Fedora Legacy Test Update Notification: httpd

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Feb 9 01:35:50 UTC 2006


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-175406
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175406
2006-02-08
---------------------------------------------------------------------

Name        : httpd
Versions    : rh73: apache-1.3.27-9.legacy
Versions    : rh9: httpd-2.0.40-21.21.legacy
Versions    : fc1: httpd-2.0.51-1.10.legacy
Versions    : fc2: httpd-2.0.51-2.9.5.legacy
Versions    : fc3: httpd-2.0.53-3.4.legacy
Summary     : The httpd Web server
Description :
This package contains a powerful, full-featured, efficient, and
freely-available Web server based on work done by the Apache Software
Foundation. It is also the most popular Web server on the Internet.

---------------------------------------------------------------------
Update Information:

Updated Apache httpd packages that correct three security issues are now
available.

The Apache HTTP Server is a popular and freely-available Web server.

A memory leak in the worker MPM could allow remote attackers to cause a
denial of service (memory consumption) via aborted connections, which
prevents the memory for the transaction pool from being reused for other
connections. The Common Vulnerabilities and Exposures project assigned
the name CVE-2005-2970 to this issue. This vulnerability only affects
users who are using the non-default worker MPM.

A flaw in mod_imap when using the Referer directive with image maps was
discovered. With certain site configurations, a remote attacker could
perform a cross-site scripting attack if a victim can be forced to visit
a malicious URL using certain web browsers. (CVE-2005-3352)

A NULL pointer dereference flaw in mod_ssl was discovered affecting
server configurations where an SSL virtual host is configured with
access control and a custom 400 error document. A remote attacker could
send a carefully crafted request to trigger this issue which would lead
to a crash. This crash would only be a denial of service if using the
non-default worker MPM. (CVE-2005-3357)

Users of httpd should update to these erratum packages which contain
backported patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Sun Jan 22 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
1.3.27-9.legacy
- mod_imap: add security fix for XSS issue (CVE-2005-3352)

rh9:
* Sun Jan 22 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.0.40-21.21.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
  and bug fixes for handling resource allocation failures (#171759)

fc1:
* Sun Jan 22 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.0.51-1.10.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
  and bug fixes for handling resource allocation failures (#171759)

fc2:
* Sun Jan 22 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.0.51-2.9.5.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
  and bug fixes for handling resource allocation failures (#171759)

fc3:
* Sun Jan 22 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
2.0.53-3.4.legacy
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
  and bug fixes for handling resource allocation failures (#171759)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

---------------------------------------------------------------------

Please test and comment in bugzilla.
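
The preconditions named under Update Information (worker MPM in use, Referer used with image maps, an SSL virtual host with access control and a custom 400 error document), checked against configuration text. This is an added example, not part of the original notification or of the Fedora Legacy packages. The HTTPD= line in /etc/sysconfig/httpd as the worker MPM selector, the set of directives counted as access control, and all function names and sample inputs are assumptions.

```python
import re

# Directives counted as "access control": an assumption, not a list from the advisory.
ACCESS_CONTROL = r"(?:Allow|Deny|Require|SSLRequire|SSLRequireSSL|SSLVerifyClient)\b"

def _active(text):
    # Stripped, non-blank, non-comment lines of a config or map file.
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]

def worker_mpm_selected(sysconfig):
    # Assumption: worker is chosen by an uncommented HTTPD= line in /etc/sysconfig/httpd.
    return any(re.match(r"HTTPD\s*=.*httpd\.worker\b", l) for l in _active(sysconfig))

def imap_referer_used(httpd_conf, map_files):
    # Heuristic: "referer" as the value of ImapBase/ImapDefault, or of any map-file directive.
    in_conf = any(re.match(r"Imap(Base|Default)\s+referer\b", l, re.I) for l in _active(httpd_conf))
    in_maps = any(re.match(r"\S+\s+referer\b", l, re.I)
                  for body in map_files.values() for l in _active(body))
    return in_conf or in_maps

def ssl_vhosts_at_risk(httpd_conf):
    """Names of SSL vhosts that combine access control with a custom 400 document."""
    text = "\n".join(_active(httpd_conf))
    hits = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", text, re.I | re.S):
        body = m.group(2)
        needed = (r"^SSLEngine\s+on\b", r"^ErrorDocument\s+400\b", r"^" + ACCESS_CONTROL)
        if all(re.search(p, body, re.I | re.M) for p in needed):
            hits.append(m.group(1).strip())
    return hits

def triage(httpd_conf, sysconfig, map_files):
    worker, vhosts = worker_mpm_selected(sysconfig), ssl_vhosts_at_risk(httpd_conf)
    return {"CVE-2005-2970": worker,
            "CVE-2005-3352": imap_referer_used(httpd_conf, map_files),
            # The advisory notes the mod_ssl crash is only a DoS under the worker MPM.
            "CVE-2005-3357": {"vhosts": vhosts, "dos": bool(vhosts) and worker}}

# Constructed sample inputs (not taken from any real host).
SAMPLE_CONF = """
ImapDefault referer
<VirtualHost _default_:443>
  SSLEngine on
  ErrorDocument 400 /errors/400.html
  SSLVerifyClient require
</VirtualHost>
"""
SAMPLE_SYSCONFIG = "#HTTPD=/usr/sbin/httpd.worker\n"

if __name__ == "__main__":
    print(triage(SAMPLE_CONF, SAMPLE_SYSCONFIG, {"nav.map": "default referer\n"}))
```

A positive result only means the configuration matches a stated precondition; the installed package version still decides whether the host is fixed.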