Fedora Core 6 Update: httpd-2.2.4-2.1.fc6 Print E-mail
Posted by Benjamin D. Thomas   
The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service (CVE-2007-3304). This issue is not exploitable on Fedora if using the default SELinux targeted policy.
---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-615
2007-07-12
---------------------------------------------------------------------

Product     : Fedora Core 6
Name        : httpd
Version     : 2.2.4
Release     : 2.1.fc6
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

---------------------------------------------------------------------
Update Information:

The Apache HTTP Server did not verify that a process was an
Apache child process before sending it signals. A local
attacker with the ability to run scripts on the Apache HTTP
Server could manipulate the scoreboard and cause arbitrary
processes to be terminated which could lead to a denial of
service (CVE-2007-3304). This issue is not exploitable on
Fedora if using the default SELinux targeted policy.

A flaw was found in the Apache HTTP Server mod_status
module. On sites where the server-status page is publicly
accessible and ExtendedStatus is enabled this could lead to
a cross-site scripting attack. On Fedora the server-status
page is not enabled by default and it is best practice to
not make this publicly available. (CVE-2006-5752)
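The mod_status exposure described above can be checked in an httpd.conf before it is deployed. The following is an added example, not part of the Fedora update or of the Apache project: audit_server_status and EXPOSED_CONF are hypothetical names, and only the Apache 2.2 Order/Allow/Deny access syntax inside <Location> blocks is handled.

```python
def audit_server_status(conf: str) -> dict:
    """Report whether server-status is enabled, whether ExtendedStatus is On,
    and whether arbitrary clients can reach the page (2.2 Order/Allow/Deny)."""
    extended = enabled = public = False
    in_block = handler = allow_all = deny_all = False
    order = "deny,allow"                 # Apache 2.2 default when Order is absent
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd.conf comments start the line
            continue
        words = line.split()
        key, rest = words[0].lower(), [w.lower() for w in words[1:]]
        if key == "extendedstatus":
            extended = rest == ["on"]
        elif key == "<location":
            in_block, handler, allow_all, deny_all = True, False, False, False
            order = "deny,allow"
        elif key == "</location>" and in_block:
            in_block = False
            if handler:
                enabled = True
                if order == "deny,allow":
                    # Deny is evaluated first: only a 'Deny from all' that is
                    # not undone by 'Allow from all' keeps strangers out
                    public = public or allow_all or not deny_all
                else:                    # allow,deny or mutual-failure
                    public = public or (allow_all and not deny_all)
        elif in_block:
            if key == "sethandler" and rest == ["server-status"]:
                handler = True
            elif key == "order" and rest:
                order = rest[0]
            elif key == "allow" and rest == ["from", "all"]:
                allow_all = True
            elif key == "deny" and rest == ["from", "all"]:
                deny_all = True
    return {"enabled": enabled, "extended_status": extended, "public": public}

# Constructed sample: the shipped (commented-out) block made live and opened
# to everyone, i.e. the exposure the advisory says not to allow.
EXPOSED_CONF = """
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Allow from all
</Location>
"""
```

A result of enabled and public together with extended_status is the combination under which CVE-2006-5752 matters; the hardened form keeps Deny from all and allows only specific hosts.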

A bug was found in the Apache HTTP Server mod_cache module.
On sites where caching is enabled, a remote attacker could
send a carefully crafted request that would cause the Apache
child process handling that request to crash. This could
lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-1863)

A bug was found in the mod_mem_cache module. On sites where
caching is enabled using this module, an information leak
could occur which revealed portions of sensitive memory to
remote users. (CVE-2007-1862)
---------------------------------------------------------------------
* Tue Jun 26 2007 Joe Orton  2.2.4-2.1.fc6
- add security fixes for CVE-2006-5752, CVE-2007-1862, 
  CVE-2007-1863, CVE-2007-3304 (#244660)

---------------------------------------------------------------------
This update can be downloaded from:
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/


This update can be installed with the 'yum' update program.  Use 'yum update
package-name' at the command line.  For more information, refer to 'Managing
Software with yum,' available at http://fedora.redhat.com/docs/yum/.
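To confirm the update actually landed, compare the installed httpd version-release against the 2.2.4-2.1.fc6 shipped here. The following is an added example, not from the advisory or the rpm project: it reimplements rpm's segment-wise version comparison in Python (rpmvercmp, parse_evr, compare_evr and needs_update are hypothetical names) so the check can be run on the output of rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' httpd, which prints "(none)" for an unset epoch.

```python
import re

_NUM, _ALPHA = re.compile(r"\d+"), re.compile(r"[^\W\d_]+")

def rpmvercmp(a: str, b: str) -> int:
    """rpm-style segment comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum():   # separators only delimit
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pat = _NUM if numeric else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:
            return 1 if numeric else -1            # a numeric segment outranks letters
        sa, sb = ma.group(), mb.group()
        i, j = ma.end(), mb.end()
        if numeric:
            sa, sb = int(sa), int(sb)              # '01' == '1', '10' > '9'
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1                # leftover segments win

def parse_evr(evr: str):
    """Split '[epoch:]version-release'; rpm prints '(none)' when no epoch is set."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return ("0" if epoch in ("", "(none)") else epoch, version, release)

def compare_evr(installed: str, fixed: str) -> int:
    # epoch first, then version, then release, as rpm -U decides an upgrade
    for x, y in zip(parse_evr(installed), parse_evr(fixed)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0

FIXED_HTTPD = "2.2.4-2.1.fc6"   # the release this advisory ships

def needs_update(installed_evr: str, fixed_evr: str = FIXED_HTTPD) -> bool:
    return compare_evr(installed_evr, fixed_evr) < 0
```

The '~' and '^' rules of newer rpm releases are not implemented; they did not exist for the Fedora Core 6 packages this advisory covers.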
---------------------------------------------------------------------
