===================================================================== CERT-Renater Note d'Information No. 2006/VULN131 _____________________________________________________________________ DATE : 03/04/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running Apache2::Request. ====================================================================== - -------------------------------------------------------------------------- Debian Security Advisory DSA 1000-2 security@debian.org http://www.debian.org/security/ Martin Schulze April 3rd, 2006 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : libapreq2-perl Vulnerability : design error Problem type : remote Debian-specific: no CVE ID : CVE-2006-0042 BugTraq ID : 16710 Debian Bug : 354060 358689 Gunnar Wolf noticed that the correction for the following problem was not complete and requires an update. For completeness we're providing the original problem description: An algorithm weakness has been discovered in Apache2::Request, the generic request library for Apache2 which can be exploited remotely and cause a denial of service via CPU consumption. The old stable distribution (woody) does not contain this package. For the stable distribution (sarge) this problem has been fixed in version 2.04-dev-1sarge2. For the unstable distribution (sid) this problem has been fixed in version 2.07-1. We recommend that you upgrade your libapreq2, libapache2-mod-apreq2 and libapache2-request-perl packages. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapreq2-perl_2.04-dev-1sarge2.dsc Size/MD5 checksum: 840 d921e859c2f3fcaee6ff743e3be04f14 http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapreq2-perl_2.04-dev-1sarge2.diff.gz Size/MD5 checksum: 21397 ca778b4a0db433123c90eed21f9db6ec http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapreq2-perl_2.04-dev.orig.tar.gz Size/MD5 checksum: 592748 1f5dd762c877b716f3774d502f575196 Alpha architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_alpha.deb Size/MD5 checksum: 237982 a41165a7dedd6214d2be3336010c2c81 AMD64 architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_amd64.deb Size/MD5 checksum: 219068 f3c7668fad70feee6f1a45bbe86918ec ARM architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_arm.deb Size/MD5 checksum: 214954 9bdf3e1f3c88b7ae62789181e6b765ad Intel IA-32 architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_i386.deb Size/MD5 checksum: 215940 5af4bba9feece136ac1d14b7cac75036 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_ia64.deb Size/MD5 checksum: 259660 2af6ef8ce8eed5af6685020345c9b733 HP Precision architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_hppa.deb Size/MD5 checksum: 234884 3cfef4e73e4e2142800aaec7284b809a Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_m68k.deb Size/MD5 checksum: 205078 f94764785df55aec13426bed78b40a21 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_mips.deb Size/MD5 checksum: 215416 3f103828272d4dd87a011939a6bbca14 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_mipsel.deb Size/MD5 checksum: 215652 304e2cdc70aed7005ff89495e23e3ad9 PowerPC architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_powerpc.deb Size/MD5 checksum: 227406 fc01e8ac8b2ec606d6fd0da416d6872f IBM S/390 architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_s390.deb Size/MD5 checksum: 220860 896222b3361c62b5f216dec66516fca1 Sun Sparc architecture: http://security.debian.org/pool/updates/main/liba/libapreq2-perl/libapache2-request-perl_2.04-dev-1sarge2_sparc.deb Size/MD5 checksum: 215140 4bc8e83c1a331859fe757e8f3581612c These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================