Welcome! - The Apache HTTP Server Project
Apache has been updated. Apache 2.2.6, 2.0.61, and 1.3.39 are out, and they address a vulnerability in the prefork and worker processes.
They were released at 2007/09/07 04:31. I didn't notice...
Apache 2.2.6 Released
The security fixes listed in "Changes with Apache 2.2.6" are as follows:
*) SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
[Davi Arnaut, Nick Kew]

*) SECURITY: CVE-2007-1863 (cve.mitre.org)
mod_cache: Prevent a segmentation fault if attributes are listed in a
Cache-Control header without any value.
[Niklas Edmundsson]

*) SECURITY: CVE-2007-3304 (cve.mitre.org)
prefork, worker, event MPMs: Ensure that the parent process cannot
be forced to kill processes outside its process group.
[Joe Orton, Jim Jagielski]

*) SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
perform charset "detection". Reported by Stefan Esser. [Joe Orton]

*) SECURITY: CVE-2007-1862 (cve.mitre.org)
mod_mem_cache: Copy headers into longer lived storage; header names and
values could previously point to cleaned up storage. PR 41551.
[Davi Arnaut]

Apache 2.0.61 Released
The security fixes listed in "Changes with Apache 2.0.61" are as follows:
*) SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
[Davi Arnaut, Nick Kew]

*) SECURITY: CVE-2007-1863 (cve.mitre.org)
mod_cache: Prevent segmentation fault if a Cache-Control header has
no value. [Niklas Edmundsson]

*) SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
perform charset "detection". Reported by Stefan Esser. [Joe Orton]

*) SECURITY: CVE-2007-3304 (cve.mitre.org)
prefork, worker MPMs: Ensure that the parent process cannot
be forced to kill processes outside its process group.
[Joe Orton, Jim Jagielski]

Apache 1.3.39
The security fixes listed in "Changes with Apache 1.3.39" are as follows:
*) SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
perform charset "detection". Reported by Stefan Esser. [Joe Orton]

*) SECURITY: CVE-2007-3304 (cve.mitre.org)
Ensure that the parent process cannot be forced to kill non-child
processes by checking scoreboard PID data with parent process
privately stored PID data. [Jim Jagielski]
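
The check described in the 1.3.39 entry for CVE-2007-3304, comparing the PID found in the scoreboard with a PID the parent stored privately before sending a signal, is shown here as an added C example that is not Apache httpd source code. `struct scoreboard`, `spawn_child` and `safe_kill` are hypothetical names, and the idle child process is constructed for the demonstration.

```c
/* Added illustration; all names are hypothetical, not Apache httpd source. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_CHILDREN 8
/* Stand-in for the shared-memory scoreboard. Children can write to it,
 * so the parent must treat every PID stored there as untrusted input. */
struct scoreboard { pid_t pid[MAX_CHILDREN]; };
/* Parent-private record, filled only from fork() return values. */
static pid_t private_pids[MAX_CHILDREN];

/* Fork a child for `slot`; record its PID privately and in the scoreboard. */
static pid_t spawn_child(struct scoreboard *sb, int slot)
{
    if (slot < 0 || slot >= MAX_CHILDREN) { errno = EINVAL; return -1; }
    pid_t pid = fork();
    if (pid == 0) { sleep(5); _exit(0); }   /* constructed idle child */
    if (pid > 0) { private_pids[slot] = pid; sb->pid[slot] = pid; }
    return pid;
}

/* Signal the child in `slot` only if the scoreboard PID matches the
 * private record. Values <= 1 are always refused: kill() treats 0 and
 * negative PIDs as process-group or broadcast targets, and 1 is init. */
static int safe_kill(const struct scoreboard *sb, int slot, int sig)
{
    if (slot < 0 || slot >= MAX_CHILDREN) { errno = EINVAL; return -1; }
    pid_t pid = sb->pid[slot];
    if (pid <= 1 || pid != private_pids[slot]) {
        errno = EPERM;                      /* scoreboard entry not trusted */
        return -1;
    }
    return kill(pid, sig);
}

int main(void)
{
    struct scoreboard sb = { {0} };
    if (spawn_child(&sb, 0) < 0) return 1;
    sb.pid[0] = getppid();                      /* simulate a tampered slot */
    int refused = safe_kill(&sb, 0, SIGTERM);   /* PIDs disagree: no signal */
    sb.pid[0] = private_pids[0];
    int sent = safe_kill(&sb, 0, SIGTERM);      /* verified child */
    waitpid(private_pids[0], NULL, 0);
    return (refused == -1 && sent == 0) ? 0 : 1;
}
```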