FSA/F7/FEDORA-2007-0704

[SECURITY] Fedora 7 Update: httpd-2.2.4-4.1.fc7
Fedora Update Notification FEDORA-2007-0704 2007-06-26 20:52:39.408741

Name        : httpd
Product     : Fedora 7
Version     : 2.2.4
Release     : 4.1.fc7
Summary     : Apache HTTP Server
Description : The Apache HTTP Server is a powerful, efficient, and extensible web server.

Update Information:

The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service (CVE-2007-3304). This issue is not exploitable on Fedora if using the default SELinux targeted policy.

A flaw was found in the Apache HTTP Server mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled, this could lead to a cross-site scripting attack. On Fedora the server-status page is not enabled by default, and it is best practice not to make it publicly available. (CVE-2006-5752)

A bug was found in the Apache HTTP Server mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-1863)

A bug was found in the mod_mem_cache module. On sites where caching is enabled using this module, an information leak could occur which revealed portions of sensitive memory to remote users. (CVE-2007-1862)

ChangeLog:

* Tue Jun 26 2007 Joe Orton  2.2.4-4.1.fc7
- add security fixes for CVE-2007-1863, CVE-2007-3304, and CVE-2006-5752 (#244665)
- add security fix for CVE-2007-1862 (#242606)

References:

[ 1 ] Bug #242606 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242606
[ 2 ] Bug #244659 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244659
[ 3 ] CVE-2007-1862 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862
[ 4 ] CVE-2007-1863 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863
[ 5 ] CVE-2007-3304 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304
[ 6 ] CVE-2006-5752 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752

Updated packages:

b5ea5f23cd6d2918b0640a07d95349c5a0c1145d httpd-debuginfo-2.2.4-4.1.fc7.ppc64.rpm
85d65c84ab7512ba7d41694fc2de3734c35b22d0 httpd-devel-2.2.4-4.1.fc7.ppc64.rpm
98dd80b9c08894bb427d3a78a726750d70dfacbd httpd-manual-2.2.4-4.1.fc7.ppc64.rpm
ebda12e8c08ff5fb589d05599d61810b908890a4 mod_ssl-2.2.4-4.1.fc7.ppc64.rpm
751306fa667a9466b7eb8180339840b4f9f8a1e3 httpd-2.2.4-4.1.fc7.ppc64.rpm
369fd68b17f304e0180dda689e26823c745123d0 httpd-devel-2.2.4-4.1.fc7.i386.rpm
c6f6ccf809fa1f135eeaa7b6a1add91ca09ededd mod_ssl-2.2.4-4.1.fc7.i386.rpm
152f01dd4c5d4e0c786b048885b37cb589cd4c54 httpd-debuginfo-2.2.4-4.1.fc7.i386.rpm
915bc527e8fa244cc1253570a5c891fb845cdcb5 httpd-manual-2.2.4-4.1.fc7.i386.rpm
cd09d3200019e439fb0208e4d843671017d6fef7 httpd-2.2.4-4.1.fc7.i386.rpm
23f04a00478cc10d515850febc3941cc687c6425 httpd-devel-2.2.4-4.1.fc7.x86_64.rpm
032e2a4fad00e50d922829a2873b6c54060cd828 httpd-2.2.4-4.1.fc7.x86_64.rpm
2a4f8bf0c96dbd3013ec441467feaee1f72a1abb mod_ssl-2.2.4-4.1.fc7.x86_64.rpm
3a6cfdf3219dd39dd06d5c08bdac1d3a518744f6 httpd-manual-2.2.4-4.1.fc7.x86_64.rpm
184dc0f75f0f582bc650a3c703db7a05a8a152c2 httpd-debuginfo-2.2.4-4.1.fc7.x86_64.rpm
9c0e6f11894fb914f82546acf4e139637d09095e httpd-debuginfo-2.2.4-4.1.fc7.ppc.rpm
7d5ada21848138891784ff48868750df6659ccca mod_ssl-2.2.4-4.1.fc7.ppc.rpm
94671fb37e82134c1558b3bc26d5a3c613f2d58c httpd-devel-2.2.4-4.1.fc7.ppc.rpm
fc4899c40cda8ae35d2520f2a9246fb2265d1b40 httpd-manual-2.2.4-4.1.fc7.ppc.rpm
fe1c96b1d5b2bcf63d0e41217c5d39425e730a14 httpd-2.2.4-4.1.fc7.ppc.rpm
3ce67329f8586a8c189bc2240ad7d087063e9ae8 httpd-2.2.4-4.1.fc7.src.rpm
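As an added example that is not part of this advisory or of the Fedora tooling, the POSIX sh script below checks RPMs you have downloaded by hand against the "<sha1> <filename>" list published above, so that a corrupted or substituted file is caught before it reaches rpm or yum. The i386 digests and filenames in the default manifest are copied from the advisory's list; the directory argument and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fedora advisory): verify downloaded RPMs
# against the "<sha1> <filename>" manifest an update notification publishes.

# Digest of one file, using whichever SHA-1 tool the host provides.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 1 "$1" | cut -d ' ' -f 1
    fi
}

# verify_rpms MANIFEST DIR
#   MANIFEST: text with one "<sha1> <filename>" pair per line.
#   DIR:      directory holding the downloaded .rpm files.
# Prints OK / MISMATCH / SKIP per manifest line. Returns 0 only if at least
# one listed file was present and every present file matched its digest.
# Files never downloaded (other architectures) are skipped, not failed.
verify_rpms() {
    manifest=$1
    dir=$2
    bad=0
    seen=0
    while read -r want name; do
        [ -n "$want" ] || continue        # ignore blank lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            printf 'SKIP     %s (not present)\n' "$name"
            continue
        fi
        seen=$((seen + 1))
        have=$(sha1_of "$path")
        if [ "$have" = "$want" ]; then
            printf 'OK       %s\n' "$name"
        else
            printf 'MISMATCH %s (expected %s, got %s)\n' "$name" "$want" "$have"
            bad=$((bad + 1))
        fi
    done <<EOF
$manifest
EOF
    if [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]; then
        return 0
    else
        return 1
    fi
}

# The i386 subset of the advisory's "Updated packages" list (copied verbatim).
ADVISORY_I386='369fd68b17f304e0180dda689e26823c745123d0 httpd-devel-2.2.4-4.1.fc7.i386.rpm
c6f6ccf809fa1f135eeaa7b6a1add91ca09ededd mod_ssl-2.2.4-4.1.fc7.i386.rpm
152f01dd4c5d4e0c786b048885b37cb589cd4c54 httpd-debuginfo-2.2.4-4.1.fc7.i386.rpm
915bc527e8fa244cc1253570a5c891fb845cdcb5 httpd-manual-2.2.4-4.1.fc7.i386.rpm
cd09d3200019e439fb0208e4d843671017d6fef7 httpd-2.2.4-4.1.fc7.i386.rpm'

# Usage (assumed script name): sh verify-rpms.sh /path/to/downloaded/rpms
if [ -n "$1" ]; then
    verify_rpms "$ADVISORY_I386" "$1"
fi
```

A matching digest only shows the file is the one the advisory describes; it does not establish who built it. Run `rpm -K` (`--checksig`) on the files as well so the Fedora GPG signature is checked, and let yum handle the normal case, since it verifies signatures for you.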

This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at http://docs.fedoraproject.org/yum/.