Security Advisory Moderate: httpd security update

Advisory: RHSA-2008:0008-6
Type: Security Advisory
Severity: Moderate
Issued on: 2008-01-15
Last updated on: 2008-01-15
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.1.z server)
CVEs (cve.mitre.org): CVE-2007-4465
CVE-2007-5000
CVE-2007-6388
CVE-2007-6421
CVE-2007-6422
CVE-2008-0005

Details

Updated Apache httpd packages that fix several security issues are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A flaw was found in the mod_imagemap module. On sites where mod_imagemap
was enabled and an imagemap file was publicly available, a cross-site
scripting attack was possible. (CVE-2007-5000)

A flaw was found in the mod_autoindex module. On sites where directory
listings are used, and the "AddDefaultCharset" directive has been removed
from the configuration, a cross-site scripting attack might have been
possible against Web browsers which do not correctly derive the response
character set following the rules in RFC 2616. (CVE-2007-4465)

A flaw was found in the mod_status module. On sites where mod_status was
enabled and the status pages were publicly available, a cross-site
scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, a cross-site scripting attack against an
authorized user was possible. (CVE-2007-6421)

A flaw was found in the mod_proxy_balancer module. On sites where
mod_proxy_balancer was enabled, an authorized user could send a carefully
crafted request that would cause the Apache child process handling that
request to crash. This could lead to a denial of service if using a
threaded Multi-Processing Module. (CVE-2007-6422)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp
was enabled and a forward proxy was configured, a cross-site scripting
attack was possible against Web browsers which do not correctly derive the
response character set following the rules in RFC 2616. (CVE-2008-0005)

Users of Apache httpd should upgrade to these updated packages, which
contain backported patches to resolve these issues. Users should restart
httpd after installing this update.
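A defender-side check for the conditions described above, added here as an example and not part of the advisory: it compares an installed httpd version-release against the fixed build 2.2.3-11.el5_1.3 using a simplified rpmvercmp-style comparison (an assumption, not rpm's own implementation) and reports which of the six CVEs a given httpd.conf excerpt leaves exposed by configuration; SAMPLE_CONF is a constructed excerpt, not a real host's configuration.

```python
import re

FIXED_VR = "2.2.3-11.el5_1.3"  # fixed httpd build from this advisory's package list

# Constructed httpd.conf excerpt in RHEL 5 style; not taken from any real host.
SAMPLE_CONF = """\
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module modules/mod_status.so
#LoadModule imagemap_module modules/mod_imagemap.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
ProxyRequests On
#AddDefaultCharset UTF-8
"""
def rpm_vercmp(a, b):
    """Simplified rpmvercmp (an assumption, not rpm's own code): numeric segments compare
    numerically, alphabetic ones lexically, numeric beats alphabetic, longer wins on a tie."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_update(installed_vr):
    """True when an installed httpd version-release predates this advisory's build."""
    return rpm_vercmp(installed_vr, FIXED_VR) < 0

def audit_config(conf):
    """Map each CVE in this advisory to the config condition that exposes it; a
    commented-out directive ('#LoadModule ...') does not count as present."""
    loaded = set(re.findall(r"^\s*LoadModule\s+(\w+)", conf, re.M))
    charset = re.search(r"^\s*AddDefaultCharset\b", conf, re.M) is not None
    fwd_proxy = re.search(r"^\s*ProxyRequests\s+On\b", conf, re.M | re.I) is not None
    findings = {}
    if "imagemap_module" in loaded:
        findings["CVE-2007-5000"] = "mod_imagemap loaded; keep imagemap files non-public"
    if "autoindex_module" in loaded and not charset:
        findings["CVE-2007-4465"] = "mod_autoindex loaded and AddDefaultCharset not set"
    if "status_module" in loaded:
        findings["CVE-2007-6388"] = "mod_status loaded; restrict access to status pages"
    if "proxy_balancer_module" in loaded:
        findings["CVE-2007-6421"] = "mod_proxy_balancer loaded (XSS against authorized user)"
        findings["CVE-2007-6422"] = "mod_proxy_balancer loaded (crash under threaded MPM)"
    if "proxy_ftp_module" in loaded and fwd_proxy:
        findings["CVE-2008-0005"] = "mod_proxy_ftp loaded with ProxyRequests On (forward proxy)"
    return findings
```

On a real RHEL 5 host, pass the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' httpd` to needs_update and the contents of /etc/httpd/conf/httpd.conf (plus any conf.d files) to audit_config.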


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
httpd-2.2.3-11.el5_1.3.src.rpm     MD5: 86350187e69fc5f41b0ce9185247f95b     (outdated by RHSA-2014:0369)

IA-32:
httpd-devel-2.2.3-11.el5_1.3.i386.rpm     MD5: 091d5dde2429502b5fcc708eb6037c82     (outdated by RHSA-2014:0369)
httpd-manual-2.2.3-11.el5_1.3.i386.rpm     MD5: 1231ad07b833b163e31ec0c0138dd44b     (outdated by RHSA-2014:0369)

x86_64:
httpd-devel-2.2.3-11.el5_1.3.i386.rpm     MD5: 091d5dde2429502b5fcc708eb6037c82     (outdated by RHSA-2014:0369)
httpd-devel-2.2.3-11.el5_1.3.x86_64.rpm     MD5: b15f3e560dfa4454a2919a290987b809     (outdated by RHSA-2014:0369)
httpd-manual-2.2.3-11.el5_1.3.x86_64.rpm     MD5: 713522db5bbfc34432503dbe121a3f98     (outdated by RHSA-2014:0369)

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
httpd-2.2.3-11.el5_1.3.src.rpm     MD5: 86350187e69fc5f41b0ce9185247f95b     (outdated by RHSA-2014:0369)

IA-32:
httpd-2.2.3-11.el5_1.3.i386.rpm     MD5: 546691630899ef26b98e0f7b1c7b0770     (outdated by RHSA-2014:0369)
httpd-devel-2.2.3-11.el5_1.3.i386.rpm     MD5: 091d5dde2429502b5fcc708eb6037c82     (outdated by RHSA-2014:0369)
httpd-manual-2.2.3-11.el5_1.3.i386.rpm     MD5: 1231ad07b833b163e31ec0c0138dd44b     (outdated by RHSA-2014:0369)
mod_ssl-2.2.3-11.el5_1.3.i386.rpm     MD5: 70129ebb47c0c628552053957c003fc4     (outdated by RHSA-2014:0369)

IA-64:
httpd-2.2.3-11.el5_1.3.ia64.rpm     MD5: 414a9979d84b76f503f29bfadea0bb73     (outdated by RHSA-2014:0369)
httpd-devel-2.2.3-11.el5_1.3.ia64.rpm     MD5: 848448e6a9c0b6ed292b57a7f09cf564     (outdated by RHSA-2014:0369)
httpd-manual-2.2.3-11.el5_1.3.ia64.rpm     MD5: 60318f340d46e94f6ac5756b649a8426     (outdated by RHSA-2014:0369)
mod_ssl-2.2.3-11.el5_1.3.ia64.rpm     MD5: 7219af97e84b44ccef2d54923b08512d     (outdated by RHSA-2014:0369)

PPC:
httpd-2.2.3-11.el5_1.3.ppc.rpm     MD5: 344d1147e0aac9498650058344e62b96     (outdated by RHSA-2014:0369)
httpd-devel-2.2.3-11.el5_1.3.ppc.rpm     MD5: e1c5f8b6777a5bcd804ca9b122c501c6     (outdated by RHSA-2014:0369)
httpd-devel-2.2.3-11.el5_1.3.ppc64.rpm     MD5: 801f6f08d7d1d579f6a4dd0061e815fe     (outdated by RHSA-2014:0369)
httpd-manual-2.2.3-11.el5_1.3.ppc.rpm     MD5: 687024b1e7001cfc580cfa6014a4f5e7     (outdated by RHSA-2014:0369)
mod_ssl-2.2.3-11.el5_1.3.ppc.rpm     MD5: 14a3b36a644f468ea588246ab530c6d4     (outdated by RHSA-2014:0369)

s390x:
httpd-2.2.3-11.el5_1.3.s390x.rpm     MD5: c70c12ae6ee703e861956297bb7d75a0     (outdated by RHSA-2014:0369)
httpd-devel-2.2.3-11.el5_1.3.s390.rpm     MD5: 4ff213415d7a51d9be34df366e23abb1     (outdated by RHSA-2014:0369)
httpd-devel-2.2.3-11.el5_1.3.s390x.rpm     MD5: 8c3c061ed869e498ee69c607a4c2dd08     (outdated by RHSA-2014:0369)
httpd-manual-2.2.3-11.el5_1.3.s390x.rpm     MD5: 77d8aa7a4775c32558d257c86d413b50     (outdated by RHSA-2014:0369)
mod_ssl-2.2.3-11.el5_1.3.s390x.rpm     MD5: cdaab872832b9f53b87c1d3dec758810     (outdated by RHSA-2014:0369)

x86_64:
httpd-2.2.3-11.el5_1.3.x86_64.rpm     MD5: cdccf8d2d0a2dd39f814eb8d60a13cff     (outdated by RHSA-2014:0369)
httpd-devel-2.2.3-11.el5_1.3.i386.rpm     MD5: 091d5dde2429502b5fcc708eb6037c82     (outdated by RHSA-2014:0369)
httpd-devel-2.2.3-11.el5_1.3.x86_64.rpm     MD5: b15f3e560dfa4454a2919a290987b809     (outdated by RHSA-2014:0369)
httpd-manual-2.2.3-11.el5_1.3.x86_64.rpm     MD5: 713522db5bbfc34432503dbe121a3f98     (outdated by RHSA-2014:0369)
mod_ssl-2.2.3-11.el5_1.3.x86_64.rpm     MD5: 6e04c579ae3abf233ce894827f686cae     (outdated by RHSA-2014:0369)

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
httpd-2.2.3-11.el5_1.3.src.rpm     MD5: 86350187e69fc5f41b0ce9185247f95b     (outdated by RHSA-2014:0369)

IA-32:
httpd-2.2.3-11.el5_1.3.i386.rpm     MD5: 546691630899ef26b98e0f7b1c7b0770     (outdated by RHSA-2014:0369)
mod_ssl-2.2.3-11.el5_1.3.i386.rpm     MD5: 70129ebb47c0c628552053957c003fc4     (outdated by RHSA-2014:0369)

x86_64:
httpd-2.2.3-11.el5_1.3.x86_64.rpm     MD5: cdccf8d2d0a2dd39f814eb8d60a13cff     (outdated by RHSA-2014:0369)
mod_ssl-2.2.3-11.el5_1.3.x86_64.rpm     MD5: 6e04c579ae3abf233ce894827f686cae     (outdated by RHSA-2014:0369)

Red Hat Enterprise Linux EUS (v. 5.1.z server)

SRPMS:
httpd-2.2.3-11.el5_1.3.src.rpm     MD5: 86350187e69fc5f41b0ce9185247f95b     (outdated by RHSA-2014:0369)
 
IA-32:
httpd-2.2.3-11.el5_1.3.i386.rpm     MD5: 546691630899ef26b98e0f7b1c7b0770
httpd-devel-2.2.3-11.el5_1.3.i386.rpm     MD5: 091d5dde2429502b5fcc708eb6037c82
httpd-manual-2.2.3-11.el5_1.3.i386.rpm     MD5: 1231ad07b833b163e31ec0c0138dd44b
mod_ssl-2.2.3-11.el5_1.3.i386.rpm     MD5: 70129ebb47c0c628552053957c003fc4
 
IA-64:
httpd-2.2.3-11.el5_1.3.ia64.rpm     MD5: 414a9979d84b76f503f29bfadea0bb73
httpd-devel-2.2.3-11.el5_1.3.ia64.rpm     MD5: 848448e6a9c0b6ed292b57a7f09cf564
httpd-manual-2.2.3-11.el5_1.3.ia64.rpm     MD5: 60318f340d46e94f6ac5756b649a8426
mod_ssl-2.2.3-11.el5_1.3.ia64.rpm     MD5: 7219af97e84b44ccef2d54923b08512d
 
PPC:
httpd-2.2.3-11.el5_1.3.ppc.rpm     MD5: 344d1147e0aac9498650058344e62b96
httpd-devel-2.2.3-11.el5_1.3.ppc.rpm     MD5: e1c5f8b6777a5bcd804ca9b122c501c6
httpd-devel-2.2.3-11.el5_1.3.ppc64.rpm     MD5: 801f6f08d7d1d579f6a4dd0061e815fe
httpd-manual-2.2.3-11.el5_1.3.ppc.rpm     MD5: 687024b1e7001cfc580cfa6014a4f5e7
mod_ssl-2.2.3-11.el5_1.3.ppc.rpm     MD5: 14a3b36a644f468ea588246ab530c6d4
 
s390x:
httpd-2.2.3-11.el5_1.3.s390x.rpm     MD5: c70c12ae6ee703e861956297bb7d75a0
httpd-devel-2.2.3-11.el5_1.3.s390.rpm     MD5: 4ff213415d7a51d9be34df366e23abb1
httpd-devel-2.2.3-11.el5_1.3.s390x.rpm     MD5: 8c3c061ed869e498ee69c607a4c2dd08
httpd-manual-2.2.3-11.el5_1.3.s390x.rpm     MD5: 77d8aa7a4775c32558d257c86d413b50
mod_ssl-2.2.3-11.el5_1.3.s390x.rpm     MD5: cdaab872832b9f53b87c1d3dec758810
 
x86_64:
httpd-2.2.3-11.el5_1.3.x86_64.rpm     MD5: cdccf8d2d0a2dd39f814eb8d60a13cff
httpd-devel-2.2.3-11.el5_1.3.i386.rpm     MD5: 091d5dde2429502b5fcc708eb6037c82
httpd-devel-2.2.3-11.el5_1.3.x86_64.rpm     MD5: b15f3e560dfa4454a2919a290987b809
httpd-manual-2.2.3-11.el5_1.3.x86_64.rpm     MD5: 713522db5bbfc34432503dbe121a3f98
mod_ssl-2.2.3-11.el5_1.3.x86_64.rpm     MD5: 6e04c579ae3abf233ce894827f686cae
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

289511 - CVE-2007-4465 mod_autoindex XSS
419931 - CVE-2007-5000 mod_imagemap XSS
427228 - CVE-2007-6388 apache mod_status cross-site scripting
427229 - CVE-2007-6421 httpd mod_proxy_balancer cross-site scripting
427230 - CVE-2007-6422 httpd mod_proxy_balancer crash
427739 - CVE-2008-0005 mod_proxy_ftp XSS

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/