=====================================================================
CERT-Renater Information Note No. 2006/VULN481
_____________________________________________________________________

DATE                 : 05/09/2006
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache.
======================================================================

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1167-1                     security@debian.org
http://www.debian.org/security/                                  Steve Kemp
September 4th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : apache
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-3918 CVE-2005-3352
Debian Bug     : 381381 343466

Several remote vulnerabilities have been discovered in Apache, the
world's most popular webserver, which may lead to the execution of
arbitrary web script.  The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2005-3352

    A cross-site scripting (XSS) flaw exists in the mod_imap component
    of the Apache server.

CVE-2006-3918

    Apache does not sanitize the Expect header from an HTTP request
    when it is reflected back in an error message, which might allow
    cross-site scripting (XSS) style attacks.

For the stable distribution (sarge) these problems have been fixed in
version 1.3.33-6sarge3.

For the unstable distribution (sid) these problems have been fixed in
version 1.3.34-3.

We recommend that you upgrade your apache package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives, architecture-independent components and binary
packages for all supported architectures (with their sizes and MD5
checksums) are published under:

  http://security.debian.org/pool/updates/main/a/apache/

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================
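Added example, not code from the advisory or from Apache: a simplified stand-in for a 417 Expectation Failed page that reflects the Expect header, showing the unescaped reflection pattern CVE-2006-3918 describes beside the escaped form, plus an allow-list check for the header value. The page template, the function names and the probe value are constructed for illustration.

```python
import html
import re

# RFC 2616 "token" characters: no CTLs and no separators (simplified,
# does not model the "=" parameter syntax of expectation extensions).
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed stand-in for a 417 error page; it is not Apache's own
# template, only the reflection pattern the advisory describes.
_TEMPLATE = (
    "<html><head><title>417 Expectation Failed</title></head><body>"
    "<h1>Expectation Failed</h1><p>The expectation given in the Expect "
    "request-header field could not be met by this server.</p>"
    "<p>The client sent<pre>Expect: {expect}</pre></p></body></html>"
)


def error_417_unsafe(expect_value: str) -> str:
    """Pre-fix pattern: the raw header value is interpolated into HTML."""
    return _TEMPLATE.format(expect=expect_value)


def error_417_safe(expect_value: str) -> str:
    """Hardened pattern: HTML-escape the value before reflecting it."""
    return _TEMPLATE.format(expect=html.escape(expect_value, quote=True))


def expect_is_valid(expect_value: str) -> bool:
    """Allow-list check: accept 100-continue or a bare extension token,
    so a value carrying markup is rejected before any page is built."""
    value = expect_value.strip()
    if value.lower() == "100-continue":
        return True
    return bool(_TOKEN_RE.match(value))


def reflects_unescaped(body: str, value: str) -> bool:
    """True if `value` needs HTML escaping and appears verbatim in `body`."""
    return html.escape(value, quote=True) != value and value in body


if __name__ == "__main__":
    marker = "<b>marker</b>"  # constructed, inert probe value
    print(reflects_unescaped(error_417_unsafe(marker), marker))  # True
    print(reflects_unescaped(error_417_safe(marker), marker))    # False
    print(expect_is_valid("100-continue"), expect_is_valid(marker))  # True False
```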