerpc.deb
Size/MD5: 92400 572c3b0aa5ab717e8c4e4e8248aff1ff
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.12-1ubuntu2.1_powerpc.deb
Size/MD5: 90774 82011ebc757d31e690698cf9913e3adc
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.12-1ubuntu2.1_sparc.deb
Size/MD5: 137098 7f566dfade1678c72eac7dd923ab5987
http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.12-1ubuntu2.1_sparc.deb
Size/MD5: 138202 09fbc3145d768cf1f204d47b50e21528
http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.12-1ubuntu2.1_sparc.deb
Size/MD5: 159488 7cb6c81588adaee162b8c85a1f69e7a7
http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-bin_2.2.12-1ubuntu2.1_sparc.deb
Size/MD5: 1297936 106b0b71f5e928c1d543973b5b1f015b
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.12-1ubuntu2.1_sparc.deb
Size/MD5: 92166 28899fe31226880dfa961d8b05e8fa43
http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.12-1ubuntu2.1_sparc.deb
Size/MD5: 90554 f207de0099ed259e2af736e8c82f91c2
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:323
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apache
Date : December 7, 2009
Affected: 2008.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been found and corrected in apache:
Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c
in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to
cause a denial of service (memory consumption) via multiple calls, as
demonstrated by initial SSL client handshakes to the Apache HTTP Server
mod_ssl that specify a compression algorithm (CVE-2008-1678). Note
that this security issue does not really apply as zlib compression
is not enabled in the openssl build provided by Mandriva, but apache
is patched to address this issue anyway (conserns 2008.1 only).
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the
mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c
in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions,
allows remote attackers to inject arbitrary web script or HTML via
wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this
security issue was initially addressed with MDVSA-2008:195 but the
patch fixing the issue was added but not applied in 2009.0.
The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not
properly handle Options=IncludesNOEXEC in the AllowOverride directive,
which allows local users to gain privileges by configuring (1) Options
Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a
.htaccess file, and then inserting an exec element in a .shtml file
(CVE-2009-1195).
The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy
module in the Apache HTTP Server before 2.3.3, when a reverse proxy
is configured, does not properly handle an amount of streamed data
that exceeds the Content-Length value, which allows remote attackers
to cause a denial of service (CPU consumption) via crafted requests
(CVE-2009-1890).
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects (CVE-2009-1891). NOTE: as of 20090903,
this disclosure has no actionable information. However, because the
VulnDisco Pack author is a reliable researcher, the issue is being
assigned a CVE identifier for tracking purposes (CVE-2009-3095).
Apache is affected by SSL injection or man-in-the-middle attacks
due to a design flaw in the SSL and/or TLS protocols. A short term
solution was released Sat Nov 07 2009 by the ASF team to mitigate
these problems. Apache will now reject in-session renegotiation
(CVE-2009-3555).
Packages for 2008.0 are being provided due to extended support for
Corporate products.
This update provides a solution to these vulnerabilities.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
dd2bebdd6726d2d865331d37068a90b7 2008.0/i586/apache-base-2.2.6-8.3mdv2008.0.i586.rpm
6de9d36a91b125cc03bafe911b7a38a2 2008.0/i586/apache-devel-2.2.6-8.3mdv2008.0.i586.rpm
ab7963efad1b7951c94a24075a2070e7 2008.0/i586/apache-htcacheclean-2.2.6-8.3mdv2008.0.i586.rpm
42a53b597d5547fb88b7427cacd617a1 2008.0/i586/apache-mod_authn_dbd-2.2.6-8.3mdv2008.0.i586.rpm
1dff9d313e93c94e907d8c72348ed2e0 2008.0/i586/apache-mod_cache-2.2.6-8.3mdv2008.0.i586.rpm
b575ede2978ad47e41d355bd8b192725 2008.0/i586/apache-mod_dav-2.2.6-8.3mdv2008.0.i586.rpm
8ff3dee24d2d2d9a8d13e567cf1eaced 2008.0/i586/apache-mod_dbd-2.2.6-8.3mdv2008.0.i586.rpm
7bae541dfec14b21700878514750de83 2008.0/i586/apache-mod_deflate-2.2.6-8.3mdv2008.0.i586.rpm
19cab766a26ce53bd7e7973ed92f0db4 2008.0/i586/apache-mod_disk_cache-2.2.6-8.3mdv2008.0.i586.rpm
a1336e4ab4f282c388d7565bde4557fd 2008.0/i586/apache-mod_file_cache-2.2.6-8.3mdv2008.0.i586.rpm
6b2f2eb949977349390fa3b06cf257e7 2008.0/i586/apache-mod_ldap-2.2.6-8.3mdv2008.0.i586.rpm
3640bbef5262ec0407126e31dd5ddde3 2008.0/i586/apache-mod_mem_cache-2.2.6-8.3mdv2008.0.i586.rpm
98793747365606baabc08f22e36a0a04 2008.0/i586/apache-mod_proxy-2.2.6-8.3mdv2008.0.i586.rpm
d7fe4d88f25d2a01b0809ab5292b0999 2008.0/i586/apache-mod_proxy_ajp-2.2.6-8.3mdv2008.0.i586.rpm
4c9f48adbd0b1d45a874f06b9275ebe3 2008.0/i586/apache-mod_ssl-2.2.6-8.3mdv2008.0.i586.rpm
e5a1d9476316ccc9f183cb1ae5bbcf31 2008.0/i586/apache-modules-2.2.6-8.3mdv2008.0.i586.rpm
44f7810695a40519c68930695829f124 2008.0/i586/apache-mod_userdir-2.2.6-8.3mdv2008.0.i586.rpm
d6f666e9954422664d1f029fc147b591 2008.0/i586/apache-mpm-event-2.2.6-8.3mdv2008.0.i586.rpm
75e205ddbc9313b8d02519e57919923a 2008.0/i586/apache-mpm-itk-2.2.6-8.3mdv2008.0.i586.rpm
6d68e8fa7baccc2ad090c703fb33458e 2008.0/i586/apache-mpm-prefork-2.2.6-8.3mdv2008.0.i586.rpm
331f18ce48403472fc7f8af6d5daee8e 2008.0/i586/apache-mpm-worker-2.2.6-8.3mdv2008.0.i586.rpm
c75e69bcabc104938cb9033e591d1de8 2008.0/i586/apache-source-2.2.6-8.3mdv2008.0.i586.rpm
23fcdf29e21b0146fb5646baca2fa63b 2008.0/SRPMS/apache-2.2.6-8.3mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
3d4afe3f8da8369d80b6c195e132c5c0 2008.0/x86_64/apache-base-2.2.6-8.3mdv2008.0.x86_64.rpm
37034ee7c7eb813de2a00a6945a10248 2008.0/x86_64/apache-devel-2.2.6-8.3mdv2008.0.x86_64.rpm
ba296f9aa229a616a2c406d1a16912c3 2008.0/x86_64/apache-htcacheclean-2.2.6-8.3mdv2008.0.x86_64.rpm
77fa75d36e7a4bbe154c846e3271e7a3 2008.0/x86_64/apache-mod_authn_dbd-2.2.6-8.3mdv2008.0.x86_64.rpm
ca29e2db08b29e319f2392b46ea4c3fe 2008.0/x86_64/apache-mod_cache-2.2.6-8.3mdv2008.0.x86_64.rpm
3fbf5a0276adaa2d887a92482d81313f 2008.0/x86_64/apache-mod_dav-2.2.6-8.3mdv2008.0.x86_64.rpm
9c66e471c2d2d3e43462302d0cc6f1c9 2008.0/x86_64/apache-mod_dbd-2.2.6-8.3mdv2008.0.x86_64.rpm
05020102a26a28b96319b23e3b6e43d6 2008.0/x86_64/apache-mod_deflate-2.2.6-8.3mdv2008.0.x86_64.rpm
7191542417b30ed77334f1b8366628aa 2008.0/x86_64/apache-mod_disk_cache-2.2.6-8.3mdv2008.0.x86_64.rpm
f4177dbdcfd2e3dc8e66be731ad731c4 2008.0/x86_64/apache-mod_file_cache-2.2.6-8.3mdv2008.0.x86_64.rpm
fea417664f0a2689fa12308bd80c2fe4 2008.0/x86_64/apache-mod_ldap-2.2.6-8.3mdv2008.0.x86_64.rpm
9cf956fa426e6bdf6497337b6e26a2ab 2008.0/x86_64/apache-mod_mem_cache-2.2.6-8.3mdv2008.0.x86_64.rpm
0d9d04ca878bb3f19f4764152da42d82 2008.0/x86_64/apache-mod_proxy-2.2.6-8.3mdv2008.0.x86_64.rpm
dbbcd75dd83779f54f98fa3e16b59f13 2008.0/x86_64/apache-mod_proxy_ajp-2.2.6-8.3mdv2008.0.x86_64.rpm
dce8db6742ba28a71e18b86bb38688c8 2008.0/x86_64/apache-mod_ssl-2.2.6-8.3mdv2008.0.x86_64.rpm
2ff69d6e9c2cd3250f6746d4a7d921fd 2008.0/x86_64/apache-modules-2.2.6-8.3mdv2008.0.x86_64.rpm
f298827d4dfa631a77907f7f5733fa29 2008.0/x86_64/apache-mod_userdir-2.2.6-8.3mdv2008.0.x86_64.rpm
6f02fb080e308ca0826fdb1ef00a1489 2008.0/x86_64/apache-mpm-event-2.2.6-8.3mdv2008.0.x86_64.rpm
b886d30d73c60a515b3ed36d7f186378 2008.0/x86_64/apache-mpm-itk-2.2.6-8.3mdv2008.0.x86_64.rpm
62d7754a5aa7af596cc06cd540d4025f 2008.0/x86_64/apache-mpm-prefork-2.2.6-8.3mdv2008.0.x86_64.rpm
d3438e0967978e580be896bd85f1d953 2008.0/x86_64/apache-mpm-worker-2.2.6-8.3mdv2008.0.x86_64.rpm
e72af335ec7c3c02b5a494fbd6e99e0e 2008.0/x86_64/apache-source-2.2.6-8.3mdv2008.0.x86_64.rpm
23fcdf29e21b0146fb5646baca2fa63b 2008.0/SRPMS/apache-2.2.6-8.3mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLHQcamqjQ0CJFipgRAsJgAKDf5oc5UbEz3j+qsMn3tL6F8cujygCfY+cu
MUj4lK2Wsb+qzbv2V+Ih30U=
=VdZS
-----END PGP SIGNATURE-----
.
Patch kit installation instructions are provided in the file SSRT090244 Apache CVE-2009-3094, CVE-2009-3095.txt .
The patch kits and installation instructions are available from the following location using ftp:
Host Account Password
ftp.usa.hp.com ewt01 Welcome1
CSWS version 2.1-1 patch kits are available for both ALPHA and ITANIUM platforms.
Itanium Images
mod_proxy.exe_ia64
mod_proxy_ftp.exe_ia64
Alpha Images
mod_proxy.exe_axp
mod_proxy_ftp.exe_axp
The patch images will be provided in the next regularly scheduled update of CSWS 2.1-1. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02160663
Version: 1
HPSBUX02531 SSRT100108 rev.1 - HP-UX Running Apache-based Web Server, Remote Denial of Service (DoS), Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-06-02
Last Updated: 2010-06-02
- -----------------------------------------------------------------------------
Potential Security Impact: Remote Denial of Service (DoS), unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS) or unauthorized access.
References: CVE-2009-3094, CVE-2009-3095, CVE-2010-0408, CVE-2010-0740, CVE-2010-0433, CVE-2010-0434
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running Apache-based Web Server versions before v2.2.8.09
HP-UX B.11.11, B.11.23, B.11.31 running Apache-based Web Server versions before v2.0.59.15
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2009-3094 (AV:N/AC:H/Au:N/C:N/I:N/A:C) 5.4
CVE-2009-3095 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2010-0408 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-0740 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-0433 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2010-0434 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
Note: CVE-2009-3094, CVE-2009-3095 and 2010-0740 affect only HP-UX Web Server Suite v2.30;
CVE-2010-0408, CVE-2010-0433 and CVE-2010-0434 affect only HP-UX Web Server Suite v3.09.
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
For Web Server Suite before v3.09
HP-UX B.11.23
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
action: install revision B.2.2.8.09 or subsequent
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
action: install revision B.2.2.8.09 or subsequent
For Web Server Suite before v2.30
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
HP-UX B.11.23
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
HP-UX B.11.31
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 2 June 2010 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkwG2+IACgkQ4B86/C0qfVm3LACfZ2twc1MNibwpLscDC7giyJJv
nksAnR0xfycsdI9Z5RyDC/o+Dnt4Q100
=/Gfl
-----END PGP SIGNATURE-----
.
BAC v8.07 supplies Apache 2.2.17. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com
VAR-200909-0801 | CVE-2009-3094 | Apache HTTP Server of ap_proxy_ftp_handler Service disruption in functions (DoS) Vulnerabilities |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command. The Apache 'mod_proxy_ftp' module is prone to a denial-of-service vulnerability because of a NULL-pointer dereference.
Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed. Note
that this security issue does not really apply as zlib compression
is not enabled in the openssl build provided by Mandriva, but apache
is patched to address this issue anyway (conserns 2008.1 only).
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the
mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c
in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions,
allows remote attackers to inject arbitrary web script or HTML via
wildcards in a pathname in an FTP URI (CVE-2008-2939). Note that this
security issue was initially addressed with MDVSA-2008:195 but the
patch fixing the issue was added but not applied in 2009.0.
The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not
properly handle Options=IncludesNOEXEC in the AllowOverride directive,
which allows local users to gain privileges by configuring (1) Options
Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a
.htaccess file, and then inserting an exec element in a .shtml file
(CVE-2009-1195).
Fix a potential Denial-of-Service attack against mod_deflate or other
modules, by forcing the server to consume CPU time in compressing a
large file after a client disconnects (CVE-2009-1891). NOTE: as of 20090903,
this disclosure has no actionable information. However, because the
VulnDisco Pack author is a reliable researcher, the issue is being
assigned a CVE identifier for tracking purposes (CVE-2009-3095).
Apache is affected by SSL injection or man-in-the-middle attacks
due to a design flaw in the SSL and/or TLS protocols. A short term
solution was released Sat Nov 07 2009 by the ASF team to mitigate
these problems. Apache will now reject in-session renegotiation
(CVE-2009-3555).
Packages for 2008.0 are being provided due to extended support for
Corporate products.
This update provides a solution to these vulnerabilities.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1890
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
dd2bebdd6726d2d865331d37068a90b7 2008.0/i586/apache-base-2.2.6-8.3mdv2008.0.i586.rpm
6de9d36a91b125cc03bafe911b7a38a2 2008.0/i586/apache-devel-2.2.6-8.3mdv2008.0.i586.rpm
ab7963efad1b7951c94a24075a2070e7 2008.0/i586/apache-htcacheclean-2.2.6-8.3mdv2008.0.i586.rpm
42a53b597d5547fb88b7427cacd617a1 2008.0/i586/apache-mod_authn_dbd-2.2.6-8.3mdv2008.0.i586.rpm
1dff9d313e93c94e907d8c72348ed2e0 2008.0/i586/apache-mod_cache-2.2.6-8.3mdv2008.0.i586.rpm
b575ede2978ad47e41d355bd8b192725 2008.0/i586/apache-mod_dav-2.2.6-8.3mdv2008.0.i586.rpm
8ff3dee24d2d2d9a8d13e567cf1eaced 2008.0/i586/apache-mod_dbd-2.2.6-8.3mdv2008.0.i586.rpm
7bae541dfec14b21700878514750de83 2008.0/i586/apache-mod_deflate-2.2.6-8.3mdv2008.0.i586.rpm
19cab766a26ce53bd7e7973ed92f0db4 2008.0/i586/apache-mod_disk_cache-2.2.6-8.3mdv2008.0.i586.rpm
a1336e4ab4f282c388d7565bde4557fd 2008.0/i586/apache-mod_file_cache-2.2.6-8.3mdv2008.0.i586.rpm
6b2f2eb949977349390fa3b06cf257e7 2008.0/i586/apache-mod_ldap-2.2.6-8.3mdv2008.0.i586.rpm
3640bbef5262ec0407126e31dd5ddde3 2008.0/i586/apache-mod_mem_cache-2.2.6-8.3mdv2008.0.i586.rpm
98793747365606baabc08f22e36a0a04 2008.0/i586/apache-mod_proxy-2.2.6-8.3mdv2008.0.i586.rpm
d7fe4d88f25d2a01b0809ab5292b0999 2008.0/i586/apache-mod_proxy_ajp-2.2.6-8.3mdv2008.0.i586.rpm
4c9f48adbd0b1d45a874f06b9275ebe3 2008.0/i586/apache-mod_ssl-2.2.6-8.3mdv2008.0.i586.rpm
e5a1d9476316ccc9f183cb1ae5bbcf31 2008.0/i586/apache-modules-2.2.6-8.3mdv2008.0.i586.rpm
44f7810695a40519c68930695829f124 2008.0/i586/apache-mod_userdir-2.2.6-8.3mdv2008.0.i586.rpm
d6f666e9954422664d1f029fc147b591 2008.0/i586/apache-mpm-event-2.2.6-8.3mdv2008.0.i586.rpm
75e205ddbc9313b8d02519e57919923a 2008.0/i586/apache-mpm-itk-2.2.6-8.3mdv2008.0.i586.rpm
6d68e8fa7baccc2ad090c703fb33458e 2008.0/i586/apache-mpm-prefork-2.2.6-8.3mdv2008.0.i586.rpm
331f18ce48403472fc7f8af6d5daee8e 2008.0/i586/apache-mpm-worker-2.2.6-8.3mdv2008.0.i586.rpm
c75e69bcabc104938cb9033e591d1de8 2008.0/i586/apache-source-2.2.6-8.3mdv2008.0.i586.rpm
23fcdf29e21b0146fb5646baca2fa63b 2008.0/SRPMS/apache-2.2.6-8.3mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
3d4afe3f8da8369d80b6c195e132c5c0 2008.0/x86_64/apache-base-2.2.6-8.3mdv2008.0.x86_64.rpm
37034ee7c7eb813de2a00a6945a10248 2008.0/x86_64/apache-devel-2.2.6-8.3mdv2008.0.x86_64.rpm
ba296f9aa229a616a2c406d1a16912c3 2008.0/x86_64/apache-htcacheclean-2.2.6-8.3mdv2008.0.x86_64.rpm
77fa75d36e7a4bbe154c846e3271e7a3 2008.0/x86_64/apache-mod_authn_dbd-2.2.6-8.3mdv2008.0.x86_64.rpm
ca29e2db08b29e319f2392b46ea4c3fe 2008.0/x86_64/apache-mod_cache-2.2.6-8.3mdv2008.0.x86_64.rpm
3fbf5a0276adaa2d887a92482d81313f 2008.0/x86_64/apache-mod_dav-2.2.6-8.3mdv2008.0.x86_64.rpm
9c66e471c2d2d3e43462302d0cc6f1c9 2008.0/x86_64/apache-mod_dbd-2.2.6-8.3mdv2008.0.x86_64.rpm
05020102a26a28b96319b23e3b6e43d6 2008.0/x86_64/apache-mod_deflate-2.2.6-8.3mdv2008.0.x86_64.rpm
7191542417b30ed77334f1b8366628aa 2008.0/x86_64/apache-mod_disk_cache-2.2.6-8.3mdv2008.0.x86_64.rpm
f4177dbdcfd2e3dc8e66be731ad731c4 2008.0/x86_64/apache-mod_file_cache-2.2.6-8.3mdv2008.0.x86_64.rpm
fea417664f0a2689fa12308bd80c2fe4 2008.0/x86_64/apache-mod_ldap-2.2.6-8.3mdv2008.0.x86_64.rpm
9cf956fa426e6bdf6497337b6e26a2ab 2008.0/x86_64/apache-mod_mem_cache-2.2.6-8.3mdv2008.0.x86_64.rpm
0d9d04ca878bb3f19f4764152da42d82 2008.0/x86_64/apache-mod_proxy-2.2.6-8.3mdv2008.0.x86_64.rpm
dbbcd75dd83779f54f98fa3e16b59f13 2008.0/x86_64/apache-mod_proxy_ajp-2.2.6-8.3mdv2008.0.x86_64.rpm
dce8db6742ba28a71e18b86bb38688c8 2008.0/x86_64/apache-mod_ssl-2.2.6-8.3mdv2008.0.x86_64.rpm
2ff69d6e9c2cd3250f6746d4a7d921fd 2008.0/x86_64/apache-modules-2.2.6-8.3mdv2008.0.x86_64.rpm
f298827d4dfa631a77907f7f5733fa29 2008.0/x86_64/apache-mod_userdir-2.2.6-8.3mdv2008.0.x86_64.rpm
6f02fb080e308ca0826fdb1ef00a1489 2008.0/x86_64/apache-mpm-event-2.2.6-8.3mdv2008.0.x86_64.rpm
b886d30d73c60a515b3ed36d7f186378 2008.0/x86_64/apache-mpm-itk-2.2.6-8.3mdv2008.0.x86_64.rpm
62d7754a5aa7af596cc06cd540d4025f 2008.0/x86_64/apache-mpm-prefork-2.2.6-8.3mdv2008.0.x86_64.rpm
d3438e0967978e580be896bd85f1d953 2008.0/x86_64/apache-mpm-worker-2.2.6-8.3mdv2008.0.x86_64.rpm
e72af335ec7c3c02b5a494fbd6e99e0e 2008.0/x86_64/apache-source-2.2.6-8.3mdv2008.0.x86_64.rpm
23fcdf29e21b0146fb5646baca2fa63b 2008.0/SRPMS/apache-2.2.6-8.3mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLHQcamqjQ0CJFipgRAsJgAKDf5oc5UbEz3j+qsMn3tL6F8cujygCfY+cu
MUj4lK2Wsb+qzbv2V+Ih30U=
=VdZS
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1934-1 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
November 16, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : apache2
Vulnerability : multiple issues
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3094 CVE-2009-3095 CVE-2009-3555
A design flaw has been found in the TLS and SSL protocol that allows
an attacker to inject arbitrary content at the beginning of a TLS/SSL
connection. The attack is related to the way how TLS and SSL handle
session renegotiations. CVE-2009-3555 has been assigned to this
vulnerability.
As a partial mitigation against this attack, this apache2 update
disables client-initiated renegotiations. This should fix the
vulnerability for the majority of Apache configurations in use.
NOTE: This is not a complete fix for the problem. The attack is
still possible in configurations where the server initiates the
renegotiation. This is the case for the following configurations
(the information in the changelog of the updated packages is
slightly inaccurate):
- - The "SSLVerifyClient" directive is used in a Directory or Location
context.
- - The "SSLCipherSuite" directive is used in a Directory or Location
context.
As a workaround, you may rearrange your configuration in a way that
SSLVerifyClient and SSLCipherSuite are only used on the server or
virtual host level.
A complete fix for the problem will require a protocol change. Further
information will be included in a separate announcement about this
issue.
CVE-2009-3095: Insufficient input validation in the mod_proxy_ftp
module allowed remote authenticated attackers to bypass intended access
restrictions and send arbitrary FTP commands to an FTP server.
For the stable distribution (lenny), these problems have been fixed in
version 2.2.9-10+lenny6. This version also includes some non-security
bug fixes that were scheduled for inclusion in the next stable point
release (Debian 5.0.4).
The oldstable distribution (etch), these problems have been fixed in
version 2.2.3-4+etch11.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed in version 2.2.14-2.
This advisory also provides updated apache2-mpm-itk packages which
have been recompiled against the new apache2 packages.
Updated apache2-mpm-itk packages for the armel architecture are not
included yet. They will be released as soon as they become available.
We recommend that you upgrade your apache2 and apache2-mpm-itk packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch (oldstable)
- -------------------------------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3-4+etch11.dsc
Size/MD5 checksum: 1071 dff8f31d88ede35bb87f92743d2db202
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3.orig.tar.gz
Size/MD5 checksum: 6342475 f72ffb176e2dc7b322be16508c09f63c
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3-4+etch11.diff.gz
Size/MD5 checksum: 124890 c9b197b2a4bade4e92f3c65b88eea614
Architecture independent packages:
http://security.debian.org/pool/updates/main/a/apache2/apache2-doc_2.2.3-4+etch11_all.deb
Size/MD5 checksum: 2247064 357f2daba8360eaf00b0157326c4d258
http://security.debian.org/pool/updates/main/a/apache2/apache2-src_2.2.3-4+etch11_all.deb
Size/MD5 checksum: 6668542 043a6a14dc48aae5fa8101715f4ddf81
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3-4+etch11_all.deb
Size/MD5 checksum: 41626 27661a99c55641d534a5ffe4ea828c4b
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch11_all.deb
Size/MD5 checksum: 275872 8ff0ac120a46e235a9253df6be09e4d5
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_alpha.deb
Size/MD5 checksum: 346016 02b337e48ef627e13d79ad3919bc380d
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_alpha.deb
Size/MD5 checksum: 407682 f01d7e23f206baed1e42c60e15fe240f
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_alpha.deb
Size/MD5 checksum: 1017408 1c8dccbed0a309ed0b74b83667f1d587
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_alpha.deb
Size/MD5 checksum: 449704 b227ff8c9bceaa81488fec48b81f18f6
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_alpha.deb
Size/MD5 checksum: 450266 766ba095925ee31c175716084f41b3cf
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_alpha.deb
Size/MD5 checksum: 444898 3b1d9a9531c82872d36ce295d6cba581
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_alpha.deb
Size/MD5 checksum: 407030 eedabbc4930b3c14012f57ec7956847b
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_alpha.deb
Size/MD5 checksum: 184920 2d152290678598aeacd32564c2ec37c2
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_amd64.deb
Size/MD5 checksum: 409010 15d5dda7eb1e9e8d406cd9ff4b25e60f
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_amd64.deb
Size/MD5 checksum: 408330 0bf271280295146f4ded8c02335e8fc1
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_amd64.deb
Size/MD5 checksum: 1000068 f92b3deafb9ce263d0d66b753231a003
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_amd64.deb
Size/MD5 checksum: 436268 9ef6b02f0ecf9905c14114a464c86f80
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_amd64.deb
Size/MD5 checksum: 432320 b734b0c2f1d2177a828cff7d8e34d17c
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_amd64.deb
Size/MD5 checksum: 342152 ef061f914027b41b788a31758d7c4e96
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_amd64.deb
Size/MD5 checksum: 436766 deb97a3637ae8be3e016e37c038bc470
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_amd64.deb
Size/MD5 checksum: 172802 0550f661c804ef0c0ec31e1928f5f97d
arm architecture (ARM)
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_arm.deb
Size/MD5 checksum: 421056 b55b215aee8398e6388a73b421229db7
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_arm.deb
Size/MD5 checksum: 408940 8782732ef6487ef268abf2856ec5e2c0
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_arm.deb
Size/MD5 checksum: 408140 f3627e52eaf7a011a5a624ea25fa058b
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_arm.deb
Size/MD5 checksum: 968448 ac1354c562e7969e47561f4cba3a859b
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_arm.deb
Size/MD5 checksum: 346166 a8729d03737330075908c2b8b2f5ce0b
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_arm.deb
Size/MD5 checksum: 157634 53c277ca7e52e7e60a523183e87beec3
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_arm.deb
Size/MD5 checksum: 421782 b17f7ce0bfd6fee4877d9bccaf82770e
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_arm.deb
Size/MD5 checksum: 417026 03b845039bf49fba64f064acda350f43
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_hppa.deb
Size/MD5 checksum: 444058 16fb9ac5807fcf161321ffc8467e963d
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_hppa.deb
Size/MD5 checksum: 179532 b1f7b89ac1e830b72e30c9476b813263
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_hppa.deb
Size/MD5 checksum: 352116 f34f19a1bf40a37695ac0aeb3f5b6d10
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_hppa.deb
Size/MD5 checksum: 443324 e7106e9195fcd9f34ced7bccb009cbb7
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_hppa.deb
Size/MD5 checksum: 1078948 29a60062b3f7676f768dda1d4cdb78fd
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_hppa.deb
Size/MD5 checksum: 439968 6ff5b95ba06596c04f2fc7dc3adac7ac
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_hppa.deb
Size/MD5 checksum: 410880 28ce1d24c4e152624c38330d34781636
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_hppa.deb
Size/MD5 checksum: 409994 2ce21d9fc51fbbeb5e05ac7c418d7e11
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_i386.deb
Size/MD5 checksum: 409776 04bafa059e90c14851f290c02fc7a29e
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_i386.deb
Size/MD5 checksum: 963818 f2755fd250837dd878a24ffc8527855d
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_i386.deb
Size/MD5 checksum: 425034 fc0b075a77853494886719b1bf4d7092
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_i386.deb
Size/MD5 checksum: 421206 d2758678dc6dcfb2298a5e69dbd199d0
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_i386.deb
Size/MD5 checksum: 425510 5df035120241567d62ba4154a7ade25f
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_i386.deb
Size/MD5 checksum: 161256 614f006996e6309829bf7c80bb95e3ed
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_i386.deb
Size/MD5 checksum: 410518 833b5256083de5f76d83354f63916af2
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_i386.deb
Size/MD5 checksum: 343876 435638e472ccb187c7713f96840cf156
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_ia64.deb
Size/MD5 checksum: 407664 9929d570df08ea81c10235d8cfad8cec
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_ia64.deb
Size/MD5 checksum: 231808 505ed0109a851680126951f228f4ed40
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_ia64.deb
Size/MD5 checksum: 491120 d1ef23e9bbd457b1c30d50234050b112
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_ia64.deb
Size/MD5 checksum: 498202 f430c9b4231122f996799b45d68596a3
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_ia64.deb
Size/MD5 checksum: 407018 f721b04b90b8b2b5ec76916488395bdd
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_ia64.deb
Size/MD5 checksum: 360664 08763e41786b3c5b28cf3e27d234419d
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_ia64.deb
Size/MD5 checksum: 497388 6ef80d442fbf5046e78b9b2a0637adb9
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_ia64.deb
Size/MD5 checksum: 1204566 d1cc5f38e5683c539db6673611585b67
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_mips.deb
Size/MD5 checksum: 430112 01c3cf5fc888bff3967c95736b3caf40
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_mips.deb
Size/MD5 checksum: 407674 688656128f0f46e8b35da61d731e244f
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_mips.deb
Size/MD5 checksum: 434122 791a223b58a6a3a00fdd5517decc6ff2
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_mips.deb
Size/MD5 checksum: 951736 68a93c433a24dd42b461907c2b61c6d2
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_mips.deb
Size/MD5 checksum: 407022 10cf7a6fa3ad60183a80b7fddc08ed98
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_mips.deb
Size/MD5 checksum: 350066 ab3498abf9ddc41f0665be9c2912beab
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_mips.deb
Size/MD5 checksum: 434784 2d07f9376a7c7eb6229e0c5238e604fc
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_mips.deb
Size/MD5 checksum: 169932 db0ecd6b89594ecbff3bacd9d184f808
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_mipsel.deb
Size/MD5 checksum: 428958 3c7b9e69ccbeb0db17d437ece3717b65
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_mipsel.deb
Size/MD5 checksum: 407040 61a67a76dd0acfaeb747d5ee745cb3fa
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_mipsel.deb
Size/MD5 checksum: 433736 74adf126949edfd4b1af734b3a8255f8
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_mipsel.deb
Size/MD5 checksum: 951730 3c9d5a12163e7d1c939d26829a4454f1
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_mipsel.deb
Size/MD5 checksum: 407694 0297490b8b4aff5e1a4527a9c897fbee
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_mipsel.deb
Size/MD5 checksum: 350302 843a3c227ba43dc4b882c96cad62a6eb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_mipsel.deb
Size/MD5 checksum: 434220 b18b6688a18a11d7bfa20d486c13ae64
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_mipsel.deb
Size/MD5 checksum: 168814 6eedc4fb9e8027cf6d11c427a1cc4f8c
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_powerpc.deb
Size/MD5 checksum: 1061292 0a43b7054755c361229d5e14db9c3156
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_powerpc.deb
Size/MD5 checksum: 432806 ebe9b3113da3361dabf67acd291f9d93
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_powerpc.deb
Size/MD5 checksum: 168374 ab7eb4de4a4c224a94698ebb67f627ea
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_powerpc.deb
Size/MD5 checksum: 433416 0c53941e7e8765780e4e4a71f81a592b
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_powerpc.deb
Size/MD5 checksum: 354920 0682a419e0d59ff5a2af1f322991b157
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_powerpc.deb
Size/MD5 checksum: 410150 69ddc8b0b8ec235e65eabde0adbc1db7
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_powerpc.deb
Size/MD5 checksum: 428826 f556fd9726b4c66bbe6fdc05b84d9918
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_powerpc.deb
Size/MD5 checksum: 409396 d4b779470977873916bff7353829f172
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_s390.deb
Size/MD5 checksum: 437364 0d844765789f2fcc4cf0c24e755b4c3d
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_s390.deb
Size/MD5 checksum: 994710 63d476187cc9eed384ff792ce8b6f471
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_s390.deb
Size/MD5 checksum: 443278 114375b6439d8a9cf344dd4829c7b6d2
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_s390.deb
Size/MD5 checksum: 407682 e0db3031b4bb381a0f3178569d4c514a
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_s390.deb
Size/MD5 checksum: 442268 219d9f7f67d2a53a3c3e700c68a6d682
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_s390.deb
Size/MD5 checksum: 348624 ac97c9840e0cb11a1cf1e44fd1875015
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_s390.deb
Size/MD5 checksum: 407026 6233c65e8860b416d7a6265ae2c2eda4
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_s390.deb
Size/MD5 checksum: 177986 634687237fd58d539bc9492415a94b77
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch11_sparc.deb
Size/MD5 checksum: 418896 96bdf44ad9d8c1d86ee3aaf383c9dcce
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch11_sparc.deb
Size/MD5 checksum: 412078 c9aab17ccba1846ea02df78f636a28a6
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch11_sparc.deb
Size/MD5 checksum: 342696 7dd353d553f6a495c506b22f60ff2a0d
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch4+b1_sparc.deb
Size/MD5 checksum: 158054 60de9a240c905bdb6ffa0ab6c032096d
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.3-4+etch11_sparc.deb
Size/MD5 checksum: 422966 edb7194c73d08c0bdb1eed6bd19ceb53
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch11_sparc.deb
Size/MD5 checksum: 422444 ad0a85ada33d687e1fc67b0fa3c40244
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.3-4+etch11_sparc.deb
Size/MD5 checksum: 960150 0dae013a3e07502409918ff649cb1375
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch11_sparc.deb
Size/MD5 checksum: 411290 88e769a08329b6728c6fd0770d241874
Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.9.orig.tar.gz
Size/MD5 checksum: 6396996 80d3754fc278338033296f0d41ef2c04
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.9-10+lenny6.dsc
Size/MD5 checksum: 1673 f6846ac2d9cbd7887629a9c503154310
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.9-10+lenny6.diff.gz
Size/MD5 checksum: 145719 fd456ef168b7f1ca1055ffbca1df53db
Architecture independent packages:
http://security.debian.org/pool/updates/main/a/apache2/apache2-doc_2.2.9-10+lenny6_all.deb
Size/MD5 checksum: 2060318 c2499fa1040a9ace89c1a969de4db870
http://security.debian.org/pool/updates/main/a/apache2/apache2-src_2.2.9-10+lenny6_all.deb
Size/MD5 checksum: 6736558 e09131a305cf2e51d3c14ed7c1beaf5d
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.9-10+lenny6_all.deb
Size/MD5 checksum: 45238 922ce7e9d14885bab9c9cbbfab99fbd3
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_alpha.deb
Size/MD5 checksum: 209720 29861b61a3ae0912a7eb1ba2096b0421
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_alpha.deb
Size/MD5 checksum: 84444 af60f321516a06fc9588433ba2c1a88e
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_alpha.deb
Size/MD5 checksum: 256598 730d50c0f57ba7aad84e6897217bf42d
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_alpha.deb
Size/MD5 checksum: 2402082 b932e642a152e30f948437d7313d2dcf
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_alpha.deb
Size/MD5 checksum: 82728 bb04bbeae7865acad1ae89e943702623
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_alpha.deb
Size/MD5 checksum: 198236 61b2f1529a056145d9ea8a87c5c5e8c0
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_alpha.deb
Size/MD5 checksum: 208690 f6d15e0b6fa15a3738e9130b4044ce37
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_alpha.deb
Size/MD5 checksum: 849014 dddd323a55b010c29a8626194b71a7a1
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_alpha.deb
Size/MD5 checksum: 147844 40f11b60e0f5154680f16c1c67943101
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_alpha.deb
Size/MD5 checksum: 261662 7b88269d9ce2877809a0f47daa4e756d
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_alpha.deb
Size/MD5 checksum: 262336 eced46181f89a7f8ee636c0dce4789f7
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_amd64.deb
Size/MD5 checksum: 210246 bb629f54f383bfcce66a6bf0bc1a2b6d
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_amd64.deb
Size/MD5 checksum: 825462 051201fb8baa9a7a961961dd5082929a
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_amd64.deb
Size/MD5 checksum: 257694 3b8c5bff06a870ccd062ce53771a43a4
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_amd64.deb
Size/MD5 checksum: 211268 5e07756440fecd3a3ee3815a6cff3ff5
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_amd64.deb
Size/MD5 checksum: 258424 92c5467fbef1d4da6803507b679df099
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_amd64.deb
Size/MD5 checksum: 82532 40718aa8ebb6532404fad4b5ee2a1e09
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_amd64.deb
Size/MD5 checksum: 84140 743b1e0fd988539a7346bddbcd573767
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_amd64.deb
Size/MD5 checksum: 253708 bcc5c9f767c1e62913af45827f04b83f
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_amd64.deb
Size/MD5 checksum: 195214 42f4650b895a51b853c253bbbd1e2cc0
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_amd64.deb
Size/MD5 checksum: 2455308 9b8792a5defa5193d825d31dc47b43f2
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_amd64.deb
Size/MD5 checksum: 144980 240232c2f4932579c60ecee786c0af26
arm architecture (ARM)
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_arm.deb
Size/MD5 checksum: 224760 9615e8207a01d2759de57b58cd885286
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_arm.deb
Size/MD5 checksum: 83230 c840cb7342a3a83e0587fd3baacce760
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_arm.deb
Size/MD5 checksum: 2327178 39819fd5f56728620aaefdbe10887c2b
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_arm.deb
Size/MD5 checksum: 147202 f7ebf064272389cf2dd7db7bfe3ff267
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_arm.deb
Size/MD5 checksum: 161596 b7a2763998f12394ecae68df6ec73fbb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_arm.deb
Size/MD5 checksum: 223898 fbd3f6bc3340643f55862e5b14947345
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_arm.deb
Size/MD5 checksum: 786918 a142a6fbee216aaa87378bdc53773eb2
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_arm.deb
Size/MD5 checksum: 209812 2e4b61b494abdd8e52b219456a82e499
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_arm.deb
Size/MD5 checksum: 219946 4ac3564788d25b492a833e2df463b41e
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_arm.deb
Size/MD5 checksum: 81412 abe1efff8619aac89534c3f4d57c5356
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_arm.deb
Size/MD5 checksum: 211008 865b518f1a18de1020feb2212b137a6c
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_armel.deb
Size/MD5 checksum: 212612 2b8654bdda7346a2a7804800e9a11d8e
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_armel.deb
Size/MD5 checksum: 802766 535b466511548a5264b0da3a3a348381
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_armel.deb
Size/MD5 checksum: 226068 8921ab3294cf45178f3b90fd51fbafc3
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_armel.deb
Size/MD5 checksum: 213694 38498cbd15341da4279e4193a4708c6c
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_armel.deb
Size/MD5 checksum: 226354 57f22f55c3ca485b5974e1f2a4ef1414
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_armel.deb
Size/MD5 checksum: 83934 6a6a2de840f638874d8ae05611f142b9
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_armel.deb
Size/MD5 checksum: 82284 b225eb7806650013baccae619ad08f2b
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_armel.deb
Size/MD5 checksum: 2340926 83bb45aa97542f6f796780c8a2d24c8b
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_armel.deb
Size/MD5 checksum: 221894 872e3f1df2080a84cca36f48e6c8e575
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_armel.deb
Size/MD5 checksum: 151226 3172e8ba667991da2881ea6a7b2781cc
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_hppa.deb
Size/MD5 checksum: 84022 f603a1c369bbc7d05efe1ad99325e020
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_hppa.deb
Size/MD5 checksum: 153048 0568fcb47c9cad398c7fd7abe2276828
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_hppa.deb
Size/MD5 checksum: 82214 f27d31e710ba6640471c47a6fc240aad
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_hppa.deb
Size/MD5 checksum: 246406 f18257777ba62d65ceb3aa4842415c74
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_hppa.deb
Size/MD5 checksum: 241578 e71e710d7889e79b85e4c20b539a4d26
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_hppa.deb
Size/MD5 checksum: 211730 a9913999aac5559db1e75835d87a2efd
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_hppa.deb
Size/MD5 checksum: 896810 e8e2d9459750e5d9be76c00923a25696
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_hppa.deb
Size/MD5 checksum: 245816 6a876fb502903c7bfcb5a4b8dad71a7a
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_hppa.deb
Size/MD5 checksum: 213028 f072f0ca44edc122c1b3e1da847f1c8c
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_hppa.deb
Size/MD5 checksum: 183316 41a32b0fd061c4f2afbd740af5e8325a
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_hppa.deb
Size/MD5 checksum: 2385020 366e6e9bd1dec0ba6a784813785f13d3
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_i386.deb
Size/MD5 checksum: 82366 ab10d1ab26c914777c5296fe9ccfe027
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_i386.deb
Size/MD5 checksum: 241326 2ee9101bf92fcac69249094b3ca11e2a
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_i386.deb
Size/MD5 checksum: 240776 43a654cf0439fc97997a57baec5e2995
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_i386.deb
Size/MD5 checksum: 84104 f73a1bff0a8a4426e63803c4e5c67c60
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_i386.deb
Size/MD5 checksum: 783440 053ba7ef4fbb56547200c32c35ac8a0e
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_i386.deb
Size/MD5 checksum: 143414 c20c10a3eadac1c494a5750888875800
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_i386.deb
Size/MD5 checksum: 237396 06841f14531fab0adb92177af849c8be
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_i386.deb
Size/MD5 checksum: 211420 69c67bd0052c70322924b901ba5f5428
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_i386.deb
Size/MD5 checksum: 2324892 87c51cc1fb8ae2532adcfa601a7b5af4
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_i386.deb
Size/MD5 checksum: 212726 11b86a68880fa98a130e449dec0fbbcc
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_i386.deb
Size/MD5 checksum: 179396 4ae5716372fe19991b0d8a4cc751d45f
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_ia64.deb
Size/MD5 checksum: 162732 0a9a153e3703f9dbd33e325d67373bce
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_ia64.deb
Size/MD5 checksum: 247068 39445ee73d2076bfa589a5840a3d6024
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_ia64.deb
Size/MD5 checksum: 1036624 80b366704dc888c2bea8d84c316faf33
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_ia64.deb
Size/MD5 checksum: 208668 c2b06d3c767fa737fbf5e1c3d50d001c
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_ia64.deb
Size/MD5 checksum: 311692 77ff8879c2853c4b33903299ec3120c8
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_ia64.deb
Size/MD5 checksum: 312616 1c20b667ebbd43b0ee1b01cd1cdd991d
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_ia64.deb
Size/MD5 checksum: 83920 a383c7aef1758f963c019793af7b5f92
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_ia64.deb
Size/MD5 checksum: 2317952 803f0b941814cbbc49f4e37bc3b9ca95
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_ia64.deb
Size/MD5 checksum: 209700 59ab45d2c7c2168a941ff2fc842268e1
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_ia64.deb
Size/MD5 checksum: 304670 067ece69f8b9518f9b18cd948c4df971
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_ia64.deb
Size/MD5 checksum: 85802 9294d252435e8026d6135bf8efdfaf46
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_mips.deb
Size/MD5 checksum: 2465158 a36366e07810785cd1f2dc3b020d3486
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_mips.deb
Size/MD5 checksum: 780460 a5daeb91029f3b027a810ee22456ebd3
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_mips.deb
Size/MD5 checksum: 233408 ec9001ee4c996d0b14a9e67d9ce380ec
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_mips.deb
Size/MD5 checksum: 82082 1fc55f0526e3bf90c2156364055a1627
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_mips.deb
Size/MD5 checksum: 171444 789208a77578e49ebca9be904c99aff3
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_mips.deb
Size/MD5 checksum: 83688 8612d0c31dee19c557723b08354c20d7
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_mips.deb
Size/MD5 checksum: 149712 ac8ddf3ab4a3b0fb255adbc588e57305
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_mips.deb
Size/MD5 checksum: 209718 8af3815f7794f4e60d72ba52d3bd19c4
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_mips.deb
Size/MD5 checksum: 229494 c2ef345862009f2a2b979205fec22567
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_mips.deb
Size/MD5 checksum: 208698 246c0001aaa98be577f6c5f004330285
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_mips.deb
Size/MD5 checksum: 233980 ce7b3760443a98b0ddc0607a7a9842bf
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_mipsel.deb
Size/MD5 checksum: 228110 e45b1c3294102e26eee671b860f4aabc
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_mipsel.deb
Size/MD5 checksum: 208710 1403636fff03ab43353cdffdef62ffd7
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_mipsel.deb
Size/MD5 checksum: 83708 9b1c257025920f6dd0a7a2b231c97141
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_mipsel.deb
Size/MD5 checksum: 209740 546504d6f0a2a449e9bcd618f4700ce5
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_mipsel.deb
Size/MD5 checksum: 82128 31209b35ecb423f2d88347df6c08eddb
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_mipsel.deb
Size/MD5 checksum: 2420074 b57ff2a01ee7f29d0dcba4214dc7fc21
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_mipsel.deb
Size/MD5 checksum: 232140 3dfff4c54077cb221e19533f19538834
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_mipsel.deb
Size/MD5 checksum: 778974 d9d0084ea48aaa56d2f99c632711d084
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_mipsel.deb
Size/MD5 checksum: 169470 f04a239ba4f1d6ae4ff8ce0960f784fd
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_mipsel.deb
Size/MD5 checksum: 232796 8ced513dc28d7165fd76076803b98188
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_mipsel.deb
Size/MD5 checksum: 150024 c2a66c2c63eeb66df98b136cceadc780
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_powerpc.deb
Size/MD5 checksum: 84570 b43f074242385089dda2aae2e9ae1595
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_powerpc.deb
Size/MD5 checksum: 915976 723f3349b829894595b913099f06ecc2
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_powerpc.deb
Size/MD5 checksum: 257408 c4bab781417526a0dfdb2240ab2fef07
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_powerpc.deb
Size/MD5 checksum: 2495210 6fb817120bcb095006fd09d2318f28ee
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_powerpc.deb
Size/MD5 checksum: 195192 6b4d950e48c6cdfd00d403e42b719b40
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_powerpc.deb
Size/MD5 checksum: 208684 ece82cc979cff6832d51a6caf51f38b5
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_powerpc.deb
Size/MD5 checksum: 82908 c54a24103b503b5de1b27993ee33610f
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_powerpc.deb
Size/MD5 checksum: 160960 361e2bae65d5f1303073d8e4d88ccdb7
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_powerpc.deb
Size/MD5 checksum: 209714 81fbc6671b2d4137dc52232e9d572ea9
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_powerpc.deb
Size/MD5 checksum: 258234 6dbd57dc907e93b5e9dcd3058e99b30f
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_powerpc.deb
Size/MD5 checksum: 253294 696e2e9219d6e029c0c6f024045a4d5f
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_s390.deb
Size/MD5 checksum: 82544 4e332ccedffd13b1e7b866fe71cf8a9b
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_s390.deb
Size/MD5 checksum: 197642 e32a924a47b90452356956e3fe39d34e
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_s390.deb
Size/MD5 checksum: 255970 197eea5c422ecf37ec592bf9612c3b2f
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_s390.deb
Size/MD5 checksum: 208694 33dddaec24eb4475411eb55abb5d5e71
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_s390.deb
Size/MD5 checksum: 150912 2aa00b2fb3b84a536030f5b5635115bc
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_s390.deb
Size/MD5 checksum: 209726 cf54089c8a33087820f8c9359e461625
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_s390.deb
Size/MD5 checksum: 2409108 1b6e40f5d2772a0a1f26424f4b470136
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_s390.deb
Size/MD5 checksum: 824586 ff52926d953f8b5cbde82ac31176dedb
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_s390.deb
Size/MD5 checksum: 259924 655aca8f56383ebd106ded50d8f557ea
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_s390.deb
Size/MD5 checksum: 260610 12751082d3f1466735d1b3d395d63690
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_s390.deb
Size/MD5 checksum: 84310 9aa451ccb1513c05f4ccc0319124181e
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/a/apache2/apache2-dbg_2.2.9-10+lenny6_sparc.deb
Size/MD5 checksum: 2231018 fcdbb08c45ff474592590fac0aa78dac
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec-custom_2.2.9-10+lenny6_sparc.deb
Size/MD5 checksum: 84568 6dcf4195e216a22ef2919806d55d5098
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.9-10+lenny6_sparc.deb
Size/MD5 checksum: 237224 9bf96cc5f932643b1c55c6a9fa238af1
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-event_2.2.9-10+lenny6_sparc.deb
Size/MD5 checksum: 241474 ed8557af547d9d55a075fca5cf88488d
http://security.debian.org/pool/updates/main/a/apache2/apache2-suexec_2.2.9-10+lenny6_sparc.deb
Size/MD5 checksum: 82888 bde0baf83e2e972b398be6a500f77125
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.6-02-1+lenny2+b2_sparc.deb
Size/MD5 checksum: 177562 09cbb49296407c83ef1575b003dfb129
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.9-10+lenny6_sparc.deb
Size/MD5 checksum: 241014 2c10b920cdfec918af3eb148e29fca0f
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.9-10+lenny6_sparc.deb
Size/MD5 checksum: 212798 28edff7612bb824fc20d88c29b8b7e1f
http://security.debian.org/pool/updates/main/a/apache2/apache2.2-common_2.2.9-10+lenny6_sparc.deb
Size/MD5 checksum: 781748 63e7003956d73b1a04e544c00eaa7728
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.9-10+lenny6_sparc.deb
Size/MD5 checksum: 213976 b7e758d0a2e6574944d27e2d6e40f60c
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.9-10+lenny6_sparc.deb
Size/MD5 checksum: 146596 c37cea33bed94a68326b511a66bf050e
These files will probably be moved into the stable distribution on
its next update.
Patch kit installation instructions are provided in the file SSRT090244 Apache CVE-2009-3094, CVE-2009-3095.txt .
The patch kits and installation instructions are available from the following location using ftp:
Host Account Password
ftp.usa.hp.com ewt01 Welcome1
CSWS version 2.1-1 patch kits are available for both ALPHA and ITANIUM platforms.
Itanium Images
mod_proxy.exe_ia64
mod_proxy_ftp.exe_ia64
Alpha Images
mod_proxy.exe_axp
mod_proxy_ftp.exe_axp
The patch images will be provided in the next regularly scheduled update of CSWS 2.1-1. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02160663
Version: 1
HPSBUX02531 SSRT100108 rev.1 - HP-UX Running Apache-based Web Server, Remote Denial of Service (DoS), Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-06-02
Last Updated: 2010-06-02
- -----------------------------------------------------------------------------
Potential Security Impact: Remote Denial of Service (DoS), unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS) or unauthorized access. Apache-based Web Server is contained in the Apache Web Server Suite.
References: CVE-2009-3094, CVE-2009-3095, CVE-2010-0408, CVE-2010-0740, CVE-2010-0433, CVE-2010-0434
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running Apache-based Web Server versions before v2.2.8.09
HP-UX B.11.11, B.11.23, B.11.31 running Apache-based Web Server versions before v2.0.59.15
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2009-3094 (AV:N/AC:H/Au:N/C:N/I:N/A:C) 5.4
CVE-2009-3095 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2010-0408 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-0740 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2010-0433 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2010-0434 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
Note: CVE-2009-3094, CVE-2009-3095 and 2010-0740 affect only HP-UX Web Server Suite v2.30;
CVE-2010-0408, CVE-2010-0433 and CVE-2010-0434 affect only HP-UX Web Server Suite v3.09.
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities.
The upgrades are available from the following location:
URL http://software.hp.com
Note: HP-UX Web Server Suite v3.09 contains HP-UX Apache-based Web Server v2.2.8.09
Note: HP-UX Web Server Suite v2.30 contains HP-UX Apache-based Web Server v2.0.59.15
Web Server Suite Version / HP-UX Release / Depot name
Web Server v3.09 / B.11.23 and B.11.31 PA-32 / HPUXWS22ATW-B309-32.depot
Web Server v3.09 / B.11.23 and B.11.31 IA-64 / HPUXWS22ATW-B309-64.depot
Web Server v2.30 / B.11.11 PA-32 / HPUXWSATW-B230-1111.depot
Web Server v2.30 / B.11.23 PA-32 / HPUXWSATW-B230-32.depot
Web Server v2.30 / B.11.23 IA-64 / HPUXWSATW-B230-64.depot
Web Server v2.30 / B.11.31 IA-32 / HPUXWSATW-B230-32-1131.depot
Web Server v2.30 / B.11.31 IA-64 / HPUXWSATW-B230-64-1131.depot
MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server from the Apache Web Server Suite v2.30 or subsequent
or
Install Apache-based Web Server from the Apache Web Server Suite v3.09 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
For Web Server Suite before v3.09
HP-UX B.11.23
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
action: install revision B.2.2.8.09 or subsequent
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
action: install revision B.2.2.8.09 or subsequent
For Web Server Suite before v2.30
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
HP-UX B.11.23
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
HP-UX B.11.31
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
action: install revision B.2.0.59.15 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 2 June 2010 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkwG2+IACgkQ4B86/C0qfVm3LACfZ2twc1MNibwpLscDC7giyJJv
nksAnR0xfycsdI9Z5RyDC/o+Dnt4Q100
=/Gfl
-----END PGP SIGNATURE-----
.
BAC v8.07 supplies Apache 2.2.17. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com
VAR-200908-0535 | No CVE | Issue of Access Control Failure in Hitachi Device Manager Server |
CVSS V2: 6.8 CVSS V3: - Severity: Medium |
Hitachi Device Manager servers contain a vulnerability in which access control settings would be rendered invalid in the following cases: - IPv6 format is used for communications between a Hitachi Device Manager server and its clients. - Access controls for Hitachi Device Manager clients are set by the range of IP addresses written in the CIDR format.An unauthorized client may gain access to the Hitachi Device Manager server.
Very few technical details are available. We will update this BID when more information emerges. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Hitachi Device Manager Server IPv6 Security Bypass Vulnerability
SECUNIA ADVISORY ID:
SA36526
VERIFY ADVISORY:
http://secunia.com/advisories/36526/
DESCRIPTION:
A vulnerability has been reported in multiple Hitachi products, which
can be exploited by malicious people to bypass certain security
restrictions.
Successful exploitation requires that the application is running in
an IPv6 environment and that the CIDR format is used in rules
restricting network access.
SOLUTION:
Apply vendor patches (please see vendor advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS09-013/index.html
OTHER REFERENCES:
JVN:
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-001931.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200908-0332 | CVE-2009-3016 | Apple Safari Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple Safari 4.0.3 does not properly block javascript: and data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2) entering a javascript: URI when specifying the content of a Refresh header, (3) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. Safari is prone to a cross-site scripting vulnerability
VAR-200909-0349 | CVE-2009-2957 | dnsmasq of tftp_request Vulnerability in arbitrary code execution in function |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request. Dnsmasq is prone to a remotely exploitable heap-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer.
Remote attackers can exploit this issue to execute arbitrary machine code in the context of the vulnerable software on the targeted user's computer.
Versions *prior to* Dnsmasq 2.50 are vulnerable. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1876-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
September 01, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : dnsmasq
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-2957 CVE-2009-2958
Several remote vulnerabilities have been discovered in the TFTP
component of dnsmasq.
CVE-2009-2958
Malicious TFTP clients may crash dnsmasq, leading to denial of
service.
The old stable distribution is not affected by these problems.
For the stable distribution (lenny), these problems have been fixed in
version 2.45-1+lenny1.
For the unstable distribution (sid), these problems have been fixed in
version 2.50-1.
We recommend that you upgrade your dnsmasq packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45.orig.tar.gz
Size/MD5 checksum: 377466 59106495260bb2d0f184f0d4ae88d740
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1.diff.gz
Size/MD5 checksum: 14514 c841708d86ea6a13f4f168d311638ff5
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1.dsc
Size/MD5 checksum: 1006 377658fb3cb46cc670a86e475ff70533
Architecture independent packages:
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1_all.deb
Size/MD5 checksum: 12110 716c6f4f6e478f5a0f248725e4544dda
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_alpha.deb
Size/MD5 checksum: 267294 d7ba6bd2b7363246587cf4ab8b78f721
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_amd64.deb
Size/MD5 checksum: 258118 3b5fc290f6bfacd7450fbc138e63bcb7
arm architecture (ARM)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_arm.deb
Size/MD5 checksum: 250676 0011c21826ab5f3b9c64444113acc97f
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_armel.deb
Size/MD5 checksum: 252830 5999eff243a849fe31fba765e92228d0
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_hppa.deb
Size/MD5 checksum: 258292 cadea4880ef01292affd271cde276226
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_i386.deb
Size/MD5 checksum: 251182 cdad8cd873dc28fd69fdd7ca2e59cec1
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_ia64.deb
Size/MD5 checksum: 301522 2723ddacd61bf4378115a1701848fa2c
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_mips.deb
Size/MD5 checksum: 256426 0873691aa0b37c2873e93e1132d0db95
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_mipsel.deb
Size/MD5 checksum: 257982 dd6342a053fc0bb9a3be6ec5b4aa3b2f
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_powerpc.deb
Size/MD5 checksum: 257426 58e705f584e41b2598a6d62bfc7e2671
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_s390.deb
Size/MD5 checksum: 255328 3abfb764f944344064aed16352156b04
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_sparc.deb
Size/MD5 checksum: 252234 4a6db5969b47698346b59828928dc0b5
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJKnXmhAAoJEL97/wQC1SS+BPQIAK1x7nctuD1BkdIVjSt5BXRG
cBlfdwgsyjXLoLocyN6A1lsHwcAcFPZI189aqLD2MU8MBJmugDdgReF4d6GTLI/T
zv2G0fkj9rggJXAeqpFOlMK/nhUNxRDAn8h/ZgXcFuTkY0zm1M2D1qhqKpvOjByC
U7im5+V/rp9VAFOaTdMnnvnBJX2nRnXULj85eIAaJYZSahX544UfKi6GLkjN0wji
b/FJvtn9yOT6Rkzgs528icZ3ZoDslTV8xQhuBgILhCcP5Dmp7JokbdzZ7h3zH1YV
8b0WwxEIF/mhmhlNVYDP6n2k2jLw+zLBF2c5jSIlHa67vChsLGeU3auqXAHMpq0=
=h2eE
-----END PGP SIGNATURE-----
. ===========================================================
Ubuntu Security Notice USN-827-1 September 01, 2009
dnsmasq vulnerabilities
CVE-2009-2957, CVE-2009-2958
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
dnsmasq-base 2.41-2ubuntu2.2
Ubuntu 8.10:
dnsmasq-base 2.45-1ubuntu1.1
Ubuntu 9.04:
dnsmasq-base 2.47-3ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
IvAin Arce, Pablo HernAin Jorge, Alejandro Pablo Rodriguez, MartA\xadn Coco,
Alberto SoliAto Testa and Pablo Annetta discovered that Dnsmasq did not
properly validate its input when processing TFTP requests for files with
long names. Dnsmasq runs as the 'dnsmasq' user by
default on Ubuntu. (CVE-2009-2957)
Steve Grubb discovered that Dnsmasq could be made to dereference a NULL
pointer when processing certain TFTP requests. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Ubuntu update for dnsmasq
SECUNIA ADVISORY ID:
SA36563
VERIFY ADVISORY:
http://secunia.com/advisories/36563/
DESCRIPTION:
Ubuntu has issued an update for dnsmasq. This fixes two
vulnerabilities, which can be exploited by malicious people to cause
a DoS (Denial of Service) and potentially compromise a vulnerable
system.
For more information:
SA36394
SOLUTION:
Apply updated packages.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200909-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Dnsmasq: Multiple vulnerabilities
Date: September 20, 2009
Bugs: #282653
ID: 200909-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Dnsmasq might result in the remote
execution of arbitrary code, or a Denial of Service.
Background
==========
Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It includes support for Trivial FTP (TFTP).
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-dns/dnsmasq < 2.5.0 >= 2.5.0
Description
===========
Multiple vulnerabilities have been reported in the TFTP functionality
included in Dnsmasq:
* Pablo Jorge and Alberto Solino discovered a heap-based buffer
overflow (CVE-2009-2957).
* An anonymous researcher reported a NULL pointer reference
(CVE-2009-2958).
Impact
======
A remote attacker in the local network could exploit these
vulnerabilities by sending specially crafted TFTP requests to a machine
running Dnsmasq, possibly resulting in the remote execution of
arbitrary code with the privileges of the user running the daemon, or a
Denial of Service. NOTE: The TFTP server is not enabled by default.
Workaround
==========
You can disable the TFTP server either at buildtime by not enabling the
"tftp" USE flag, or at runtime. Make sure "--enable-tftp" is not set in
the DNSMASQ_OPTS variable in the /etc/conf.d/dnsmasq file and
"enable-tftp" is not set in /etc/dnsmasq.conf, either of which would
enable TFTP support if it is compiled in.
Resolution
==========
All Dnsmasq users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =net-dns/dnsmasq-2.5.0
References
==========
[ 1 ] CVE-2009-2957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2957
[ 2 ] CVE-2009-2958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2958
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200909-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-200909-0342 | CVE-2009-2958 | dnsmasq of tftp_request Service disruption in functions (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a TFTP read (aka RRQ) request with a malformed blksize option. dnsmasq of tftp_request Functions include --enable-tftp If you use blksize Service operation disruption due to incomplete processing of requests with options (DoS) There is a vulnerability that becomes a condition.Service operation disruption to a third party (DoS) There is a possibility of being put into a state. Dnsmasq is prone to a NULL-pointer dereference vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
NOTE: The TFTP service must be enabled for this issue to be exploitable; this is not the default.
Versions *prior to* Dnsmasq 2.50 are vulnerable. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1876-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
September 01, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : dnsmasq
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-2957 CVE-2009-2958
Several remote vulnerabilities have been discovered in the TFTP
component of dnsmasq. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2009-2957
A buffer overflow in TFTP processing may enable arbitrary code
execution to attackers which are permitted to use the TFTP service.
CVE-2009-2958
Malicious TFTP clients may crash dnsmasq, leading to denial of
service.
The old stable distribution is not affected by these problems.
For the stable distribution (lenny), these problems have been fixed in
version 2.45-1+lenny1.
For the unstable distribution (sid), these problems have been fixed in
version 2.50-1.
We recommend that you upgrade your dnsmasq packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45.orig.tar.gz
Size/MD5 checksum: 377466 59106495260bb2d0f184f0d4ae88d740
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1.diff.gz
Size/MD5 checksum: 14514 c841708d86ea6a13f4f168d311638ff5
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1.dsc
Size/MD5 checksum: 1006 377658fb3cb46cc670a86e475ff70533
Architecture independent packages:
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1_all.deb
Size/MD5 checksum: 12110 716c6f4f6e478f5a0f248725e4544dda
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_alpha.deb
Size/MD5 checksum: 267294 d7ba6bd2b7363246587cf4ab8b78f721
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_amd64.deb
Size/MD5 checksum: 258118 3b5fc290f6bfacd7450fbc138e63bcb7
arm architecture (ARM)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_arm.deb
Size/MD5 checksum: 250676 0011c21826ab5f3b9c64444113acc97f
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_armel.deb
Size/MD5 checksum: 252830 5999eff243a849fe31fba765e92228d0
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_hppa.deb
Size/MD5 checksum: 258292 cadea4880ef01292affd271cde276226
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_i386.deb
Size/MD5 checksum: 251182 cdad8cd873dc28fd69fdd7ca2e59cec1
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_ia64.deb
Size/MD5 checksum: 301522 2723ddacd61bf4378115a1701848fa2c
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_mips.deb
Size/MD5 checksum: 256426 0873691aa0b37c2873e93e1132d0db95
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_mipsel.deb
Size/MD5 checksum: 257982 dd6342a053fc0bb9a3be6ec5b4aa3b2f
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_powerpc.deb
Size/MD5 checksum: 257426 58e705f584e41b2598a6d62bfc7e2671
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_s390.deb
Size/MD5 checksum: 255328 3abfb764f944344064aed16352156b04
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_sparc.deb
Size/MD5 checksum: 252234 4a6db5969b47698346b59828928dc0b5
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJKnXmhAAoJEL97/wQC1SS+BPQIAK1x7nctuD1BkdIVjSt5BXRG
cBlfdwgsyjXLoLocyN6A1lsHwcAcFPZI189aqLD2MU8MBJmugDdgReF4d6GTLI/T
zv2G0fkj9rggJXAeqpFOlMK/nhUNxRDAn8h/ZgXcFuTkY0zm1M2D1qhqKpvOjByC
U7im5+V/rp9VAFOaTdMnnvnBJX2nRnXULj85eIAaJYZSahX544UfKi6GLkjN0wji
b/FJvtn9yOT6Rkzgs528icZ3ZoDslTV8xQhuBgILhCcP5Dmp7JokbdzZ7h3zH1YV
8b0WwxEIF/mhmhlNVYDP6n2k2jLw+zLBF2c5jSIlHa67vChsLGeU3auqXAHMpq0=
=h2eE
-----END PGP SIGNATURE-----
. ===========================================================
Ubuntu Security Notice USN-827-1 September 01, 2009
dnsmasq vulnerabilities
CVE-2009-2957, CVE-2009-2958
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
dnsmasq-base 2.41-2ubuntu2.2
Ubuntu 8.10:
dnsmasq-base 2.45-1ubuntu1.1
Ubuntu 9.04:
dnsmasq-base 2.47-3ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
IvAin Arce, Pablo HernAin Jorge, Alejandro Pablo Rodriguez, MartA\xadn Coco,
Alberto SoliAto Testa and Pablo Annetta discovered that Dnsmasq did not
properly validate its input when processing TFTP requests for files with
long names. Dnsmasq runs as the 'dnsmasq' user by
default on Ubuntu. (CVE-2009-2957)
Steve Grubb discovered that Dnsmasq could be made to dereference a NULL
pointer when processing certain TFTP requests. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Ubuntu update for dnsmasq
SECUNIA ADVISORY ID:
SA36563
VERIFY ADVISORY:
http://secunia.com/advisories/36563/
DESCRIPTION:
Ubuntu has issued an update for dnsmasq. This fixes two
vulnerabilities, which can be exploited by malicious people to cause
a DoS (Denial of Service) and potentially compromise a vulnerable
system.
For more information:
SA36394
SOLUTION:
Apply updated packages.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200909-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Dnsmasq: Multiple vulnerabilities
Date: September 20, 2009
Bugs: #282653
ID: 200909-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Dnsmasq might result in the remote
execution of arbitrary code, or a Denial of Service.
Background
==========
Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It includes support for Trivial FTP (TFTP).
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-dns/dnsmasq < 2.5.0 >= 2.5.0
Description
===========
Multiple vulnerabilities have been reported in the TFTP functionality
included in Dnsmasq:
* Pablo Jorge and Alberto Solino discovered a heap-based buffer
overflow (CVE-2009-2957).
* An anonymous researcher reported a NULL pointer reference
(CVE-2009-2958).
Impact
======
A remote attacker in the local network could exploit these
vulnerabilities by sending specially crafted TFTP requests to a machine
running Dnsmasq, possibly resulting in the remote execution of
arbitrary code with the privileges of the user running the daemon, or a
Denial of Service.
Workaround
==========
You can disable the TFTP server either at buildtime by not enabling the
"tftp" USE flag, or at runtime. Make sure "--enable-tftp" is not set in
the DNSMASQ_OPTS variable in the /etc/conf.d/dnsmasq file and
"enable-tftp" is not set in /etc/dnsmasq.conf, either of which would
enable TFTP support if it is compiled in.
Resolution
==========
All Dnsmasq users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =net-dns/dnsmasq-2.5.0
References
==========
[ 1 ] CVE-2009-2957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2957
[ 2 ] CVE-2009-2958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2958
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200909-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5