LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 7th, 2014
Linux Advisory Watch: April 4th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
RedHat: Moderate: httpd security update Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
RedHat Linux Updated httpd packages that fix two security issues are now available for Red Hat Application Stack. A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd security update
Advisory ID:       RHSA-2007:0911-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0911.html
Issue date:        2007-10-25
Updated on:        2007-10-25
Product:           Red Hat Application Stack
CVE Names:         CVE-2007-3847 CVE-2007-4465 
- ---------------------------------------------------------------------

1. Summary:

Updated httpd packages that fix two security issues are now available for
Red Hat Application Stack.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64
Red Hat Application Stack v2 for Enterprise Linux (v.5)  	 - i386, x86_64

3. Problem description:

The Apache HTTP Server is a popular and freely-available Web server.

A flaw was found in the Apache HTTP Server mod_proxy module. On sites where
a reverse proxy is configured, a remote attacker could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. On sites where a forward proxy is configured, an attacker
could cause a similar crash if a user could be persuaded to visit a
malicious site using the proxy. This could lead to a denial of service if
using a threaded Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_autoindex module.  On sites where directory
listings are used, and the AddDefaultCharset directive has been removed
from the configuration, a cross-site-scripting attack may be possible
against browsers which do not correctly derive the response character set
following the rules in RFC 2616. (CVE-2007-4465)

Users of httpd should upgrade to these updated packages which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

250731 - CVE-2007-3847 httpd out of bounds read
289511 - CVE-2007-4465 mod_autoindex XSS

6. RPMs required:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4):

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/httpd-2.0.59-1.el4s1.8.src.rpm
b22d942398339ba1cc053714f1245559  httpd-2.0.59-1.el4s1.8.src.rpm

i386:
23b907a015f7b4968a0f2ebe68ddb9bb  httpd-2.0.59-1.el4s1.8.i386.rpm
dfe9025cfcb1e3f5ee617481267281ac  httpd-debuginfo-2.0.59-1.el4s1.8.i386.rpm
d29093f7086e36831697065af1ace33b  httpd-devel-2.0.59-1.el4s1.8.i386.rpm
d7e801938aa2ade0ec8b6de4e38a4191  httpd-manual-2.0.59-1.el4s1.8.i386.rpm
2364d43a57752986156c38a2b2cf1a4d  mod_ssl-2.0.59-1.el4s1.8.i386.rpm

x86_64:
2692e4c6b432a195b05fabf7c479af69  httpd-2.0.59-1.el4s1.8.x86_64.rpm
2e57ee08b75d10fa8a560658b57504b5  httpd-debuginfo-2.0.59-1.el4s1.8.x86_64.rpm
8f71efc4adbb9d16a8d6575097d54ef1  httpd-devel-2.0.59-1.el4s1.8.x86_64.rpm
e5f1af974d7203f476c6592f02f9a640  httpd-manual-2.0.59-1.el4s1.8.x86_64.rpm
e99210762a5307b09fff744537ffe14d  mod_ssl-2.0.59-1.el4s1.8.x86_64.rpm

Red Hat Application Stack v1 for Enterprise Linux ES (v.4):

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/httpd-2.0.59-1.el4s1.8.src.rpm
b22d942398339ba1cc053714f1245559  httpd-2.0.59-1.el4s1.8.src.rpm

i386:
23b907a015f7b4968a0f2ebe68ddb9bb  httpd-2.0.59-1.el4s1.8.i386.rpm
dfe9025cfcb1e3f5ee617481267281ac  httpd-debuginfo-2.0.59-1.el4s1.8.i386.rpm
d29093f7086e36831697065af1ace33b  httpd-devel-2.0.59-1.el4s1.8.i386.rpm
d7e801938aa2ade0ec8b6de4e38a4191  httpd-manual-2.0.59-1.el4s1.8.i386.rpm
2364d43a57752986156c38a2b2cf1a4d  mod_ssl-2.0.59-1.el4s1.8.i386.rpm

x86_64:
2692e4c6b432a195b05fabf7c479af69  httpd-2.0.59-1.el4s1.8.x86_64.rpm
2e57ee08b75d10fa8a560658b57504b5  httpd-debuginfo-2.0.59-1.el4s1.8.x86_64.rpm
8f71efc4adbb9d16a8d6575097d54ef1  httpd-devel-2.0.59-1.el4s1.8.x86_64.rpm
e5f1af974d7203f476c6592f02f9a640  httpd-manual-2.0.59-1.el4s1.8.x86_64.rpm
e99210762a5307b09fff744537ffe14d  mod_ssl-2.0.59-1.el4s1.8.x86_64.rpm

Red Hat Application Stack v2 for Enterprise Linux (v.5)  	:

SRPMS:
ftp://updates.redhat.com/enterprise//en/RHWAS/SRPMS/httpd-2.2.4-7.el5s2.src.rpm
5b24a23198e69394837c1bffc9a092bd  httpd-2.2.4-7.el5s2.src.rpm

i386:
e24b96db9a4fa7e549685674cf7712fe  httpd-2.2.4-7.el5s2.i386.rpm
a865d1e5d2c8c3ddfc231559d1f29f59  httpd-debuginfo-2.2.4-7.el5s2.i386.rpm
5f28a8daf0d46d53f4d32fe9e4203da9  httpd-devel-2.2.4-7.el5s2.i386.rpm
5d5a7bb9acc85554a9fc43a3fe91a97d  httpd-manual-2.2.4-7.el5s2.i386.rpm
a90655c1d69d20a46b81f3ee491a6b36  mod_ssl-2.2.4-7.el5s2.i386.rpm

x86_64:
7702abea501f3817ebf45787656acfd9  httpd-2.2.4-7.el5s2.x86_64.rpm
a865d1e5d2c8c3ddfc231559d1f29f59  httpd-debuginfo-2.2.4-7.el5s2.i386.rpm
1947e49d5aa632c97b17c5ab7e7239b7  httpd-debuginfo-2.2.4-7.el5s2.x86_64.rpm
5f28a8daf0d46d53f4d32fe9e4203da9  httpd-devel-2.2.4-7.el5s2.i386.rpm
bb87b357ca2f0f85dfa2d10fafc80f24  httpd-devel-2.2.4-7.el5s2.x86_64.rpm
2f8bdb1f247c766e46070718e2332144  httpd-manual-2.2.4-7.el5s2.x86_64.rpm
3bde4cb28d3a52c34083fea4225870c1  mod_ssl-2.2.4-7.el5s2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Canadians arrest a Heartbleed hacker
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.