httpd bug fix update

Updated httpd packages that fix various bugs are now available.

The Apache HTTP Server is a popular and freely-available Web server.

These updated httpd packages provide fixes for the following bugs:

* Apache's mod_mime_magic module attempts to determine the MIME type of
files using heuristic tests. However, the "magic" file used by the
mod_mime_magic module was unable to detect PNG images correctly as being of
MIME type "image/png", which this update corrects. (BZ#240844)

* when using a reverse-proxy configuration with the mod_nss module being
used in place of the usual mod_ssl module, the mod_proxy module failed to
pass the hostname, which resulted in this error message: "Requested domain
name does not match the server's certificate". The hostname is now passed
correctly so that secure HTTP (https) connections no longer fail due to
this error. (BZ#479410)

* the "mod_ssl" module placed a hard-coded 128K limit on the amount of
request body data which would be buffered if an SSL renegotiation was
required in a Location or Directory context. This could occur if a POST
request was made to a Directory or Location which required client
certificate authentication. The limit on the amount of data to buffer is
now configurable using the "SSLRenegBufferSize" directive. (BZ#479806)

* when configuring a reverse proxy using an .htaccess file (instead of
httpd.conf) by using a "RewriteRule" to proxy requests using the "[P]"
flag, space characters in URIs would not be correctly escaped in remote
server requests, resulting in "404 Not Found" response codes. This has been
fixed so that .htaccess-configured reverse proxies perform proper
character-escaping. (BZ#480604)

* if an error occurred when invoking a CGI script, the "500 Internal Server
Error" error document was not generated. (BZ#480932)

* the mod_speling module attempts to correct misspellings of URLs. When the
"AcceptPathInfo" directive was not enabled, then mod_speling did not handle
and correct misspelled directory names. This has been fixed so that
directory names are always handled, and possibly corrected, by the
mod_speling module, regardless of the value that "AcceptPathInfo" is set
to. (BZ#485524)

* if request body data was buffered when an SSL renegotiation was required
in a Location or Directory context, then the buffered data was discarded if
an internal redirect occurred. (BZ#488886)

* the httpd init script did not reference the process ID stored by a
running daemon, and invocations could affect other httpd processes running
on the system. (BZ#491135)

* during a graceful restart, a spurious "Bad file descriptor" error message
was sometimes logged. The error, though harmless, occurred because the
socket on which the server called the accept() function was immediately
closed in child processes upon receipt of the graceful restart signal. This
error message is no longer logged. (BZ#233955)

* during a graceful restart, the following spurious error messages were
logged by the mod_rewrite module if the "RewriteLog" directive was
configured: "apr_global_mutex_lock(rewrite_log_lock) failed". (BZ#493023)

* Apache's mod_ext_filter module sometimes logged this spurious error
message if an input filter was configured and an error response was sent:
"Bad file descriptor: apr_file_close(child input)". (BZ#479463)

* the "%p" format option in the "CustomLog" directive, used to log a port
number in a request, did not respect the "remote" and "local" specifiers.
(BZ#493070)

* the httpd package inappropriately obsoleted the "mod_jk" package; it no
longer does so. (BZ#493592)

* an invalid HTTP status code—such as 70007—was logged to the access log if
a timeout or other input error occurred while reading the request body
during processing of a CGI script. (BZ#498170)

* a security issue fix (CVE-2009-1195) in Server-Side Include (SSI)
Options-handling inadvertently broke backwards-compatibility with the
mod_perl module. (BZ#502998)

Users are advised to upgrade to these updated packages, which resolve these
issues.

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

233955 - Bad file descriptor: apr_socket_accept
240844 - /etc/httpd/conf/magic is too simple (PNG is missing)
479463 - Bad file descriptor: apr_file_close(child input)
479806 - Can't do POST larger than 128K to ssl sites
480932 - mod_cgi: error pages have wrong headers
485524 - mod_speling not correcting directory names in a URI
488886 - mod_rewrite+mod_ssl+SSLVerifyClient = no POST variables
491135 - Fix /etc/init.d/httpd to use the pid file of the server to restart instead of blowing all httpds away
491763 - HTTPS+SSLVerifyClient require in <Directory>+big POST = Apache error
493023 - mod_rewrite: apr_global_mutex_lock(rewrite_log_lock) failed
493070 - mod_log_config: format options for %p (locale, remote) broken
493592 - The httpd package shouldn't obsolete mod_jk
498170 - httpd incorrectly returns lower level return code (70007 status code is not RFC)
502998 - Backwards compatibility for CVE-2009-1195 change