From: Andrew Tait (andrewt_at_cnl.com.au)
Date: Sun Oct 06 2002 - 22:07:08 CDT

    Apache 1.3.27 Released

    http://www.apache.org/dist/httpd/Announcement.html

    The Apache Software Foundation and The Apache Server Project are pleased to
    announce the release of version 1.3.27 of the Apache HTTP Server. This
    Announcement notes the significant changes in 1.3.27 as compared to 1.3.26.
    This version of Apache is principally a security and bug fix release. A
    summary of the bug fixes is given at the end of this document. Of particular
    note is that 1.3.27 addresses and fixes 3 security vulnerabilities.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839
    CAN-2002-0839 (cve.mitre.org): A vulnerability exists in all versions of
    Apache prior to 1.3.27 on platforms using System V shared memory based
    scoreboards. This vulnerability allows an attacker who can execute under the
    Apache UID to exploit the Apache shared memory scoreboard format and send a
    signal to any process as root or cause a local denial of service attack. We
    thank iDefense for their responsible notification and disclosure of this
    issue.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
    CAN-2002-0840 (cve.mitre.org): Apache is susceptible to a cross site
    scripting vulnerability in the default 404 page of any web server hosted on
    a domain that allows wildcard DNS lookups. We thank Matthew Murphy for
    notification of this issue.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0843
    CAN-2002-0843 (cve.mitre.org): There were some possible overflows in ab.c
    which could be exploited by a malicious server. Note that this vulnerability
    is not in Apache itself, but rather one of the support programs bundled with
    Apache. We thank David Wagner for the responsible notification and
    disclosure of this issue.
