Synopsis: Moderate: httpd security update
Issue date: 2007-06-27
CVE Names: CVE-2006-5752 CVE-2007-1863
A flaw was found in the Apache HTTP Server mod_status module. On sites
where the server-status page is publicly accessible and ExtendedStatus is
enabled this could lead to a cross-site scripting attack. On Red Hat
Enterprise Linux the server-status page is not enabled by default and it is
best practice to not make this publicly available. (CVE-2006-5752)
A flaw was found in the Apache HTTP Server mod_cache module. On sites where
caching is enabled, a remote attacker could send a carefully crafted
request that would cause the Apache child process handling that request to
crash. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-1863)
SL 3.0.x
SRPMS:
httpd-2.0.46-67.sl3.src.rpm
i386:
httpd-2.0.46-67.sl3.i386.rpm
httpd-devel-2.0.46-67.sl3.i386.rpm
mod_ssl-2.0.46-67.sl3.i386.rpm
x86_64:
httpd-2.0.46-67.sl3.x86_64.rpm
httpd-devel-2.0.46-67.sl3.x86_64.rpm
mod_ssl-2.0.46-67.sl3.x86_64.rpm
-Connie Sieh
-Troy Dawson