Skip to navigation

Security Advisory Moderate: apache security update

Advisory: RHSA-2007:0532-2
Type: Security Advisory
Severity: Moderate
Issued on: 2007-06-26
Last updated on: 2007-06-26
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org): CVE-2006-5752
CVE-2007-3304

Details

Updated Apache httpd packages that correct two security issues are now
available for Red Hat Enterprise Linux 2.1.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with
the server-status page publicly accessible and ExtendedStatus enabled were
vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux
the server-status page is not enabled by default and it is best practice to
not make this publicly available. (CVE-2006-5752)

Users of Apache should upgrade to these updated packages, which contain
backported patches to correct these issues. Users should restart Apache
after installing this update.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
apache-1.3.27-12.ent.src.rpm
File outdated by:  RHSA-2008:0004
    MD5: 737514615921dc02ea4309ad12f91f80
 
IA-32:
apache-1.3.27-12.ent.i386.rpm
File outdated by:  RHSA-2008:0004
    MD5: 4661f8345564a7b429a0c6b84df699a9
apache-devel-1.3.27-12.ent.i386.rpm
File outdated by:  RHSA-2008:0004
    MD5: cf02487246160118259738e8ec6b112d
apache-manual-1.3.27-12.ent.i386.rpm
File outdated by:  RHSA-2008:0004
    MD5: 1c3d08027ffb5cdab74af4daa37d7058
 
IA-64:
apache-1.3.27-12.ent.ia64.rpm
File outdated by:  RHSA-2008:0004
    MD5: 4981b35e225ad4b660e910c831776305
apache-devel-1.3.27-12.ent.ia64.rpm
File outdated by:  RHSA-2008:0004
    MD5: 42d858d5d916dbed7c550db5c5b0d07b
apache-manual-1.3.27-12.ent.ia64.rpm
File outdated by:  RHSA-2008:0004
    MD5: 7b25f3454a76869ca91cbb6ed319e75f
 
Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
apache-1.3.27-12.ent.src.rpm
File outdated by:  RHSA-2008:0004
    MD5: 737514615921dc02ea4309ad12f91f80
 
IA-32:
apache-1.3.27-12.ent.i386.rpm
File outdated by:  RHSA-2008:0004
    MD5: 4661f8345564a7b429a0c6b84df699a9
apache-devel-1.3.27-12.ent.i386.rpm
File outdated by:  RHSA-2008:0004
    MD5: cf02487246160118259738e8ec6b112d
apache-manual-1.3.27-12.ent.i386.rpm
File outdated by:  RHSA-2008:0004
    MD5: 1c3d08027ffb5cdab74af4daa37d7058
 
Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
apache-1.3.27-12.ent.src.rpm
File outdated by:  RHSA-2008:0004
    MD5: 737514615921dc02ea4309ad12f91f80
 
IA-32:
apache-1.3.27-12.ent.i386.rpm
File outdated by:  RHSA-2008:0004
    MD5: 4661f8345564a7b429a0c6b84df699a9
apache-devel-1.3.27-12.ent.i386.rpm
File outdated by:  RHSA-2008:0004
    MD5: cf02487246160118259738e8ec6b112d
apache-manual-1.3.27-12.ent.i386.rpm
File outdated by:  RHSA-2008:0004
    MD5: 1c3d08027ffb5cdab74af4daa37d7058
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
apache-1.3.27-12.ent.src.rpm
File outdated by:  RHSA-2008:0004
    MD5: 737514615921dc02ea4309ad12f91f80
 
IA-64:
apache-1.3.27-12.ent.ia64.rpm
File outdated by:  RHSA-2008:0004
    MD5: 4981b35e225ad4b660e910c831776305
apache-devel-1.3.27-12.ent.ia64.rpm
File outdated by:  RHSA-2008:0004
    MD5: 42d858d5d916dbed7c550db5c5b0d07b
apache-manual-1.3.27-12.ent.ia64.rpm
File outdated by:  RHSA-2008:0004
    MD5: 7b25f3454a76869ca91cbb6ed319e75f
 

Bugs fixed (see bugzilla for more information)

245111 - CVE-2007-3304 httpd scoreboard lack of PID protection
245112 - CVE-2006-5752 httpd mod_status XSS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/