Security Advisory httpd security update

Advisory: RHSA-2006:0159-8
Type: Security Advisory
Severity: Moderate
Issued on: 2006-01-05
Last updated on: 2006-01-05
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2005-2970
CVE-2005-3352
CVE-2005-3357

Details

Updated Apache httpd packages that correct three security issues are now
available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular and freely-available Web server.

A memory leak in the worker MPM could allow remote attackers to cause a
denial of service (memory consumption) via aborted connections, which
prevents the memory for the transaction pool from being reused for other
connections. The Common Vulnerabilities and Exposures project assigned the
name CVE-2005-2970 to this issue. This vulnerability only affects users
who are using the non-default worker MPM.

A flaw in mod_imap when using the Referer directive with image maps was
discovered. With certain site configurations, a remote attacker could
perform a cross-site scripting attack if a victim can be forced to visit a
malicious URL using certain web browsers. (CVE-2005-3352)

A NULL pointer dereference flaw in mod_ssl was discovered affecting server
configurations where an SSL virtual host is configured with access control
and a custom 400 error document. A remote attacker could send a carefully
crafted request to trigger this issue which would lead to a crash. This
crash would only be a denial of service if using the non-default worker
MPM. (CVE-2005-3357)

Users of httpd should update to these erratum packages which contain
backported patches to correct these issues along with some additional bugs.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)
SRPMS:
httpd-2.0.46-56.ent.src.rpm
File outdated by:  RHSA-2008:0005		     5fb40d08b35daf0b9dca84bae2d807ad
 
IA-32:
httpd-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     58472c7851877c10d75fc11acc987690
httpd-devel-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     7c5a357dc808d626e84f0b811d875087
mod_ssl-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     fd69217826949e34854440914919115d
 
x86_64:
httpd-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     19e480d4aaf0e54cd1e8beb741081e1c
httpd-devel-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     204c07d7e05a9d4b3292a5072d9c6f2a
mod_ssl-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     770cc4db896225d99e1df93a589a02b4
 
Red Hat Desktop (v. 4)
SRPMS:
httpd-2.0.52-22.ent.src.rpm
File outdated by:  RHSA-2008:0006		     1758c0d1f6326b2f8d77885a351872a1
 
IA-32:
httpd-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     64b2b544496645ed16ce4e7415b358b0
httpd-devel-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     7191377bec8fdd54c327830b05f74e7e
httpd-manual-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     5b69c82ad64cee1b4c46e9f814e88286
httpd-suexec-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     4cde89fc87b21feff51d54098fe4ed83
mod_ssl-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     97f4a87d758c4b84def3abf53e6293cc
 
x86_64:
httpd-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     e0c7651c64d7ba3c4c1e6e5b0296295c
httpd-devel-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     95f9a419ba8d943c5a99fc750fc82176
httpd-manual-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     f72c3a86cae6f4a2716e27d1e315797c
httpd-suexec-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     dbbd0863f64a60bba95c0bd2164e4d17
mod_ssl-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     8ee3ac6dff631ffc1d2b645582b35cfb
 
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
httpd-2.0.46-56.ent.src.rpm
File outdated by:  RHSA-2008:0005		     5fb40d08b35daf0b9dca84bae2d807ad
 
IA-32:
httpd-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     58472c7851877c10d75fc11acc987690
httpd-devel-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     7c5a357dc808d626e84f0b811d875087
mod_ssl-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     fd69217826949e34854440914919115d
 
IA-64:
httpd-2.0.46-56.ent.ia64.rpm
File outdated by:  RHSA-2008:0005		     9ba4fcecc7a987e0095cab3f3097573e
httpd-devel-2.0.46-56.ent.ia64.rpm
File outdated by:  RHSA-2008:0005		     eaaa9f395d525f97d864fa8fb7abf0b3
mod_ssl-2.0.46-56.ent.ia64.rpm
File outdated by:  RHSA-2008:0005		     5c1958e1b3abe828ccc70ef6aed3bb64
 
PPC:
httpd-2.0.46-56.ent.ppc.rpm
File outdated by:  RHSA-2008:0005		     463c75e6ea66006c222c769c133bc4a0
httpd-devel-2.0.46-56.ent.ppc.rpm
File outdated by:  RHSA-2008:0005		     fbfa43b0915f7593b0b53b060ccaa5f8
mod_ssl-2.0.46-56.ent.ppc.rpm
File outdated by:  RHSA-2008:0005		     a9c64df8a73025eca98e931dd074b69a
 
s390:
httpd-2.0.46-56.ent.s390.rpm
File outdated by:  RHSA-2008:0005		     fe25eb28019d8d9a3a75b87eb60dbfe9
httpd-devel-2.0.46-56.ent.s390.rpm
File outdated by:  RHSA-2008:0005		     21a7aab2c525ea1f61528823f440c1ab
mod_ssl-2.0.46-56.ent.s390.rpm
File outdated by:  RHSA-2008:0005		     4bec0fb1ba74b43121cba95fcbc54430
 
s390x:
httpd-2.0.46-56.ent.s390x.rpm
File outdated by:  RHSA-2008:0005		     1f0093a5d44fa75ad8d5dff12f6a8f81
httpd-devel-2.0.46-56.ent.s390x.rpm
File outdated by:  RHSA-2008:0005		     e005b654914be004d22d456c3f7cd9f1
mod_ssl-2.0.46-56.ent.s390x.rpm
File outdated by:  RHSA-2008:0005		     ed206f46043e55028a3a1ec63f516042
 
x86_64:
httpd-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     19e480d4aaf0e54cd1e8beb741081e1c
httpd-devel-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     204c07d7e05a9d4b3292a5072d9c6f2a
mod_ssl-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     770cc4db896225d99e1df93a589a02b4
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
httpd-2.0.52-22.ent.src.rpm
File outdated by:  RHSA-2008:0006		     1758c0d1f6326b2f8d77885a351872a1
 
IA-32:
httpd-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     64b2b544496645ed16ce4e7415b358b0
httpd-devel-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     7191377bec8fdd54c327830b05f74e7e
httpd-manual-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     5b69c82ad64cee1b4c46e9f814e88286
httpd-suexec-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     4cde89fc87b21feff51d54098fe4ed83
mod_ssl-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     97f4a87d758c4b84def3abf53e6293cc
 
IA-64:
httpd-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     c7522babbf9b3a24f8c3bfaff8e2e10f
httpd-devel-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     10a317c00ae0e59b4f3071870f6d939a
httpd-manual-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     adaf0ba8b49ee0ceb3469e1b5f67c339
httpd-suexec-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     38dec291e729a7e69bdc9ba25cfca5be
mod_ssl-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     fa92eddcfe59311085ed2c0c7675380b
 
PPC:
httpd-2.0.52-22.ent.ppc.rpm
File outdated by:  RHSA-2008:0006		     1fef1c2e4c3e8796c8d29f1a8b4288f2
httpd-devel-2.0.52-22.ent.ppc.rpm
File outdated by:  RHSA-2008:0006		     756f217a147ae442b5b60612c42a6e80
httpd-manual-2.0.52-22.ent.ppc.rpm
File outdated by:  RHSA-2008:0006		     d8f0dd7e832cad4efa48333ed1d649af
httpd-suexec-2.0.52-22.ent.ppc.rpm
File outdated by:  RHSA-2008:0006		     3a466a4bceadf2fcc1994206481062a6
mod_ssl-2.0.52-22.ent.ppc.rpm
File outdated by:  RHSA-2008:0006		     a293bf05ecae2c4b192d5ec3dfcbb98d
 
s390:
httpd-2.0.52-22.ent.s390.rpm
File outdated by:  RHSA-2008:0006		     c9aee197a528745c6c8590f7605b1643
httpd-devel-2.0.52-22.ent.s390.rpm
File outdated by:  RHSA-2008:0006		     9f8f303a60b8b52a5a1c4be911df9212
httpd-manual-2.0.52-22.ent.s390.rpm
File outdated by:  RHSA-2008:0006		     f3107dc3d74f773f21854fc94e2eca2d
httpd-suexec-2.0.52-22.ent.s390.rpm
File outdated by:  RHSA-2008:0006		     4f3d8737a2656298e7b2b867b0f35d2a
mod_ssl-2.0.52-22.ent.s390.rpm
File outdated by:  RHSA-2008:0006		     e78eb4e3946b778fcd3a8fd650c1cc02
 
s390x:
httpd-2.0.52-22.ent.s390x.rpm
File outdated by:  RHSA-2008:0006		     c175a4c5c89597afd57932e6e08f5755
httpd-devel-2.0.52-22.ent.s390x.rpm
File outdated by:  RHSA-2008:0006		     f894f7f71f4ab719d09812bb794f37df
httpd-manual-2.0.52-22.ent.s390x.rpm
File outdated by:  RHSA-2008:0006		     da94d5e68605db9f5c4c801e853e60ad
httpd-suexec-2.0.52-22.ent.s390x.rpm
File outdated by:  RHSA-2008:0006		     350bbc702110c42e1cf95787168d63b1
mod_ssl-2.0.52-22.ent.s390x.rpm
File outdated by:  RHSA-2008:0006		     321b95391c4d73b76fb632db96fec976
 
x86_64:
httpd-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     e0c7651c64d7ba3c4c1e6e5b0296295c
httpd-devel-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     95f9a419ba8d943c5a99fc750fc82176
httpd-manual-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     f72c3a86cae6f4a2716e27d1e315797c
httpd-suexec-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     dbbd0863f64a60bba95c0bd2164e4d17
mod_ssl-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     8ee3ac6dff631ffc1d2b645582b35cfb
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
httpd-2.0.46-56.ent.src.rpm
File outdated by:  RHSA-2008:0005		     5fb40d08b35daf0b9dca84bae2d807ad
 
IA-32:
httpd-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     58472c7851877c10d75fc11acc987690
httpd-devel-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     7c5a357dc808d626e84f0b811d875087
mod_ssl-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     fd69217826949e34854440914919115d
 
IA-64:
httpd-2.0.46-56.ent.ia64.rpm
File outdated by:  RHSA-2008:0005		     9ba4fcecc7a987e0095cab3f3097573e
httpd-devel-2.0.46-56.ent.ia64.rpm
File outdated by:  RHSA-2008:0005		     eaaa9f395d525f97d864fa8fb7abf0b3
mod_ssl-2.0.46-56.ent.ia64.rpm
File outdated by:  RHSA-2008:0005		     5c1958e1b3abe828ccc70ef6aed3bb64
 
x86_64:
httpd-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     19e480d4aaf0e54cd1e8beb741081e1c
httpd-devel-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     204c07d7e05a9d4b3292a5072d9c6f2a
mod_ssl-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     770cc4db896225d99e1df93a589a02b4
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
httpd-2.0.52-22.ent.src.rpm
File outdated by:  RHSA-2008:0006		     1758c0d1f6326b2f8d77885a351872a1
 
IA-32:
httpd-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     64b2b544496645ed16ce4e7415b358b0
httpd-devel-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     7191377bec8fdd54c327830b05f74e7e
httpd-manual-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     5b69c82ad64cee1b4c46e9f814e88286
httpd-suexec-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     4cde89fc87b21feff51d54098fe4ed83
mod_ssl-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     97f4a87d758c4b84def3abf53e6293cc
 
IA-64:
httpd-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     c7522babbf9b3a24f8c3bfaff8e2e10f
httpd-devel-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     10a317c00ae0e59b4f3071870f6d939a
httpd-manual-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     adaf0ba8b49ee0ceb3469e1b5f67c339
httpd-suexec-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     38dec291e729a7e69bdc9ba25cfca5be
mod_ssl-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     fa92eddcfe59311085ed2c0c7675380b
 
x86_64:
httpd-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     e0c7651c64d7ba3c4c1e6e5b0296295c
httpd-devel-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     95f9a419ba8d943c5a99fc750fc82176
httpd-manual-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     f72c3a86cae6f4a2716e27d1e315797c
httpd-suexec-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     dbbd0863f64a60bba95c0bd2164e4d17
mod_ssl-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     8ee3ac6dff631ffc1d2b645582b35cfb
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
httpd-2.0.46-56.ent.src.rpm
File outdated by:  RHSA-2008:0005		     5fb40d08b35daf0b9dca84bae2d807ad
 
IA-32:
httpd-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     58472c7851877c10d75fc11acc987690
httpd-devel-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     7c5a357dc808d626e84f0b811d875087
mod_ssl-2.0.46-56.ent.i386.rpm
File outdated by:  RHSA-2008:0005		     fd69217826949e34854440914919115d
 
IA-64:
httpd-2.0.46-56.ent.ia64.rpm
File outdated by:  RHSA-2008:0005		     9ba4fcecc7a987e0095cab3f3097573e
httpd-devel-2.0.46-56.ent.ia64.rpm
File outdated by:  RHSA-2008:0005		     eaaa9f395d525f97d864fa8fb7abf0b3
mod_ssl-2.0.46-56.ent.ia64.rpm
File outdated by:  RHSA-2008:0005		     5c1958e1b3abe828ccc70ef6aed3bb64
 
x86_64:
httpd-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     19e480d4aaf0e54cd1e8beb741081e1c
httpd-devel-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     204c07d7e05a9d4b3292a5072d9c6f2a
mod_ssl-2.0.46-56.ent.x86_64.rpm
File outdated by:  RHSA-2008:0005		     770cc4db896225d99e1df93a589a02b4
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
httpd-2.0.52-22.ent.src.rpm
File outdated by:  RHSA-2008:0006		     1758c0d1f6326b2f8d77885a351872a1
 
IA-32:
httpd-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     64b2b544496645ed16ce4e7415b358b0
httpd-devel-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     7191377bec8fdd54c327830b05f74e7e
httpd-manual-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     5b69c82ad64cee1b4c46e9f814e88286
httpd-suexec-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     4cde89fc87b21feff51d54098fe4ed83
mod_ssl-2.0.52-22.ent.i386.rpm
File outdated by:  RHSA-2008:0006		     97f4a87d758c4b84def3abf53e6293cc
 
IA-64:
httpd-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     c7522babbf9b3a24f8c3bfaff8e2e10f
httpd-devel-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     10a317c00ae0e59b4f3071870f6d939a
httpd-manual-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     adaf0ba8b49ee0ceb3469e1b5f67c339
httpd-suexec-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     38dec291e729a7e69bdc9ba25cfca5be
mod_ssl-2.0.52-22.ent.ia64.rpm
File outdated by:  RHSA-2008:0006		     fa92eddcfe59311085ed2c0c7675380b
 
x86_64:
httpd-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     e0c7651c64d7ba3c4c1e6e5b0296295c
httpd-devel-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     95f9a419ba8d943c5a99fc750fc82176
httpd-manual-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     f72c3a86cae6f4a2716e27d1e315797c
httpd-suexec-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     dbbd0863f64a60bba95c0bd2164e4d17
mod_ssl-2.0.52-22.ent.x86_64.rpm
File outdated by:  RHSA-2008:0006		     8ee3ac6dff631ffc1d2b645582b35cfb
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

170383 - mod_ssl per-directory renegotiation with request body
171756 - CVE-2005-2970 httpd worker MPM memory consumption DoS
175602 - CVE-2005-3352 cross-site scripting flaw in mod_imap
175720 - CVE-2005-3357 mod_ssl crash


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3357

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/