Home > Security > Advisories

Advisories

Mandriva Advisories

Package name apache
Date July 4th, 2007
Advisory ID MDKSA-2007:142
Affected versions CS3.0
Synopsis Updated apache packages fix multiple security issues

Problem Description

A vulnerability was discovered in the the Apache mod_status module
that could lead to a cross-site scripting attack on sites where the
server-status page was publically accessible and ExtendedStatus was
enabled (CVE-2006-5752).

The Apache server also did not verify that a process was an Apache
child process before sending it signals. A local attacker with the
ability to run scripts on the server could manipulate the scoreboard
and cause arbitrary processes to be terminated (CVE-2007-3304).

Updated packages have been patched to prevent the above issues.

Updated Packages

Corporate Server 3.0

 f5e889bd8e60e51e3083c469fe45819b  corporate/3.0/i586/apache-1.3.29-1.6.C30mdk.i586.rpm
 b93136eed561695b1e08bc8928ae2ed5  corporate/3.0/i586/apache-devel-1.3.29-1.6.C30mdk.i586.rpm
 d3020b612ea5ba6608cb31fb9d36b2e3  corporate/3.0/i586/apache-modules-1.3.29-1.6.C30mdk.i586.rpm
 7d388f0149dd885c836c0122daf3da8c  corporate/3.0/i586/apache-source-1.3.29-1.6.C30mdk.i586.rpm 
 d380c7a6bb60735195479677bf9873d5  corporate/3.0/SRPMS/apache-1.3.29-1.6.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 6afb4426581fe816df087d4c08f40384  corporate/3.0/x86_64/apache-1.3.29-1.6.C30mdk.x86_64.rpm
 c71d91796cfa58cca1988bd7500d4982  corporate/3.0/x86_64/apache-devel-1.3.29-1.6.C30mdk.x86_64.rpm
 4e75d741e641f29b7a78a32dc7ff5e2c  corporate/3.0/x86_64/apache-modules-1.3.29-1.6.C30mdk.x86_64.rpm
 bce6cac0aaa62358779c65a67902fe64  corporate/3.0/x86_64/apache-source-1.3.29-1.6.C30mdk.x86_64.rpm 
 d380c7a6bb60735195479677bf9873d5  corporate/3.0/SRPMS/apache-1.3.29-1.6.C30mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.