Skip to navigation

Security Advisory Moderate: httpd security update

Advisory: RHSA-2007:0911-6
Type: Security Advisory
Severity: Moderate
Issued on: 2007-10-25
Last updated on: 2007-10-25
Affected Products: Red Hat Application Stack v1 for Enterprise Linux AS (v.4)
Red Hat Application Stack v1 for Enterprise Linux ES (v.4)
Red Hat Application Stack v2
CVEs (cve.mitre.org): CVE-2007-3847
CVE-2007-4465

Details

Updated httpd packages that fix two security issues are now available for
Red Hat Application Stack.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular and freely-available Web server.

A flaw was found in the Apache HTTP Server mod_proxy module. On sites where
a reverse proxy is configured, a remote attacker could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. On sites where a forward proxy is configured, an attacker
could cause a similar crash if a user could be persuaded to visit a
malicious site using the proxy. This could lead to a denial of service if
using a threaded Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_autoindex module. On sites where directory
listings are used, and the AddDefaultCharset directive has been removed
from the configuration, a cross-site-scripting attack may be possible
against browsers which do not correctly derive the response character set
following the rules in RFC 2616. (CVE-2007-4465)

Users of httpd should upgrade to these updated packages which contain
backported patches to correct these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Application Stack v1 for Enterprise Linux AS (v.4)

SRPMS:
httpd-2.0.59-1.el4s1.8.src.rpm
File outdated by:  RHSA-2008:0510
    MD5: b22d942398339ba1cc053714f1245559
 
IA-32:
httpd-2.0.59-1.el4s1.8.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: 23b907a015f7b4968a0f2ebe68ddb9bb
httpd-devel-2.0.59-1.el4s1.8.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: d29093f7086e36831697065af1ace33b
httpd-manual-2.0.59-1.el4s1.8.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: d7e801938aa2ade0ec8b6de4e38a4191
mod_ssl-2.0.59-1.el4s1.8.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: 2364d43a57752986156c38a2b2cf1a4d
 
x86_64:
httpd-2.0.59-1.el4s1.8.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: 2692e4c6b432a195b05fabf7c479af69
httpd-devel-2.0.59-1.el4s1.8.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: 8f71efc4adbb9d16a8d6575097d54ef1
httpd-manual-2.0.59-1.el4s1.8.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: e5f1af974d7203f476c6592f02f9a640
mod_ssl-2.0.59-1.el4s1.8.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: e99210762a5307b09fff744537ffe14d
 
Red Hat Application Stack v1 for Enterprise Linux ES (v.4)

SRPMS:
httpd-2.0.59-1.el4s1.8.src.rpm
File outdated by:  RHSA-2008:0510
    MD5: b22d942398339ba1cc053714f1245559
 
IA-32:
httpd-2.0.59-1.el4s1.8.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: 23b907a015f7b4968a0f2ebe68ddb9bb
httpd-devel-2.0.59-1.el4s1.8.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: d29093f7086e36831697065af1ace33b
httpd-manual-2.0.59-1.el4s1.8.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: d7e801938aa2ade0ec8b6de4e38a4191
mod_ssl-2.0.59-1.el4s1.8.i386.rpm
File outdated by:  RHSA-2008:0510
    MD5: 2364d43a57752986156c38a2b2cf1a4d
 
x86_64:
httpd-2.0.59-1.el4s1.8.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: 2692e4c6b432a195b05fabf7c479af69
httpd-devel-2.0.59-1.el4s1.8.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: 8f71efc4adbb9d16a8d6575097d54ef1
httpd-manual-2.0.59-1.el4s1.8.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: e5f1af974d7203f476c6592f02f9a640
mod_ssl-2.0.59-1.el4s1.8.x86_64.rpm
File outdated by:  RHSA-2008:0510
    MD5: e99210762a5307b09fff744537ffe14d
 
Red Hat Application Stack v2

SRPMS:
httpd-2.2.4-7.el5s2.src.rpm
File outdated by:  RHSA-2011:1369
    MD5: 5b24a23198e69394837c1bffc9a092bd
 
IA-32:
httpd-2.2.4-7.el5s2.i386.rpm
File outdated by:  RHSA-2011:1369
    MD5: e24b96db9a4fa7e549685674cf7712fe
httpd-devel-2.2.4-7.el5s2.i386.rpm
File outdated by:  RHSA-2011:1369
    MD5: 5f28a8daf0d46d53f4d32fe9e4203da9
httpd-manual-2.2.4-7.el5s2.i386.rpm
File outdated by:  RHSA-2011:1369
    MD5: 5d5a7bb9acc85554a9fc43a3fe91a97d
mod_ssl-2.2.4-7.el5s2.i386.rpm
File outdated by:  RHSA-2011:1369
    MD5: a90655c1d69d20a46b81f3ee491a6b36
 
x86_64:
httpd-2.2.4-7.el5s2.x86_64.rpm
File outdated by:  RHSA-2011:1369
    MD5: 7702abea501f3817ebf45787656acfd9
httpd-devel-2.2.4-7.el5s2.i386.rpm
File outdated by:  RHSA-2011:1369
    MD5: 5f28a8daf0d46d53f4d32fe9e4203da9
httpd-devel-2.2.4-7.el5s2.x86_64.rpm
File outdated by:  RHSA-2011:1369
    MD5: bb87b357ca2f0f85dfa2d10fafc80f24
httpd-manual-2.2.4-7.el5s2.x86_64.rpm
File outdated by:  RHSA-2011:1369
    MD5: 2f8bdb1f247c766e46070718e2332144
mod_ssl-2.2.4-7.el5s2.x86_64.rpm
File outdated by:  RHSA-2011:1369
    MD5: 3bde4cb28d3a52c34083fea4225870c1
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

250731 - CVE-2007-3847 httpd out of bounds read
289511 - CVE-2007-4465 mod_autoindex XSS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/