Welcome! - The Apache HTTP Server Project

ripjyr 2007-09-09

(via てれもえ! -照れこそは萌えが戴くべき最高の至宝)

Apache has been updated. Apache 2.2.6, 2.0.61 and 1.3.39 are out, and they address the vulnerability in the prefork and worker processes.

It was released at 2007/09/07 04:31. I hadn't noticed...

Apache 2.2.6 Released

The security fixes listed in Changes with Apache 2.2.6 are as follows:

*) SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
[Davi Arnaut, Nick Kew]

*) SECURITY: CVE-2007-1863 (cve.mitre.org)
mod_cache: Prevent a segmentation fault if attributes are listed in a
Cache-Control header without any value.
[Niklas Edmundsson ]

*) SECURITY: CVE-2007-3304 (cve.mitre.org)
prefork, worker, event MPMs: Ensure that the parent process cannot
be forced to kill processes outside its process group.
[Joe Orton, Jim Jagielski]

*) SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
perform charset "detection". Reported by Stefan Esser. [Joe Orton]

*) SECURITY: CVE-2007-1862 (cve.mitre.org)
mod_mem_cache: Copy headers into longer lived storage; header names and
values could previously point to cleaned up storage. PR 41551.
[Davi Arnaut ]

Apache 2.0.61 Released

The security fixes listed in Changes with Apache 2.0.61 are as follows:

*) SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
[Davi Arnaut, Nick Kew]

*) SECURITY: CVE-2007-1863 (cve.mitre.org)
mod_cache: Prevent segmentation fault if a Cache-Control header has
no value. [Niklas Edmundsson ]

*) SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
perform charset "detection". Reported by Stefan Esser. [Joe Orton]

*) SECURITY: CVE-2007-3304 (cve.mitre.org)
prefork, worker MPMs: Ensure that the parent process cannot
be forced to kill processes outside its process group.
[Joe Orton, Jim Jagielski]

Apache 1.3.39

The security fixes listed in Changes with Apache 1.3.39 are as follows:

*) SECURITY: CVE-2006-5752 (cve.mitre.org)
mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
perform charset "detection". Reported by Stefan Esser. [Joe Orton]

*) SECURITY: CVE-2007-3304 (cve.mitre.org)
Ensure that the parent process cannot be forced to kill non-child
processes by checking scoreboard PID data with parent process
privately stored PID data. [Jim Jagielski]
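
The check described in the 1.3.39 entry for CVE-2007-3304, as an added sketch that is not Apache's own code: the parent trusts a PID read from the shared scoreboard only if it matches a PID it recorded privately at fork time. All names (`record_child`, `is_own_child`, `signal_target`) and the PID values are assumptions made up for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define MAX_CHILDREN 4

/* Shared-memory scoreboard: children can write to it, so it is untrusted. */
struct scoreboard_slot { pid_t pid; };
static struct scoreboard_slot scoreboard[MAX_CHILDREN];

/* Parent-private table, filled in only from fork() return values. */
static pid_t private_pids[MAX_CHILDREN];

/* Called by the parent right after fork() succeeds for a slot. */
void record_child(int slot, pid_t pid)
{
    private_pids[slot] = pid;
    scoreboard[slot].pid = pid;
}

/* True only if the parent itself recorded this PID at fork time. */
bool is_own_child(pid_t pid)
{
    if (pid <= 1)   /* 0 and negative values address process groups; 1 is init */
        return false;
    for (size_t i = 0; i < MAX_CHILDREN; i++)
        if (private_pids[i] == pid)
            return true;
    return false;
}

/* Returns the PID that may be passed to kill() for a slot, or -1 to refuse. */
pid_t signal_target(int slot)
{
    if (slot < 0 || slot >= MAX_CHILDREN)
        return -1;
    pid_t claimed = scoreboard[slot].pid;  /* a child could have altered this */
    return is_own_child(claimed) ? claimed : -1;
}

int main(void)
{
    record_child(0, 4242);                  /* constructed PID for illustration */
    printf("untouched slot: %d\n", (int)signal_target(0));
    scoreboard[0].pid = 1;                  /* simulated scoreboard tampering */
    printf("tampered slot:  %d\n", (int)signal_target(0));
    return 0;
}
```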