===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2018.3635.2
                     USN-3825-1: mod_perl vulnerability
                             23 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libapache2-mod-perl2
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-2767

Reference:         ESB-2018.2920
                   ESB-2018.2878
                   ESB-2018.2784

Original Bulletin:
   https://usn.ubuntu.com/usn/usn-3825-1
   https://usn.ubuntu.com/usn/usn-3825-2

Comment: This bulletin contains two (2) Ubuntu security advisories.

Revision History:  November 23 2018: Added USN-3825-2 update
                   November 22 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

USN-3825-1: mod_perl vulnerability

21 November 2018

libapache2-mod-perl2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 18.10
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 LTS
  o Ubuntu 14.04 LTS

Summary

mod_perl could be made to run programs contrary to expectations.

Software Description

  o libapache2-mod-perl2 - Integration of perl with the Apache2 web server

Details

Jan Ingvoldstad discovered that mod_perl incorrectly handled configuration
options to disable being used by unprivileged users, contrary to the
documentation. A local attacker could possibly use this issue to execute
arbitrary Perl code.

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 18.10
    libapache2-mod-perl2 - 2.0.10-2ubuntu3.18.10.1
Ubuntu 18.04 LTS
    libapache2-mod-perl2 - 2.0.10-2ubuntu3.18.04.1
Ubuntu 16.04 LTS
    libapache2-mod-perl2 - 2.0.9-4ubuntu1.2
Ubuntu 14.04 LTS
    libapache2-mod-perl2 - 2.0.8+httpd24-r1449661-6ubuntu2.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

  o CVE-2011-2767

(C) 2017 Canonical Ltd. Ubuntu and Canonical are registered trademarks of
Canonical Ltd.

-----------------------------------------------------------------------------

USN-3825-2: mod_perl vulnerability

22 November 2018

libapache2-mod-perl2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 12.04 ESM

Summary

mod_perl could be made to run programs contrary to expectations.

Software Description

  o libapache2-mod-perl2 - Integration of perl with the Apache2 web server

Details

USN-3825-1 fixed a vulnerability in mod_perl. This update provides the
corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Jan Ingvoldstad discovered that mod_perl incorrectly handled configuration
options to disable being used by unprivileged users, contrary to the
documentation. A local attacker could possibly use this issue to execute
arbitrary Perl code.

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 12.04 ESM
    libapache2-mod-perl2 - 2.0.5-5ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

  o USN-3825-1
  o CVE-2011-2767

(C) 2017 Canonical Ltd. Ubuntu and Canonical are registered trademarks of
Canonical Ltd.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================