Fedora alert FEDORA-2007-2214 (httpd)
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2007-2214
2007-09-18 22:32:08
--------------------------------------------------------------------------------

Name        : httpd
Product     : Fedora 7
Version     : 2.2.6
Release     : 1.fc7
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible web server.

--------------------------------------------------------------------------------
Update Information:

This update includes the latest stable release of the Apache HTTP Server.

A flaw was found in the Apache HTTP Server mod_proxy module. On sites where a reverse proxy is configured, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. On sites where a forward proxy is configured, an attacker could cause a similar crash if a user could be persuaded to visit a malicious site using the proxy. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465)

--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 18 2007 Joe Orton <jorton@redhat.com> 2.2.6-1.fc7
- update to 2.2.6
- require /etc/mime.types (#249223)
* Tue Jun 26 2007 Joe Orton <jorton@redhat.com> 2.2.4-4.1.fc7
- add security fixes for CVE-2007-1863, CVE-2007-3304, and CVE-2006-5752 (#244665)
- add security fix for CVE-2007-1862 (#242606)

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #209605 - 500 Internal Server Error in cgi is sent with text/plain content-type (DefaultType) instead of text/html
        https://bugzilla.redhat.com/show_bug.cgi?id=209605
  [ 2 ] Bug #249223 - httpd install dependency missing (mailcap)
        https://bugzilla.redhat.com/show_bug.cgi?id=249223
  [ 3 ] Bug #250755 - CVE-2007-3847 httpd out of bounds read [F7]
        https://bugzilla.redhat.com/show_bug.cgi?id=250755
  [ 4 ] CVE-2007-3847
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-200...
  [ 5 ] CVE-2007-1862
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-200...
  [ 6 ] CVE-2007-4465
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-200...
--------------------------------------------------------------------------------
Updated packages:

This update can be installed with the "yum" update program. Use
su -c 'yum update httpd'
at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
--------------------------------------------------------------------------------
_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...
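
The advisory ties each flaw to a configuration condition: a reverse or forward proxy for CVE-2007-3847, and directory listings without AddDefaultCharset for CVE-2007-4465. The script below is an added example, not part of the Fedora notification: it audits a config tree for those conditions so hosts can be prioritised for the update. The function names, the `*.conf` file naming and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag the configuration conditions named in FEDORA-2007-2214.
# Assumption: config files end in .conf under the directory passed as $1.
# Limits: per-<Directory> scope, .htaccess and loaded modules are not modelled.

# Emit active directives: leading whitespace stripped, comments/blank lines dropped.
active_directives() {
    find "$1" -type f -name '*.conf' -exec cat {} + 2>/dev/null |
        sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d'
}

# Print a space-separated list of findings (empty when none apply).
audit_httpd_conf() {
    conf=$(active_directives "$1")
    findings=""
    # CVE-2007-3847 matters only where mod_proxy is actually configured.
    if printf '%s\n' "$conf" | grep -Eiq '^ProxyPass(Match)?[[:space:]]'; then
        findings="$findings reverse-proxy"
    fi
    if printf '%s\n' "$conf" | grep -Eiq '^ProxyRequests[[:space:]]+On'; then
        findings="$findings forward-proxy"
    fi
    # CVE-2007-4465: listings enabled (Indexes, or All which implies it) and
    # no effective AddDefaultCharset ("Off" is treated the same as removed).
    idx='^Options[[:space:]]+(.*[[:space:]])?[+]?(Indexes|All)([[:space:]]|$)'
    if printf '%s\n' "$conf" | grep -Eiq "$idx" &&
       ! printf '%s\n' "$conf" | grep -Ei '^AddDefaultCharset[[:space:]]' |
           grep -Eivq '[[:space:]]Off[[:space:]]*$'; then
        findings="$findings autoindex-no-charset"
    fi
    echo "${findings# }"
}

# Constructed sample config (not from the advisory), audited as a demo.
demo_dir=$(mktemp -d)
cat > "$demo_dir/site.conf" <<'EOF'
# AddDefaultCharset UTF-8
ProxyPass /app http://127.0.0.1:8080/
<Directory "/var/www/pub">
    Options +Indexes
</Directory>
EOF
audit_httpd_conf "$demo_dir"
rm -rf "$demo_dir"
```

A finding only means the precondition from the advisory is present in the config; whether the host is still affected depends on the installed httpd package version.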
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.