
Security Advisory Moderate: httpd security update

Advisory: RHSA-2008:0005-4
Type: Security Advisory
Severity: Moderate
Issued on: 2008-01-15
Last updated on: 2008-01-15
Affected Products: Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CVE-2007-3847
CVE-2007-4465
CVE-2007-5000
CVE-2007-6388
CVE-2008-0005

Details

Updated Apache httpd packages that fix several security issues are now
available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A flaw was found in the mod_imap module. On sites where mod_imap was
enabled and an imagemap file was publicly available, a cross-site scripting
attack was possible. (CVE-2007-5000)

A flaw was found in the mod_autoindex module. On sites where directory
listings are used, and the "AddDefaultCharset" directive has been removed
from the configuration, a cross-site scripting attack was possible against
Web browsers which did not correctly derive the response character set
following the rules in RFC 2616. (CVE-2007-4465)

A flaw was found in the mod_proxy module. On sites where a reverse proxy is
configured, a remote attacker could send a carefully crafted request that
would cause the Apache child process handling that request to crash. On
sites where a forward proxy is configured, an attacker could cause a
similar crash if a user could be persuaded to visit a malicious site using
the proxy. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-3847)

A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which did not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)

Users of Apache httpd should upgrade to these updated packages, which
contain backported patches to resolve these issues. Users should restart
httpd after installing this update.


Solution

Before applying this update, make sure that all previously released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
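As an added example (not part of this advisory or of Red Hat's tooling), the following Python script checks two things the advisory describes: whether the installed httpd package is at or above the fixed build httpd-2.0.46-70.ent listed below, and whether the "AddDefaultCharset" directive is still present in the configuration, since CVE-2007-4465 only applies once it has been removed. Assumptions: the version comparison is a simplified form of rpm's algorithm (no epoch, tilde or caret handling), the helper names are mine, the sample configuration is constructed, and "AddDefaultCharset Off" is treated as equivalent to the directive having been removed.

```python
import re
import subprocess

# Fixed build from the package list in this advisory (RHSA-2008:0005).
FIXED_NVR = "httpd-2.0.46-70.ent"


def _segments(s):
    """Split a version or release string into numeric and alphabetic runs."""
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpm version comparison (assumption: no epoch/tilde/caret).
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1  # a numeric segment sorts after an alpha one
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(nvr):
    """Split 'name-version-release' as printed by 'rpm -q'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_patched(installed_nvr, fixed_nvr=FIXED_NVR):
    """True if the installed build is at or above the advisory's fixed build."""
    n1, v1, r1 = parse_nvr(installed_nvr)
    n2, v2, r2 = parse_nvr(fixed_nvr)
    if n1 != n2:
        raise ValueError("package name mismatch: %s vs %s" % (n1, n2))
    cmp_result = rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
    return cmp_result >= 0


def autoindex_xss_exposed(httpd_conf_text):
    """CVE-2007-4465 condition: AddDefaultCharset removed (or, by assumption,
    set to Off). Comment lines are ignored; directive names are case-insensitive."""
    for line in httpd_conf_text.splitlines():
        parts = line.strip().split()
        if parts and parts[0].lower() == "adddefaultcharset":
            return len(parts) > 1 and parts[1].lower() == "off"
    return True


if __name__ == "__main__":
    # On a live host: compare the installed package against the fixed build.
    installed = subprocess.check_output(["rpm", "-q", "httpd"]).decode().strip()
    print(installed, "patched" if is_patched(installed) else "NOT patched")
```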

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
httpd-2.0.46-70.ent.src.rpm
File outdated by:  RHSA-2009:1579
    MD5: b2da904635ee4c5a92b15a854a83a8b9
 
IA-32:
httpd-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: 847875ca5096f6bc40cf745bf84de492
httpd-devel-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: b8859c02a0933996a55b1efaf69df9d0
mod_ssl-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: e967058179994cac2caba0553179b33d
 
x86_64:
httpd-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 3c5fca78b3b47f8fa279ae68193785b6
httpd-devel-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 7ba3bd3872eae4a1dca50a3b8ca05539
mod_ssl-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 391c0884aabfe1d7f3080ab703eb830c
 
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
httpd-2.0.46-70.ent.src.rpm
File outdated by:  RHSA-2009:1579
    MD5: b2da904635ee4c5a92b15a854a83a8b9
 
IA-32:
httpd-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: 847875ca5096f6bc40cf745bf84de492
httpd-devel-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: b8859c02a0933996a55b1efaf69df9d0
mod_ssl-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: e967058179994cac2caba0553179b33d
 
IA-64:
httpd-2.0.46-70.ent.ia64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 042faca4d000881243b379f2b9368eef
httpd-devel-2.0.46-70.ent.ia64.rpm
File outdated by:  RHSA-2009:1579
    MD5: e5c61749634e68840c66b7d9f5d848a1
mod_ssl-2.0.46-70.ent.ia64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 38be7784447090d10b0dafc092f45e6b
 
PPC:
httpd-2.0.46-70.ent.ppc.rpm
File outdated by:  RHSA-2009:1579
    MD5: 47445147d08190f17bc627c818045eb0
httpd-devel-2.0.46-70.ent.ppc.rpm
File outdated by:  RHSA-2009:1579
    MD5: 4cf010a9e15b0010ea99ffc8f5e0f8c6
mod_ssl-2.0.46-70.ent.ppc.rpm
File outdated by:  RHSA-2009:1579
    MD5: 6dfea1c91a5d17ac9ae0367f8e5a096a
 
s390:
httpd-2.0.46-70.ent.s390.rpm
File outdated by:  RHSA-2009:1579
    MD5: a29b0bae45123b529ee562add299484e
httpd-devel-2.0.46-70.ent.s390.rpm
File outdated by:  RHSA-2009:1579
    MD5: 65f6b82eaefa26e8381cd9bc9d51b89b
mod_ssl-2.0.46-70.ent.s390.rpm
File outdated by:  RHSA-2009:1579
    MD5: ba5a9db88f1c771f2ddc869b0dea0c0e
 
s390x:
httpd-2.0.46-70.ent.s390x.rpm
File outdated by:  RHSA-2009:1579
    MD5: 5a31a0ede6ef6dd3890c7de645643caa
httpd-devel-2.0.46-70.ent.s390x.rpm
File outdated by:  RHSA-2009:1579
    MD5: b1afdf881aec6e7c05fd8bf0844055b7
mod_ssl-2.0.46-70.ent.s390x.rpm
File outdated by:  RHSA-2009:1579
    MD5: fd20968c556efdd91ce7073b4a62cb80
 
x86_64:
httpd-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 3c5fca78b3b47f8fa279ae68193785b6
httpd-devel-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 7ba3bd3872eae4a1dca50a3b8ca05539
mod_ssl-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 391c0884aabfe1d7f3080ab703eb830c
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
httpd-2.0.46-70.ent.src.rpm
File outdated by:  RHSA-2009:1579
    MD5: b2da904635ee4c5a92b15a854a83a8b9
 
IA-32:
httpd-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: 847875ca5096f6bc40cf745bf84de492
httpd-devel-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: b8859c02a0933996a55b1efaf69df9d0
mod_ssl-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: e967058179994cac2caba0553179b33d
 
IA-64:
httpd-2.0.46-70.ent.ia64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 042faca4d000881243b379f2b9368eef
httpd-devel-2.0.46-70.ent.ia64.rpm
File outdated by:  RHSA-2009:1579
    MD5: e5c61749634e68840c66b7d9f5d848a1
mod_ssl-2.0.46-70.ent.ia64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 38be7784447090d10b0dafc092f45e6b
 
x86_64:
httpd-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 3c5fca78b3b47f8fa279ae68193785b6
httpd-devel-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 7ba3bd3872eae4a1dca50a3b8ca05539
mod_ssl-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 391c0884aabfe1d7f3080ab703eb830c
 
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
httpd-2.0.46-70.ent.src.rpm
File outdated by:  RHSA-2009:1579
    MD5: b2da904635ee4c5a92b15a854a83a8b9
 
IA-32:
httpd-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: 847875ca5096f6bc40cf745bf84de492
httpd-devel-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: b8859c02a0933996a55b1efaf69df9d0
mod_ssl-2.0.46-70.ent.i386.rpm
File outdated by:  RHSA-2009:1579
    MD5: e967058179994cac2caba0553179b33d
 
IA-64:
httpd-2.0.46-70.ent.ia64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 042faca4d000881243b379f2b9368eef
httpd-devel-2.0.46-70.ent.ia64.rpm
File outdated by:  RHSA-2009:1579
    MD5: e5c61749634e68840c66b7d9f5d848a1
mod_ssl-2.0.46-70.ent.ia64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 38be7784447090d10b0dafc092f45e6b
 
x86_64:
httpd-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 3c5fca78b3b47f8fa279ae68193785b6
httpd-devel-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 7ba3bd3872eae4a1dca50a3b8ca05539
mod_ssl-2.0.46-70.ent.x86_64.rpm
File outdated by:  RHSA-2009:1579
    MD5: 391c0884aabfe1d7f3080ab703eb830c
 

Bugs fixed (see bugzilla for more information)

250731 - CVE-2007-3847 httpd out of bounds read
289511 - CVE-2007-4465 mod_autoindex XSS
419931 - CVE-2007-5000 mod_imagemap XSS
427228 - CVE-2007-6388 apache mod_status cross-site scripting
427739 - CVE-2008-0005 mod_proxy_ftp XSS


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/