[Full-disclosure] [USN-173-2] PCRE vulnerability

From: Martin Pitt (martin.pitt_at_canonical.com)
Date: 08/24/05

    Date: Wed, 24 Aug 2005 17:26:19 +0200
    To: ubuntu-security-announce@lists.ubuntu.com

    ===========================================================
    Ubuntu Security Notice USN-173-2 August 24, 2005
    pcre3, apache2 vulnerabilities
    CAN-2005-2491
    ===========================================================

    A security issue affects the following Ubuntu releases:

    Ubuntu 4.10 (Warty Warthog)
    Ubuntu 5.04 (Hoary Hedgehog)

    The following packages are affected:

    apache2
    apache2-mpm-perchild
    apache2-mpm-prefork
    apache2-mpm-threadpool
    apache2-mpm-worker
    libpcre3

    The problem can be corrected by upgrading the affected package to
    version 2.0.50-12ubuntu4.4 (apache2 for Ubuntu 4.10),
    4.5-1.1ubuntu0.4.10.1 (libpcre3 for Ubuntu 4.10), or
    4.5-1.1ubuntu0.5.04.1 (libpcre3 for Ubuntu 5.04).

    A standard system upgrade is NOT SUFFICIENT to effect the necessary
    changes! If you can afford to reboot your machine, this is the easiest
    way to ensure that all services using this library are restarted
    correctly. If not, please manually restart all server processes (exim,
    PHP, etc.). It is advised to also restart your desktop session.

    Details follow:

    USN-173-1 fixed a buffer overflow vulnerability in the PCRE library.
    However, it was determined that this did not suffice to prevent all
    possible overflows, so another update is necessary.

    In addition, it was found that the Ubuntu 4.10 version of Apache 2
    contains a static copy of the library code, so this package needs to
    be updated as well. In Ubuntu 5.04, Apache 2 uses the external library
    from the libpcre3 package.
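
The restart advice above can be verified after the upgrade: this added example (not part of the original notice) reads `/proc/PID/maps` and lists processes that still map an unlinked copy of the library. The function names and the sample tree are constructed for illustration; the check cannot see the statically embedded copy in the Ubuntu 4.10 apache2 package, which has to be upgraded and restarted regardless.

```shell
#!/bin/sh
# Added example (not part of the advisory): after upgrading libpcre3, list
# processes that still map the old, now-unlinked library file.

# stale_lib_pids [LIB_SUBSTRING] [PROC_ROOT]  ->  prints "PID NAME" per line
stale_lib_pids() {
    lib="${1:-libpcre}"
    root="${2:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # dpkg replaces the file on disk, so a process started before the
        # upgrade shows the old mapping as "<path> (deleted)".
        if awk -v lib="$lib" \
            'index($0, lib) && /\(deleted\)$/ { hit = 1; exit }
             END { exit !hit }' "$maps" 2>/dev/null; then
            dir="${maps%/maps}"
            name="$(awk '/^Name:/ { print $2; exit }' "$dir/status" 2>/dev/null)"
            printf '%s %s\n' "${dir##*/}" "${name:-?}"
        fi
    done
}

# Constructed sample /proc tree for an offline run (paths, PIDs and process
# names are made up for illustration).
make_sample_proc() {
    d="$(mktemp -d)"
    mkdir -p "$d/1200" "$d/1301"
    printf 'Name:\texim4\n' > "$d/1200/status"
    printf '%s\n' 'b7e10000-b7e1c000 r-xp 00000000 03:01 4711 /usr/lib/libpcre.so.3 (deleted)' > "$d/1200/maps"
    printf 'Name:\tsshd\n' > "$d/1301/status"
    printf '%s\n' 'b7d00000-b7d0c000 r-xp 00000000 03:01 4712 /usr/lib/libpcre.so.3' > "$d/1301/maps"
    echo "$d"
}

# Scan the live system (run as root to see every process).
stale_lib_pids "${1:-libpcre}" "${2:-/proc}"
```

Every PID it prints belongs to a process started before the upgrade and still running the old code; an empty result means no running process maps a replaced copy of the shared library.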

    Updated packages for Ubuntu 4.10 (Warty Warthog):

    Updated packages for Ubuntu 5.04 (Hoary Hedgehog):
