Fedora Legacy Test Update Notification: httpd
Marc Deslauriers
marcdeslauriers at videotron.ca
Tue Aug 2 23:34:44 UTC 2005
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-157701
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157701
2005-08-02
---------------------------------------------------------------------
Name : httpd
Versions : rh73: apache-1.3.27-8.legacy
Versions : rh9: httpd-2.0.40-21.18.legacy
Versions : fc1: httpd-2.0.51-1.7.legacy
Versions : fc2: httpd-2.0.51-2.9.2.legacy
Summary : The httpd Web server
Description :
This package contains a powerful, full-featured, efficient, and
freely-available Web server based on work done by the Apache Software
Foundation. It is also the most popular Web server on the Internet.
---------------------------------------------------------------------
Update Information:
Updated Apache httpd packages to correct security issues are now
available.
The Apache HTTP Server is a powerful, full-featured, efficient, and
freely-available Web server.
Watchfire reported a flaw that occured when using the Apache server as
an HTTP proxy. A remote attacker could send an HTTP request with both a
"Transfer-Encoding: chunked" header and a "Content-Length" header. This
caused Apache to incorrectly handle and forward the body of the request
in a way that the receiving server processes it as a separate HTTP
request. This could allow the bypass of Web application firewall
protection or lead to cross-site scripting (XSS) attacks. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CAN-2005-2088 to this issue.
A buffer overflow was discovered in htdigest that may allow an attacker
to execute arbitrary code. Since htdigest is usually only accessible
locally, the impact of this issue is low. The Common Vulnerabilities and
Exposures project (cve.mitre.org) assigned the name CAN-2005-1344 to
this issue.
Marc Stern reported an off-by-one overflow in the mod_ssl CRL
verification callback. In order to exploit this issue the Apache server
would need to be configured to use a malicious certificate revocation
list (CRL). The Common Vulnerabilities and Exposures project
(cve.mitre.org) assigned the name CAN-2005-1268 to this issue.
Users of Apache httpd should update to these errata packages that
contain backported patches to correct these issues.
---------------------------------------------------------------------
Changelogs
rh73:
* Mon Aug 01 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
1.3.27-8.legacy
- Added security patch for CAN-2005-2088
* Sun Jul 31 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
1.3.27-7.legacy
- Added security patch for CAN-2005-1344
rh9:
* Sun Jul 31 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.0.40-21.18.legacy
- Added security patches for CAN-2005-1268, CAN-2005-1344
and CAN-2005-2088
fc1:
* Sat Jul 30 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.0.51-1.7.legacy
- Added security patches for CAN-2005-1268, CAN-2005-1344
and CAN-2005-2088
fc2:
* Tue Aug 02 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.0.51-2.9.2.legacy
- added missing autoconf, libtool, zlib-devel, gdbm-devel BuildRequires
* Sat Jul 30 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.0.51-2.9.1.legacy
- Added security patches for CAN-2005-1268, CAN-2005-1344
and CAN-2005-2088
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)
rh73:
0e3755cab97683d75987658b7de6ffe9c80a8b62
redhat/7.3/updates-testing/i386/apache-1.3.27-8.legacy.i386.rpm
b9b201ebe088409ea9d8b0ea8437351744d8b03e
redhat/7.3/updates-testing/i386/apache-devel-1.3.27-8.legacy.i386.rpm
9222e0121f0b39d336d5465967cc5e218a5487de
redhat/7.3/updates-testing/i386/apache-manual-1.3.27-8.legacy.i386.rpm
3a6736e526c94f5e253860636a1986f8ca3cc972
redhat/7.3/updates-testing/SRPMS/apache-1.3.27-8.legacy.src.rpm
rh9:
cb1ae0ad7739bf0cd3eb7c56a8ba96a5bc7825e3
redhat/9/updates-testing/i386/httpd-2.0.40-21.18.legacy.i386.rpm
4468f5beed1cd89f0225bc8e253bfd4a73fb7732
redhat/9/updates-testing/i386/httpd-devel-2.0.40-21.18.legacy.i386.rpm
cf259929dd2acb5423f611dc5955e801f6bc85fe
redhat/9/updates-testing/i386/httpd-manual-2.0.40-21.18.legacy.i386.rpm
40ad84a4a01502aad2bccfbcd7fda81e8b24022b
redhat/9/updates-testing/SRPMS/httpd-2.0.40-21.18.legacy.src.rpm
f34762e151a8cbbe4dcf926c66dce6392dbac970
redhat/9/updates-testing/i386/mod_ssl-2.0.40-21.18.legacy.i386.rpm
fc1:
b19c5d34da8ef263e5b2f2dcfdd23b02a1a2dd36
fedora/1/updates-testing/i386/httpd-2.0.51-1.7.legacy.i386.rpm
3ca9ea9df6b5c4334909b8cbf63ea858385f81de
fedora/1/updates-testing/i386/httpd-devel-2.0.51-1.7.legacy.i386.rpm
d2a69419b943944e0d7557a500f86eb470d2c5e9
fedora/1/updates-testing/i386/httpd-manual-2.0.51-1.7.legacy.i386.rpm
3ff73a6a4607f5c7503ec36d9a3e901ab02131c2
fedora/1/updates-testing/SRPMS/httpd-2.0.51-1.7.legacy.src.rpm
2667ac96d7749d32255702430c0d04cf40620972
fedora/1/updates-testing/i386/mod_ssl-2.0.51-1.7.legacy.i386.rpm
fc2:
6cf82576642dbb991a3253f4c2ef4ca485d7eea4
fedora/2/updates-testing/i386/httpd-2.0.51-2.9.2.legacy.i386.rpm
e8ff1c406b0dd81c2e8f987df5b33dd6e56111e9
fedora/2/updates-testing/i386/httpd-devel-2.0.51-2.9.2.legacy.i386.rpm
d432195a04f5423c0ca82c4fb99eff2a4efa04ee
fedora/2/updates-testing/i386/httpd-manual-2.0.51-2.9.2.legacy.i386.rpm
a041a7db3f6840e490c418856f86448b52769364
fedora/2/updates-testing/SRPMS/httpd-2.0.51-2.9.2.legacy.src.rpm
a1d6ac70df1a9ac0eefa1d8c16078861cd61b282
fedora/2/updates-testing/i386/mod_ssl-2.0.51-2.9.2.legacy.i386.rpm
---------------------------------------------------------------------
Please test and comment in bugzilla.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-legacy-list/attachments/20050802/22b2a964/attachment.sig>
More information about the fedora-legacy-list
mailing list