[SECURITY] Fedora 8 Update: httpd-2.2.8-1.fc8
updates at fedoraproject.org
updates at fedoraproject.org
Sat Feb 16 02:11:16 UTC 2008
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-1695
2008-02-15 21:15:53
--------------------------------------------------------------------------------
Name : httpd
Product : Fedora 8
Version : 2.2.8
Release : 1.fc8
URL : http://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
--------------------------------------------------------------------------------
Update Information:
This update includes the latest release of httpd 2.2, which fixes a number of
minor security issues and other bugs. A flaw was found in the mod_imagemap
module. On sites where mod_imagemap was enabled and an imagemap file was
publicly available, a cross-site scripting attack was possible. (CVE-2007-5000)
A flaw was found in the mod_status module. On sites where mod_status was enabled
and the status pages were publicly accessible, a cross-site scripting attack was
possible. (CVE-2007-6388) A flaw was found in the mod_proxy_balancer module.
On sites where mod_proxy_balancer was enabled, a cross-site scripting attack
against an authorized user was possible. (CVE-2007-6421) A flaw was found in
the mod_proxy_balancer module. On sites where mod_proxy_balancer was enabled,
an authorized user could send a carefully crafted request that would cause the
Apache child process handling that request to crash. This could lead to a denial
of service if using a threaded Multi-Processing Module. (CVE-2007-6422) A
flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was
enabled and a forward proxy was configured, a cross-site scripting attack was
possible against browsers which do not correctly derive the response character
set following the rules in RFC 2616. (CVE-2008-0005)
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 28 2008 Joe Orton <jorton at redhat.com> 2.2.8-1.fc8
- update to 2.2.8 (#430465)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #427228 - CVE-2007-6388 apache mod_status cross-site scripting
https://bugzilla.redhat.com/show_bug.cgi?id=427228
[ 2 ] Bug #427229 - CVE-2007-6421 httpd mod_proxy_balancer cross-site scripting
https://bugzilla.redhat.com/show_bug.cgi?id=427229
[ 3 ] Bug #427739 - CVE-2008-0005 mod_proxy_ftp XSS
https://bugzilla.redhat.com/show_bug.cgi?id=427739
[ 4 ] Bug #419931 - CVE-2007-5000 mod_imagemap XSS
https://bugzilla.redhat.com/show_bug.cgi?id=419931
[ 5 ] Bug #427230 - CVE-2007-6422 httpd mod_proxy_balancer crash
https://bugzilla.redhat.com/show_bug.cgi?id=427230
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update httpd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
More information about the Fedora-package-announce
mailing list