Fedora alert FEDORA-2008-1711 (httpd)
From: updates@fedoraproject.org
To: fedora-package-announce@redhat.com
Subject: [SECURITY] Fedora 7 Update: httpd-2.2.8-1.fc7
Date: Fri, 15 Feb 2008 19:08:32 -0700
Message-ID: <200802160208.m1G27pl9027710@bastion.fedora.phx.redhat.com>
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-1711
2008-02-15 21:17:28
--------------------------------------------------------------------------------

Name        : httpd
Product     : Fedora 7
Version     : 2.2.8
Release     : 1.fc7
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

--------------------------------------------------------------------------------
Update Information:

Notes: This update includes the latest release of httpd 2.2, which fixes a
number of minor security issues and other bugs.

A flaw was found in the mod_imagemap module. On sites where mod_imagemap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)

A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly accessible, a cross-site scripting
attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, a cross-site scripting attack against an
authorized user was possible. (CVE-2007-6421)

A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-6422)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was
enabled and a forward proxy was configured, a cross-site scripting attack was
possible against browsers which do not correctly derive the response character
set following the rules in RFC 2616. (CVE-2008-0005)

--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan 24 2008 Joe Orton <jorton@redhat.com> 2.2.8-1.fc7
- update to 2.2.8 (#427982)
* Tue Sep 18 2007 Joe Orton <jorton@redhat.com> 2.2.6-1.fc7
- update to 2.2.6
- require /etc/mime.types (#249223)
* Tue Jun 26 2007 Joe Orton <jorton@redhat.com> 2.2.4-4.1.fc7
- add security fixes for CVE-2007-1863, CVE-2007-3304, and CVE-2006-5752 (#244665)
- add security fix for CVE-2007-1862 (#242606)

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #427229 - CVE-2007-6421 httpd mod_proxy_balancer cross-site scripting
        https://bugzilla.redhat.com/show_bug.cgi?id=427229
  [ 2 ] Bug #427228 - CVE-2007-6388 apache mod_status cross-site scripting
        https://bugzilla.redhat.com/show_bug.cgi?id=427228
  [ 3 ] Bug #427230 - CVE-2007-6422 httpd mod_proxy_balancer crash
        https://bugzilla.redhat.com/show_bug.cgi?id=427230
  [ 4 ] Bug #427739 - CVE-2008-0005 mod_proxy_ftp XSS
        https://bugzilla.redhat.com/show_bug.cgi?id=427739
  [ 5 ] Bug #419931 - CVE-2007-5000 mod_imagemap XSS
        https://bugzilla.redhat.com/show_bug.cgi?id=419931

--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update httpd'
at the command line. For more information, refer to "Managing Software with
yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...
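The advisory ties each flaw to a module that must be enabled for a site to be exposed. The shell snippet below is an added example, not part of the Fedora notification: it checks whether an installed httpd build predates the fixed httpd-2.2.8-1.fc7 and lists which of the four affected modules a configuration loads. The function names, the simplified numeric version comparison (rpm's own comparison handles more cases), and the sample configuration are all constructed for this example.

```shell
#!/bin/sh
# Fixed build from the advisory: httpd-2.2.8-1.fc7
FIXED_VERSION="2.2.8"
FIXED_RELEASE="1"

# Compare two dotted numeric versions; prints -1, 0 or 1.
# Simplified stand-in for rpm's version comparison (assumption: numeric fields only).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when an NVR such as "httpd-2.2.6-1.fc7" is older than the fix.
httpd_needs_update() {
    rest="${1#httpd-}"                  # 2.2.6-1.fc7
    ver="${rest%%-*}"                   # 2.2.6
    rel="${rest#*-}"; rel="${rel%%.*}"  # 1 (numeric part of the release)
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        -1) return 0 ;;
         1) return 1 ;;
    esac
    [ "$rel" -lt "$FIXED_RELEASE" ]
}

# Read httpd configuration text on stdin; print each affected module that is
# actually loaded (commented-out LoadModule lines are ignored).
affected_modules_loaded() {
    grep -E '^[[:space:]]*LoadModule[[:space:]]+(imagemap|status|proxy_balancer|proxy_ftp)_module' \
        | awk '{print $2}' | sort -u
}

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF='LoadModule status_module modules/mod_status.so
#LoadModule imagemap_module modules/mod_imagemap.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so'

if httpd_needs_update "httpd-2.2.6-1.fc7"; then
    echo "httpd-2.2.6-1.fc7 predates the fixed build; affected modules loaded:"
    printf '%s\n' "$SAMPLE_CONF" | affected_modules_loaded
fi
```

On a live Fedora 7 host the same functions would be fed `rpm -q httpd` and `/etc/httpd/conf/httpd.conf` instead of the constructed strings.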