Apache: Multiple vulnerabilities

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200711-06 / apache
Release Date	November 07, 2007
Latest Revision	November 07, 2007: 01
Impact	normal
Exploitable	remote

Package	Vulnerable versions	Unaffected versions	Architecture(s)
www-servers/apache	< 2.2.6	revision >= 2.0.59-r5, >= 2.2.6	All supported architectures

Related bugreports: #186219

Synopsis

Multiple vulnerabilities have been discovered in Apache, possibly resulting in a Denial of Service or the disclosure of sensitive information.

2. Impact Information

Background

The Apache HTTP server is one of the most popular web servers on the Internet.

Description

Multiple cross-site scripting vulnerabilities have been discovered in mod_status and mod_autoindex (CVE-2006-5752, CVE-2007-4465). An error has been discovered in the recall_headers() function in mod_mem_cache (CVE-2007-1862). The mod_cache module does not properly sanitize requests before processing them (CVE-2007-1863). The Prefork module does not properly check PID values before sending signals (CVE-2007-3304). The mod_proxy module does not correctly check headers before processing them (CVE-2007-3847).

Impact

A remote attacker could exploit one of these vulnerabilities to inject arbitrary script or HTML content, obtain sensitive information or cause a Denial of Service.

3. Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Apache users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.0.59-r5"

4. References

Updated November 07, 2007

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.