Bug Fix Advisory httpd bug fix and enhancement update

Advisory: RHBA-2015:2194-6
Type: Bug Fix Advisory
Severity: N/A
Issued on: 2015-11-19
Last updated on: 2015-11-19
Affected Products: Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux HPC Node (v. 7)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Workstation (v. 7)

Details

Updated httpd packages that fix several bugs and add various enhancements are
now available for Red Hat Enterprise Linux 7.

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and
extensible web server.

This update fixes the following bugs:

* The httpd daemon did not reset an internal array for storing variables defined
using the "Define" directive. Consequently, variables could be undefined after a
graceful restart. httpd has been fixed to reset this internal array during a
graceful restart, and variables are now correctly defined in this scenario.
(BZ#1227219)

* The SSL_CLIENT_VERIFY environment variable was incorrectly handled when the
"SSLVerifyClient optional_no_ca" and "SSLSessionCache" options were used.
Consequently, when an SSL session was resumed, the SSL_CLIENT_VERIFY value was
set to "SUCCESS" instead of the previously set "GENEROUS". SSL_CLIENT_VERIFY is
now correctly set to GENEROUS in this scenario. (BZ#1170206)

* The mod_ssl module did not call the ERR_free_strings method during its
cleanup. Consequently, during the httpd daemon's reload, mod_ssl leaked memory.
Now, ERR_free_strings is called by mod_ssl during the httpd reload, and mod_ssl
no longer leaks memory. (BZ#1181690)

* The status line of an HTTP response message from a server did not include the
HTTP Reason-Phrase if the original response from the mod_proxy back-end server
contained only a Status Code. Consequently, the server displayed only the Status
Code to an HTTP client. HTTP clients now receive both the Status Code and
Reason-Phrase. (BZ#1162159)

* The mod_authz_dbm module requires the mod_authz_owner module but this
dependency was not reflected in the mod_authz_dbm code. Consequently, when the
"Require dbm-file-group" directive was used and mod_authz_dbm was loaded before
mod_authz_owner, the httpd daemon terminated unexpectedly with a segmentation
fault. The mod_authz_dbm code now allows loading before the mod_authz_owner
module, and httpd no longer crashes in this scenario. (BZ#1221575)

* The mod_proxy_fcgi module had a hardcoded 30-second timeout for a request.
Consequently, it was impossible to change the timeout. mod_proxy_fcgi has been
fixed to honor the Timeout or ProxyTimeout directives, and users are now able to
configure the timeout of mod_proxy_fcgi. (BZ#1222328)

* The mod_ssl function used to enable Next Protocol Negotiation (NPN) support
returned an incorrect value when NPN was disabled. Consequently, although NPN
was disabled in the configuration, mod_ssl continued to advertise the NPN
extension. The function now returns the correct value in this scenario, and
mod_ssl no longer sends the NPN extension unless configured to do so.
(BZ#1226015)
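The SSL_CLIENT_VERIFY fix above is the security-relevant one in this list: under "SSLVerifyClient optional_no_ca", httpd accepts a client certificate without validating its chain and reports GENEROUS, and an application that trusts the certificate only on SUCCESS was, on unpatched builds, told SUCCESS for such a certificate once the session was resumed from the SSLSessionCache. The following Python function is an added example, not code from the advisory or from httpd, showing how an application should consume the variable. It assumes the CGI/WSGI environment that mod_ssl populates, that "SSLOptions +ExportCertData" is set so SSL_CLIENT_CERT carries the client certificate in PEM form, and a hypothetical application-managed allow-list of certificate fingerprints; the PEM in the block is constructed test data, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for the PEM that mod_ssl exports in SSL_CLIENT_CERT when
# "SSLOptions +ExportCertData" is set. The bytes are NOT an X.509 certificate;
# they only give cert_fingerprint() something to hash.
_FAKE_DER = b"constructed test bytes, not a real certificate"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(_FAKE_DER).decode("ascii")
            + "-----END CERTIFICATE-----\n")


def cert_fingerprint(pem: str) -> str:
    """SHA-256 hex digest of the DER bytes carried in a PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("SSL_CLIENT_CERT does not contain a PEM certificate")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def client_identity(environ: dict, pinned_fingerprints: set) -> tuple:
    """Classify the TLS client by mod_ssl's verification result.

    Returns (status, subject_dn). Only "authenticated" and "pinned" may be
    used as an identity; "unverified" is a certificate that httpd accepted
    under optional_no_ca without validating its chain.
    """
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    dn = environ.get("SSL_CLIENT_S_DN", "")
    if verify == "SUCCESS":
        # Chain validated by mod_ssl against SSLCACertificateFile/Path.
        return ("authenticated", dn)
    if verify == "GENEROUS":
        # optional_no_ca: certificate presented but NOT validated. Trust it
        # only if the application pins it (hypothetical allow-list of
        # SHA-256 fingerprints, assumed to be managed by the application).
        pem = environ.get("SSL_CLIENT_CERT", "")
        if pem and cert_fingerprint(pem) in pinned_fingerprints:
            return ("pinned", dn)
        return ("unverified", dn)
    if verify.startswith("FAILED"):
        # e.g. "FAILED:certificate has expired" under SSLVerifyClient optional
        return ("rejected", dn)
    return ("anonymous", "")


# Hypothetical allow-list; in practice this would come from configuration.
PINNED = {cert_fingerprint(FAKE_PEM)}
```

On a build without the BZ#1170206 fix, a resumed session could reach the "authenticated" branch with a certificate mod_ssl never validated, which is why optional_no_ca deployments need either this update or their own certificate validation (the pinning branch) rather than the variable alone. Where the check belongs in httpd itself rather than the application, httpd 2.4 accepts the same condition as an authorization expression: Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS'".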

The update adds these enhancements:

* The default configuration of the mod_ssl module in the Apache HTTP Server no
longer enables support for SSL cipher suites that use the IDEA or SEED
encryption algorithms, which are considered weak. (BZ#1118476)

* The mod_proxy_wstunnel module is now enabled by default and supports SSL
connections using the "wss://" scheme. Additionally, the "ws://" scheme can now
be used as a target in mod_rewrite rules, so mod_rewrite can direct WebSocket
connections to the proxy module. (BZ#1180745)

* Apache HTTP Server now supports the Microsoft User Principal Name (UPN) in the
SSLUserName directive. Users can authenticate with a Common Access Card (CAC) or
another certificate that carries a UPN, and the UPN is used as the authenticated
user name, both by access control in Apache and by applications that read the
REMOTE_USER environment variable or a similar mechanism. To enable this, set
"SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0". (BZ#1242503)
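The three enhancements above, together with the mod_proxy_fcgi timeout fix, are all driven by httpd configuration directives. The following Python linter is an added example, not part of the advisory or of the httpd project: it reads two constructed httpd fragments (WEAK_CONF and FIXED_CONF are written for this example and are not the files shipped in the package) and flags an SSLCipherSuite list with no "!IDEA"/"!SEED" exclusion, a "wss://" ProxyPass target without mod_proxy_wstunnel loaded, an "fcgi://" backend with no ProxyTimeout, and SSLUserName combined with "SSLVerifyClient optional_no_ca". The finding codes are this example's own names.

```python
# Constructed httpd configuration fragments (not the files Red Hat ships). The
# first shows settings this advisory's changes make unsafe or incomplete; the
# second shows the corrected form: IDEA and SEED excluded from the cipher list,
# mod_proxy_wstunnel loaded for the wss:// backend, an explicit ProxyTimeout for
# the FastCGI backend, and SSLUserName combined with full client verification.
WEAK_CONF = """
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLVerifyClient optional_no_ca
SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0
ProxyPass /app/ fcgi://127.0.0.1:9000/
ProxyPass /ws/ wss://backend.example.internal/
"""

FIXED_CONF = """
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLVerifyClient require
SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0
ProxyTimeout 120
ProxyPass /app/ fcgi://127.0.0.1:9000/
ProxyPass /ws/ wss://backend.example.internal/
"""


def directives(conf: str):
    """Yield (name, argument-string) per directive line. Deliberately minimal:
    comments and <Section> lines are skipped and Include is not followed."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, args = line.partition(" ")
        yield name, args.strip()


def lint(conf: str) -> list:
    """Return sorted finding codes (this example's own names) for a fragment."""
    found = list(directives(conf))
    names = {n for n, _ in found}
    loaded = {a.split()[0] for n, a in found if n == "LoadModule" and a}
    findings = set()
    for name, args in found:
        if name == "SSLCipherSuite":
            # Token check only: a list can also avoid IDEA/SEED by never
            # selecting them. "openssl ciphers -v '<list>'" is the authority.
            tokens = set(args.split(":"))
            for weak in ("IDEA", "SEED"):
                if not ({"!" + weak, "-" + weak} & tokens):
                    findings.add("cipher-suite-allows-" + weak)
        elif name == "ProxyPass":
            parts = args.split()
            target = parts[1] if len(parts) > 1 else ""
            if target.startswith("fcgi://") and "ProxyTimeout" not in names \
                    and "timeout=" not in args:
                # With this update mod_proxy_fcgi honours Timeout/ProxyTimeout
                # instead of a fixed 30 s; make the value explicit.
                findings.add("fcgi-timeout-unset")
            if target.startswith(("ws://", "wss://")) \
                    and "proxy_wstunnel_module" not in loaded:
                findings.add("wstunnel-module-not-loaded")
    if "SSLUserName" in names and ("SSLVerifyClient", "optional_no_ca") in found:
        # REMOTE_USER would be taken from a certificate whose chain was never
        # validated; require SSL_CLIENT_VERIFY == SUCCESS before trusting it.
        findings.add("remote-user-from-unvalidated-cert")
    return sorted(findings)
```

The cipher check is a heuristic on the directive's tokens; the definitive list of suites a given SSLCipherSuite string enables comes from running openssl ciphers -v with that string on the server, which is also how to confirm that the updated default no longer lists IDEA or SEED suites. The linter reads one fragment at a time, so on RHEL 7, where modules are loaded from /etc/httpd/conf.modules.d/, concatenate the module files with ssl.conf before checking for the wstunnel finding.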

Users of httpd are advised to upgrade to these updated packages, which fix these
bugs and add these enhancements. After installing the updated packages, the
httpd daemon will be restarted automatically.
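Whether a host has this update is a question of RPM version ordering: the installed httpd must be at or after 2.4.6-40.el7, and RPM's comparison is segment-based rather than lexical, so "40.el7_2" and "45.el7_4" count as newer while "40.el7~pre" would not. The following Python is an added example, not code from Red Hat or from rpm: it ports rpm's rpmvercmp() segment comparison, splits the epoch:version-release string that rpm -q prints, and reports whether an installed build is at or past this advisory's. The installed_evr() helper simply runs rpm -q and is only meaningful on an RPM-based host; the version strings in the test are constructed.

```python
import re
import subprocess

FIXED_EVR = "2.4.6-40.el7"   # the httpd build released by this advisory


def _sep(c: str) -> bool:
    """True for characters rpmvercmp skips between segments."""
    return not (c.isascii() and (c.isalnum() or c in "~^"))


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 for a < b, a == b, a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and _sep(a[i]):
            i += 1
        while j < len(b) and _sep(b[j]):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if "~" in (ca, cb):          # tilde sorts before everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):          # caret: like tilde, except end of string sorts first
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        pattern = r"[0-9]" if ca.isdigit() else r"[A-Za-z]"
        sa = re.match(pattern + "+", a[i:]).group(0)
        sb = re.match(pattern + "*", b[j:]).group(0)
        if not sb:                   # a numeric segment beats an alphabetic one
            return 1 if ca.isdigit() else -1
        i, j = i + len(sa), j + len(sb)
        if ca.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):   # the longer number is the larger one
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever still has characters left wins


def parse_evr(evr: str):
    """Split 'epoch:version-release' as printed by
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'; '(none)' means epoch 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e not in ("", "(none)"):
            epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    return compare_evr(installed_evr, fixed_evr) >= 0


def installed_evr(package: str = "httpd") -> str:
    """Query the local rpm database (only meaningful on an RPM-based host)."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", package],
        capture_output=True, text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    evr = installed_evr()
    print(evr, "patched" if is_patched(evr) else "NOT patched (needs %s)" % FIXED_EVR)
```

A result of "patched" only means the host is at or past this advisory's build; the package list below records that every file here was later outdated by RHSA-2017:0906, so the same comparison should be run against the newest applicable advisory rather than this one alone.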


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 7)

SRPMS:
httpd-2.4.6-40.el7.src.rpm
File outdated by:  RHSA-2017:0906
    MD5: 022bca84a71da7f1d9b6dcb03e702fdb
SHA-256: 471ec2e084fafcc42d454df1afc04c26333da6e9290618407fd57277040192bc
 
x86_64:
httpd-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: fc753d6a02ea1c30e4866a8fac4f57b7
SHA-256: bc204f30ad767a21169478d40cf77ed3cc1027026516a4a863cf7753b7f4eec6
httpd-debuginfo-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 7711caf150ac59de67974e12131bab52
SHA-256: 03ba563d7167b0669e0f4f0fbf1f0fef4c69fe745d1a26bee32a25d617e4ad3c
httpd-devel-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: a37acf8531d8c8f98d224aa69dbc2df0
SHA-256: 2fff12f27ae7e60f677da663421feaf1b0ab4743ac7c2c51ef00ee714ce23f74
httpd-manual-2.4.6-40.el7.noarch.rpm
File outdated by:  RHSA-2017:0906
    MD5: c5eb910b4b11537b67f3334c87da0ff4
SHA-256: 66e4e8478a67f9cef93b622d2409ad5195c2344d1425734998afbd61ced3282e
httpd-tools-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 4bc08cb2f4c4c9dfb83afc2b6cee7565
SHA-256: d7263eebcb7561c120609056ef0edc52af68943525f6a33c56c8e648395f9883
mod_ldap-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: adceb4361303ed00c804685af8a0ab01
SHA-256: d13eb0202961e1831ee7f45373d667ae7945e2ab294fcf69a3baafcd694b41fd
mod_proxy_html-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 351717e3cbc6fd091c1dde138f17711c
SHA-256: 2f21747db15de65380a9523e5a940df9faf93b8360aec91767230d9d67e83a3e
mod_session-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: f18fda8e32a3c11f4a8844bf35339f57
SHA-256: ef96b78b20a8ddcb4ea6fa15bb8659e4247495b0363bd9df35354fccbc430a0b
mod_ssl-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: eed119304edc4d86d44ff80c5ca3ed2b
SHA-256: 88d9a8b31d492b2103a7cceb32230489f8dc085e924d4b667e7ea0e1663d8878
 
Red Hat Enterprise Linux HPC Node (v. 7)

SRPMS:
httpd-2.4.6-40.el7.src.rpm
File outdated by:  RHSA-2017:0906
    MD5: 022bca84a71da7f1d9b6dcb03e702fdb
SHA-256: 471ec2e084fafcc42d454df1afc04c26333da6e9290618407fd57277040192bc
 
x86_64:
httpd-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: fc753d6a02ea1c30e4866a8fac4f57b7
SHA-256: bc204f30ad767a21169478d40cf77ed3cc1027026516a4a863cf7753b7f4eec6
httpd-debuginfo-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 7711caf150ac59de67974e12131bab52
SHA-256: 03ba563d7167b0669e0f4f0fbf1f0fef4c69fe745d1a26bee32a25d617e4ad3c
httpd-devel-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: a37acf8531d8c8f98d224aa69dbc2df0
SHA-256: 2fff12f27ae7e60f677da663421feaf1b0ab4743ac7c2c51ef00ee714ce23f74
httpd-manual-2.4.6-40.el7.noarch.rpm
File outdated by:  RHSA-2017:0906
    MD5: c5eb910b4b11537b67f3334c87da0ff4
SHA-256: 66e4e8478a67f9cef93b622d2409ad5195c2344d1425734998afbd61ced3282e
httpd-tools-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 4bc08cb2f4c4c9dfb83afc2b6cee7565
SHA-256: d7263eebcb7561c120609056ef0edc52af68943525f6a33c56c8e648395f9883
mod_ldap-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: adceb4361303ed00c804685af8a0ab01
SHA-256: d13eb0202961e1831ee7f45373d667ae7945e2ab294fcf69a3baafcd694b41fd
mod_proxy_html-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 351717e3cbc6fd091c1dde138f17711c
SHA-256: 2f21747db15de65380a9523e5a940df9faf93b8360aec91767230d9d67e83a3e
mod_session-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: f18fda8e32a3c11f4a8844bf35339f57
SHA-256: ef96b78b20a8ddcb4ea6fa15bb8659e4247495b0363bd9df35354fccbc430a0b
mod_ssl-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: eed119304edc4d86d44ff80c5ca3ed2b
SHA-256: 88d9a8b31d492b2103a7cceb32230489f8dc085e924d4b667e7ea0e1663d8878
 
Red Hat Enterprise Linux Server (v. 7)

SRPMS:
httpd-2.4.6-40.el7.src.rpm
File outdated by:  RHSA-2017:0906
    MD5: 022bca84a71da7f1d9b6dcb03e702fdb
SHA-256: 471ec2e084fafcc42d454df1afc04c26333da6e9290618407fd57277040192bc
 
PPC:
httpd-2.4.6-40.el7.ppc64.rpm
File outdated by:  RHSA-2017:0906
    MD5: ae61484b34c7d78003bd9bffdf3614ae
SHA-256: 3156b4ba012131193614684c91ac5ba8715d3c36a932e1ba8f7000923207bad7
httpd-debuginfo-2.4.6-40.el7.ppc64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 05999538e700ae06d8d12c328b1d0717
SHA-256: 917450c8f7d4c726fdb56eee034203f99fb7927c2e54e5d1f1cc38c35142de8e
httpd-devel-2.4.6-40.el7.ppc64.rpm
File outdated by:  RHSA-2017:0906
    MD5: c485c49ec4e72394df9d2923593bca7a
SHA-256: 3d200fb533481748e2186504dd076e2e3e3d9a1e0d039a2e17ad1014af3b64b0
httpd-manual-2.4.6-40.el7.noarch.rpm
File outdated by:  RHSA-2017:0906
    MD5: c5eb910b4b11537b67f3334c87da0ff4
SHA-256: 66e4e8478a67f9cef93b622d2409ad5195c2344d1425734998afbd61ced3282e
httpd-tools-2.4.6-40.el7.ppc64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 63e6c3a9f7abbd5a622a73e4520284be
SHA-256: 062184db15a32932d371da98237f986d4a385b09914ce5be04f84e7952bdd1d6
mod_ldap-2.4.6-40.el7.ppc64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 379dc1149bd7634a0b43991dba56aa8e
SHA-256: 47853f65217a420c53bab7af1622a65ac4ffc424f6308b23bcfa01b7dea9eac3
mod_proxy_html-2.4.6-40.el7.ppc64.rpm
File outdated by:  RHSA-2017:0906
    MD5: c97398e1b25da07dcb9ec42b2db3ca79
SHA-256: 6bf9146cd303a53919672130f17a6aa14ddbdc8f51632def8f333fe9a16556db
mod_session-2.4.6-40.el7.ppc64.rpm
File outdated by:  RHSA-2017:0906
    MD5: ff4ed66ced65ee99a38288d7173f5de0
SHA-256: 5e794ea31357aa4ada30250ba23157d38c7ad7fc0acb002a6067960fea7537c0
mod_ssl-2.4.6-40.el7.ppc64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 7c48fc891119ac14fc56bb77c0192636
SHA-256: 4e4d757feed97cc30c9831ffb2c4fd67f07aea52b3b659e6890f473d3d0b2fca
 
s390x:
httpd-2.4.6-40.el7.s390x.rpm
File outdated by:  RHSA-2017:0906
    MD5: 183a89a322657561ceaea0d869433536
SHA-256: fabd62115c710a085df9f7edb9763471c7ff158736ed70d68e16619cb8a69bc6
httpd-debuginfo-2.4.6-40.el7.s390x.rpm
File outdated by:  RHSA-2017:0906
    MD5: 0678a9e7bff78f6793038faec03e7e6e
SHA-256: 389e85a933fa9c5d8d3272ee9e141fbe7d4d5faa5b0b592593d9ef1ad9f0ab05
httpd-devel-2.4.6-40.el7.s390x.rpm
File outdated by:  RHSA-2017:0906
    MD5: 0c0fe0a744405706e7a42c52bc46d497
SHA-256: ed681d8e59126e215aac154996820b3ec326e3c8a45da1aac52def7077bf845b
httpd-manual-2.4.6-40.el7.noarch.rpm
File outdated by:  RHSA-2017:0906
    MD5: c5eb910b4b11537b67f3334c87da0ff4
SHA-256: 66e4e8478a67f9cef93b622d2409ad5195c2344d1425734998afbd61ced3282e
httpd-tools-2.4.6-40.el7.s390x.rpm
File outdated by:  RHSA-2017:0906
    MD5: 4e367de2a29d52260fb246ab18c3dcbe
SHA-256: 47734b248e7065d391ce5254fa68d03dbe924771e21c29ac3c55d8d7b7f73d3d
mod_ldap-2.4.6-40.el7.s390x.rpm
File outdated by:  RHSA-2017:0906
    MD5: 31f8e549f8da40e3108a4119946ba5e5
SHA-256: 71655085120a410d028c2c0fb800f7ba29f29d6b3305ef43161d102c7e1281d4
mod_proxy_html-2.4.6-40.el7.s390x.rpm
File outdated by:  RHSA-2017:0906
    MD5: 54b2fbf5c37eb30e1443cfc6bd020cd1
SHA-256: 6dc7c4867cc0647f5143b95a46e2bfff540eb38c4f13270a910eb69ce5d1f71d
mod_session-2.4.6-40.el7.s390x.rpm
File outdated by:  RHSA-2017:0906
    MD5: 1ea1e6eded30703c0bd27b01d5e7bec5
SHA-256: 66b0e68c4ce001b00ad881024343a2ce75f55b2d1b74d235fbdeff8156428e91
mod_ssl-2.4.6-40.el7.s390x.rpm
File outdated by:  RHSA-2017:0906
    MD5: 05acf84cd907a11175955578710d1d23
SHA-256: cb7066337a0a8c6e09c458de9018857ff1026b971101769be80956fd61f8d5a7
 
x86_64:
httpd-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: fc753d6a02ea1c30e4866a8fac4f57b7
SHA-256: bc204f30ad767a21169478d40cf77ed3cc1027026516a4a863cf7753b7f4eec6
httpd-debuginfo-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 7711caf150ac59de67974e12131bab52
SHA-256: 03ba563d7167b0669e0f4f0fbf1f0fef4c69fe745d1a26bee32a25d617e4ad3c
httpd-devel-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: a37acf8531d8c8f98d224aa69dbc2df0
SHA-256: 2fff12f27ae7e60f677da663421feaf1b0ab4743ac7c2c51ef00ee714ce23f74
httpd-manual-2.4.6-40.el7.noarch.rpm
File outdated by:  RHSA-2017:0906
    MD5: c5eb910b4b11537b67f3334c87da0ff4
SHA-256: 66e4e8478a67f9cef93b622d2409ad5195c2344d1425734998afbd61ced3282e
httpd-tools-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 4bc08cb2f4c4c9dfb83afc2b6cee7565
SHA-256: d7263eebcb7561c120609056ef0edc52af68943525f6a33c56c8e648395f9883
mod_ldap-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: adceb4361303ed00c804685af8a0ab01
SHA-256: d13eb0202961e1831ee7f45373d667ae7945e2ab294fcf69a3baafcd694b41fd
mod_proxy_html-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 351717e3cbc6fd091c1dde138f17711c
SHA-256: 2f21747db15de65380a9523e5a940df9faf93b8360aec91767230d9d67e83a3e
mod_session-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: f18fda8e32a3c11f4a8844bf35339f57
SHA-256: ef96b78b20a8ddcb4ea6fa15bb8659e4247495b0363bd9df35354fccbc430a0b
mod_ssl-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: eed119304edc4d86d44ff80c5ca3ed2b
SHA-256: 88d9a8b31d492b2103a7cceb32230489f8dc085e924d4b667e7ea0e1663d8878
 
Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
httpd-2.4.6-40.el7.src.rpm
File outdated by:  RHSA-2017:0906
    MD5: 022bca84a71da7f1d9b6dcb03e702fdb
SHA-256: 471ec2e084fafcc42d454df1afc04c26333da6e9290618407fd57277040192bc
 
x86_64:
httpd-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: fc753d6a02ea1c30e4866a8fac4f57b7
SHA-256: bc204f30ad767a21169478d40cf77ed3cc1027026516a4a863cf7753b7f4eec6
httpd-debuginfo-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 7711caf150ac59de67974e12131bab52
SHA-256: 03ba563d7167b0669e0f4f0fbf1f0fef4c69fe745d1a26bee32a25d617e4ad3c
httpd-devel-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: a37acf8531d8c8f98d224aa69dbc2df0
SHA-256: 2fff12f27ae7e60f677da663421feaf1b0ab4743ac7c2c51ef00ee714ce23f74
httpd-manual-2.4.6-40.el7.noarch.rpm
File outdated by:  RHSA-2017:0906
    MD5: c5eb910b4b11537b67f3334c87da0ff4
SHA-256: 66e4e8478a67f9cef93b622d2409ad5195c2344d1425734998afbd61ced3282e
httpd-tools-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 4bc08cb2f4c4c9dfb83afc2b6cee7565
SHA-256: d7263eebcb7561c120609056ef0edc52af68943525f6a33c56c8e648395f9883
mod_ldap-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: adceb4361303ed00c804685af8a0ab01
SHA-256: d13eb0202961e1831ee7f45373d667ae7945e2ab294fcf69a3baafcd694b41fd
mod_proxy_html-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: 351717e3cbc6fd091c1dde138f17711c
SHA-256: 2f21747db15de65380a9523e5a940df9faf93b8360aec91767230d9d67e83a3e
mod_session-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: f18fda8e32a3c11f4a8844bf35339f57
SHA-256: ef96b78b20a8ddcb4ea6fa15bb8659e4247495b0363bd9df35354fccbc430a0b
mod_ssl-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: eed119304edc4d86d44ff80c5ca3ed2b
SHA-256: 88d9a8b31d492b2103a7cceb32230489f8dc085e924d4b667e7ea0e1663d8878
 
(The unlinked packages above are only available from the Red Hat Network)
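The listing above gives an MD5 and a SHA-256 for every file. Checking the SHA-256 of a downloaded RPM against the advisory, independently of the mirror that served it, is the supply-chain check this table exists for (MD5 is kept only for legacy tooling and is not collision resistant). The following Python is an added example, not a Red Hat tool: it parses an excerpt of the listing above into a filename-to-SHA-256 manifest and verifies files against it. The file written by demo() is constructed data, so it deliberately mismatches the advisory's digest.

```python
import hashlib
import os
import re
import tempfile

# Excerpt of the advisory's x86_64 listing, in the page's own layout.
LISTING = """\
httpd-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: fc753d6a02ea1c30e4866a8fac4f57b7
SHA-256: bc204f30ad767a21169478d40cf77ed3cc1027026516a4a863cf7753b7f4eec6
mod_ssl-2.4.6-40.el7.x86_64.rpm
File outdated by:  RHSA-2017:0906
    MD5: eed119304edc4d86d44ff80c5ca3ed2b
SHA-256: 88d9a8b31d492b2103a7cceb32230489f8dc085e924d4b667e7ea0e1663d8878
"""

_RPM_LINE = re.compile(r"^(\S+\.rpm)$")
_SHA_LINE = re.compile(r"^\s*SHA-256:\s*([0-9a-f]{64})\s*$")


def parse_listing(text: str) -> dict:
    """Map each .rpm filename to the SHA-256 that follows it; MD5 is ignored."""
    manifest, current = {}, None
    for line in text.splitlines():
        m = _RPM_LINE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        m = _SHA_LINE.match(line)
        if m and current:
            manifest[current] = m.group(1)
            current = None
    return manifest


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path: str, manifest: dict) -> str:
    """'ok', 'MISMATCH', or 'not-in-advisory' for the file at path."""
    name = os.path.basename(path)
    if name not in manifest:
        return "not-in-advisory"
    return "ok" if sha256_file(path) == manifest[name] else "MISMATCH"


def demo() -> tuple:
    """Constructed run: a fake file under an advisory filename must MISMATCH;
    the same file checks 'ok' against a manifest built from its real digest."""
    manifest = parse_listing(LISTING)
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "httpd-2.4.6-40.el7.x86_64.rpm")
        with open(p, "wb") as f:
            f.write(b"constructed bytes, not an RPM package")
        fake = verify(p, manifest)
        good = verify(p, {os.path.basename(p): sha256_file(p)})
        unknown = verify(os.path.join(d, "other.rpm"), manifest)
    return fake, good, unknown
```

A digest match proves the bytes are the ones the advisory lists; the package's origin is proved by its GPG signature, which rpm -K on the file checks against the Red Hat key referenced at the end of this page. Run both before installing from any source other than Red Hat Network.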

Bugs fixed (see bugzilla for more information)

1125276 - ab fails when domain name resolved to IPv6 address
1160625 - mod_ssl should have BuildRequires: openssl-devel >= 1:1.0.1e-37
1162159 - Missing Reason-Phrase in HTTP response header for *standard* 3-digit status codes
1169081 - mod_remoteip doesn't correctly set the client address reported by mod_status
1170206 - bad SSL_CLIENT_VERIFY value on resumed session with "SSLVerifyClient optional_no_ca"
1170214 - mod_deflate does not decompress files larger than 4GB
1170215 - httpd.conf uses icon bomb.gif for all files/dirs ending with core
1170220 - Apache startup fails with misleading error if DocumentRoot has context type user_home_t
1176449 - httpd.conf is missing DAVLockDB configuration
1179306 - mod_remoteip allows setting any client IP (fixed upstream).
1180745 - mod_proxy_wstunnel not included in default apache config, does not work in conjunction with mod_rewrite, does not support ssl
1184118 - No Documentation= lines in the httpd.service and htcacheclean.service files
1188779 - authentication over mod_dbd fails when MALLOC_CHECK_ not set
1210091 - mod_rewrite bug - not actually rewriting
1214398 - apachectl graceful does not start httpd when not running
1214401 - apachectl graceful does not ignore sysconfig HTTPD
1214430 - 'service httpd graceful' starts server without daemon
1221575 - a segfault in dbmfilegroup_check_authorization in mod_authz_dbm.c
1222328 - mod_proxy_fcgi ignores timeout (fixed at 30s)
1225820 - httpd -D DUMP_VHOSTS shows all vhosts 2 times
1226015 - httpd + mod_ssl sends the NPN extension with default configuration, it shouldn't.
1227219 - Variables get undefined on graceful restart
1231924 - outdated documentation of 'apachectl status'
1235383 - mod_dav sends incomplete response body
1239164 - mod_ssl leaks memory on httpd reload
1242416 - Apache httpd ProxyPass connectiontimeout parameter does not have effect when proxying to AJP back-end
1242503 - Add support for Microsoft User Principal Name in SSLUserName
1255480 - upstream fix for bug 55397 is needed to get Polarion supported on RHEL7
1263975 - Regression caused by fix for Bug 1255480



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/