Security Advisory Moderate: httpd security update

Advisory: RHSA-2007:0534-4
Type: Security Advisory
Severity: Moderate
Issued on: 2007-06-26
Last updated on: 2007-06-26
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2006-5752
CVE-2007-1863

Details

Updated Apache httpd packages that correct two security issues are now
available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A flaw was found in the Apache HTTP Server mod_status module. On sites
where the server-status page is publicly accessible and ExtendedStatus is
enabled this could lead to a cross-site scripting attack. On Red Hat
Enterprise Linux the server-status page is not enabled by default and it is
best practice to not make this publicly available. (CVE-2006-5752)

A bug was found in the Apache HTTP Server mod_cache module. On sites where
caching is enabled, a remote attacker could send a carefully crafted
request that would cause the Apache child process handling that request to
crash. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-1863)

Users of httpd should upgrade to these updated packages, which contain
backported patches to correct these issues. Users should restart Apache
after installing this update.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Desktop (v. 4)
SRPMS:
httpd-2.0.52-32.2.ent.src.rpm
File outdated by:  RHBA-2009:0388		     e19b6b381b001d6a03479e084173a619
 
IA-32:
httpd-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     f0582489efd46c9c59863195707d00d0
httpd-devel-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     340f2feebe9a79e42a767335336675f5
httpd-manual-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     2b490d14e2d09eb8cbafd88fe9467312
httpd-suexec-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     115487cace183f2caf4aac73a5149c9f
mod_ssl-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     d86d6d290b95fc85e3de832dae45ba7f
 
x86_64:
httpd-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     208ead4487bdc36a3eb0c45af2dac4d0
httpd-devel-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     2926a123b3645ea8c79e2057d572c5ab
httpd-manual-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     c048d1098d04d7d6e6f552270c97fa33
httpd-suexec-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     6217e605a53ac2b4476ca842e027a8b5
mod_ssl-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     5b2613e647bfd5ff5459d8daee1177e5
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
httpd-2.0.52-32.2.ent.src.rpm
File outdated by:  RHBA-2009:0388		     e19b6b381b001d6a03479e084173a619
 
IA-32:
httpd-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     f0582489efd46c9c59863195707d00d0
httpd-devel-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     340f2feebe9a79e42a767335336675f5
httpd-manual-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     2b490d14e2d09eb8cbafd88fe9467312
httpd-suexec-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     115487cace183f2caf4aac73a5149c9f
mod_ssl-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     d86d6d290b95fc85e3de832dae45ba7f
 
IA-64:
httpd-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     43280ea7ada5d21c98a4d9d0738ef341
httpd-devel-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     8cb1a7fb6dcf3b6c8bba764574a4f46b
httpd-manual-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     7f3a1353272854c8446d83f80333443c
httpd-suexec-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     309413e6ae60a2dc263e6ed963a3e4be
mod_ssl-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     56749924b8239b7343ab30975376cd82
 
PPC:
httpd-2.0.52-32.2.ent.ppc.rpm
File outdated by:  RHBA-2009:0388		     127729c579cbca6fcd60a2f8e8b76f6c
httpd-devel-2.0.52-32.2.ent.ppc.rpm
File outdated by:  RHBA-2009:0388		     0911772998e00a4a09536b2240de07e4
httpd-manual-2.0.52-32.2.ent.ppc.rpm
File outdated by:  RHBA-2009:0388		     209a157b1cae1e4454d90590f3df6500
httpd-suexec-2.0.52-32.2.ent.ppc.rpm
File outdated by:  RHBA-2009:0388		     975f553c1ce8616f5cce71f511903a53
mod_ssl-2.0.52-32.2.ent.ppc.rpm
File outdated by:  RHBA-2009:0388		     40cab07e07fb43a436e80bca5b928413
 
s390:
httpd-2.0.52-32.2.ent.s390.rpm
File outdated by:  RHBA-2009:0388		     9770d5a8918fdd97d74ddedf2a1f686e
httpd-devel-2.0.52-32.2.ent.s390.rpm
File outdated by:  RHBA-2009:0388		     980920e38a008e2333e70bc0f794b2db
httpd-manual-2.0.52-32.2.ent.s390.rpm
File outdated by:  RHBA-2009:0388		     9e49e23e2266faa6b25bf4e5b2f89c7b
httpd-suexec-2.0.52-32.2.ent.s390.rpm
File outdated by:  RHBA-2009:0388		     dd3da0029f6d267011e0d673c077ceab
mod_ssl-2.0.52-32.2.ent.s390.rpm
File outdated by:  RHBA-2009:0388		     ea1047ac976b43b5be3cb1dfb4e8c26d
 
s390x:
httpd-2.0.52-32.2.ent.s390x.rpm
File outdated by:  RHBA-2009:0388		     eb4f61a04aa54984ba1a09726bca13b7
httpd-devel-2.0.52-32.2.ent.s390x.rpm
File outdated by:  RHBA-2009:0388		     417868bf22d1669436695452c7f49ad2
httpd-manual-2.0.52-32.2.ent.s390x.rpm
File outdated by:  RHBA-2009:0388		     d16a5308fd622d2790a0a6c777872ae7
httpd-suexec-2.0.52-32.2.ent.s390x.rpm
File outdated by:  RHBA-2009:0388		     ed840994b9f16962d3c2d773f1416004
mod_ssl-2.0.52-32.2.ent.s390x.rpm
File outdated by:  RHBA-2009:0388		     b717d806bbeb703cb4988c3c9c093a36
 
x86_64:
httpd-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     208ead4487bdc36a3eb0c45af2dac4d0
httpd-devel-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     2926a123b3645ea8c79e2057d572c5ab
httpd-manual-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     c048d1098d04d7d6e6f552270c97fa33
httpd-suexec-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     6217e605a53ac2b4476ca842e027a8b5
mod_ssl-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     5b2613e647bfd5ff5459d8daee1177e5
 
Red Hat Enterprise Linux AS (v. 4.5.z)
SRPMS:
httpd-2.0.52-32.2.ent.src.rpm
File outdated by:  RHBA-2009:0388		     e19b6b381b001d6a03479e084173a619
 
IA-32:
httpd-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHSA-2007:0662		     f0582489efd46c9c59863195707d00d0
httpd-devel-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHSA-2007:0662		     340f2feebe9a79e42a767335336675f5
httpd-manual-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHSA-2007:0662		     2b490d14e2d09eb8cbafd88fe9467312
httpd-suexec-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHSA-2007:0662		     115487cace183f2caf4aac73a5149c9f
mod_ssl-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHSA-2007:0662		     d86d6d290b95fc85e3de832dae45ba7f
 
IA-64:
httpd-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHSA-2007:0662		     43280ea7ada5d21c98a4d9d0738ef341
httpd-devel-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHSA-2007:0662		     8cb1a7fb6dcf3b6c8bba764574a4f46b
httpd-manual-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHSA-2007:0662		     7f3a1353272854c8446d83f80333443c
httpd-suexec-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHSA-2007:0662		     309413e6ae60a2dc263e6ed963a3e4be
mod_ssl-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHSA-2007:0662		     56749924b8239b7343ab30975376cd82
 
PPC:
httpd-2.0.52-32.2.ent.ppc.rpm
File outdated by:  RHSA-2007:0662		     127729c579cbca6fcd60a2f8e8b76f6c
httpd-devel-2.0.52-32.2.ent.ppc.rpm
File outdated by:  RHSA-2007:0662		     0911772998e00a4a09536b2240de07e4
httpd-manual-2.0.52-32.2.ent.ppc.rpm
File outdated by:  RHSA-2007:0662		     209a157b1cae1e4454d90590f3df6500
httpd-suexec-2.0.52-32.2.ent.ppc.rpm
File outdated by:  RHSA-2007:0662		     975f553c1ce8616f5cce71f511903a53
mod_ssl-2.0.52-32.2.ent.ppc.rpm
File outdated by:  RHSA-2007:0662		     40cab07e07fb43a436e80bca5b928413
 
s390:
httpd-2.0.52-32.2.ent.s390.rpm
File outdated by:  RHSA-2007:0662		     9770d5a8918fdd97d74ddedf2a1f686e
httpd-devel-2.0.52-32.2.ent.s390.rpm
File outdated by:  RHSA-2007:0662		     980920e38a008e2333e70bc0f794b2db
httpd-manual-2.0.52-32.2.ent.s390.rpm
File outdated by:  RHSA-2007:0662		     9e49e23e2266faa6b25bf4e5b2f89c7b
httpd-suexec-2.0.52-32.2.ent.s390.rpm
File outdated by:  RHSA-2007:0662		     dd3da0029f6d267011e0d673c077ceab
mod_ssl-2.0.52-32.2.ent.s390.rpm
File outdated by:  RHSA-2007:0662		     ea1047ac976b43b5be3cb1dfb4e8c26d
 
s390x:
httpd-2.0.52-32.2.ent.s390x.rpm
File outdated by:  RHSA-2007:0662		     eb4f61a04aa54984ba1a09726bca13b7
httpd-devel-2.0.52-32.2.ent.s390x.rpm
File outdated by:  RHSA-2007:0662		     417868bf22d1669436695452c7f49ad2
httpd-manual-2.0.52-32.2.ent.s390x.rpm
File outdated by:  RHSA-2007:0662		     d16a5308fd622d2790a0a6c777872ae7
httpd-suexec-2.0.52-32.2.ent.s390x.rpm
File outdated by:  RHSA-2007:0662		     ed840994b9f16962d3c2d773f1416004
mod_ssl-2.0.52-32.2.ent.s390x.rpm
File outdated by:  RHSA-2007:0662		     b717d806bbeb703cb4988c3c9c093a36
 
x86_64:
httpd-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHSA-2007:0662		     208ead4487bdc36a3eb0c45af2dac4d0
httpd-devel-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHSA-2007:0662		     2926a123b3645ea8c79e2057d572c5ab
httpd-manual-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHSA-2007:0662		     c048d1098d04d7d6e6f552270c97fa33
httpd-suexec-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHSA-2007:0662		     6217e605a53ac2b4476ca842e027a8b5
mod_ssl-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHSA-2007:0662		     5b2613e647bfd5ff5459d8daee1177e5
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
httpd-2.0.52-32.2.ent.src.rpm
File outdated by:  RHBA-2009:0388		     e19b6b381b001d6a03479e084173a619
 
IA-32:
httpd-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     f0582489efd46c9c59863195707d00d0
httpd-devel-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     340f2feebe9a79e42a767335336675f5
httpd-manual-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     2b490d14e2d09eb8cbafd88fe9467312
httpd-suexec-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     115487cace183f2caf4aac73a5149c9f
mod_ssl-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     d86d6d290b95fc85e3de832dae45ba7f
 
IA-64:
httpd-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     43280ea7ada5d21c98a4d9d0738ef341
httpd-devel-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     8cb1a7fb6dcf3b6c8bba764574a4f46b
httpd-manual-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     7f3a1353272854c8446d83f80333443c
httpd-suexec-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     309413e6ae60a2dc263e6ed963a3e4be
mod_ssl-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     56749924b8239b7343ab30975376cd82
 
x86_64:
httpd-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     208ead4487bdc36a3eb0c45af2dac4d0
httpd-devel-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     2926a123b3645ea8c79e2057d572c5ab
httpd-manual-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     c048d1098d04d7d6e6f552270c97fa33
httpd-suexec-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     6217e605a53ac2b4476ca842e027a8b5
mod_ssl-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     5b2613e647bfd5ff5459d8daee1177e5
 
Red Hat Enterprise Linux ES (v. 4.5.z)
SRPMS:
httpd-2.0.52-32.2.ent.src.rpm
File outdated by:  RHBA-2009:0388		     e19b6b381b001d6a03479e084173a619
 
IA-32:
httpd-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHSA-2007:0662		     f0582489efd46c9c59863195707d00d0
httpd-devel-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHSA-2007:0662		     340f2feebe9a79e42a767335336675f5
httpd-manual-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHSA-2007:0662		     2b490d14e2d09eb8cbafd88fe9467312
httpd-suexec-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHSA-2007:0662		     115487cace183f2caf4aac73a5149c9f
mod_ssl-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHSA-2007:0662		     d86d6d290b95fc85e3de832dae45ba7f
 
IA-64:
httpd-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHSA-2007:0662		     43280ea7ada5d21c98a4d9d0738ef341
httpd-devel-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHSA-2007:0662		     8cb1a7fb6dcf3b6c8bba764574a4f46b
httpd-manual-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHSA-2007:0662		     7f3a1353272854c8446d83f80333443c
httpd-suexec-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHSA-2007:0662		     309413e6ae60a2dc263e6ed963a3e4be
mod_ssl-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHSA-2007:0662		     56749924b8239b7343ab30975376cd82
 
x86_64:
httpd-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHSA-2007:0662		     208ead4487bdc36a3eb0c45af2dac4d0
httpd-devel-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHSA-2007:0662		     2926a123b3645ea8c79e2057d572c5ab
httpd-manual-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHSA-2007:0662		     c048d1098d04d7d6e6f552270c97fa33
httpd-suexec-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHSA-2007:0662		     6217e605a53ac2b4476ca842e027a8b5
mod_ssl-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHSA-2007:0662		     5b2613e647bfd5ff5459d8daee1177e5
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
httpd-2.0.52-32.2.ent.src.rpm
File outdated by:  RHBA-2009:0388		     e19b6b381b001d6a03479e084173a619
 
IA-32:
httpd-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     f0582489efd46c9c59863195707d00d0
httpd-devel-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     340f2feebe9a79e42a767335336675f5
httpd-manual-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     2b490d14e2d09eb8cbafd88fe9467312
httpd-suexec-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     115487cace183f2caf4aac73a5149c9f
mod_ssl-2.0.52-32.2.ent.i386.rpm
File outdated by:  RHBA-2009:0388		     d86d6d290b95fc85e3de832dae45ba7f
 
IA-64:
httpd-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     43280ea7ada5d21c98a4d9d0738ef341
httpd-devel-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     8cb1a7fb6dcf3b6c8bba764574a4f46b
httpd-manual-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     7f3a1353272854c8446d83f80333443c
httpd-suexec-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     309413e6ae60a2dc263e6ed963a3e4be
mod_ssl-2.0.52-32.2.ent.ia64.rpm
File outdated by:  RHBA-2009:0388		     56749924b8239b7343ab30975376cd82
 
x86_64:
httpd-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     208ead4487bdc36a3eb0c45af2dac4d0
httpd-devel-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     2926a123b3645ea8c79e2057d572c5ab
httpd-manual-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     c048d1098d04d7d6e6f552270c97fa33
httpd-suexec-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     6217e605a53ac2b4476ca842e027a8b5
mod_ssl-2.0.52-32.2.ent.x86_64.rpm
File outdated by:  RHBA-2009:0388		     5b2613e647bfd5ff5459d8daee1177e5
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

244658 - CVE-2007-1863 httpd mod_cache segfault
245112 - CVE-2006-5752 httpd mod_status XSS


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/