Ubuntu – Does CVE-2012-0883 apply to Ubuntu

Apache2Security

Does the Apache vulnerability CVE-2012-0883 affect Ubuntu? Have tried searching for it at ubuntu.com but with no hits.

I note that Ubuntu releases an Ubuntu Security Notice (USN) when it issues an update for the vulnerability e.g. USN-1627-1 for CVE-2012-2687 and CVE-2012-4929. However I cannot find any corresponding USN for CVE-2012-0883 although I did find this:

http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-0883.html

And if Ubuntu is not affected by the vulnerability, what version of Apache contains the fix?

Best Answer

It's clearly written in the page you have linked:

Upstream:                               released (2.4.2)
Ubuntu 8.04 LTS (Hardy Heron):          not-affected
Ubuntu 10.04 LTS (Lucid Lynx):          not-affected
Ubuntu 11.04 (Natty Narwhal):           not-affected
Ubuntu 11.10 (Oneiric Ocelot):          not-affected
Ubuntu 12.04 LTS (Precise Pangolin):    not-affected

Also, in the same page, there's written:

jdstrand> Debian/Ubuntu packages contain 038_no_LD_LIBRARY_PATH (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=276670 for more information)

And if you look at the changelog included in the bug you can see:

apache2 (2.0.52-2) unstable; urgency=high
[...]
  * Move envvars to /etc/apache2/ and add patch 038_no_LD_LIBRARY_PATH to
    remove the extraneous LD_LIBRARY_PATH from envvars (closes: #276670)

This means that the bug has been fixed in Debian since version 2.0.52.

Last but not least, if you look at your /etc/apache2/envvars or /usr/share/apache2/build/envvars-std, you'll see that they don't contain any malicious LD_LIBRARY_PATH.

Related Solutions

Ubuntu – Does java security flaw affects ubuntu also

From here they said it was reported as CVE-2012-4681 for Oracle Java 7 Update 6, and possibly other versions ,

It seems that it has not been reported or accounted for Ubuntu yet but can be seen reported for Debian as here for packages openjdk-6 and openjdk-7 , so i guess it applies here too.

enter image description here

If i am guessing it right ,same version exists for Ubuntu here

enter image description here

So please disable it , to be assured for safer side .

Edit (1-9-2012) It is now addressed by Ubuntu Security team as can be seen here . Security update for the package will soon be provided ,i guess.

Icetea-Web package includes the Plugin , which seems to have not being affected as here.

enter image description here

You can click the Ubuntu link as above to see the packages in it .So i guess , you are safe to use it.

Ubuntu – Patch OpenSSL CVE-2014-0160 on ubuntu 12.04

Why don't you update? If Ubuntu says you need 5.12, and that heartbleed site says you're vulnerable, what's the problem?

I have the following installed, which was updated yesterday or today on my machine.

ii  openssl                                  1.0.1-4ubuntu5.12

Best Answer

Related Solutions

Ubuntu – Does java security flaw affects ubuntu also

Ubuntu – Patch OpenSSL CVE-2014-0160 on ubuntu 12.04

Related Question