Linux Today: Linux News On Internet Time.
Advisories: September 7, 2005
Sep 8, 2005, 05:30 UTC

Debian GNU/Linux


Debian Security Advisory DSA 802-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
September 7th, 2005 http://www.debian.org/security/faq


Package : cvs
Vulnerability : insecure temporary files
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-2693
Debian Bug : 325106

Marcus Meissner discovered that the cvsbug program from CVS, which serves the popular Concurrent Versions System, uses temporary files in an insecure fashion.

For the old stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-13.

In the stable distribution (sarge) the cvs package does not expose the cvsbug program anymore.

In the unstable distribution (sid) the cvs package does not expose the cvsbug program anymore.

We recommend that you upgrade your cvs package.

Upgrade Instructions


wget url
    will fetch the file for you

dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database

apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody



These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Fedora Core


Fedora Update Notification
FEDORA-2005-848
2005-09-07

Product : Fedora Core 3
Name : httpd
Version : 2.0.53
Release : 3.3
Summary : Apache HTTP Server

Description :
Apache is a powerful, full-featured, efficient, and freely-available Web server. Apache is also the most popular Web server on the Internet.


Update Information:

This update includes two security fixes. An issue was discovered in mod_ssl where "SSLVerifyClient require" would not be honoured in location context if the virtual host had "SSLVerifyClient optional" configured (CAN-2005-2700). An issue was discovered in memory consumption of the byterange filter for dynamic resources such as PHP or CGI script (CAN-2005-2728).


  • Fri Sep 2 2005 Joe Orton <jorton@redhat.com> 2.0.53-3.3
    • mod_ssl: add security fix for SSLVerifyClient (#167196, CVE CAN-2005-2700)
    • add security fix for byterange filter DoS (#167104, CVE CAN-2005-2728)

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.



Fedora Update Notification
FEDORA-2005-849
2005-09-07

Product : Fedora Core 4
Name : httpd
Version : 2.0.54
Release : 10.2
Summary : Apache HTTP Server

Description :
The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. The Apache HTTP Server is also the most popular Web server on the Internet.


Update Information:

This update includes two security fixes. An issue was discovered in mod_ssl where "SSLVerifyClient require" would not be honoured in location context if the virtual host had "SSLVerifyClient optional" configured (CAN-2005-2700). An issue was discovered in memory consumption of the byterange filter for dynamic resources such as PHP or CGI script (CAN-2005-2728).


  • Fri Sep 2 2005 Joe Orton <jorton@redhat.com> 2.0.54-10.2
    • mod_ssl: add security fix for SSLVerifyClient (#167196, CVE CAN-2005-2700)
    • add security fix for byterange filter DoS (#167104, CVE CAN-2005-2728)
    • add fix for dummy connection handling (#167425)
    • mod_ldap/mod_auth_ldap: add fixes from 2.0.x branch (upstream #34209 etc)
    • mod_ssl: add fix for handling non-blocking reads

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.
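
An added example, not part of the Fedora notices or of Apache's code: a Python audit that finds virtual hosts with the configuration shape both httpd notices above describe for CAN-2005-2700, so that those hosts can be prioritised for the update. The function names, the constructed sample configuration, and the choice to treat `<Directory>` and `<Files>` blocks like `<Location>` are assumptions of this example.

```python
import re

# Opening and closing container lines, e.g. <VirtualHost *:443> and </Location>.
OPEN_RE = re.compile(r"^<\s*([A-Za-z]+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")

# Containers treated as "location context" here. Including <Directory> and
# <Files> is an assumption of this example, made so the audit over-reports
# rather than under-reports.
PER_DIR = {"location", "locationmatch", "directory", "directorymatch",
           "files", "filesmatch"}

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLVerifyClient optional
    <Location /public>
        SSLVerifyClient none
    </Location>
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>

<VirtualHost *:8443>
    ServerName api.example.test
    SSLEngine on
    SSLVerifyClient require
    <Location /v1>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""


def enclosing_scope(stack):
    """Innermost container that defines a configuration scope.

    Wrappers such as <IfModule> are skipped because they do not change
    which scope a directive applies to.
    """
    for name, arg in reversed(stack):
        if name == "virtualhost" or name in PER_DIR:
            return name, arg
    return None


def find_verifyclient_overrides(config_text):
    """Return (vhost, container, argument) for every per-location
    'SSLVerifyClient require' inside a virtual host whose own setting
    is 'SSLVerifyClient optional'."""
    findings = []
    stack = []         # open containers as (lowercase name, argument)
    vhost_mode = None  # SSLVerifyClient value set at virtual-host level
    pending = []       # per-location 'require' seen in the current vhost
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = CLOSE_RE.match(line)
        if closing:
            name = closing.group(1).lower()
            if stack and stack[-1][0] == name:
                _, arg = stack.pop()
                if name == "virtualhost":
                    # Decide at the end of the vhost so directive order
                    # inside it does not matter.
                    if vhost_mode == "optional":
                        findings.extend((arg, c, a) for c, a in pending)
                    vhost_mode, pending = None, []
            continue
        opening = OPEN_RE.match(line)
        if opening:
            arg = opening.group(2).strip().strip('"')
            stack.append((opening.group(1).lower(), arg))
            continue
        words = line.split()
        if len(words) < 2 or words[0].lower() != "sslverifyclient":
            continue
        if not any(name == "virtualhost" for name, _ in stack):
            continue  # main-server settings are outside the described case
        scope = enclosing_scope(stack)
        if scope[0] == "virtualhost":
            vhost_mode = words[1].lower()
        elif words[1].lower() == "require":
            pending.append(scope)
    return findings


if __name__ == "__main__":
    for vhost, container, arg in find_verifyclient_overrides(SAMPLE_CONF):
        print(f"vhost {vhost}: <{container} {arg}> relies on a 'require' override")
```

Each finding is a location whose client-certificate requirement depended on the override the update fixes; hosts with no findings still need the update for the byterange issue.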



Fedora Update Notification
FEDORA-2005-858
2005-09-07

Product : Fedora Core 3
Name : openssh
Version : 3.9p1
Release : 8.0.3
Summary : The OpenSSH implementation of SSH protocol versions 1 and 2.

Description :
OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSH replaces rlogin and rsh, to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. Public key authentication may be used for "passwordless" access to servers.

This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both.


Update Information:

This security update fixes CAN-2005-2798 and resolves a problem with X forwarding binding only to the IPv6 address in certain circumstances.


  • Wed Sep 7 2005 Tomas Mraz <tmraz@redhat.com> 3.9p1-8.0.3
    • destroy creds if gssapi authentication fails - CAN-2005-2798 (#167444)
    • don't use X11 port which can't be bound on all IP families (#163732)

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/


This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.


Gentoo Linux


Gentoo Linux Security Advisory GLSA 200509-06

http://security.gentoo.org/


Severity: Normal
Title: Squid: Denial of Service vulnerabilities
Date: September 07, 2005
Bugs: #104603
ID: 200509-06


Synopsis

Squid contains several bugs when handling certain malformed requests resulting in a Denial of Service.

Background

Squid is a full-featured Web proxy cache designed to run on Unix-like systems. It supports proxying and caching of HTTP, FTP, and other protocols, as well as SSL support, cache hierarchies, transparent caching, access control lists and many more features.

Affected packages


     Package            /  Vulnerable   /  Unaffected
  1  www-proxy/squid       < 2.5.10-r2     >= 2.5.10-r2

Description

Certain malformed requests result in a segmentation fault in the sslConnectTimeout function; handling of certain other requests triggers assertion failures.

Impact

By performing malformed requests an attacker could cause Squid to crash by triggering an assertion failure or invalid memory reference.

Workaround

There is no known workaround at this time.

Resolution

All Squid users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-proxy/squid-2.5.10-r2"

References

[ 1 ] Squid Patches

http://www.squid-cache.org/Versions/v2/2.5/bugs/

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200509-06.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Ubuntu Linux


Ubuntu Security Notice USN-160-2 September 07, 2005
apache vulnerability
CAN-2005-2088

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

apache
apache-perl
apache-ssl

The problem can be corrected by upgrading the affected package to version 1.3.31-6ubuntu0.8 (for Ubuntu 4.10), or 1.3.33-4ubuntu1 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-160-1 fixed two vulnerabilities in the Apache 2 server. The old Apache 1 server was also vulnerable to one of the vulnerabilities (CAN-2005-2088). Please note that Apache 1 is not officially supported in Ubuntu (it is in the "universe" component of the archive).

For reference, this is the relevant part of the original advisory:

Watchfire discovered that Apache insufficiently verified the "Transfer-Encoding" and "Content-Length" headers when acting as an HTTP proxy. By sending a specially crafted HTTP request, a remote attacker who is authorized to use the proxy could exploit this to bypass web application firewalls, poison the HTTP proxy cache, and conduct cross-site scripting attacks against other proxy users. (CAN-2005-2088)
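
An added example, not code from Ubuntu, Watchfire or Apache: the kind of header verification the quoted advisory says was insufficient, written as a Python check that a proxy front end or log pipeline could apply to incoming requests. It goes beyond the advisory's wording by applying the message-framing rules of RFC 7230 section 3.3.3; the function names and the sample requests are constructed for illustration.

```python
def parse_header_fields(raw_request):
    """Split the header block into (name, value) pairs.

    value is None when the line has no colon, so the caller can flag it.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    fields = []
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line
        name, sep, value = line.partition(b":")
        fields.append((name, value.strip() if sep else None))
    return fields


def framing_problems(raw_request):
    """Return the reasons a request's body length is ambiguous.

    An empty list means Content-Length and Transfer-Encoding agree on
    how the body is delimited.
    """
    problems = []
    lengths, codings = [], []
    for name, value in parse_header_fields(raw_request):
        if value is None or not name or name != name.strip():
            problems.append("malformed header line")
            continue
        key = name.lower()
        if key == b"content-length":
            lengths += [v.strip() for v in value.split(b",")]
        elif key == b"transfer-encoding":
            codings += [v.strip().lower() for v in value.split(b",")]
    if lengths and codings:
        problems.append("both Content-Length and Transfer-Encoding present")
    if any(not v.isdigit() for v in lengths):
        problems.append("Content-Length is not a decimal number")
    elif len({int(v) for v in lengths}) > 1:
        problems.append("conflicting Content-Length values")
    if codings and codings[-1] != b"chunked":
        problems.append("Transfer-Encoding does not end in chunked")
    return problems


# Constructed sample requests; the host name is a placeholder.
SAMPLES = {
    "plain": b"POST /form HTTP/1.1\r\nHost: app.example.test\r\n"
             b"Content-Length: 5\r\n\r\nhello",
    "both": b"POST /form HTTP/1.1\r\nHost: app.example.test\r\n"
            b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"0\r\n\r\n",
    "duplicate": b"POST /form HTTP/1.1\r\nHost: app.example.test\r\n"
                 b"Content-Length: 5\r\nContent-Length: 7\r\n\r\nhello",
}


def classify_samples():
    """Run the check over every constructed sample."""
    return {label: framing_problems(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, problems in classify_samples().items():
        print(label, "->", problems or "ok")
```

A front end that rejects every request with a non-empty result never forwards a message whose length two hops could read differently.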

Updated packages for Ubuntu 4.10 (Warty Warthog):


Updated packages for Ubuntu 5.04 (Hoary Hedgehog):



Ubuntu Security Notice USN-176-1 September 07, 2005
kdebase vulnerability
CAN-2005-2494

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

kdebase-bin

The problem can be corrected by upgrading the affected package to version 4:3.4.0-0ubuntu18.1. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Ilja van Sprundel discovered a flaw in the lock file handling of kcheckpass. A local attacker could exploit this to execute arbitrary code with root privileges.

    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/libkonq4_3.4.0-0ubuntu18.1_i386.deb
      Size/MD5: 248620 98417644f71673543c811d88ad0788a1

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kappfinder_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 244436 af64c35adf77542c865dd6abf31fb90f
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kate_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 631810 b0301b8f7e21534c137bba669cd9a7f2
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kcontrol_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 7804952 06f0fb4e4808c64983d642c046fa4061
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kdebase-bin_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 1079800 3e543998c714a4d051de93f9faf4eb36
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kdebase-dev_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 60946 696585e41ac93cf47764f3b238c61f42
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kdebase-kio-plugins_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 799872 f22ae65da25b42068c83e14e85060491
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kdepasswd_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 223102 c18044dc5efb93b4c3373f3eea2b60d4
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kdeprint_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 1098416 01e580d3040f9b8ec7b62ab680d351a2
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kdesktop_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 718630 5c555007dc2f98ee828b59cef2b60577
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kdm_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 653004 96b6f37ea5a827658eeb951621f1f579
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kfind_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 170902 a6ed6227ccc3cf259658b5da266744eb
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/khelpcenter_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 1771324 1c53b10d7006d24951a80453fb94f293
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kicker_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 1717592 2f35ec7c11c15081c1fc9ce1762da732
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/klipper_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 231854 7e638541d6544f57f923f6ccc0f80897
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kmenuedit_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 200714 9c8dd3fa405e452074bea38f9b31c00a
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/konqueror-nsplugins_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 131298 78fae495e8309207e57f4f46306ecf0a
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/konqueror_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 2012516 fb153ce573d97b857a08dc58fa7e9c59
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/konsole_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 564162 8e5de803fe86874cc33d212baae87179
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kpager_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 96374 aa97874b91518d8d66308a50b3dc201c
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kpersonalizer_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 467124 68c31feb7dd8a26de7bb075b9a0d1b0c
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/ksmserver_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 139774 489baff2db71e52ceb1ed5e827802530
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/ksplash_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 805526 e012ddec4b5f914f58c2f9f031de34e4
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/ksysguard_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 446210 6f04d174490eb50b51d8352467596496
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/ksysguardd_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 56470 cc93080f937f6151a9c801f3a1244446
    http://security.ubuntu.com/ubuntu/pool/universe/k/kdebase/ktip_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 81600 d8dd62440835ce0e6e0383d61748e289
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/kwin_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 970236 d9dfc1fa308154205287135a05a488e1
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/libkonq4-dev_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 48520 2d30de2144632620bfa64071e33d3632
    http://security.ubuntu.com/ubuntu/pool/main/k/kdebase/libkonq4_3.4.0-0ubuntu18.1_powerpc.deb
      Size/MD5: 244346 5d20d126639357d0008a9d08165d056b


Ubuntu Security Notice USN-177-1 September 07, 2005
apache2, libapache-mod-ssl vulnerabilities
CAN-2005-2700, CAN-2005-2728

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

apache2-mpm-perchild
apache2-mpm-prefork
apache2-mpm-threadpool
apache2-mpm-worker
libapache-mod-ssl

The problem can be corrected by upgrading the affected package to version 2.0.50-12ubuntu4.8 (for Ubuntu 4.10), or 2.0.53-5ubuntu5.3 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Apache did not honour the "SSLVerifyClient require" directive within a <Location> block if the surrounding <VirtualHost> block contained a directive "SSLVerifyClient optional". This allowed clients to bypass client certificate validation on servers with the above configuration. (CAN-2005-2700)

Filip Sneppe discovered a Denial of Service vulnerability in the byte range filter handler. By requesting certain large byte ranges, a remote attacker could cause memory exhaustion in the server. (CAN-2005-2728)

The updated libapache-mod-ssl also fixes two older Denial of Service vulnerabilities: A format string error in the ssl_log() function which could be exploited to crash the server (CAN-2004-0700), and a flaw in the SSL cipher negotiation which could be exploited to terminate a session (CAN-2004-0885). Please note that Apache 1.3 and libapache-mod-ssl are not officially supported (they are in the "universe" component of the Ubuntu archive).
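The configuration layout described under CAN-2005-2700 can be checked for mechanically before and after upgrading. The following is an added example, not part of the Ubuntu notice or of Apache: it scans one configuration file for a `<Location>` that sets `SSLVerifyClient require` inside a `<VirtualHost>` that itself sets `SSLVerifyClient optional`. The sample configuration and host names are constructed, and the function name `find_affected_locations` is an assumption of this example; `Include` directives are not followed.

```python
import re

# Constructed sample configuration (not from the advisory) showing the affected
# layout: "optional" at VirtualHost level, "require" inside a <Location>.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName intranet.example.test
    SSLEngine on
    SSLVerifyClient optional
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>

<VirtualHost *:8443>
    ServerName api.example.test
    SSLVerifyClient none
    <Location /private>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

OPEN_RE = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")
CLOSE_RE = re.compile(r"^</\s*(\w+)\s*>$")
VERIFY_RE = re.compile(r"^SSLVerifyClient\s+(\S+)", re.IGNORECASE)


def find_affected_locations(conf_text):
    """Return (virtualhost_arg, location_arg, line_no) for every <Location>
    that sets 'SSLVerifyClient require' inside a <VirtualHost> whose own
    level sets 'SSLVerifyClient optional'."""
    stack = []          # currently open sections as (lowercased name, argument)
    vhost_mode = None   # SSLVerifyClient value set directly in the current vhost
    pending = []        # (location_arg, line_no) with "require" in this vhost
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE_RE.match(line)
        if m:
            name = m.group(1).lower()
            if stack and stack[-1][0] == name:
                _, arg = stack.pop()
                if name == "virtualhost":
                    # Decide at close: the vhost-level directive may appear
                    # after the <Location> block in the file.
                    if vhost_mode == "optional":
                        findings += [(arg, loc, n) for loc, n in pending]
                    vhost_mode, pending = None, []
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip('"')))
            continue
        m = VERIFY_RE.match(line)
        if m and stack:
            value = m.group(1).lower()
            names = [s[0] for s in stack]
            if names == ["virtualhost"]:
                vhost_mode = value
            elif (names[0] == "virtualhost" and names[-1] == "location"
                  and value == "require"):
                pending.append((stack[-1][1], line_no))
    return findings
```

Any entry returned marks a location that relied on the behaviour this update corrects, so those hosts are the ones to upgrade and re-test first.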

Updated packages for Ubuntu 4.10 (Warty Warthog):


Updated packages for Ubuntu 5.04 (Hoary Hedgehog):



