[SECURITY] Fedora 7 Update: httpd-2.2.6-1.fc7

updates at fedoraproject.org
Wed Sep 19 02:53:28 UTC 2007


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-2214
2007-09-18 22:32:08
--------------------------------------------------------------------------------

Name        : httpd
Product     : Fedora 7
Version     : 2.2.6
Release     : 1.fc7
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

--------------------------------------------------------------------------------
Update Information:

This update includes the latest stable release of the Apache HTTP Server.

A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_autoindex module.  On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465)
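
To see which of the configuration preconditions described above apply to a host, the following added example (not part of the original advisory or the httpd package) scans httpd configuration text for them. The function names, the output labels and the sample configuration are constructed for illustration; the check does not follow Include directives or per-directory scoping.

```shell
#!/bin/sh
# Added example: report which of the advisory's configuration preconditions
# appear in httpd config files (given as arguments, or on stdin).
# Simplifications: explicit directives only, no Include following,
# no <Directory>/<VirtualHost> scoping, later "-Indexes" is not honoured.
audit_httpd_conf() {
    awk '
        /^[ \t]*#/ { next }                      # skip whole-line comments
        { d = tolower($1) }                      # directive names are case-insensitive
        # Reverse proxy: ProxyPass/ProxyPassMatch, except "!" exclusions
        (d == "proxypass" || d == "proxypassmatch") && $NF != "!" { reverse = 1 }
        # Forward proxy: ProxyRequests On
        d == "proxyrequests" && tolower($2) == "on" { forward = 1 }
        # Directory listings: Options Indexes, +Indexes or All
        d == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i); sub(/^\+/, "", o)
                if (o == "indexes" || o == "all") indexes = 1
            }
        }
        # "AddDefaultCharset Off" is treated the same as an absent directive
        d == "adddefaultcharset" { charset = (tolower($2) != "off") }
        END {
            if (reverse) print "CVE-2007-3847 reverse-proxy"
            if (forward) print "CVE-2007-3847 forward-proxy"
            if (indexes && !charset) print "CVE-2007-4465 autoindex-no-default-charset"
        }
    ' "$@"
}

# Constructed sample configuration (not taken from the advisory).
sample_findings() {
    audit_httpd_conf <<'EOF'
# AddDefaultCharset UTF-8
ProxyRequests Off
ProxyPass /app http://127.0.0.1:8080/app
<Directory "/var/www/html/pub">
    Options Indexes FollowSymLinks
</Directory>
EOF
}

sample_findings
```

On a real host, pass the configuration files as arguments to `audit_httpd_conf`; an empty result means none of the explicit preconditions were found in those files.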
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 18 2007 Joe Orton <jorton at redhat.com> 2.2.6-1.fc7
- update to 2.2.6
- require /etc/mime.types (#249223)
* Tue Jun 26 2007 Joe Orton <jorton at redhat.com> 2.2.4-4.1.fc7
- add security fixes for CVE-2007-1863, CVE-2007-3304,
  and CVE-2006-5752 (#244665)
- add security fix for CVE-2007-1862 (#242606)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #209605 - 500 Internal Server Error in cgi is sent with text/plain content-type (DefaultType) instead of text/html
        https://bugzilla.redhat.com/show_bug.cgi?id=209605
  [ 2 ] Bug #249223 - httpd install dependency missing (mailcap)
        https://bugzilla.redhat.com/show_bug.cgi?id=249223
  [ 3 ] Bug #250755 - CVE-2007-3847 httpd out of bounds read [F7]
        https://bugzilla.redhat.com/show_bug.cgi?id=250755
  [ 4 ] CVE-2007-3847
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847
  [ 5 ] CVE-2007-1862
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862
  [ 6 ] CVE-2007-4465
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
--------------------------------------------------------------------------------
Updated packages:


This update can be installed with the "yum" update program.  Use 
su -c 'yum update httpd' 
at the command line.  For more information, refer to "Managing Software
with yum", available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------