apache2, apr vulnerabilities

24 May 2011

apache2, apr vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 11.04
• Ubuntu 10.10
• Ubuntu 10.04 LTS
• Ubuntu 8.04 LTS
• Ubuntu 6.06 LTS

Summary

A denial of service issue exists that affects the Apache web server.

Software Description

• apr - The Apache Portable Runtime Library
• apache2 - a scalable, extensible web server

Details

Maksymilian Arciemowicz reported that a flaw in the fnmatch() implementation in the Apache Portable Runtime (APR) library could allow an attacker to cause a denial of service. This can be demonstrated in a remote denial of service attack against mod_autoindex in the Apache web server. (CVE-2011-0419)

Is was discovered that the fix for CVE-2011-0419 introduced a different flaw in the fnmatch() implementation that could also result in a denial of service. (CVE-2011-1928)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 11.04

libapr1 - 1.4.2-7ubuntu2.1

Ubuntu 10.10

libapr1 - 1.4.2-3ubuntu1.1

Ubuntu 10.04 LTS

libapr1 - 1.3.8-1ubuntu0.3

Ubuntu 8.04 LTS

libapr1 - 1.2.11-1ubuntu0.2

Ubuntu 6.06 LTS

libapr0 - 2.0.55-4ubuntu2.13

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart the Apache web server or any other service that depends on the APR library to make all the necessary changes.

References

• CVE-2011-0419
• CVE-2011-1928