[SECURITY] Fedora 7 Update: httpd-2.2.8-1.fc7
updates at fedoraproject.org
updates at fedoraproject.org
Sat Feb 16 02:08:32 UTC 2008
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-1711
2008-02-15 21:17:28
--------------------------------------------------------------------------------
Name : httpd
Product : Fedora 7
Version : 2.2.8
Release : 1.fc7
URL : http://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
--------------------------------------------------------------------------------
Update Information:
Notes: This update includes the latest release of httpd 2.2, which fixes a
number of minor security issues and other bugs. A flaw was found in the
mod_imagemap module. On sites where mod_imagemap was enabled and an imagemap
file was publicly available, a cross-site scripting attack was possible.
(CVE-2007-5000) A flaw was found in the mod_status module. On sites where
mod_status was enabled and the status pages were publicly accessible, a cross-
site scripting attack was possible. (CVE-2007-6388) A flaw was found in the
mod_proxy_balancer module. On sites where mod_proxy_balancer was enabled, a
cross-site scripting attack against an authorized user was possible.
(CVE-2007-6421) A flaw was found in the mod_proxy_balancer module. On sites
where mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that request
to crash. This could lead to a denial of service if using a threaded Multi-
Processing Module. (CVE-2007-6422) A flaw was found in the mod_proxy_ftp
module. On sites where mod_proxy_ftp was enabled and a forward proxy was
configured, a cross-site scripting attack was possible against browsers which
do not correctly derive the response character set following the rules in RFC
2616. (CVE-2008-0005)
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 24 2008 Joe Orton <jorton at redhat.com> 2.2.8-1.fc7
- update to 2.2.8 (#427982)
* Tue Sep 18 2007 Joe Orton <jorton at redhat.com> 2.2.6-1.fc7
- update to 2.2.6
- require /etc/mime.types (#249223)
* Tue Jun 26 2007 Joe Orton <jorton at redhat.com> 2.2.4-4.1.fc7
- add security fixes for CVE-2007-1863, CVE-2007-3304,
and CVE-2006-5752 (#244665)
- add security fix for CVE-2007-1862 (#242606)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #427229 - CVE-2007-6421 httpd mod_proxy_balancer cross-site scripting
https://bugzilla.redhat.com/show_bug.cgi?id=427229
[ 2 ] Bug #427228 - CVE-2007-6388 apache mod_status cross-site scripting
https://bugzilla.redhat.com/show_bug.cgi?id=427228
[ 3 ] Bug #427230 - CVE-2007-6422 httpd mod_proxy_balancer crash
https://bugzilla.redhat.com/show_bug.cgi?id=427230
[ 4 ] Bug #427739 - CVE-2008-0005 mod_proxy_ftp XSS
https://bugzilla.redhat.com/show_bug.cgi?id=427739
[ 5 ] Bug #419931 - CVE-2007-5000 mod_imagemap XSS
https://bugzilla.redhat.com/show_bug.cgi?id=419931
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update httpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the Fedora-package-announce
mailing list