This bug was fixed in the package apache2 - 2.2.16-1ubuntu3.5

---
apache2 (2.2.16-1ubuntu3.5) maverick-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length

This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.8

---
apache2 (2.2.14-5ubuntu8.8) lucid-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in

This bug was fixed in the package apache2 - 2.2.8-1ubuntu0.23

---
apache2 (2.2.8-1ubuntu0.23) hardy-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/220_CVE-2011-3607.dpatch: validate length in

This bug was fixed in the package apache2 - 2.2.17-1ubuntu1.5

---
apache2 (2.2.17-1ubuntu1.5) natty-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in

** Also affects: apache2 (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: apache2 (Ubuntu Precise)
Importance: Low
Assignee: Jamie Strandboge (jdstrand)
Status: Incomplete
** Also affects: apache2 (Ubuntu Oneiric)
Importance: Undecided
Status:
CVE-2011-3607 is fixed upstream in trunk, but not yet released:
http://svn.apache.org/viewvc?view=revision&revision=1198940
Another CVE-2011-4415 was assigned by MITRE to the resource consumption,
NULL-dereference issue.
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4415
Information Joe Orton:
We'd prefer to discuss the appropriate fix for this on the public
mailing list, so could you publish your advisory as soon as is
convenient. We'll follow up with public discussion and patches as
appropriate.
Please use the CVE name CVE-2011-3607 for this issue.
Very