[Security Announce] [ MDKSA-2007:142 ] - Updated apache packages fix multiple security issues
Posted on: 07/05/2007 05:35 AM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:142
http://www.mandriva.com/security/
_______________________________________________________________________

Package : apache
Date : July 4, 2007
Affected: Corporate 3.0
_______________________________________________________________________

Problem Description:

A vulnerability was discovered in the the Apache mod_status module
that could lead to a cross-site scripting attack on sites where the
server-status page was publically accessible and ExtendedStatus was
enabled (CVE-2006-5752).

The Apache server also did not verify that a process was an Apache
child process before sending it signals. A local attacker with the
ability to run scripts on the server could manipulate the scoreboard
and cause arbitrary processes to be terminated (CVE-2007-3304).

Updated packages have been patched to prevent the above issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304
_______________________________________________________________________

Updated Packages:

Corporate 3.0:
f5e889bd8e60e51e3083c469fe45819b corporate/3.0/i586/apache-1.3.29-1.6.C30mdk.i586.rpm
b93136eed561695b1e08bc8928ae2ed5 corporate/3.0/i586/apache-devel-1.3.29-1.6.C30mdk.i586.rpm
d3020b612ea5ba6608cb31fb9d36b2e3 corporate/3.0/i586/apache-modules-1.3.29-1.6.C30mdk.i586.rpm
7d388f0149dd885c836c0122daf3da8c corporate/3.0/i586/apache-source-1.3.29-1.6.C30mdk.i586.rpm
d380c7a6bb60735195479677bf9873d5 corporate/3.0/SRPMS/apache-1.3.29-1.6.C30mdk.src.rpm

Corporate 3.0/X86_64:
6afb4426581fe816df087d4c08f40384 corporate/3.0/x86_64/apache-1.3.29-1.6.C30mdk.x86_64.rpm
c71d91796cfa58cca1988bd7500d4982 corporate/3.0/x86_64/apache-devel-1.3.29-1.6.C30mdk.x86_64.rpm
4e75d741e641f29b7a78a32dc7ff5e2c corporate/3.0/x86_64/apache-modules-1.3.29-1.6.C30mdk.x86_64.rpm
bce6cac0aaa62358779c65a67902fe64 corporate/3.0/x86_64/apache-source-1.3.29-1.6.C30mdk.x86_64.rpm
d380c7a6bb60735195479677bf9873d5 corporate/3.0/SRPMS/apache-1.3.29-1.6.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGjEPymqjQ0CJFipgRAiqsAJ9/1qGMlTFhwawadwHNlrvwU0E82wCfWh1g
KiF+cUWLSzhCxnMa0dTB5UU=
=4/IQ
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007142__updated_apache_packages_fix_multiple_security_issues.html)