Skip to navigation

Security Advisory Moderate: httpd security update

Advisory: RHSA-2007:0557-3
Type: Security Advisory
Severity: Moderate
Issued on: 2007-07-13
Last updated on: 2007-07-13
Affected Products: Red Hat Application Stack v1 for Enterprise Linux AS (v.4)
Red Hat Application Stack v1 for Enterprise Linux ES (v.4)
CVEs (cve.mitre.org): CVE-2006-5752
CVE-2007-1863
CVE-2007-3304

Details

Updated Apache httpd packages that correct two security issues are now
available for Red Hat Application Stack.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A flaw was found in the Apache HTTP Server mod_status module. On sites
where the server-status page is publicly accessible and ExtendedStatus is
enabled, this flaw could lead to a cross-site scripting attack. On Red Hat
Enterprise Linux, the server-status page is not enabled by default and it
is best practice to not make this publicly available. (CVE-2006-5752)

A bug was found in the Apache HTTP Server mod_cache module. On sites where
caching is enabled, a remote attacker could send a carefully crafted
request that would cause the Apache child process handling that request to
crash. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-1863)

The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker with the ability to run
scripts on the Apache HTTP Server could manipulate the scoreboard and cause
arbitrary processes to be terminated which could lead to a denial of
service. (CVE-2007-3304).

Users of httpd should upgrade to these updated packages, which contain
backported patches to correct these issues. Users should restart Apache
after installing this update.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Application Stack v1 for Enterprise Linux AS (v.4)

SRPMS:
httpd-2.0.59-1.el4s1.7.src.rpm
File outdated by:  RHSA-2008:0510
    MD5: ba3642a4c124090b5e7ea8a90294fa23
 
IA-32:
httpd-2.0.59-1.el4s1.7.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: 44e247bfcdceaaa6e59009925d13129d
httpd-devel-2.0.59-1.el4s1.7.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: 486ef1d5da37f178eedea70abd82a4f5
httpd-manual-2.0.59-1.el4s1.7.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: 33389202046b9651e3a35da1bc0091d9
mod_ssl-2.0.59-1.el4s1.7.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: beae81006d90d0187e31275030051a73
 
x86_64:
httpd-2.0.59-1.el4s1.7.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: b78c01f55bdecc83ed40084eae41e5f3
httpd-devel-2.0.59-1.el4s1.7.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: 2968024dee972275e73da19815030cc5
httpd-manual-2.0.59-1.el4s1.7.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: 405428ee9039e797350cbbca2dfbd6fb
mod_ssl-2.0.59-1.el4s1.7.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: a1a9fbe7e8e4ec4082b47320a520091f
 
Red Hat Application Stack v1 for Enterprise Linux ES (v.4)

SRPMS:
httpd-2.0.59-1.el4s1.7.src.rpm
File outdated by:  RHSA-2008:0510
    MD5: ba3642a4c124090b5e7ea8a90294fa23
 
IA-32:
httpd-2.0.59-1.el4s1.7.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: 44e247bfcdceaaa6e59009925d13129d
httpd-devel-2.0.59-1.el4s1.7.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: 486ef1d5da37f178eedea70abd82a4f5
httpd-manual-2.0.59-1.el4s1.7.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: 33389202046b9651e3a35da1bc0091d9
mod_ssl-2.0.59-1.el4s1.7.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: beae81006d90d0187e31275030051a73
 
x86_64:
httpd-2.0.59-1.el4s1.7.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: b78c01f55bdecc83ed40084eae41e5f3
httpd-devel-2.0.59-1.el4s1.7.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: 2968024dee972275e73da19815030cc5
httpd-manual-2.0.59-1.el4s1.7.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: 405428ee9039e797350cbbca2dfbd6fb
mod_ssl-2.0.59-1.el4s1.7.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: a1a9fbe7e8e4ec4082b47320a520091f
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

244658 - CVE-2007-1863 httpd mod_cache segfault
245112 - CVE-2006-5752 httpd mod_status XSS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/