Security Advisory Moderate: httpd security and bug fix update

Advisory: RHSA-2008:0967-4
Type: Security Advisory
Severity: Moderate
Issued on: 2008-11-11
Last updated on: 2008-11-11
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20080967.xml
CVEs (cve.mitre.org): CVE-2008-2364
CVE-2008-2939

Details

Updated httpd packages that resolve several security issues and fix a bug
are now available for Red Hat Enterprise Linux 3, 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A flaw was found in the mod_proxy Apache module. An attacker in control of
a Web server to which requests were being proxied could have caused a
limited denial of service due to CPU consumption and stack exhaustion.
(CVE-2008-2364)

A flaw was found in the mod_proxy_ftp Apache module. If Apache was
configured to support FTP-over-HTTP proxying, a remote attacker could have
performed a cross-site scripting attack. (CVE-2008-2939)

In addition, these updated packages fix a bug found in the handling of the
"ProxyRemoteMatch" directive in the Red Hat Enterprise Linux 4 httpd
packages. This bug is not present in the Red Hat Enterprise Linux 3 or Red
Hat Enterprise Linux 5 packages.

Users of httpd should upgrade to these updated packages, which contain
backported patches to correct these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
IA-32:
httpd-devel-2.2.3-11.el5_2.4.i386.rpm     0f0a108b676a8b757a7fe47717a3837c
httpd-manual-2.2.3-11.el5_2.4.i386.rpm     1d64a403f81518f5ac774a72e95e6ad9
 
x86_64:
httpd-devel-2.2.3-11.el5_2.4.i386.rpm     0f0a108b676a8b757a7fe47717a3837c
httpd-devel-2.2.3-11.el5_2.4.x86_64.rpm     2658ad83b36b43775b1c38fcbc633a51
httpd-manual-2.2.3-11.el5_2.4.x86_64.rpm     afef5cff7083ecb74c297e9e7b7b58f9
 
Red Hat Desktop (v. 3)
SRPMS:
httpd-2.0.46-71.ent.src.rpm     680df6ee645776db50d7fccac66ea75b
 
IA-32:
httpd-2.0.46-71.ent.i386.rpm     6f554d8f0472ae432c4beecf82274b93
httpd-devel-2.0.46-71.ent.i386.rpm     caf1474238bddeb36c762bbc64fabcda
mod_ssl-2.0.46-71.ent.i386.rpm     de772ede8cbfcd5a0530e278a1679956
 
x86_64:
httpd-2.0.46-71.ent.x86_64.rpm     4adcf5a521c7fcdb690c59397c544384
httpd-devel-2.0.46-71.ent.x86_64.rpm     28dbe6216481c918abaff8c8564b2c69
mod_ssl-2.0.46-71.ent.x86_64.rpm     f4e45b27396522d9ce5f8d969f2b4310
 
Red Hat Desktop (v. 4)
SRPMS:
httpd-2.0.52-41.ent.2.src.rpm     e36cd1f253fff4cd6f049afb66e25cf2
 
IA-32:
httpd-2.0.52-41.ent.2.i386.rpm     a626a3325166911167bbeee41ab33af5
httpd-devel-2.0.52-41.ent.2.i386.rpm     9e5b16a7092ca002d36eb8e8ab74e6f6
httpd-manual-2.0.52-41.ent.2.i386.rpm     d6f752a59d3fb8cf13d1ff34620686b0
httpd-suexec-2.0.52-41.ent.2.i386.rpm     e4cdac515fda1ab74979382aa42b972b
mod_ssl-2.0.52-41.ent.2.i386.rpm     ee6b817dda3654b943f8309a0461230b
 
x86_64:
httpd-2.0.52-41.ent.2.x86_64.rpm     99fd6240767a3080805332e455e7b9bf
httpd-devel-2.0.52-41.ent.2.x86_64.rpm     c11c13d7c2e86725a65eaf518ebac05c
httpd-manual-2.0.52-41.ent.2.x86_64.rpm     1dfcc292855e84a995feb3051e9d314f
httpd-suexec-2.0.52-41.ent.2.x86_64.rpm     10e2ca12e78908a32f840fac8217fa04
mod_ssl-2.0.52-41.ent.2.x86_64.rpm     9b5bf8797ecbe5539e1a952fe551f803
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
httpd-2.2.3-11.el5_2.4.src.rpm     bb08fcb31a0e4d23e6915da228c08b71
 
IA-32:
httpd-2.2.3-11.el5_2.4.i386.rpm     6d8c205ece20686a56da3237aa742c81
httpd-devel-2.2.3-11.el5_2.4.i386.rpm     0f0a108b676a8b757a7fe47717a3837c
httpd-manual-2.2.3-11.el5_2.4.i386.rpm     1d64a403f81518f5ac774a72e95e6ad9
mod_ssl-2.2.3-11.el5_2.4.i386.rpm     f45458156d785c0a4e50b479656c23a9
 
IA-64:
httpd-2.2.3-11.el5_2.4.ia64.rpm     0c470994ea648312164f394b9b63dad2
httpd-devel-2.2.3-11.el5_2.4.ia64.rpm     5bc8101ced26d7c8d2589c1ef1f50d3e
httpd-manual-2.2.3-11.el5_2.4.ia64.rpm     2d963af3796db37d59cb4fa008cb8dc8
mod_ssl-2.2.3-11.el5_2.4.ia64.rpm     fb37ac34afdaa865654f653dc336e10e
 
PPC:
httpd-2.2.3-11.el5_2.4.ppc.rpm     2b710e84427668c7e6f65feaaa7b0161
httpd-2.2.3-11.el5_2.4.ppc64.rpm     24cae2944eb290c1dc52e539e1aad974
httpd-devel-2.2.3-11.el5_2.4.ppc.rpm     f33828c3203d7e70be08e1149b3735bf
httpd-devel-2.2.3-11.el5_2.4.ppc64.rpm     539bc7cd46e76f31f76fe57adb7ef96b
httpd-manual-2.2.3-11.el5_2.4.ppc.rpm     87d9cf50ac62ff6cda5ec33313bdafc8
mod_ssl-2.2.3-11.el5_2.4.ppc.rpm     b796747825e92dc4d1cc496a2d4e3f14
 
s390x:
httpd-2.2.3-11.el5_2.4.s390x.rpm     13d5bf85a5c6c1b87a249a88101cf27f
httpd-devel-2.2.3-11.el5_2.4.s390.rpm     cd7e5c7f4cad2352229e51bd1ba53971
httpd-devel-2.2.3-11.el5_2.4.s390x.rpm     a3baf175a0946d4033034737e2ba4ed0
httpd-manual-2.2.3-11.el5_2.4.s390x.rpm     ff181c297447dc84a112c2bb2752a56b
mod_ssl-2.2.3-11.el5_2.4.s390x.rpm     3129339ffc9dffa85cdbd7306ed8b3a1
 
x86_64:
httpd-2.2.3-11.el5_2.4.x86_64.rpm     9de78dd09c30dd35fcafb29c338f3182
httpd-devel-2.2.3-11.el5_2.4.i386.rpm     0f0a108b676a8b757a7fe47717a3837c
httpd-devel-2.2.3-11.el5_2.4.x86_64.rpm     2658ad83b36b43775b1c38fcbc633a51
httpd-manual-2.2.3-11.el5_2.4.x86_64.rpm     afef5cff7083ecb74c297e9e7b7b58f9
mod_ssl-2.2.3-11.el5_2.4.x86_64.rpm     89f272cb71170d9a9ee904266ecfb93e
 
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
httpd-2.0.46-71.ent.src.rpm     680df6ee645776db50d7fccac66ea75b
 
IA-32:
httpd-2.0.46-71.ent.i386.rpm     6f554d8f0472ae432c4beecf82274b93
httpd-devel-2.0.46-71.ent.i386.rpm     caf1474238bddeb36c762bbc64fabcda
mod_ssl-2.0.46-71.ent.i386.rpm     de772ede8cbfcd5a0530e278a1679956
 
IA-64:
httpd-2.0.46-71.ent.ia64.rpm     d416e2d93fba45175a26b37174c24f40
httpd-devel-2.0.46-71.ent.ia64.rpm     069c3ef3e98d532325210fcda61bed7f
mod_ssl-2.0.46-71.ent.ia64.rpm     8936e700bbc090d8db090206bda98ab4
 
PPC:
httpd-2.0.46-71.ent.ppc.rpm     c12ba2b6f31ac2917f2f7edce48e04a7
httpd-devel-2.0.46-71.ent.ppc.rpm     3de11fc0e75f04e132f1cdd29ce50776
mod_ssl-2.0.46-71.ent.ppc.rpm     677714964a3073da2bda6bd16d050273
 
s390:
httpd-2.0.46-71.ent.s390.rpm     0c1893a6f44dc3ebea1638fb9ea1e9db
httpd-devel-2.0.46-71.ent.s390.rpm     668cab1b4c35b120c24a1de9ac25d410
mod_ssl-2.0.46-71.ent.s390.rpm     a972af998c8ef0db69108991a2f83a91
 
s390x:
httpd-2.0.46-71.ent.s390x.rpm     30d4ac5b7c705d89c16803cb54b3ac33
httpd-devel-2.0.46-71.ent.s390x.rpm     ed86d0982de04729eb076470e2bba525
mod_ssl-2.0.46-71.ent.s390x.rpm     e51c24d5d2cd12073bf291a73eab7010
 
x86_64:
httpd-2.0.46-71.ent.x86_64.rpm     4adcf5a521c7fcdb690c59397c544384
httpd-devel-2.0.46-71.ent.x86_64.rpm     28dbe6216481c918abaff8c8564b2c69
mod_ssl-2.0.46-71.ent.x86_64.rpm     f4e45b27396522d9ce5f8d969f2b4310
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
httpd-2.0.52-41.ent.2.src.rpm     e36cd1f253fff4cd6f049afb66e25cf2
 
IA-32:
httpd-2.0.52-41.ent.2.i386.rpm     a626a3325166911167bbeee41ab33af5
httpd-devel-2.0.52-41.ent.2.i386.rpm     9e5b16a7092ca002d36eb8e8ab74e6f6
httpd-manual-2.0.52-41.ent.2.i386.rpm     d6f752a59d3fb8cf13d1ff34620686b0
httpd-suexec-2.0.52-41.ent.2.i386.rpm     e4cdac515fda1ab74979382aa42b972b
mod_ssl-2.0.52-41.ent.2.i386.rpm     ee6b817dda3654b943f8309a0461230b
 
IA-64:
httpd-2.0.52-41.ent.2.ia64.rpm     97fd4e8f51005451193534bd8a5554f3
httpd-devel-2.0.52-41.ent.2.ia64.rpm     d9fa67a4d3885587292644f94c117700
httpd-manual-2.0.52-41.ent.2.ia64.rpm     0d7c9c76628bcc5782dddb1f41c896c7
httpd-suexec-2.0.52-41.ent.2.ia64.rpm     9f8f0af636ca4f8bb83cac4a8d84e78f
mod_ssl-2.0.52-41.ent.2.ia64.rpm     ad36b53671d57cdcf9f91e087135f30c
 
PPC:
httpd-2.0.52-41.ent.2.ppc.rpm     db53a88fc7a2fc69b5cec85dcb4979df
httpd-devel-2.0.52-41.ent.2.ppc.rpm     19a7234cf58fabe4d1e1684926724755
httpd-manual-2.0.52-41.ent.2.ppc.rpm     577d17a5d3dd6d5a6e03f148ad7ea1de
httpd-suexec-2.0.52-41.ent.2.ppc.rpm     b254927457e4d3a86f7d7bb87bcf4b75
mod_ssl-2.0.52-41.ent.2.ppc.rpm     e59b29bbd6299ac67121b9f946927dd3
 
s390:
httpd-2.0.52-41.ent.2.s390.rpm     3e101d12d9c1956a544a6857c7e25d0f
httpd-devel-2.0.52-41.ent.2.s390.rpm     7950f1cc423a64917efa02dc054edfee
httpd-manual-2.0.52-41.ent.2.s390.rpm     01a84511f50bb47f66bdc670ee862788
httpd-suexec-2.0.52-41.ent.2.s390.rpm     e9c52f3de3e21c7c0a3bb6dc91f07913
mod_ssl-2.0.52-41.ent.2.s390.rpm     f8c94af71af22e03d139b34fbaa4593b
 
s390x:
httpd-2.0.52-41.ent.2.s390x.rpm     d56fe52759a47d9bbff810868134abf3
httpd-devel-2.0.52-41.ent.2.s390x.rpm     5fffa6b6aa8ddb07316a4140f3bef16a
httpd-manual-2.0.52-41.ent.2.s390x.rpm     727ce4111212bb4f45ea1e4eddfb53da
httpd-suexec-2.0.52-41.ent.2.s390x.rpm     bb6ba7f77d6de58af0cea7c2a5f13081
mod_ssl-2.0.52-41.ent.2.s390x.rpm     a37e32108d1d49945294af765d67582b
 
x86_64:
httpd-2.0.52-41.ent.2.x86_64.rpm     99fd6240767a3080805332e455e7b9bf
httpd-devel-2.0.52-41.ent.2.x86_64.rpm     c11c13d7c2e86725a65eaf518ebac05c
httpd-manual-2.0.52-41.ent.2.x86_64.rpm     1dfcc292855e84a995feb3051e9d314f
httpd-suexec-2.0.52-41.ent.2.x86_64.rpm     10e2ca12e78908a32f840fac8217fa04
mod_ssl-2.0.52-41.ent.2.x86_64.rpm     9b5bf8797ecbe5539e1a952fe551f803
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
httpd-2.2.3-11.el5_2.4.src.rpm     bb08fcb31a0e4d23e6915da228c08b71
 
IA-32:
httpd-2.2.3-11.el5_2.4.i386.rpm     6d8c205ece20686a56da3237aa742c81
mod_ssl-2.2.3-11.el5_2.4.i386.rpm     f45458156d785c0a4e50b479656c23a9
 
x86_64:
httpd-2.2.3-11.el5_2.4.x86_64.rpm     9de78dd09c30dd35fcafb29c338f3182
mod_ssl-2.2.3-11.el5_2.4.x86_64.rpm     89f272cb71170d9a9ee904266ecfb93e
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
httpd-2.0.46-71.ent.src.rpm     680df6ee645776db50d7fccac66ea75b
 
IA-32:
httpd-2.0.46-71.ent.i386.rpm     6f554d8f0472ae432c4beecf82274b93
httpd-devel-2.0.46-71.ent.i386.rpm     caf1474238bddeb36c762bbc64fabcda
mod_ssl-2.0.46-71.ent.i386.rpm     de772ede8cbfcd5a0530e278a1679956
 
IA-64:
httpd-2.0.46-71.ent.ia64.rpm     d416e2d93fba45175a26b37174c24f40
httpd-devel-2.0.46-71.ent.ia64.rpm     069c3ef3e98d532325210fcda61bed7f
mod_ssl-2.0.46-71.ent.ia64.rpm     8936e700bbc090d8db090206bda98ab4
 
x86_64:
httpd-2.0.46-71.ent.x86_64.rpm     4adcf5a521c7fcdb690c59397c544384
httpd-devel-2.0.46-71.ent.x86_64.rpm     28dbe6216481c918abaff8c8564b2c69
mod_ssl-2.0.46-71.ent.x86_64.rpm     f4e45b27396522d9ce5f8d969f2b4310
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
httpd-2.0.52-41.ent.2.src.rpm     e36cd1f253fff4cd6f049afb66e25cf2
 
IA-32:
httpd-2.0.52-41.ent.2.i386.rpm     a626a3325166911167bbeee41ab33af5
httpd-devel-2.0.52-41.ent.2.i386.rpm     9e5b16a7092ca002d36eb8e8ab74e6f6
httpd-manual-2.0.52-41.ent.2.i386.rpm     d6f752a59d3fb8cf13d1ff34620686b0
httpd-suexec-2.0.52-41.ent.2.i386.rpm     e4cdac515fda1ab74979382aa42b972b
mod_ssl-2.0.52-41.ent.2.i386.rpm     ee6b817dda3654b943f8309a0461230b
 
IA-64:
httpd-2.0.52-41.ent.2.ia64.rpm     97fd4e8f51005451193534bd8a5554f3
httpd-devel-2.0.52-41.ent.2.ia64.rpm     d9fa67a4d3885587292644f94c117700
httpd-manual-2.0.52-41.ent.2.ia64.rpm     0d7c9c76628bcc5782dddb1f41c896c7
httpd-suexec-2.0.52-41.ent.2.ia64.rpm     9f8f0af636ca4f8bb83cac4a8d84e78f
mod_ssl-2.0.52-41.ent.2.ia64.rpm     ad36b53671d57cdcf9f91e087135f30c
 
x86_64:
httpd-2.0.52-41.ent.2.x86_64.rpm     99fd6240767a3080805332e455e7b9bf
httpd-devel-2.0.52-41.ent.2.x86_64.rpm     c11c13d7c2e86725a65eaf518ebac05c
httpd-manual-2.0.52-41.ent.2.x86_64.rpm     1dfcc292855e84a995feb3051e9d314f
httpd-suexec-2.0.52-41.ent.2.x86_64.rpm     10e2ca12e78908a32f840fac8217fa04
mod_ssl-2.0.52-41.ent.2.x86_64.rpm     9b5bf8797ecbe5539e1a952fe551f803
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
httpd-2.0.46-71.ent.src.rpm     680df6ee645776db50d7fccac66ea75b
 
IA-32:
httpd-2.0.46-71.ent.i386.rpm     6f554d8f0472ae432c4beecf82274b93
httpd-devel-2.0.46-71.ent.i386.rpm     caf1474238bddeb36c762bbc64fabcda
mod_ssl-2.0.46-71.ent.i386.rpm     de772ede8cbfcd5a0530e278a1679956
 
IA-64:
httpd-2.0.46-71.ent.ia64.rpm     d416e2d93fba45175a26b37174c24f40
httpd-devel-2.0.46-71.ent.ia64.rpm     069c3ef3e98d532325210fcda61bed7f
mod_ssl-2.0.46-71.ent.ia64.rpm     8936e700bbc090d8db090206bda98ab4
 
x86_64:
httpd-2.0.46-71.ent.x86_64.rpm     4adcf5a521c7fcdb690c59397c544384
httpd-devel-2.0.46-71.ent.x86_64.rpm     28dbe6216481c918abaff8c8564b2c69
mod_ssl-2.0.46-71.ent.x86_64.rpm     f4e45b27396522d9ce5f8d969f2b4310
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
httpd-2.0.52-41.ent.2.src.rpm     e36cd1f253fff4cd6f049afb66e25cf2
 
IA-32:
httpd-2.0.52-41.ent.2.i386.rpm     a626a3325166911167bbeee41ab33af5
httpd-devel-2.0.52-41.ent.2.i386.rpm     9e5b16a7092ca002d36eb8e8ab74e6f6
httpd-manual-2.0.52-41.ent.2.i386.rpm     d6f752a59d3fb8cf13d1ff34620686b0
httpd-suexec-2.0.52-41.ent.2.i386.rpm     e4cdac515fda1ab74979382aa42b972b
mod_ssl-2.0.52-41.ent.2.i386.rpm     ee6b817dda3654b943f8309a0461230b
 
IA-64:
httpd-2.0.52-41.ent.2.ia64.rpm     97fd4e8f51005451193534bd8a5554f3
httpd-devel-2.0.52-41.ent.2.ia64.rpm     d9fa67a4d3885587292644f94c117700
httpd-manual-2.0.52-41.ent.2.ia64.rpm     0d7c9c76628bcc5782dddb1f41c896c7
httpd-suexec-2.0.52-41.ent.2.ia64.rpm     9f8f0af636ca4f8bb83cac4a8d84e78f
mod_ssl-2.0.52-41.ent.2.ia64.rpm     ad36b53671d57cdcf9f91e087135f30c
 
x86_64:
httpd-2.0.52-41.ent.2.x86_64.rpm     99fd6240767a3080805332e455e7b9bf
httpd-devel-2.0.52-41.ent.2.x86_64.rpm     c11c13d7c2e86725a65eaf518ebac05c
httpd-manual-2.0.52-41.ent.2.x86_64.rpm     1dfcc292855e84a995feb3051e9d314f
httpd-suexec-2.0.52-41.ent.2.x86_64.rpm     10e2ca12e78908a32f840fac8217fa04
mod_ssl-2.0.52-41.ent.2.x86_64.rpm     9b5bf8797ecbe5539e1a952fe551f803
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

451615 - CVE-2008-2364 httpd: mod_proxy_http DoS via excessive interim responses from the origin server
458250 - CVE-2008-2939 httpd: mod_proxy_ftp globbing XSS
464492 - mod_proxy: ProxyRemoteMatch uses remote proxy if regex does *not* match


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/