Red Hat Bugzilla – Bug 282761
Apache HTTP Server 2.2.6 Released
Last modified: 2007-11-30 17:12:15 EST
Description of problem:
The Apache Software Foundation and the Apache HTTP Server Project are pleased
to announce the release of version 2.2.6 of the Apache HTTP Server ("Apache").
This version of Apache is principally a bug and security fix release. The
following potential security flaws are addressed:
- CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when
  parsing date-related headers. PR 41144.
- CVE-2007-1863: mod_cache: Prevent a segmentation fault if attributes are
  listed in a Cache-Control header without any value.
- CVE-2007-3304: prefork, worker, event MPMs: Ensure that the parent process
  cannot be forced to kill processes outside its process group.
- CVE-2006-5752: mod_status: Fix a possible XSS attack against a site with a
  public server-status page and ExtendedStatus enabled, for browsers which
  perform charset "detection". Reported by Stefan Esser.
- CVE-2006-1862: mod_mem_cache: Copy headers into longer lived storage; header
  names and values could previously point to cleaned up storage. PR 41551.
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
Version-Release number of selected component (if applicable):
httpd-2.2.6-1 or newer... ;-)
Joe, a simple version bump did the trick for me.
2.2.6 is now in Raw Hide.