---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-615
2007-07-12
---------------------------------------------------------------------
Product     : Fedora Core 6
Name        : httpd
Version     : 2.2.4
Release     : 2.1.fc6
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

---------------------------------------------------------------------
Update Information:

The Apache HTTP Server did not verify that a process was an
Apache child process before sending it signals. A local
attacker with the ability to run scripts on the Apache HTTP
Server could manipulate the scoreboard and cause arbitrary
processes to be terminated, which could lead to a denial of
service (CVE-2007-3304). This issue is not exploitable on
Fedora if using the default SELinux targeted policy.

A flaw was found in the Apache HTTP Server mod_status
module. On sites where the server-status page is publicly
accessible and ExtendedStatus is enabled, this could lead to
a cross-site scripting attack. On Fedora the server-status
page is not enabled by default, and it is best practice to
not make it publicly available. (CVE-2006-5752)
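As an added illustration (not part of this advisory or of httpd's own code), a small audit that applies the mitigation advice above for CVE-2006-5752 to an httpd.conf: it flags a server-status handler that is reachable by anyone and rates it higher when ExtendedStatus is On. The access-control evaluation is a simplified model of Apache 2.2's Order/Allow/Deny semantics, and the configuration fragments are constructed samples.

```python
import re

# Constructed sample httpd.conf fragments (not taken from the advisory).
EXPOSED_CONF = """
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Allow from all
</Location>
"""
RESTRICTED_CONF = """
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.I | re.S)

def _has(directive_re, text):
    """True if a line in text starts with the given directive pattern."""
    return re.search(r"^\s*" + directive_re, text, re.I | re.M) is not None

def is_publicly_reachable(body):
    """Simplified Apache 2.2 mod_authz_host evaluation of one <Location> body."""
    if _has(r"Require\b", body):
        return False  # some authn/authz gate narrows access
    allow_all = _has(r"Allow\s+from\s+all\b", body)
    deny_all = _has(r"Deny\s+from\s+all\b", body)
    order = re.search(r"^\s*Order\s+(allow,deny|deny,allow)", body, re.I | re.M)
    if order and order.group(1).lower() == "allow,deny":
        return allow_all and not deny_all   # default deny; Deny wins on overlap
    return allow_all or not deny_all        # deny,allow (the default): Allow wins

def audit_mod_status(conf):
    """Return (location, severity) for every server-status handler reachable
    by anyone; severity is raised when ExtendedStatus is On, the condition the
    advisory names for the XSS. An empty list means nothing to report."""
    extended = _has(r"ExtendedStatus\s+On\b", conf)
    findings = []
    for m in LOCATION_RE.finditer(conf):
        path, body = m.group(1), m.group(2)
        if not _has(r"SetHandler\s+server-status\b", body):
            continue
        if is_publicly_reachable(body):
            findings.append((path, "high" if extended else "medium"))
    return findings
```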

A bug was found in the Apache HTTP Server mod_cache module.
On sites where caching is enabled, a remote attacker could
send a carefully crafted request that would cause the Apache
child process handling that request to crash. This could
lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-1863)

A bug was found in the mod_mem_cache module. On sites where
caching is enabled using this module, an information leak
could occur which revealed portions of sensitive memory to
remote users. (CVE-2007-1862)
---------------------------------------------------------------------
* Tue Jun 26 2007 Joe Orton  2.2.4-2.1.fc6
- add security fixes for CVE-2006-5752, CVE-2007-1862,
  CVE-2007-1863, CVE-2007-3304 (#244660)

---------------------------------------------------------------------
This update can be downloaded from:


This update can be installed with the 'yum' update program.  Use 'yum update
package-name' at the command line.  For more information, refer to 'Managing
Software with yum,' available at .
---------------------------------------------------------------------
_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-announce
