Ubuntu 4.10 / 5.04 / 5.10 : apache2, apache vulnerabilities (USN-241-1)

Ubuntu Security Notice (C) 2006-2013 Canonical, Inc. / NASL script (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

The 'mod_imap' module (which provides support for image maps) did not
properly escape the 'Referer' URL, which made it vulnerable to a
cross-site scripting attack. A malicious web page (or HTML email)
could trick a user into visiting a site running the vulnerable
mod_imap, and employ cross-site scripting techniques to gather
sensitive user information from that site. (CVE-2005-3352)

Hartmut Keil discovered a Denial of Service vulnerability in the SSL
module ('mod_ssl') that affects SSL-enabled virtual hosts with a
customized error page for error 400. By sending a specially crafted
request to the server, a remote attacker could crash the server. This
only affects Apache 2, and only if the 'worker' implementation
(apache2-mpm-worker) is used. (CVE-2005-3357)
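
To see which virtual hosts meet the CVE-2005-3357 conditions described above (SSL enabled and a customized error 400 page), the following added example, which is not part of the notice or the Nessus plugin, scans Apache configuration text for such blocks. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the notice): list <VirtualHost> blocks that have both
# "SSLEngine on" and "ErrorDocument 400", the CVE-2005-3357 conditions above.

find_exposed_vhosts() {
    # Reads Apache configuration text on stdin; prints the address of each match.
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^#/ { next }                       # skip commented-out directives
        low ~ /^<virtualhost[ \t>]/ {
            in_vh = 1; ssl = 0; err400 = 0
            name = line; gsub(/[<>]/, "", name); sub(/^[^ \t]+[ \t]+/, "", name)
            next
        }
        low ~ /^<\/virtualhost>/ {
            if (in_vh && ssl && err400) print name
            in_vh = 0
            next
        }
        in_vh && low ~ /^sslengine[ \t]+on([ \t]|$)/ { ssl = 1 }
        in_vh && low ~ /^errordocument[ \t]+400([ \t]|$)/ { err400 = 1 }
    '
}

sample_config() {
    # Constructed sample configuration, not taken from a real host.
    cat <<'EOF'
<VirtualHost *:80>
    ErrorDocument 400 /errors/400.html
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    ErrorDocument 400 /errors/400.html
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    # ErrorDocument 400 /errors/400.html
</VirtualHost>
EOF
}

sample_config | find_exposed_vhosts   # prints: *:443
```

This is a heuristic: it does not follow Include directives or detect an ErrorDocument or SSLEngine setting inherited from the server-wide configuration. Per the notice, a match matters only on hosts where apache2-mpm-worker is in use and the packages have not been updated.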

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.4
(CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C)

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 20788

Bugtraq ID:

CVE ID: CVE-2005-3352, CVE-2005-3357