*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers 
(mdeslaur):

We're running Ubuntu 10.04.3 as a server for our monitoring system and
it's open to the outside so we can check the status from anywhere using
our mobile devices.  However, we are bringing our systems up to be PCI
Compliant and the server fails PCI Security tests every time due to
vulnerabilities in Apache versions 2.2.18 and below.  Currently, Lucid
Server only has Apache 2.2.14 in the repos.  Since Lucid is LTS, I would
expect at some point this would be updated to Apache 2.2.19 since it
contains the necessary security updates to bring Apache up to PCI
Standards.

Here's a copy of what was reported to us:

Description: vulnerable Apache version: 2.2.14
12.27.211.133 12.27.211.133
Aug 16 14:24:06 2011 new

Severity: Critical Problem CVE: CVE-2010-0425 CVE-2010-0434
CVE-2010-1452 CVE-2010-1623 CVE-2010-2068 CVE-2011-0419 CVE-2011-1928
10.010new11

Impact: A remote attacker could crash the web server or execute
arbitrary commands.

Background: Apache is a web server which runs on Unix, Linux, Mac OS and
Windows systems. Apache web servers support chunked encoding, which is
part of the HTTP protocol specification. Chunked encoding is used by a
web client to send data to the server in parts, or chunks. After a chunk
is received, the server indicates that it is ready to receive the next
chunk, until all of the data has been received.

Resolution: [http://httpd.apache.org/download.cgi] Upgrade Apache 1.x to version
1.3.41-dev or higher, 2.0.x to version 2.0.64-dev or higher when available, or
a version higher than 2.2.18.

Vulnerability Details: Service: http Received: Server: Apache/2.2.14 (Ubuntu)

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
PCI Security failure Apache 2.2.14
https://bugs.launchpad.net/bugs/827662
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
