Security Advisory Moderate: httpd security update

Advisory: RHSA-2009:1075-1
Type: Security Advisory
Severity: Moderate
Issued on: 2009-05-27
Last updated on: 2009-05-27
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.3.z server)
OVAL: com.redhat.rhsa-20091075.xml
CVEs (cve.mitre.org): CVE-2008-1678
CVE-2009-1195

Details

Updated httpd packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular and freely-available Web server.

A flaw was found in the handling of compression structures between mod_ssl
and OpenSSL. If too many connections were opened in a short period of time,
all system memory and swap space would be consumed by httpd, negatively
impacting other processes, or causing a system crash. (CVE-2008-1678)

Note: The CVE-2008-1678 issue did not affect Red Hat Enterprise Linux 5
prior to 5.3. The problem was introduced via the RHBA-2009:0181 errata in
Red Hat Enterprise Linux 5.3, which upgraded OpenSSL to the newer 0.9.8e
version.

A flaw was found in the handling of the "Options" and "AllowOverride"
directives. In configurations using the "AllowOverride" directive with
certain "Options=" arguments, local users were not restricted from
executing commands from a Server-Side-Include script as intended.
(CVE-2009-1195)

All httpd users should upgrade to these updated packages, which contain
backported patches to resolve these issues. Users must restart httpd for
this update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)
SRPMS:
httpd-2.2.3-22.el5_3.1.src.rpm
File outdated by:  RHSA-2009:1579		     a69713e7013f941b76b3ed5f9b1d92a7
 
IA-32:
httpd-devel-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1579		     8290f1aacd4e684cd3c055080dabc490
httpd-manual-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1579		     46dcf22915d2a12ff4d703eb667684d4
 
x86_64:
httpd-devel-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1579		     8290f1aacd4e684cd3c055080dabc490
httpd-devel-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1579		     0dba75ad790986af4d54d91708d55aad
httpd-manual-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1579		     ebff201c671e927159c3b3e4125c0b8c
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
httpd-2.2.3-22.el5_3.1.src.rpm
File outdated by:  RHSA-2009:1579		     a69713e7013f941b76b3ed5f9b1d92a7
 
IA-32:
httpd-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1579		     fb766b1d6f3aa1020b3e2cda3a8f1b33
httpd-devel-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1579		     8290f1aacd4e684cd3c055080dabc490
httpd-manual-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1579		     46dcf22915d2a12ff4d703eb667684d4
mod_ssl-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1579		     b8f2488c85eb0c15e262c273f55875e4
 
IA-64:
httpd-2.2.3-22.el5_3.1.ia64.rpm
File outdated by:  RHSA-2009:1579		     06a7763cca098a09545275f8be8390c0
httpd-devel-2.2.3-22.el5_3.1.ia64.rpm
File outdated by:  RHSA-2009:1579		     443442d71c7dfea3c7eaf3814ad28ae9
httpd-manual-2.2.3-22.el5_3.1.ia64.rpm
File outdated by:  RHSA-2009:1579		     7f1dd1708d98f8477057edd280a596a8
mod_ssl-2.2.3-22.el5_3.1.ia64.rpm
File outdated by:  RHSA-2009:1579		     a1beb3f0c64174740322815b2c91f6da
 
PPC:
httpd-2.2.3-22.el5_3.1.ppc.rpm
File outdated by:  RHSA-2009:1579		     e5a4f7f3d65e8b29affc611c83e49b93
httpd-devel-2.2.3-22.el5_3.1.ppc.rpm
File outdated by:  RHSA-2009:1579		     32ee9693503f9aac4c71e5f0d243c3a4
httpd-devel-2.2.3-22.el5_3.1.ppc64.rpm
File outdated by:  RHSA-2009:1579		     d8ea9d555641005652d6eecff45f2199
httpd-manual-2.2.3-22.el5_3.1.ppc.rpm
File outdated by:  RHSA-2009:1579		     e051f58e55aa566a961a1d2042dc1d99
mod_ssl-2.2.3-22.el5_3.1.ppc.rpm
File outdated by:  RHSA-2009:1579		     c0c3b69d839e40e8151db5312c957dfd
 
s390x:
httpd-2.2.3-22.el5_3.1.s390x.rpm
File outdated by:  RHSA-2009:1579		     a13a0b2358dd557053f4846119f51d2b
httpd-devel-2.2.3-22.el5_3.1.s390.rpm
File outdated by:  RHSA-2009:1579		     c3d04217421f7bda58d5a5720f10f82f
httpd-devel-2.2.3-22.el5_3.1.s390x.rpm
File outdated by:  RHSA-2009:1579		     5d191dae48a18cc2c6ffd74fe64b7828
httpd-manual-2.2.3-22.el5_3.1.s390x.rpm
File outdated by:  RHSA-2009:1579		     762246691fc04e5e79fe6e1a6cf41908
mod_ssl-2.2.3-22.el5_3.1.s390x.rpm
File outdated by:  RHSA-2009:1579		     cec023bc0a04682454f12f3b69886f02
 
x86_64:
httpd-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1579		     d175472c633c373644a0f989a1282a02
httpd-devel-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1579		     8290f1aacd4e684cd3c055080dabc490
httpd-devel-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1579		     0dba75ad790986af4d54d91708d55aad
httpd-manual-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1579		     ebff201c671e927159c3b3e4125c0b8c
mod_ssl-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1579		     31bec4a2071c6ba7cafe3e1a503f477b
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
httpd-2.2.3-22.el5_3.1.src.rpm
File outdated by:  RHSA-2009:1579		     a69713e7013f941b76b3ed5f9b1d92a7
 
IA-32:
httpd-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1579		     fb766b1d6f3aa1020b3e2cda3a8f1b33
mod_ssl-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1579		     b8f2488c85eb0c15e262c273f55875e4
 
x86_64:
httpd-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1579		     d175472c633c373644a0f989a1282a02
mod_ssl-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1579		     31bec4a2071c6ba7cafe3e1a503f477b
 
Red Hat Enterprise Linux EUS (v. 5.3.z server)
SRPMS:
httpd-2.2.3-22.el5_3.1.src.rpm
File outdated by:  RHSA-2009:1579		     a69713e7013f941b76b3ed5f9b1d92a7
 
IA-32:
httpd-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1148		     fb766b1d6f3aa1020b3e2cda3a8f1b33
httpd-devel-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1148		     8290f1aacd4e684cd3c055080dabc490
httpd-manual-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1148		     46dcf22915d2a12ff4d703eb667684d4
mod_ssl-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1148		     b8f2488c85eb0c15e262c273f55875e4
 
IA-64:
httpd-2.2.3-22.el5_3.1.ia64.rpm
File outdated by:  RHSA-2009:1148		     06a7763cca098a09545275f8be8390c0
httpd-devel-2.2.3-22.el5_3.1.ia64.rpm
File outdated by:  RHSA-2009:1148		     443442d71c7dfea3c7eaf3814ad28ae9
httpd-manual-2.2.3-22.el5_3.1.ia64.rpm
File outdated by:  RHSA-2009:1148		     7f1dd1708d98f8477057edd280a596a8
mod_ssl-2.2.3-22.el5_3.1.ia64.rpm
File outdated by:  RHSA-2009:1148		     a1beb3f0c64174740322815b2c91f6da
 
PPC:
httpd-2.2.3-22.el5_3.1.ppc.rpm
File outdated by:  RHSA-2009:1148		     e5a4f7f3d65e8b29affc611c83e49b93
httpd-devel-2.2.3-22.el5_3.1.ppc.rpm
File outdated by:  RHSA-2009:1148		     32ee9693503f9aac4c71e5f0d243c3a4
httpd-devel-2.2.3-22.el5_3.1.ppc64.rpm
File outdated by:  RHSA-2009:1148		     d8ea9d555641005652d6eecff45f2199
httpd-manual-2.2.3-22.el5_3.1.ppc.rpm
File outdated by:  RHSA-2009:1148		     e051f58e55aa566a961a1d2042dc1d99
mod_ssl-2.2.3-22.el5_3.1.ppc.rpm
File outdated by:  RHSA-2009:1148		     c0c3b69d839e40e8151db5312c957dfd
 
s390x:
httpd-2.2.3-22.el5_3.1.s390x.rpm
File outdated by:  RHSA-2009:1148		     a13a0b2358dd557053f4846119f51d2b
httpd-devel-2.2.3-22.el5_3.1.s390.rpm
File outdated by:  RHSA-2009:1148		     c3d04217421f7bda58d5a5720f10f82f
httpd-devel-2.2.3-22.el5_3.1.s390x.rpm
File outdated by:  RHSA-2009:1148		     5d191dae48a18cc2c6ffd74fe64b7828
httpd-manual-2.2.3-22.el5_3.1.s390x.rpm
File outdated by:  RHSA-2009:1148		     762246691fc04e5e79fe6e1a6cf41908
mod_ssl-2.2.3-22.el5_3.1.s390x.rpm
File outdated by:  RHSA-2009:1148		     cec023bc0a04682454f12f3b69886f02
 
x86_64:
httpd-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1148		     d175472c633c373644a0f989a1282a02
httpd-devel-2.2.3-22.el5_3.1.i386.rpm
File outdated by:  RHSA-2009:1148		     8290f1aacd4e684cd3c055080dabc490
httpd-devel-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1148		     0dba75ad790986af4d54d91708d55aad
httpd-manual-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1148		     ebff201c671e927159c3b3e4125c0b8c
mod_ssl-2.2.3-22.el5_3.1.x86_64.rpm
File outdated by:  RHSA-2009:1148		     31bec4a2071c6ba7cafe3e1a503f477b
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

447268 - CVE-2008-1678 httpd: mod_ssl per-connection memory leak for connections with zlib compression
489436 - CVE-2009-1195 AllowOverride Options=IncludesNoExec allows Options Includes
497077 - memory leak in httpd


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/