Hosting Provided By

[ MDKSA-2007:142 ] - Updated apache packages fix multiple security issues

From: <security(at)mandriva.com>
Date: Thu Jul 05 2007 - 00:08:41 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 Mandriva Linux Security Advisory                         MDKSA-2007:142

http://www.mandriva.com/security/

 Package : apache
 Date    : July 4, 2007
 Affected: Corporate 3.0

 _______________________________________________________________________

Problem Description:

A vulnerability was discovered in the the Apache mod_status module that could lead to a cross-site scripting attack on sites where the server-status page was publically accessible and ExtendedStatus was enabled (CVE-2006-5752).

The Apache server also did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the server could manipulate the scoreboard and cause arbitrary processes to be terminated (CVE-2007-3304).

Updated packages have been patched to prevent the above issues.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304

Do you need help?

Updated Packages:

Corporate 3.0:

 f5e889bd8e60e51e3083c469fe45819b  corporate/3.0/i586/apache-1.3.29-1.6.C30mdk.i586.rpm
 b93136eed561695b1e08bc8928ae2ed5  corporate/3.0/i586/apache-devel-1.3.29-1.6.C30mdk.i586.rpm
 d3020b612ea5ba6608cb31fb9d36b2e3  corporate/3.0/i586/apache-modules-1.3.29-1.6.C30mdk.i586.rpm
 7d388f0149dd885c836c0122daf3da8c  corporate/3.0/i586/apache-source-1.3.29-1.6.C30mdk.i586.rpm 
 d380c7a6bb60735195479677bf9873d5  corporate/3.0/SRPMS/apache-1.3.29-1.6.C30mdk.src.rpm

Corporate 3.0/X86_64:

 6afb4426581fe816df087d4c08f40384  corporate/3.0/x86_64/apache-1.3.29-1.6.C30mdk.x86_64.rpm
 c71d91796cfa58cca1988bd7500d4982  corporate/3.0/x86_64/apache-devel-1.3.29-1.6.C30mdk.x86_64.rpm
 4e75d741e641f29b7a78a32dc7ff5e2c  corporate/3.0/x86_64/apache-modules-1.3.29-1.6.C30mdk.x86_64.rpm
 bce6cac0aaa62358779c65a67902fe64  corporate/3.0/x86_64/apache-source-1.3.29-1.6.C30mdk.x86_64.rpm 
 d380c7a6bb60735195479677bf9873d5  corporate/3.0/SRPMS/apache-1.3.29-1.6.C30mdk.src.rpm

 _______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

Do you need more help?

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGjEPymqjQ0CJFipgRAiqsAJ9/1qGMlTFhwawadwHNlrvwU0E82wCfWh1g KiF+cUWLSzhCxnMa0dTB5UU=
=4/IQ
-----END PGP SIGNATURE----- Received on Thu Jul 5 12:45:59 2007

This message: [ Message body ]
Next message: tomaz.bratusa(at)teamintell.com: "Session fixation in Zen Cart CMS"
Previous message: security(at)mandriva.com: "[ MDKSA-2007:141 ] - Updated apache packages fix multiple security issues"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Thu Jul 05 2007 - 14:00:26 EDT