
Fedora Core 5: FEDORA-2006-863 Critical: Httpd Mod_Rewrite Exploit

July 28, 2006
Resolves a vulnerability in the mod_security module of Apache affecting CentOS 5, addressing a possible exploit flagged by Symantec.

Summary

The Apache HTTP Server is a powerful, efficient, and extensible web server.

This update fixes a security issue in the mod_rewrite module.

Mark Dowd of McAfee Avert Labs reported an off-by-one security problem in the LDAP scheme handling of the mod_rewrite module. Where RewriteEngine was enabled, and for certain RewriteRules, this could lead to a pointer being written out of bounds. (CVE-2006-3747)

The ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. The Fedora project has analyzed Fedora Core 4 and 5 binaries and determined that these distributions are vulnerable to this issue. However, this flaw does not affect a default installation of Fedora Core; users who do not use, or have not enabled, the Rewrite module are not affected by this issue.

- add mod_rewrite security fix (CVE-2006-3747)

* Wed Jul 19 2006 Joe Orton 2.2.2-1.1
- fix segfault on dummy connection failure at graceful restart (#199429)

* Thu May 11 2006 Joe Orton 2.2.2-1.0
- update to 2.2.2

* Thu Apr 6 2006 Joe Orton 2.2.0-5.2
- fix LDAP issues on 64-bit platforms (#188073)


This update can be installed with the 'yum' update program. Use 'yum update package-name' at the command line. For more information, refer to 'Managing Software with yum,' available at .
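The advisory's exposure conditions (an httpd build older than 2.2.2-1.2 together with an enabled RewriteEngine) can be checked per host before and after updating. The script below is an added example, not part of the Fedora advisory; the function names, result labels and sample configuration files are hypothetical, and it flags any enabled rewrite engine because the advisory does not say which RewriteRules are affected.

```sh
#!/bin/sh
# Added example: triage one host against FEDORA-2006-863 (CVE-2006-3747).
# On a real host the installed version-release comes from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd
FIXED_EVR="2.2.2-1.2"   # fixed httpd build named in this advisory

# Succeeds when version-release $1 is at or above the fixed build.
# Assumption: sort -V only approximates rpm's own version ordering.
pkg_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_EVR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Succeeds when the given config files load mod_rewrite and switch the
# engine on in an uncommented directive; commented lines do not count.
rewrite_active() {
    grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+rewrite_module[[:space:]]' "$@" &&
    grep -Eiq '^[[:space:]]*RewriteEngine[[:space:]]+on[[:space:]]*$' "$@"
}

# assess <version-release> <config files...>
assess() {
    evr=$1; shift
    if pkg_is_fixed "$evr"; then
        echo "patched"
    elif rewrite_active "$@"; then
        echo "exposed"                 # old build, rewrite engine enabled
    else
        echo "unpatched-rewrite-off"   # old build, advisory conditions not met
    fi
}

# Constructed sample configs (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
LoadModule rewrite_module modules/mod_rewrite.so
# RewriteEngine on
EOF
cat > "$SAMPLE_DIR/vhost.conf" <<'EOF'
LoadModule rewrite_module modules/mod_rewrite.so
<VirtualHost *:80>
    RewriteEngine On
</VirtualHost>
EOF

assess "2.2.2-1.1" "$SAMPLE_DIR/vhost.conf"     # exposed
assess "2.2.2-1.1" "$SAMPLE_DIR/default.conf"   # unpatched-rewrite-off
assess "2.2.2-1.2" "$SAMPLE_DIR/vhost.conf"     # patched
```

RewriteEngine can also be set in .htaccess files, so pass those to `assess` along with the main configuration when auditing a real host.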

Fedora-package-announce mailing list

Fedora-package-announce@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Severity: Critical

Name: httpd
Version: 2.2.2
Release: 1.2
Summary: Apache HTTP Server
