[SECURITY] Fedora 7 Update: httpd-2.2.4-4.1.fc7

updates at fedoraproject.org
Wed Jun 27 03:52:42 UTC 2007


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-0704
2007-06-26 20:52:39.408741
--------------------------------------------------------------------------------

Name        : httpd
Product     : Fedora 7
Version     : 2.2.4
Release     : 4.1.fc7
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

--------------------------------------------------------------------------------
Update Information:

The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service (CVE-2007-3304). This issue is not exploitable on Fedora if using the default SELinux targeted policy.

A flaw was found in the Apache HTTP Server mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled, this could lead to a cross-site scripting attack. On Fedora the server-status page is not enabled by default, and it is best practice to not make this publicly available. (CVE-2006-5752)
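
To check a configuration for the condition described above (server-status reachable by any host while ExtendedStatus is on), here is an added example that is not part of the original advisory and is not Fedora or Apache project code. It assumes Apache 2.2 Order/Allow/Deny syntax and a single file with plain <Location> blocks; the sample configs, paths and addresses are constructed, and authentication (Require) and Include files are not evaluated.

```python
# Constructed Apache 2.2 samples (assumed paths and addresses, not from the advisory).
EXPOSED = """ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>"""
RESTRICTED = """ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>"""

def directives(text):
    """Yield (name, args), lowercased and whitespace-normalised, per config line."""
    for raw in text.splitlines():
        words = raw.lower().split()
        if words and not words[0].startswith("#"):
            yield words[0], " ".join(words[1:])

def open_to_any_host(block):
    """2.2 Order/Allow/Deny result for a client matching no specific entry."""
    order, allow_all, deny_all = "deny,allow", False, False  # 2.2 default Order
    for name, args in block:
        if name == "order":
            order = args.replace(" ", "")
        elif name in ("allow", "deny") and args == "from all":
            allow_all, deny_all = allow_all or name == "allow", deny_all or name == "deny"
    if order == "deny,allow":            # default allow; Allow overrides Deny
        return allow_all or not deny_all
    return allow_all and not deny_all    # allow,deny / mutual-failure: default deny

def audit_status(conf):
    """Report whether the advisory's mod_status precondition holds for this config."""
    extended, path, block, public = False, None, [], []
    for name, args in directives(conf):
        if name == "extendedstatus":
            extended = args == "on"
        elif name == "<location":
            path, block = args.rstrip(">").strip(), []
        elif name == "</location>":
            if ("sethandler", "server-status") in block and open_to_any_host(block):
                public.append(path)
            path, block = None, []
        elif path is not None:
            block.append((name, args))
    return {"extended_status": extended, "public_status_paths": public,
            "exposed": extended and bool(public)}
```

A status block with no Order, Allow or Deny lines is reported as public, because the 2.2 default ordering grants access when nothing denies it.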

A bug was found in the Apache HTTP Server mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-1863)

A bug was found in the mod_mem_cache module.  On sites where caching is enabled using this module, an information leak could occur which revealed portions of sensitive memory to remote users.  (CVE-2007-1862)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jun 26 2007 Joe Orton <jorton at redhat.com> 2.2.4-4.1.fc7
- add security fixes for CVE-2007-1863, CVE-2007-3304,
  and CVE-2006-5752 (#244665)
- add security fix for CVE-2007-1862 (#242606)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #242606
        https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242606
  [ 2 ] Bug #244659
        https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244659
  [ 3 ] CVE-2007-1862
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862
  [ 4 ] CVE-2007-1863
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863
  [ 5 ] CVE-2007-3304
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304
  [ 6 ] CVE-2006-5752
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
--------------------------------------------------------------------------------
Updated packages:

This update can be installed with the 'yum' update program.  Use 'yum update
package-name' at the command line.  For more information, refer to 'Managing
Software with yum,' available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------



