Date: Wed, 04 Jul 2007 22:08:41 -0600
From: security@mandriva.com
Subject: [ MDKSA-2007:142 ] - Updated apache packages fix multiple security
issues
To: bugtraq@securityfocus.com
Reply-To: xsecurity@mandriva.com
Message-id: <E1I6Ie1-0005lN-3p@artemis.annvix.ca.>
X-SA-Exim-Connect-IP: 10.0.5.11
X-SA-Exim-Mail-From: qateam@artemis.annvix.ca
X-SA-Exim-Version: 4.2.1 (built Fri, 02 Feb 2007 19:02:33 -0700)
X-SA-Exim-Scanned: Yes (on hades.annvix.org)
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:142
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apache
Date : July 4, 2007
Affected: Corporate 3.0
_______________________________________________________________________
Problem Description:
A vulnerability was discovered in the the Apache mod_status module
that could lead to a cross-site scripting attack on sites where the
server-status page was publically accessible and ExtendedStatus was
enabled (CVE-2006-5752).
The Apache server also did not verify that a process was an Apache
child process before sending it signals. A local attacker with the
ability to run scripts on the server could manipulate the scoreboard
and cause arbitrary processes to be terminated (CVE-2007-3304).
Updated packages have been patched to prevent the above issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304
_______________________________________________________________________
Updated Packages:
Corporate 3.0:
f5e889bd8e60e51e3083c469fe45819b corporate/3.0/i586/apache-1.3.29-1.6.C30mdk.i586.rpm
b93136eed561695b1e08bc8928ae2ed5 corporate/3.0/i586/apache-devel-1.3.29-1.6.C30mdk.i586.rpm
d3020b612ea5ba6608cb31fb9d36b2e3 corporate/3.0/i586/apache-modules-1.3.29-1.6.C30mdk.i586.rpm
7d388f0149dd885c836c0122daf3da8c corporate/3.0/i586/apache-source-1.3.29-1.6.C30mdk.i586.rpm
d380c7a6bb60735195479677bf9873d5 corporate/3.0/SRPMS/apache-1.3.29-1.6.C30mdk.src.rpm
Corporate 3.0/X86_64:
6afb4426581fe816df087d4c08f40384 corporate/3.0/x86_64/apache-1.3.29-1.6.C30mdk.x86_64.rpm
c71d91796cfa58cca1988bd7500d4982 corporate/3.0/x86_64/apache-devel-1.3.29-1.6.C30mdk.x86_64.rpm
4e75d741e641f29b7a78a32dc7ff5e2c corporate/3.0/x86_64/apache-modules-1.3.29-1.6.C30mdk.x86_64.rpm
bce6cac0aaa62358779c65a67902fe64 corporate/3.0/x86_64/apache-source-1.3.29-1.6.C30mdk.x86_64.rpm
d380c7a6bb60735195479677bf9873d5 corporate/3.0/SRPMS/apache-1.3.29-1.6.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFGjEPymqjQ0CJFipgRAiqsAJ9/1qGMlTFhwawadwHNlrvwU0E82wCfWh1g
KiF+cUWLSzhCxnMa0dTB5UU=
=4/IQ
-----END PGP SIGNATURE-----
