Updated apache packages available

Advisory:	RHSA-2001:126-29
Type:	Security Advisory
Severity:	N/A
Issued on:	2001-10-09
Last updated on:	2002-01-15
Affected Products:	Red Hat Linux 6.2 Red Hat Linux 7.0 Red Hat Linux 7.1 Red Hat Linux 7.2
OVAL:	N/A
CVEs (cve.mitre.org):	CVE-2001-0730 CVE-2001-0731

Details

Updated Apache packages are now available for Red Hat Linux 6.2, 7, 7.1,
and 7.2. These packages upgrade the Apache Web server to version 1.3.22,
which closes a potential security bug which would present clients with a
listing of the contents of a directory instead of the contents of an index
file, or in case of an error, the error message.

By using a carefully constructed HTTP request, a server with
mod_negotiation and either mod_dir or mod_autoindex loaded could be tricked
into displaying a listing of the contents of a directory, despite the
presence of an index file.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2001-0730, and CAN-2001-0731 to these
issues.

Solution

Note: The updated apache (and apache-devel) packages for Red Hat Linux 7,
7.1, and 7.2 require installation of mm and expat (as well as mm-devel and
expat-devel for apache-devel). Because mm and expat were not previously
released for Red Hat Linux 7, and mm was not previously released for Red
Hat Linux 7.1, they will need to either be installed simultaneously with or
before the apache packages.

Before applying this update, make sure all previously released errata
relevant to your system have been applied. Users of Red Hat Linux 7 and
7.1 will find that the mod_bandwidth, mod_put, and mod_throttle packages
are now built as separate packages, and that they will need to manually
install these packages as well.

To update all other RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Users of Red Hat Linux 7 will find that these updates enable the suexec
feature by default, which was not the case in previous versions of this
package. Administrators who have configured their servers to run CGI
scripts from user home directories should read the suexec documentation
included in the apache-manual package.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 6.2

SRPMS:
apache-1.3.22-0.6.src.rpm File outdated by: RHSA-2002:222	`bc9a7598e452fd0a5e2b05173216ef81`

Alpha:
apache-1.3.22-0.6.alpha.rpm File outdated by: RHSA-2002:222	`a181a9ffff1759abbf42e05c824ddb2f`
apache-devel-1.3.22-0.6.alpha.rpm File outdated by: RHSA-2002:222	`3360fda64d65cbf60a8634e7991e5a6d`
apache-manual-1.3.22-0.6.alpha.rpm File outdated by: RHSA-2002:222	`f045b315ecc6a11e23131fa86e2d0a72`

IA-32:
apache-1.3.22-0.6.i386.rpm File outdated by: RHSA-2002:222	`dc567a3074e237efd73622596dfc2c13`
apache-devel-1.3.22-0.6.i386.rpm File outdated by: RHSA-2002:222	`36b1dd6f65c83f3c47326ae976567ce3`
apache-manual-1.3.22-0.6.i386.rpm File outdated by: RHSA-2002:222	`13d4d3822f4b2de1f198d5bc24884a8a`

Sparc:
apache-1.3.22-0.6.sparc.rpm File outdated by: RHSA-2002:222	`ef85d7e0d44abd776d4b76a75553cc86`
apache-devel-1.3.22-0.6.sparc.rpm File outdated by: RHSA-2002:222	`4eb62d0355f51df33e62ea6647a061ec`
apache-manual-1.3.22-0.6.sparc.rpm File outdated by: RHSA-2002:222	`7138fb9b44085ee557d291c081e46d3c`

Red Hat Linux 7.0

SRPMS:
apache-1.3.22-1.7.1.src.rpm File outdated by: RHSA-2002:222	`5cf136a2bfb482501254fa6630f9e6e8`
ftp://updates.redhat.com/7.0/en/os/SRPMS/expat-1.95.1-1.src.rpm Missing file	`d0cbe11cfd0c2fad460d749a4afadf8f`
mm-1.1.3-2.src.rpm File outdated by: RHBA-2002:273	`85f0ff3830d540a3235e2d7471ca2e27`
ftp://updates.redhat.com/7.0/en/os/SRPMS/mod_bandwidth-2.0.3-2.src.rpm Missing file	`9cd99798f41854041ed50e5c2b9c9d4a`
ftp://updates.redhat.com/7.0/en/os/SRPMS/mod_put-1.3-2.src.rpm Missing file	`392c6c20c9ca7d5ad437b91ea08bac2a`
mod_ssl-2.8.5-0.7.src.rpm File outdated by: RHSA-2002:222	`4d9b105c543162987b6a0755080e73b1`
ftp://updates.redhat.com/7.0/en/os/SRPMS/mod_throttle-3.1.2-3.src.rpm Missing file	`15398a5663f14b8e5babbb5309d6739c`

Alpha:
apache-1.3.22-1.7.1.alpha.rpm File outdated by: RHSA-2002:222	`8f8ea759a9ff2d61c60104ee9b3edc09`
apache-devel-1.3.22-1.7.1.alpha.rpm File outdated by: RHSA-2002:222	`ea3bd3c37081fd9a303c8f656a31b52f`
apache-manual-1.3.22-1.7.1.alpha.rpm File outdated by: RHSA-2002:222	`e6f023bd016b75e40e390b2cdf5fe77f`
ftp://updates.redhat.com/7.0/en/os/alpha/expat-1.95.1-1.alpha.rpm Missing file	`4b4d4c5fdf897457c7286d2b4fd2ac39`
ftp://updates.redhat.com/7.0/en/os/alpha/expat-devel-1.95.1-1.alpha.rpm Missing file	`aa8555291135f9b681d1d519f5fe5539`
mm-1.1.3-2.alpha.rpm File outdated by: RHBA-2002:273	`13cfd219c25232decce6703c70419f4a`
mm-devel-1.1.3-2.alpha.rpm File outdated by: RHBA-2002:273	`f9b26ec0d52c79444de07f10bceb2262`
ftp://updates.redhat.com/7.0/en/os/alpha/mod_bandwidth-2.0.3-2.alpha.rpm Missing file	`3be3121fa4b5490a1ace387526cf2406`
ftp://updates.redhat.com/7.0/en/os/alpha/mod_put-1.3-2.alpha.rpm Missing file	`25f1a3961b8c2aa6f2b63288535abc73`
mod_ssl-2.8.5-0.7.alpha.rpm File outdated by: RHSA-2002:222	`b4b100f56cefc614b878a191fb5ed6f0`
ftp://updates.redhat.com/7.0/en/os/alpha/mod_throttle-3.1.2-3.alpha.rpm Missing file	`d3f81d978bb81de0b2e357b79ade1d7e`

IA-32:
apache-1.3.22-1.7.1.i386.rpm File outdated by: RHSA-2002:222	`6bcd4368b5106127787cbac0248f669b`
apache-devel-1.3.22-1.7.1.i386.rpm File outdated by: RHSA-2002:222	`052ac912ba5dd85f2f81a1dc0c7472fd`
apache-manual-1.3.22-1.7.1.i386.rpm File outdated by: RHSA-2002:222	`26752f2274eec2d5e399d03a6f973ea7`
ftp://updates.redhat.com/7.0/en/os/i386/expat-1.95.1-1.i386.rpm Missing file	`fb87db480ce7f5317f0464640b419e43`
ftp://updates.redhat.com/7.0/en/os/i386/expat-devel-1.95.1-1.i386.rpm Missing file	`87978a5568dccb618c1646110443ad87`
mm-1.1.3-2.i386.rpm File outdated by: RHBA-2002:273	`bffbf64db212e970ad139b5e61dc4ad2`
mm-devel-1.1.3-2.i386.rpm File outdated by: RHBA-2002:273	`541a185e0e63970cdbb573eb5afc6d45`
ftp://updates.redhat.com/7.0/en/os/i386/mod_bandwidth-2.0.3-2.i386.rpm Missing file	`414b7a5cb5a0153b9cd41c0b10a7c155`
ftp://updates.redhat.com/7.0/en/os/i386/mod_put-1.3-2.i386.rpm Missing file	`c1bc1dd8b81ed2669ea31a0338cf8e8d`
mod_ssl-2.8.5-0.7.i386.rpm File outdated by: RHSA-2002:222	`ef3ec4f2b0775440f7b9f7b2274e5a3f`
ftp://updates.redhat.com/7.0/en/os/i386/mod_throttle-3.1.2-3.i386.rpm Missing file	`e80083a4d622f91d14125d291e542b24`

Red Hat Linux 7.1

SRPMS:
apache-1.3.22-1.7.1.src.rpm File outdated by: RHSA-2002:222	`5cf136a2bfb482501254fa6630f9e6e8`
mm-1.1.3-2.src.rpm File outdated by: RHBA-2002:273	`85f0ff3830d540a3235e2d7471ca2e27`
ftp://updates.redhat.com/7.1/en/os/SRPMS/mod_bandwidth-2.0.3-2.src.rpm Missing file	`9cd99798f41854041ed50e5c2b9c9d4a`
ftp://updates.redhat.com/7.1/en/os/SRPMS/mod_put-1.3-2.src.rpm Missing file	`392c6c20c9ca7d5ad437b91ea08bac2a`
mod_ssl-2.8.5-0.7.src.rpm File outdated by: RHSA-2002:222	`4d9b105c543162987b6a0755080e73b1`
ftp://updates.redhat.com/7.1/en/os/SRPMS/mod_throttle-3.1.2-3.src.rpm Missing file	`15398a5663f14b8e5babbb5309d6739c`

Alpha:
apache-1.3.22-1.7.1.alpha.rpm File outdated by: RHSA-2002:222	`8f8ea759a9ff2d61c60104ee9b3edc09`
apache-devel-1.3.22-1.7.1.alpha.rpm File outdated by: RHSA-2002:222	`ea3bd3c37081fd9a303c8f656a31b52f`
apache-manual-1.3.22-1.7.1.alpha.rpm File outdated by: RHSA-2002:222	`e6f023bd016b75e40e390b2cdf5fe77f`
mm-1.1.3-2.alpha.rpm File outdated by: RHBA-2002:273	`13cfd219c25232decce6703c70419f4a`
mm-devel-1.1.3-2.alpha.rpm File outdated by: RHBA-2002:273	`f9b26ec0d52c79444de07f10bceb2262`
ftp://updates.redhat.com/7.1/en/os/alpha/mod_bandwidth-2.0.3-2.alpha.rpm Missing file	`3be3121fa4b5490a1ace387526cf2406`
ftp://updates.redhat.com/7.1/en/os/alpha/mod_put-1.3-2.alpha.rpm Missing file	`25f1a3961b8c2aa6f2b63288535abc73`
mod_ssl-2.8.5-0.7.alpha.rpm File outdated by: RHSA-2002:222	`b4b100f56cefc614b878a191fb5ed6f0`
ftp://updates.redhat.com/7.1/en/os/alpha/mod_throttle-3.1.2-3.alpha.rpm Missing file	`d3f81d978bb81de0b2e357b79ade1d7e`

IA-32:
apache-1.3.22-1.7.1.i386.rpm File outdated by: RHSA-2003:405	`6bcd4368b5106127787cbac0248f669b`
apache-devel-1.3.22-1.7.1.i386.rpm File outdated by: RHSA-2003:405	`052ac912ba5dd85f2f81a1dc0c7472fd`
apache-manual-1.3.22-1.7.1.i386.rpm File outdated by: RHSA-2003:405	`26752f2274eec2d5e399d03a6f973ea7`
mm-1.1.3-2.i386.rpm File outdated by: RHBA-2002:273	`bffbf64db212e970ad139b5e61dc4ad2`
mm-devel-1.1.3-2.i386.rpm File outdated by: RHBA-2002:273	`541a185e0e63970cdbb573eb5afc6d45`
ftp://updates.redhat.com/7.1/en/os/i386/mod_bandwidth-2.0.3-2.i386.rpm Missing file	`414b7a5cb5a0153b9cd41c0b10a7c155`
ftp://updates.redhat.com/7.1/en/os/i386/mod_put-1.3-2.i386.rpm Missing file	`c1bc1dd8b81ed2669ea31a0338cf8e8d`
mod_ssl-2.8.5-0.7.i386.rpm File outdated by: RHSA-2003:243	`ef3ec4f2b0775440f7b9f7b2274e5a3f`
ftp://updates.redhat.com/7.1/en/os/i386/mod_throttle-3.1.2-3.i386.rpm Missing file	`e80083a4d622f91d14125d291e542b24`

IA-64:
apache-1.3.22-1.7.1.ia64.rpm File outdated by: RHSA-2002:222	`d72a44ce73899c1ae8502a4dac44977a`
apache-devel-1.3.22-1.7.1.ia64.rpm File outdated by: RHSA-2002:222	`91d505625bfc721907beead7f79fa565`
apache-manual-1.3.22-1.7.1.ia64.rpm File outdated by: RHSA-2002:222	`235d62371a30d4f8817ff873f8948dae`
mm-1.1.3-2.ia64.rpm File outdated by: RHBA-2002:273	`93ebc06c4d160fd82430b983093e9f40`
mm-devel-1.1.3-2.ia64.rpm File outdated by: RHBA-2002:273	`e31a027184bdc9a202994c57f9b96a10`
ftp://updates.redhat.com/7.1/en/os/ia64/mod_bandwidth-2.0.3-2.ia64.rpm Missing file	`c091e03032e4f7d628e8bb2f706e66ab`
ftp://updates.redhat.com/7.1/en/os/ia64/mod_put-1.3-2.ia64.rpm Missing file	`4678335e17b5e09c42d679480493f2a0`
mod_ssl-2.8.5-0.7.ia64.rpm File outdated by: RHSA-2002:222	`1e5337f03080b9f28c951cc06fa7aa14`
ftp://updates.redhat.com/7.1/en/os/ia64/mod_throttle-3.1.2-3.ia64.rpm Missing file	`47691815f0bad537d3305aa379083500`

Red Hat Linux 7.2

SRPMS:
apache-1.3.22-2.src.rpm File outdated by: RHSA-2002:103	`bf518904d1b4ef0edd07ce3a7dd34871`
mod_ssl-2.8.5-1.src.rpm File outdated by: RHSA-2003:243	`bc734ceff3e2dee5d5a4ff230b5e8293`

IA-32:
apache-1.3.22-2.i386.rpm File outdated by: RHSA-2003:405	`6dd421e90d6de5cb9a5ae25e428724e8`
apache-devel-1.3.22-2.i386.rpm File outdated by: RHSA-2003:405	`19aa4f624d8263756374095b352c274a`
apache-manual-1.3.22-2.i386.rpm File outdated by: RHSA-2003:405	`c352198baaeb451d6e1797458cfcad4e`
mod_ssl-2.8.5-1.i386.rpm File outdated by: RHSA-2003:243	`cec3188aea446e454e92efcf9246abd5`

s390:
apache-1.3.22-2.s390.rpm File outdated by: RHSA-2002:103	`94fbad043d55987ad3807aba33c9fabc`
apache-devel-1.3.22-2.s390.rpm File outdated by: RHSA-2002:103	`8030bd8357ad4d34948ae0324ad15c91`
apache-manual-1.3.22-2.s390.rpm File outdated by: RHSA-2002:103	`fcdc19d52780fc79e2cd8744575c5d02`
ftp://updates.redhat.com/7.2/en/os/s390/mod_ssl-2.8.5-1.s390.rpm Missing file	`e334cb1f9e6a09c7cb15cb1f7b0c13ff`

Bugs fixed (see bugzilla for more information)

34772 - Apache 1.3.14 breaks byterange functionality (hinders serving of PDFs)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0731
http://www.apacheweek.com/issues/01-10-05#security
http://httpd.apache.org/dist/httpd/CHANGES_1.3
http://www.securityfocus.com/bid/3009

Keywords

apache, directory, listing

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/