Skip to navigation

Security Advisory httpd security update

Advisory: RHSA-2006:0619-9
Type: Security Advisory
Severity: Moderate
Issued on: 2006-08-10
Last updated on: 2006-08-10
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2006-3918

Details

Updated Apache httpd packages that correct security issues and resolve bugs
are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular Web server available for free.

A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header. (CVE-2006-3918)

While a web browser cannot be forced to send an arbitrary Expect
header by a third-party attacker, it was recently discovered that
certain versions of the Flash plugin can manipulate request headers.
If users running such versions can be persuaded to load a web page
with a malicious Flash applet, a cross-site scripting attack against
the server may be possible.

On Red Hat Enterprise Linux 3 and 4 systems, due to an unrelated issue in
the handling of malformed Expect headers, the page produced by the
cross-site scripting attack will only be returned after a timeout expires
(2-5 minutes by default) if not first canceled by the user.

Users of httpd should update to these erratum packages, which contain a
backported patch to correct these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)
IA-32:
httpd-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: d9bb6b02095ee31f3779a41ccf37e889
httpd-devel-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: 59adb3ab038e3bf0e799b1d246913b87
mod_ssl-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: 8095700d500f6427d83e7e65010d91c5
 
x86_64:
httpd-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: a867591bfea47c5918bb37b37fbec21a
httpd-devel-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 624fd85d9aa4e6372f1663052df06309
mod_ssl-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 927b300b3ff027401c1c7b38dac1cfa0
 
Red Hat Desktop (v. 4)
SRPMS:
httpd-2.0.52-28.ent.src.rpm
File outdated by:  RHSA-2011:1392		     MD5: 4f35d5c8dc42f7e0c8d47fbe15f80ee7
 
IA-32:
httpd-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 0b30f0a89cca20b95784a39fcab65e35
httpd-devel-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 1f5dc32947852da3a57662e6d8d5da21
httpd-manual-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 453758ed80cda526c0d28dbe6a4fb053
httpd-suexec-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 08c31b58be6c3a3e56b4ab8cd7c9d60b
mod_ssl-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: bafd04190956db5220e1931f1cdfda06
 
x86_64:
httpd-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 5ea25c8a07bb0021b79d3607bebb7324
httpd-devel-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 349f57d1d4819f8adb4a46118b774a50
httpd-manual-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 53ba74eac84a36cc1cb2829add804236
httpd-suexec-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: ad3cdee012b0cc635caa391ab695345c
mod_ssl-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 92a99ce7ec860e35b735814360ec37cb
 
Red Hat Enterprise Linux AS (v. 3)
IA-32:
httpd-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: d9bb6b02095ee31f3779a41ccf37e889
httpd-devel-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: 59adb3ab038e3bf0e799b1d246913b87
mod_ssl-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: 8095700d500f6427d83e7e65010d91c5
 
IA-64:
httpd-2.0.46-61.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 66c25ecc5c74599ba3a7bb3f2fa9f4b8
httpd-devel-2.0.46-61.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: c967c0497ef645d09805b432add9fac2
mod_ssl-2.0.46-61.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 635c92aac642b85d9b49322c4fd09f39
 
PPC:
httpd-2.0.46-61.ent.ppc.rpm
File outdated by:  RHSA-2009:1579		     MD5: 54e916bfdc60fdd36ff8e924f18fa165
httpd-devel-2.0.46-61.ent.ppc.rpm
File outdated by:  RHSA-2009:1579		     MD5: acaaf4cbdca1df0cd1e781af286c8758
mod_ssl-2.0.46-61.ent.ppc.rpm
File outdated by:  RHSA-2009:1579		     MD5: 076c66ddc29fc5d97fc9b33f744dda30
 
s390:
httpd-2.0.46-61.ent.s390.rpm
File outdated by:  RHSA-2009:1579		     MD5: 631fd6776f5930a1a5346ef7b651a596
httpd-devel-2.0.46-61.ent.s390.rpm
File outdated by:  RHSA-2009:1579		     MD5: d547adbcdb6e9b7c3971db416196eb24
mod_ssl-2.0.46-61.ent.s390.rpm
File outdated by:  RHSA-2009:1579		     MD5: 7bb49ad738ca9fd78ee1fcaaf6fa85e9
 
s390x:
httpd-2.0.46-61.ent.s390x.rpm
File outdated by:  RHSA-2009:1579		     MD5: 88820ef80fc2f013716483ed9cc24618
httpd-devel-2.0.46-61.ent.s390x.rpm
File outdated by:  RHSA-2009:1579		     MD5: 9f02adf3a99778f31bdcc5e83c552ccf
mod_ssl-2.0.46-61.ent.s390x.rpm
File outdated by:  RHSA-2009:1579		     MD5: 6f9e00153fb16ca4d84ca25edc8b369d
 
x86_64:
httpd-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: a867591bfea47c5918bb37b37fbec21a
httpd-devel-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 624fd85d9aa4e6372f1663052df06309
mod_ssl-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 927b300b3ff027401c1c7b38dac1cfa0
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
httpd-2.0.52-28.ent.src.rpm
File outdated by:  RHSA-2011:1392		     MD5: 4f35d5c8dc42f7e0c8d47fbe15f80ee7
 
IA-32:
httpd-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 0b30f0a89cca20b95784a39fcab65e35
httpd-devel-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 1f5dc32947852da3a57662e6d8d5da21
httpd-manual-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 453758ed80cda526c0d28dbe6a4fb053
httpd-suexec-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 08c31b58be6c3a3e56b4ab8cd7c9d60b
mod_ssl-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: bafd04190956db5220e1931f1cdfda06
 
IA-64:
httpd-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 981d825a38f285dc367a57909ebb1bb5
httpd-devel-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 37da1e4c1527b539523bd076595ec3fb
httpd-manual-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: e6dc477ed351c90340a16ee7e05a6c0f
httpd-suexec-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 2e8c68c3be5aba7ff97fe63a5204c1ed
mod_ssl-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 1b20f7a2d51bb180b8e0d7ce7198c37a
 
PPC:
httpd-2.0.52-28.ent.ppc.rpm
File outdated by:  RHSA-2011:1392		     MD5: d5f2c327364716fac423212bab0e78ae
httpd-devel-2.0.52-28.ent.ppc.rpm
File outdated by:  RHSA-2011:1392		     MD5: 90bd7f4d121543fa18c46d5e4d061800
httpd-manual-2.0.52-28.ent.ppc.rpm
File outdated by:  RHSA-2011:1392		     MD5: 4df7750df209c840db61a391c4dc53cb
httpd-suexec-2.0.52-28.ent.ppc.rpm
File outdated by:  RHSA-2011:1392		     MD5: d990a29b89b52cc4f106f71e960de2f6
mod_ssl-2.0.52-28.ent.ppc.rpm
File outdated by:  RHSA-2011:1392		     MD5: 2e36173faaf66a60e16f4ab560943264
 
s390:
httpd-2.0.52-28.ent.s390.rpm
File outdated by:  RHSA-2011:1392		     MD5: 6b4eadc50cd34b89a5e552a9d837915b
httpd-devel-2.0.52-28.ent.s390.rpm
File outdated by:  RHSA-2011:1392		     MD5: c32a312d95476cb5239f09ac5640cc89
httpd-manual-2.0.52-28.ent.s390.rpm
File outdated by:  RHSA-2011:1392		     MD5: 9f2a04f98ba26be7241299f38b3bdb30
httpd-suexec-2.0.52-28.ent.s390.rpm
File outdated by:  RHSA-2011:1392		     MD5: 3f69e468aa98ccb4041eb638fb4f9836
mod_ssl-2.0.52-28.ent.s390.rpm
File outdated by:  RHSA-2011:1392		     MD5: b1bf1d1537d3c69db0810449cd40a202
 
s390x:
httpd-2.0.52-28.ent.s390x.rpm
File outdated by:  RHSA-2011:1392		     MD5: 1ade626c844752cacd4a4e3693b89c4d
httpd-devel-2.0.52-28.ent.s390x.rpm
File outdated by:  RHSA-2011:1392		     MD5: 0473513c742d3926e936daa1cedb01e3
httpd-manual-2.0.52-28.ent.s390x.rpm
File outdated by:  RHSA-2011:1392		     MD5: 62693d03ee562582b0e8b3338da593ff
httpd-suexec-2.0.52-28.ent.s390x.rpm
File outdated by:  RHSA-2011:1392		     MD5: ce08d7a587630f3568d49a35d1aa3ad7
mod_ssl-2.0.52-28.ent.s390x.rpm
File outdated by:  RHSA-2011:1392		     MD5: bf53b4918b08d5efd7abaf97445821f5
 
x86_64:
httpd-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 5ea25c8a07bb0021b79d3607bebb7324
httpd-devel-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 349f57d1d4819f8adb4a46118b774a50
httpd-manual-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 53ba74eac84a36cc1cb2829add804236
httpd-suexec-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: ad3cdee012b0cc635caa391ab695345c
mod_ssl-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 92a99ce7ec860e35b735814360ec37cb
 
Red Hat Enterprise Linux ES (v. 3)
IA-32:
httpd-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: d9bb6b02095ee31f3779a41ccf37e889
httpd-devel-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: 59adb3ab038e3bf0e799b1d246913b87
mod_ssl-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: 8095700d500f6427d83e7e65010d91c5
 
IA-64:
httpd-2.0.46-61.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 66c25ecc5c74599ba3a7bb3f2fa9f4b8
httpd-devel-2.0.46-61.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: c967c0497ef645d09805b432add9fac2
mod_ssl-2.0.46-61.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 635c92aac642b85d9b49322c4fd09f39
 
x86_64:
httpd-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: a867591bfea47c5918bb37b37fbec21a
httpd-devel-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 624fd85d9aa4e6372f1663052df06309
mod_ssl-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 927b300b3ff027401c1c7b38dac1cfa0
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
httpd-2.0.52-28.ent.src.rpm
File outdated by:  RHSA-2011:1392		     MD5: 4f35d5c8dc42f7e0c8d47fbe15f80ee7
 
IA-32:
httpd-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 0b30f0a89cca20b95784a39fcab65e35
httpd-devel-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 1f5dc32947852da3a57662e6d8d5da21
httpd-manual-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 453758ed80cda526c0d28dbe6a4fb053
httpd-suexec-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 08c31b58be6c3a3e56b4ab8cd7c9d60b
mod_ssl-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: bafd04190956db5220e1931f1cdfda06
 
IA-64:
httpd-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 981d825a38f285dc367a57909ebb1bb5
httpd-devel-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 37da1e4c1527b539523bd076595ec3fb
httpd-manual-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: e6dc477ed351c90340a16ee7e05a6c0f
httpd-suexec-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 2e8c68c3be5aba7ff97fe63a5204c1ed
mod_ssl-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 1b20f7a2d51bb180b8e0d7ce7198c37a
 
x86_64:
httpd-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 5ea25c8a07bb0021b79d3607bebb7324
httpd-devel-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 349f57d1d4819f8adb4a46118b774a50
httpd-manual-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 53ba74eac84a36cc1cb2829add804236
httpd-suexec-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: ad3cdee012b0cc635caa391ab695345c
mod_ssl-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 92a99ce7ec860e35b735814360ec37cb
 
Red Hat Enterprise Linux WS (v. 3)
IA-32:
httpd-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: d9bb6b02095ee31f3779a41ccf37e889
httpd-devel-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: 59adb3ab038e3bf0e799b1d246913b87
mod_ssl-2.0.46-61.ent.i386.rpm
File outdated by:  RHSA-2009:1579		     MD5: 8095700d500f6427d83e7e65010d91c5
 
IA-64:
httpd-2.0.46-61.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 66c25ecc5c74599ba3a7bb3f2fa9f4b8
httpd-devel-2.0.46-61.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: c967c0497ef645d09805b432add9fac2
mod_ssl-2.0.46-61.ent.ia64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 635c92aac642b85d9b49322c4fd09f39
 
x86_64:
httpd-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: a867591bfea47c5918bb37b37fbec21a
httpd-devel-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 624fd85d9aa4e6372f1663052df06309
mod_ssl-2.0.46-61.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579		     MD5: 927b300b3ff027401c1c7b38dac1cfa0
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
httpd-2.0.52-28.ent.src.rpm
File outdated by:  RHSA-2011:1392		     MD5: 4f35d5c8dc42f7e0c8d47fbe15f80ee7
 
IA-32:
httpd-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 0b30f0a89cca20b95784a39fcab65e35
httpd-devel-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 1f5dc32947852da3a57662e6d8d5da21
httpd-manual-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 453758ed80cda526c0d28dbe6a4fb053
httpd-suexec-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: 08c31b58be6c3a3e56b4ab8cd7c9d60b
mod_ssl-2.0.52-28.ent.i386.rpm
File outdated by:  RHSA-2011:1392		     MD5: bafd04190956db5220e1931f1cdfda06
 
IA-64:
httpd-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 981d825a38f285dc367a57909ebb1bb5
httpd-devel-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 37da1e4c1527b539523bd076595ec3fb
httpd-manual-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: e6dc477ed351c90340a16ee7e05a6c0f
httpd-suexec-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 2e8c68c3be5aba7ff97fe63a5204c1ed
mod_ssl-2.0.52-28.ent.ia64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 1b20f7a2d51bb180b8e0d7ce7198c37a
 
x86_64:
httpd-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 5ea25c8a07bb0021b79d3607bebb7324
httpd-devel-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 349f57d1d4819f8adb4a46118b774a50
httpd-manual-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 53ba74eac84a36cc1cb2829add804236
httpd-suexec-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: ad3cdee012b0cc635caa391ab695345c
mod_ssl-2.0.52-28.ent.x86_64.rpm
File outdated by:  RHSA-2011:1392		     MD5: 92a99ce7ec860e35b735814360ec37cb
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

200732 - CVE-2006-3918 Expect header XSS


References

https://www.redhat.com/security/data/cve/CVE-2006-3918.html
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/