ESB-2018.3635.2 - UPDATE [Ubuntu] libapache2-mod-perl2: Execute arbitrary code/commands - Existing account 2018-11-23


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.3635.2
                    USN-3825-1: mod_perl vulnerability
                             23 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libapache2-mod-perl2
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-2767  

Reference:         ESB-2018.2920
                   ESB-2018.2878
                   ESB-2018.2784

Original Bulletin: 
   https://usn.ubuntu.com/usn/usn-3825-1
   https://usn.ubuntu.com/usn/usn-3825-2

Comment: This bulletin contains two (2) Ubuntu security advisories.

Revision History:  November 23 2018: Added USN-3825-2 update
                   November 22 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-3825-1: mod_perl vulnerability

21 November 2018

libapache2-mod-perl2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 18.10
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 LTS
  o Ubuntu 14.04 LTS

Summary

mod_perl could be made to run programs contrary to expectations.

Software Description

  o libapache2-mod-perl2 - Integration of perl with the Apache2 web server

Details

Jan Ingvoldstad discovered that mod_perl incorrectly handled the configuration
options that disable its use by unprivileged users, contrary to the
documentation. A local attacker could possibly use this issue to execute
arbitrary Perl code.

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 18.10
    libapache2-mod-perl2 - 2.0.10-2ubuntu3.18.10.1
Ubuntu 18.04 LTS
    libapache2-mod-perl2 - 2.0.10-2ubuntu3.18.04.1
Ubuntu 16.04 LTS
    libapache2-mod-perl2 - 2.0.9-4ubuntu1.2
Ubuntu 14.04 LTS
    libapache2-mod-perl2 - 2.0.8+httpd24-r1449661-6ubuntu2.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

  o CVE-2011-2767

(C) 2017 Canonical Ltd. Ubuntu and Canonical are registered trademarks of
Canonical Ltd.

- -----------------------------------------------------------------------------

USN-3825-2: mod_perl vulnerability

22 November 2018

libapache2-mod-perl2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 12.04 ESM

Summary

mod_perl could be made to run programs contrary to expectations.

Software Description

  o libapache2-mod-perl2 - Integration of perl with the Apache2 web server

Details

USN-3825-1 fixed a vulnerability in mod_perl. This update provides the
corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Jan Ingvoldstad discovered that mod_perl incorrectly handled the configuration
options that disable its use by unprivileged users, contrary to the
documentation. A local attacker could possibly use this issue to execute
arbitrary Perl code.

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 12.04 ESM
    libapache2-mod-perl2 - 2.0.5-5ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

  o USN-3825-1
  o CVE-2011-2767

(C) 2017 Canonical Ltd. Ubuntu and Canonical are registered trademarks of
Canonical Ltd.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----