[SECURITY] Fedora 7 Update: httpd-2.2.8-1.fc7

updates at fedoraproject.org
Sat Feb 16 02:08:32 UTC 2008


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-1711
2008-02-15 21:17:28
--------------------------------------------------------------------------------

Name        : httpd
Product     : Fedora 7
Version     : 2.2.8
Release     : 1.fc7
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

--------------------------------------------------------------------------------
Update Information:

Notes: This update includes the latest release of httpd 2.2, which fixes a
number of minor security issues and other bugs.

A flaw was found in the mod_imagemap module. On sites where mod_imagemap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)

A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly accessible, a cross-site scripting
attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, a cross-site scripting attack against an
authorized user was possible. (CVE-2007-6421)

A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that request
to crash. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-6422)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was
enabled and a forward proxy was configured, a cross-site scripting attack was
possible against browsers which do not correctly derive the response character
set following the rules in RFC 2616. (CVE-2008-0005)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan 24 2008 Joe Orton <jorton at redhat.com> 2.2.8-1.fc7
- update to 2.2.8 (#427982)
* Tue Sep 18 2007 Joe Orton <jorton at redhat.com> 2.2.6-1.fc7
- update to 2.2.6
- require /etc/mime.types (#249223)
* Tue Jun 26 2007 Joe Orton <jorton at redhat.com> 2.2.4-4.1.fc7
- add security fixes for CVE-2007-1863, CVE-2007-3304,
  and CVE-2006-5752 (#244665)
- add security fix for CVE-2007-1862 (#242606)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #427229 - CVE-2007-6421 httpd mod_proxy_balancer cross-site scripting
        https://bugzilla.redhat.com/show_bug.cgi?id=427229
  [ 2 ] Bug #427228 - CVE-2007-6388 apache mod_status cross-site scripting
        https://bugzilla.redhat.com/show_bug.cgi?id=427228
  [ 3 ] Bug #427230 - CVE-2007-6422 httpd mod_proxy_balancer crash
        https://bugzilla.redhat.com/show_bug.cgi?id=427230
  [ 4 ] Bug #427739 - CVE-2008-0005 mod_proxy_ftp XSS
        https://bugzilla.redhat.com/show_bug.cgi?id=427739
  [ 5 ] Bug #419931 - CVE-2007-5000 mod_imagemap XSS
        https://bugzilla.redhat.com/show_bug.cgi?id=419931
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update httpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
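
Added example (not part of the Fedora advisory or of httpd): a triage script
that maps the preconditions stated in the update notes onto a host's package
version and httpd configuration. Assumptions: modules are loaded with LoadModule
in the text passed in (Include files and statically built modules are not
followed), the directive patterns are this example's reading of each condition,
and the version test is valid only for this Fedora 7 package line.

```python
import re
FIXED = (2, 2, 8)  # httpd version shipped by this update

# module identifier -> (CVEs, directive that must also be active, or None).
# Conditions follow the advisory text; the regexes are this example's assumption.
RULES = {
    "imagemap_module": (["CVE-2007-5000"], None),
    "status_module": (["CVE-2007-6388"], r"SetHandler\s+server-status"),
    "proxy_balancer_module": (["CVE-2007-6421", "CVE-2007-6422"], None),
    "proxy_ftp_module": (["CVE-2008-0005"], r"ProxyRequests\s+On"),
}

def parse_version(pkg_version):
    """'2.2.6-1.fc7' -> (2, 2, 6); the RPM release suffix is ignored."""
    return tuple(int(p) for p in pkg_version.split("-")[0].split("."))

def active_lines(conf_text):
    """Config lines with comments and blank lines dropped."""
    lines = (ln.strip() for ln in conf_text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def exposed_cves(pkg_version, conf_text):
    """CVEs from the advisory whose stated preconditions hold for this host."""
    if parse_version(pkg_version) >= FIXED:
        return []
    lines = active_lines(conf_text)
    loaded = {m.group(1) for ln in lines
              if (m := re.match(r"LoadModule\s+(\S+)", ln, re.I))}
    found = []
    for module, (cves, needs) in RULES.items():
        if module not in loaded:
            continue
        if needs and not any(re.match(needs, ln, re.I) for ln in lines):
            continue  # module loaded, but the extra condition is not met
        found.extend(cves)
    return sorted(found)

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """
LoadModule status_module modules/mod_status.so
#LoadModule imagemap_module modules/mod_imagemap.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
ProxyRequests Off
<Location /server-status>
    SetHandler server-status
</Location>
"""
print(exposed_cves("2.2.6-1.fc7", SAMPLE_CONF))
```

Whether the status pages or an imagemap file are publicly reachable depends on
access control and content the script does not inspect, so those results still
need a manual check.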



