apache: multiple vulnerabilities [LWN.net]

Package(s):

apache

CVE #(s):

CVE-2007-3304 CVE-2006-5752

Created:

June 27, 2007

Updated:

February 18, 2008

Description:

The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:

Fedora	FEDORA-2008-1711	2008-02-15
SuSE	SUSE-SA:2007:061	2007-11-19
Fedora	FEDORA-2007-2214	2007-09-18
rPath	rPSA-2007-0182-1	2007-09-14
Ubuntu	USN-499-1	2007-08-16
Red Hat	RHSA-2007:0662-01	2007-07-13
Red Hat	RHSA-2007:0557-01	2007-07-13
Fedora	FEDORA-2007-615	2007-07-12
Mandriva	MDKSA-2007:142	2007-07-04
Mandriva	MDKSA-2007:141	2007-07-04
Mandriva	MDKSA-2007:140	2007-07-04
Fedora	FEDORA-2007-617	2007-07-02
rPath	rPSA-2007-0136-1	2007-06-27
Red Hat	RHSA-2007:0556-01	2007-06-26
Red Hat	RHSA-2007:0534-01	2007-06-26
Red Hat	RHSA-2007:0533-01	2007-06-27
Red Hat	RHSA-2007:0532-01	2007-06-26

(Log in to post comments)

Fixed in Debian 4.0r3

Posted Feb 21, 2008 22:26 UTC (Thu) by kmccarty (subscriber, #12085) [Link]

FYI, these were fixed in the latest Debian "Etch" release, 4.0r3, in apache version 1.3.34-4.1+etch1. For some reason it was not deemed necessary to issue a Debian Security Advisory, but people with the usual lines in their sources.list should get the update automatically on their next APT update and upgrade.