-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2007:142 http://www.mandriva.com/security/ _______________________________________________________________________ Package : apache Date : July 4, 2007 Affected: Corporate 3.0 _______________________________________________________________________ Problem Description: A vulnerability was discovered in the the Apache mod_status module that could lead to a cross-site scripting attack on sites where the server-status page was publically accessible and ExtendedStatus was enabled (CVE-2006-5752). The Apache server also did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the server could manipulate the scoreboard and cause arbitrary processes to be terminated (CVE-2007-3304). Updated packages have been patched to prevent the above issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304 _______________________________________________________________________ Updated Packages: Corporate 3.0: f5e889bd8e60e51e3083c469fe45819b corporate/3.0/i586/apache-1.3.29-1.6.C30mdk.i586.rpm b93136eed561695b1e08bc8928ae2ed5 corporate/3.0/i586/apache-devel-1.3.29-1.6.C30mdk.i586.rpm d3020b612ea5ba6608cb31fb9d36b2e3 corporate/3.0/i586/apache-modules-1.3.29-1.6.C30mdk.i586.rpm 7d388f0149dd885c836c0122daf3da8c corporate/3.0/i586/apache-source-1.3.29-1.6.C30mdk.i586.rpm d380c7a6bb60735195479677bf9873d5 corporate/3.0/SRPMS/apache-1.3.29-1.6.C30mdk.src.rpm Corporate 3.0/X86_64: 6afb4426581fe816df087d4c08f40384 corporate/3.0/x86_64/apache-1.3.29-1.6.C30mdk.x86_64.rpm c71d91796cfa58cca1988bd7500d4982 corporate/3.0/x86_64/apache-devel-1.3.29-1.6.C30mdk.x86_64.rpm 4e75d741e641f29b7a78a32dc7ff5e2c corporate/3.0/x86_64/apache-modules-1.3.29-1.6.C30mdk.x86_64.rpm bce6cac0aaa62358779c65a67902fe64 corporate/3.0/x86_64/apache-source-1.3.29-1.6.C30mdk.x86_64.rpm d380c7a6bb60735195479677bf9873d5 corporate/3.0/SRPMS/apache-1.3.29-1.6.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGjEPymqjQ0CJFipgRAiqsAJ9/1qGMlTFhwawadwHNlrvwU0E82wCfWh1g KiF+cUWLSzhCxnMa0dTB5UU= =4/IQ -----END PGP SIGNATURE-----