Posted to cvs@httpd.apache.org by mj...@apache.org on 2007/07/17 17:35:55 UTC

svn commit: r556948 - in /httpd/site/trunk: docs/security/ xdocs/security/

Author: mjc
Date: Tue Jul 17 08:35:43 2007
New Revision: 556948

URL: http://svn.apache.org/viewvc?view=rev&rev=556948
Log:
Add details for CVE-2007-3304 now that it's backported

Modified:
    httpd/site/trunk/docs/security/vulnerabilities-oval.xml
    httpd/site/trunk/docs/security/vulnerabilities_13.html
    httpd/site/trunk/docs/security/vulnerabilities_20.html
    httpd/site/trunk/docs/security/vulnerabilities_22.html
    httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
    httpd/site/trunk/xdocs/security/vulnerabilities_22.xml

Modified: httpd/site/trunk/docs/security/vulnerabilities-oval.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities-oval.xml?view=diff&rev=556948&r1=556947&r2=556948
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities-oval.xml (original)
+++ httpd/site/trunk/docs/security/vulnerabilities-oval.xml Tue Jul 17 08:35:43 2007
@@ -5,6 +5,82 @@
 <oval:timestamp>2005-10-12T18:13:45</oval:timestamp>
 </generator>
 <definitions>
+<definition id="oval:org.apache.httpd:def:20073304" version="1" class="vulnerability">
+<metadata>
+<title>Signals to arbitrary processes</title>
+<reference source="CVE" ref_id="CVE-2007-3304" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304"/>
+<description>The Apache HTTP server did not verify that a process
+was an Apache child process before sending it signals. A local
+attacker with the ability to run scripts on the HTTP server could
+manipulate the scoreboard and cause arbitrary processes to be
+terminated which could lead to a denial of service.</description>
+<apache_httpd_repository>
+<public>20070619</public>
+<reported>20060515</reported>
+<released/>
+<severity level="3">moderate</severity>
+</apache_httpd_repository>
+</metadata>
+<criteria operator="OR">
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:2059" comment="the version of httpd is 2.0.59"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2058" comment="the version of httpd is 2.0.58"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2055" comment="the version of httpd is 2.0.55"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2054" comment="the version of httpd is 2.0.54"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2053" comment="the version of httpd is 2.0.53"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2052" comment="the version of httpd is 2.0.52"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2051" comment="the version of httpd is 2.0.51"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2050" comment="the version of httpd is 2.0.50"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2049" comment="the version of httpd is 2.0.49"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2048" comment="the version of httpd is 2.0.48"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2047" comment="the version of httpd is 2.0.47"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2046" comment="the version of httpd is 2.0.46"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2045" comment="the version of httpd is 2.0.45"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2044" comment="the version of httpd is 2.0.44"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2043" comment="the version of httpd is 2.0.43"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2042" comment="the version of httpd is 2.0.42"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2040" comment="the version of httpd is 2.0.40"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2039" comment="the version of httpd is 2.0.39"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2037" comment="the version of httpd is 2.0.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2036" comment="the version of httpd is 2.0.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:2035" comment="the version of httpd is 2.0.35"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:224" comment="the version of httpd is 2.2.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:223" comment="the version of httpd is 2.2.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:222" comment="the version of httpd is 2.2.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:220" comment="the version of httpd is 2.2.0"/>
+</criteria>
+<criteria operator="OR">
+<criterion test_ref="oval:org.apache.httpd:tst:1337" comment="the version of httpd is 1.3.37"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1336" comment="the version of httpd is 1.3.36"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1335" comment="the version of httpd is 1.3.35"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1334" comment="the version of httpd is 1.3.34"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1333" comment="the version of httpd is 1.3.33"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1332" comment="the version of httpd is 1.3.32"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1331" comment="the version of httpd is 1.3.31"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1329" comment="the version of httpd is 1.3.29"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1328" comment="the version of httpd is 1.3.28"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1327" comment="the version of httpd is 1.3.27"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1326" comment="the version of httpd is 1.3.26"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1324" comment="the version of httpd is 1.3.24"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1322" comment="the version of httpd is 1.3.22"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1320" comment="the version of httpd is 1.3.20"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1319" comment="the version of httpd is 1.3.19"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1317" comment="the version of httpd is 1.3.17"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1314" comment="the version of httpd is 1.3.14"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1312" comment="the version of httpd is 1.3.12"/>
+<criterion test_ref="oval:org.apache.httpd:tst:1311" comment="the version of httpd is 1.3.11"/>
+<criterion test_ref="oval:org.apache.httpd:tst:139" comment="the version of httpd is 1.3.9"/>
+<criterion test_ref="oval:org.apache.httpd:tst:136" comment="the version of httpd is 1.3.6"/>
+<criterion test_ref="oval:org.apache.httpd:tst:134" comment="the version of httpd is 1.3.4"/>
+<criterion test_ref="oval:org.apache.httpd:tst:133" comment="the version of httpd is 1.3.3"/>
+<criterion test_ref="oval:org.apache.httpd:tst:132" comment="the version of httpd is 1.3.2"/>
+<criterion test_ref="oval:org.apache.httpd:tst:131" comment="the version of httpd is 1.3.1"/>
+<criterion test_ref="oval:org.apache.httpd:tst:130" comment="the version of httpd is 1.3.0"/>
+</criteria>
+</criteria>
+</definition>
 <definition id="oval:org.apache.httpd:def:20071862" version="1" class="vulnerability">
 <metadata>
 <title>mod_cache information leak</title>
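Review bot: The new definition for CVE-2007-3304 decides exposure from an exact version match only: each `criterion` points at an `httpd_test` whose state is `operation="equals"` on a single upstream release, as the states section further down this file shows. A build that carries the fix under an unchanged version string would therefore still be reported as affected, and a version missing from the list would never be reported. I would add one sentence to the `<description>`, for example `This check compares the reported httpd version only and does not detect backported fixes.` `<released/>` is empty, which matches the `-dev` fix versions elsewhere in this commit, and needs filling in once those releases ship. If this file is generated from xdocs/security/vulnerabilities-httpd.xml, as the paths suggest, the wording belongs in that source or its stylesheet instead.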
@@ -2308,10 +2384,6 @@
 </definition>
 </definitions>
 <tests>
-<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:224" version="1" comment="the version of httpd is 2.2.4" check="at least one">
-<object object_ref="oval:org.apache.httpd:obj:1"/>
-<state state_ref="oval:org.apache.httpd:ste:224"/>
-</httpd_test>
 <httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:2059" version="1" comment="the version of httpd is 2.0.59" check="at least one">
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:2059"/>
@@ -2388,6 +2460,18 @@
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:2037"/>
 </httpd_test>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:2036" version="1" comment="the version of httpd is 2.0.36" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:2036"/>
+</httpd_test>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:2035" version="1" comment="the version of httpd is 2.0.35" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:2035"/>
+</httpd_test>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:224" version="1" comment="the version of httpd is 2.2.4" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:224"/>
+</httpd_test>
 <httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:223" version="1" comment="the version of httpd is 2.2.3" check="at least one">
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:223"/>
@@ -2400,6 +2484,10 @@
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:220"/>
 </httpd_test>
+<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:1337" version="1" comment="the version of httpd is 1.3.37" check="at least one">
+<object object_ref="oval:org.apache.httpd:obj:1"/>
+<state state_ref="oval:org.apache.httpd:ste:1337"/>
+</httpd_test>
 <httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:1336" version="1" comment="the version of httpd is 1.3.36" check="at least one">
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:1336"/>
@@ -2432,14 +2520,6 @@
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:1328"/>
 </httpd_test>
-<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:2036" version="1" comment="the version of httpd is 2.0.36" check="at least one">
-<object object_ref="oval:org.apache.httpd:obj:1"/>
-<state state_ref="oval:org.apache.httpd:ste:2036"/>
-</httpd_test>
-<httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:2035" version="1" comment="the version of httpd is 2.0.35" check="at least one">
-<object object_ref="oval:org.apache.httpd:obj:1"/>
-<state state_ref="oval:org.apache.httpd:ste:2035"/>
-</httpd_test>
 <httpd_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:tst:1327" version="1" comment="the version of httpd is 1.3.27" check="at least one">
 <object object_ref="oval:org.apache.httpd:obj:1"/>
 <state state_ref="oval:org.apache.httpd:ste:1327"/>
@@ -2517,9 +2597,6 @@
 </httpd_object>
 </objects>
 <states>
-<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:224" version="1" comment="the version of httpd is 2.2.4">
-<version operation="equals" datatype="version">2.2.4</version>
-</httpd_state>
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2059" version="1" comment="the version of httpd is 2.0.59">
 <version operation="equals" datatype="version">2.0.59</version>
 </httpd_state>
@@ -2577,6 +2654,15 @@
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2037" version="1" comment="the version of httpd is 2.0.37">
 <version operation="equals" datatype="version">2.0.37</version>
 </httpd_state>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2036" version="1" comment="the version of httpd is 2.0.36">
+<version operation="equals" datatype="version">2.0.36</version>
+</httpd_state>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2035" version="1" comment="the version of httpd is 2.0.35">
+<version operation="equals" datatype="version">2.0.35</version>
+</httpd_state>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:224" version="1" comment="the version of httpd is 2.2.4">
+<version operation="equals" datatype="version">2.2.4</version>
+</httpd_state>
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:223" version="1" comment="the version of httpd is 2.2.3">
 <version operation="equals" datatype="version">2.2.3</version>
 </httpd_state>
@@ -2586,6 +2672,9 @@
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:220" version="1" comment="the version of httpd is 2.2.0">
 <version operation="equals" datatype="version">2.2.0</version>
 </httpd_state>
+<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:1337" version="1" comment="the version of httpd is 1.3.37">
+<version operation="equals" datatype="version">1.3.37</version>
+</httpd_state>
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:1336" version="1" comment="the version of httpd is 1.3.36">
 <version operation="equals" datatype="version">1.3.36</version>
 </httpd_state>
@@ -2609,12 +2698,6 @@
 </httpd_state>
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:1328" version="1" comment="the version of httpd is 1.3.28">
 <version operation="equals" datatype="version">1.3.28</version>
-</httpd_state>
-<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2036" version="1" comment="the version of httpd is 2.0.36">
-<version operation="equals" datatype="version">2.0.36</version>
-</httpd_state>
-<httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:2035" version="1" comment="the version of httpd is 2.0.35">
-<version operation="equals" datatype="version">2.0.35</version>
 </httpd_state>
 <httpd_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#apache" id="oval:org.apache.httpd:ste:1327" version="1" comment="the version of httpd is 1.3.27">
 <version operation="equals" datatype="version">1.3.27</version>

Modified: httpd/site/trunk/docs/security/vulnerabilities_13.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_13.html?view=diff&rev=556948&r1=556947&r2=556948
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_13.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_13.html Tue Jul 17 08:35:43 2007
@@ -81,6 +81,36 @@
            <table border="0" cellspacing="0" cellpadding="2" width="100%">
  <tr><td bgcolor="#525D76">
   <font color="#ffffff" face="arial,helvetica,sanserif">
+   <a name="1.3.38-dev"><strong>Fixed in Apache httpd 1.3.38-dev</strong></a>
+  </font>
+ </td></tr>
+ <tr><td>
+  <blockquote>
+<dl>
+<dd>
+<b>moderate: </b>
+<b>
+<name name="CVE-2007-3304">Signals to arbitrary processes</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304</a>
+<p>The Apache HTTP server did not verify that a process
+was an Apache child process before sending it signals. A local
+attacker with the ability to run scripts on the HTTP server could
+manipulate the scoreboard and cause arbitrary processes to be
+terminated which could lead to a denial of service.</p>
+</dd>
+<dd />
+<dd>
+      Affects: 
+    1.3.37, 1.3.36, 1.3.35, 1.3.34, 1.3.33, 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0<p />
+</dd>
+</dl>
+  </blockquote>
+ </td></tr>
+</table>
+           <table border="0" cellspacing="0" cellpadding="2" width="100%">
+ <tr><td bgcolor="#525D76">
+  <font color="#ffffff" face="arial,helvetica,sanserif">
    <a name="1.3.37"><strong>Fixed in Apache httpd 1.3.37</strong></a>
   </font>
  </td></tr>

Modified: httpd/site/trunk/docs/security/vulnerabilities_20.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_20.html?view=diff&rev=556948&r1=556947&r2=556948
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_20.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_20.html Tue Jul 17 08:35:43 2007
@@ -90,6 +90,23 @@
 <dd>
 <b>moderate: </b>
 <b>
+<name name="CVE-2007-3304">Signals to arbitrary processes</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304</a>
+<p>The Apache HTTP server did not verify that a process
+was an Apache child process before sending it signals. A local
+attacker with the ability to run scripts on the HTTP server could
+manipulate the scoreboard and cause arbitrary processes to be
+terminated which could lead to a denial of service.</p>
+</dd>
+<dd />
+<dd>
+      Affects: 
+    2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, 2.0.37, 2.0.36, 2.0.35<p />
+</dd>
+<dd>
+<b>moderate: </b>
+<b>
 <name name="CVE-2007-1863">mod_cache proxy DoS</name>
 </b>
 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863">CVE-2007-1863</a>

Modified: httpd/site/trunk/docs/security/vulnerabilities_22.html
URL: http://svn.apache.org/viewvc/httpd/site/trunk/docs/security/vulnerabilities_22.html?view=diff&rev=556948&r1=556947&r2=556948
==============================================================================
--- httpd/site/trunk/docs/security/vulnerabilities_22.html (original)
+++ httpd/site/trunk/docs/security/vulnerabilities_22.html Tue Jul 17 08:35:43 2007
@@ -90,6 +90,23 @@
 <dd>
 <b>moderate: </b>
 <b>
+<name name="CVE-2007-3304">Signals to arbitrary processes</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304</a>
+<p>The Apache HTTP server did not verify that a process
+was an Apache child process before sending it signals. A local
+attacker with the ability to run scripts on the HTTP server could
+manipulate the scoreboard and cause arbitrary processes to be
+terminated which could lead to a denial of service.</p>
+</dd>
+<dd />
+<dd>
+      Affects: 
+    2.2.4, 2.2.3, 2.2.2, 2.2.0<p />
+</dd>
+<dd>
+<b>moderate: </b>
+<b>
 <name name="CVE-2007-1862">mod_cache information leak</name>
 </b>
 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862">CVE-2007-1862</a>

Modified: httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml?view=diff&rev=556948&r1=556947&r2=556948
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities-httpd.xml Tue Jul 17 08:35:43 2007
@@ -1,5 +1,89 @@
 <security updated="20070717">
 
+<issue fixed="2.0.60-dev" public="20070619" reported="20060515">
+<cve name="CVE-2007-3304"/>
+<severity level="3">moderate</severity>      
+<title>Signals to arbitrary processes</title>
+<description><p>The Apache HTTP server did not verify that a process
+was an Apache child process before sending it signals. A local
+attacker with the ability to run scripts on the HTTP server could
+manipulate the scoreboard and cause arbitrary processes to be
+terminated which could lead to a denial of service.</p></description>
+<affects prod="httpd" version="2.0.59"/>
+<affects prod="httpd" version="2.0.58"/>
+<affects prod="httpd" version="2.0.55"/>
+<affects prod="httpd" version="2.0.54"/>
+<affects prod="httpd" version="2.0.53"/>
+<affects prod="httpd" version="2.0.52"/>
+<affects prod="httpd" version="2.0.51"/>
+<affects prod="httpd" version="2.0.50"/>
+<affects prod="httpd" version="2.0.49"/>
+<affects prod="httpd" version="2.0.48"/>
+<affects prod="httpd" version="2.0.47"/>
+<affects prod="httpd" version="2.0.46"/>
+<affects prod="httpd" version="2.0.45"/>
+<affects prod="httpd" version="2.0.44"/>
+<affects prod="httpd" version="2.0.43"/>
+<affects prod="httpd" version="2.0.42"/>
+<affects prod="httpd" version="2.0.40"/>
+<affects prod="httpd" version="2.0.39"/>
+<affects prod="httpd" version="2.0.37"/>
+<affects prod="httpd" version="2.0.36"/>
+<affects prod="httpd" version="2.0.35"/>
+</issue>
+
+<issue fixed="2.2.5-dev" public="20070619" reported="20060515">
+<cve name="CVE-2007-3304"/>
+<severity level="3">moderate</severity>      
+<title>Signals to arbitrary processes</title>
+<description><p>The Apache HTTP server did not verify that a process
+was an Apache child process before sending it signals. A local
+attacker with the ability to run scripts on the HTTP server could
+manipulate the scoreboard and cause arbitrary processes to be
+terminated which could lead to a denial of service.</p></description>
+<affects prod="httpd" version="2.2.4"/>
+<affects prod="httpd" version="2.2.3"/>
+<affects prod="httpd" version="2.2.2"/>
+<affects prod="httpd" version="2.2.0"/>
+</issue>
+
+<issue fixed="1.3.38-dev" public="20070619" reported="20060515">
+<cve name="CVE-2007-3304"/>
+<severity level="3">moderate</severity>      
+<title>Signals to arbitrary processes</title>
+<description><p>The Apache HTTP server did not verify that a process
+was an Apache child process before sending it signals. A local
+attacker with the ability to run scripts on the HTTP server could
+manipulate the scoreboard and cause arbitrary processes to be
+terminated which could lead to a denial of service.</p></description>
+<affects prod="httpd" version="1.3.37"/>
+<affects prod="httpd" version="1.3.36"/>
+<affects prod="httpd" version="1.3.35"/>
+<affects prod="httpd" version="1.3.34"/>
+<affects prod="httpd" version="1.3.33"/>
+<affects prod="httpd" version="1.3.32"/>
+<affects prod="httpd" version="1.3.31"/>
+<affects prod="httpd" version="1.3.29"/>
+<affects prod="httpd" version="1.3.28"/>
+<affects prod="httpd" version="1.3.27"/>
+<affects prod="httpd" version="1.3.26"/>
+<affects prod="httpd" version="1.3.24"/>
+<affects prod="httpd" version="1.3.22"/>
+<affects prod="httpd" version="1.3.20"/>
+<affects prod="httpd" version="1.3.19"/>
+<affects prod="httpd" version="1.3.17"/>
+<affects prod="httpd" version="1.3.14"/>
+<affects prod="httpd" version="1.3.12"/>
+<affects prod="httpd" version="1.3.11"/>
+<affects prod="httpd" version="1.3.9"/>
+<affects prod="httpd" version="1.3.6"/>
+<affects prod="httpd" version="1.3.4"/>
+<affects prod="httpd" version="1.3.3"/>
+<affects prod="httpd" version="1.3.2"/>
+<affects prod="httpd" version="1.3.1"/>
+<affects prod="httpd" version="1.3.0"/>
+</issue>
+
 <issue fixed="2.2.5-dev" public="20070601" reported="20070426">
 <cve name="CVE-2007-1862"/>
 <severity level="3">moderate</severity>      
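Review bot: The three new `<issue>` entries carry `fixed="2.0.60-dev"`, `fixed="2.2.5-dev"` and `fixed="1.3.38-dev"`, which suggests no released version contains the fix yet, and the description does not tell readers where to get the change in the meantime. Consider ending each `<description>` with a pointer such as `The fix is available as a patch at <PATCH_URL_PLACEHOLDER> until the next release.` The description text is repeated verbatim in all three entries, so a comment above the first, `<!-- CVE-2007-3304: keep the 2.0, 2.2 and 1.3 descriptions in sync -->`, would help later edits stay consistent. The trailing spaces after `</severity>` in each entry can be dropped.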

Modified: httpd/site/trunk/xdocs/security/vulnerabilities_22.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/xdocs/security/vulnerabilities_22.xml?view=diff&rev=556948&r1=556947&r2=556948
==============================================================================
--- httpd/site/trunk/xdocs/security/vulnerabilities_22.xml (original)
+++ httpd/site/trunk/xdocs/security/vulnerabilities_22.xml Tue Jul 17 08:35:43 2007
@@ -25,6 +25,23 @@
 <dd>
 <b>moderate: </b>
 <b>
+<name name="CVE-2007-3304">Signals to arbitrary processes</name>
+</b>
+<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304">CVE-2007-3304</a>
+<p>The Apache HTTP server did not verify that a process
+was an Apache child process before sending it signals. A local
+attacker with the ability to run scripts on the HTTP server could
+manipulate the scoreboard and cause arbitrary processes to be
+terminated which could lead to a denial of service.</p>
+</dd>
+<dd/>
+<dd>
+      Affects: 
+    2.2.4, 2.2.3, 2.2.2, 2.2.0<p/>
+</dd>
+<dd>
+<b>moderate: </b>
+<b>
 <name name="CVE-2007-1862">mod_cache information leak</name>
 </b>
 <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1862">CVE-2007-1862</a>
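Review bot: Only vulnerabilities_22.xml changes under xdocs/security in this commit, while the Modified list also shows docs/security/vulnerabilities_13.html and vulnerabilities_20.html gaining the same CVE-2007-3304 entry. If the per-branch xdocs files are checked-in intermediates from which the HTML is built, the 1.3 and 2.0 ones look out of step, and a later rebuild from them could drop the new entry from those two pages. It is worth confirming whether xdocs/security/vulnerabilities_13.xml and vulnerabilities_20.xml need the equivalent `<name name="CVE-2007-3304">` block committed as well.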