drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in httpd
Name: |
Mehrere Probleme in httpd |
|
ID: |
RHSA-2007:0557-01 |
|
Distribution: |
Red Hat |
|
Plattformen: |
Red Hat Application Stack |
|
Datum: |
Fr, 13. Juli 2007, 10:04 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304 |
|
Applikationen: |
Apache |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
- --------------------------------------------------------------------- Red Hat Security Advisory
Synopsis: Moderate: httpd security update Advisory ID: RHSA-2007:0557-01 Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0557.html Issue date: 2007-07-13 Updated on: 2007-07-13 Product: Red Hat Application Stack CVE Names: CVE-2006-5752 CVE-2007-1863 CVE-2007-3304 - ---------------------------------------------------------------------
1. Summary:
Updated Apache httpd packages that correct two security issues are now available for Red Hat Application Stack.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64 Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64
3. Problem description:
The Apache HTTP Server is a popular Web server.
A flaw was found in the Apache HTTP Server mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled, this flaw could lead to a cross-site scripting attack. On Red Hat Enterprise Linux, the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)
A bug was found in the Apache HTTP Server mod_cache module. On sites where caching is enabled, a remote attacker could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module. (CVE-2007-1863)
The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service. (CVE-2007-3304).
Users of httpd should upgrade to these updated packages, which contain backported patches to correct these issues. Users should restart Apache after installing this update.
4. Solution:
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188
5. Bug IDs fixed (http://bugzilla.redhat.com/):
244658 - CVE-2007-1863 httpd mod_cache segfault 245112 - CVE-2006-5752 httpd mod_status XSS
6. RPMs required:
Red Hat Application Stack v1 for Enterprise Linux AS (v.4):
SRPMS: httpd-2.0.59-1.el4s1.7.src.rpm ba3642a4c124090b5e7ea8a90294fa23 httpd-2.0.59-1.el4s1.7.src.rpm
i386: 44e247bfcdceaaa6e59009925d13129d httpd-2.0.59-1.el4s1.7.i386.rpm a4bbcf0b9e6f5649942347d5fb4f41ab httpd-debuginfo-2.0.59-1.el4s1.7.i386.rpm 486ef1d5da37f178eedea70abd82a4f5 httpd-devel-2.0.59-1.el4s1.7.i386.rpm 33389202046b9651e3a35da1bc0091d9 httpd-manual-2.0.59-1.el4s1.7.i386.rpm beae81006d90d0187e31275030051a73 mod_ssl-2.0.59-1.el4s1.7.i386.rpm
x86_64: b78c01f55bdecc83ed40084eae41e5f3 httpd-2.0.59-1.el4s1.7.x86_64.rpm 389b87bb05f5cde1141297a309676a20 httpd-debuginfo-2.0.59-1.el4s1.7.x86_64.rpm 2968024dee972275e73da19815030cc5 httpd-devel-2.0.59-1.el4s1.7.x86_64.rpm 405428ee9039e797350cbbca2dfbd6fb httpd-manual-2.0.59-1.el4s1.7.x86_64.rpm a1a9fbe7e8e4ec4082b47320a520091f mod_ssl-2.0.59-1.el4s1.7.x86_64.rpm
Red Hat Application Stack v1 for Enterprise Linux ES (v.4):
SRPMS: httpd-2.0.59-1.el4s1.7.src.rpm ba3642a4c124090b5e7ea8a90294fa23 httpd-2.0.59-1.el4s1.7.src.rpm
i386: 44e247bfcdceaaa6e59009925d13129d httpd-2.0.59-1.el4s1.7.i386.rpm a4bbcf0b9e6f5649942347d5fb4f41ab httpd-debuginfo-2.0.59-1.el4s1.7.i386.rpm 486ef1d5da37f178eedea70abd82a4f5 httpd-devel-2.0.59-1.el4s1.7.i386.rpm 33389202046b9651e3a35da1bc0091d9 httpd-manual-2.0.59-1.el4s1.7.i386.rpm beae81006d90d0187e31275030051a73 mod_ssl-2.0.59-1.el4s1.7.i386.rpm
x86_64: b78c01f55bdecc83ed40084eae41e5f3 httpd-2.0.59-1.el4s1.7.x86_64.rpm 389b87bb05f5cde1141297a309676a20 httpd-debuginfo-2.0.59-1.el4s1.7.x86_64.rpm 2968024dee972275e73da19815030cc5 httpd-devel-2.0.59-1.el4s1.7.x86_64.rpm 405428ee9039e797350cbbca2dfbd6fb httpd-manual-2.0.59-1.el4s1.7.x86_64.rpm a1a9fbe7e8e4ec4082b47320a520091f mod_ssl-2.0.59-1.el4s1.7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304 http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFGlyw9XlSAg2UNWIIRAlmsAKCgFiBOqda2VjFYxJTQxY+/mWQuXwCghJ9p 4TvGhz6dYnBUWDCLtzYf0ds= =WkE5 -----END PGP SIGNATURE-----
-- Enterprise-watch-list mailing list Enterprise-watch-list@redhat.com https://www.redhat.com/mailman/listinfo/enterprise-watch-list
|
|
|
|