Security Advisory Important: httpd security update

Advisory: RHSA-2009:1148-1
Type: Security Advisory
Severity: Important
Issued on: 2009-07-09
Last updated on: 2009-07-09
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.3.z server)
Red Hat Enterprise Linux Long Life (v. 5.3 server)
CVEs (cve.mitre.org): CVE-2009-1890
CVE-2009-1891

Details

Updated httpd packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A denial of service flaw was found in the Apache mod_proxy module when it
was used as a reverse proxy. A remote attacker could use this flaw to force
a proxy process to consume large amounts of CPU time. (CVE-2009-1890)

A denial of service flaw was found in the Apache mod_deflate module. This
module continued to compress large files until compression was complete,
even if the network connection that requested the content was closed before
compression completed. This would cause mod_deflate to consume large
amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.
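
Because the patches are backported, the upstream version stays at 2.2.3, and only the release field (22.el5_3.2) shows whether a RHEL 5 system has the fix. The check below is an added example, not part of the original advisory or of Red Hat tooling; the function names and sample inputs are constructed, and the comparison is a simplified model of rpm's version ordering.

```python
import re

# Fixed build named in this advisory (RHEL 5 httpd packages).
FIXED_VERSION, FIXED_RELEASE = "2.2.3", "22.el5_3.2"


def rpmvercmp(a, b):
    """Simplified rpm-style segment comparison: returns -1, 0 or 1.

    Assumption: no '~' or '^' markers, which these package strings do not use.
    """
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1      # numeric segment beats alphabetic
        if x_num:
            x, y = int(x), int(y)          # compare numbers by value, not text
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def has_fix(version_release):
    """True if an el5 httpd VERSION-RELEASE string is at or above the fixed build."""
    version, _, release = version_release.strip().partition("-")
    if not release:
        raise ValueError("expected VERSION-RELEASE, got %r" % version_release)
    if ".el5" not in release:
        raise ValueError("not a RHEL 5 build: %r" % version_release)
    cmp_version = rpmvercmp(version, FIXED_VERSION)
    if cmp_version != 0:
        return cmp_version > 0
    return rpmvercmp(release, FIXED_RELEASE) >= 0


if __name__ == "__main__":
    # Constructed sample inputs, in the format printed by:
    #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd
    for sample in ("2.2.3-22.el5_3.1", "2.2.3-22.el5_3.2", "2.2.3-43.el5"):
        print(sample, "fixed" if has_fix(sample) else "NEEDS UPDATE")
```

The check applies only to the RHEL 5 package stream covered by this advisory; other product streams have their own fixed builds.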


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
httpd-2.2.3-22.el5_3.2.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: b4cab0442dd5bd472db501d29de4a092
 
IA-32:
httpd-devel-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 58d04ec7062e394518bfd420b1682188
httpd-manual-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 7d095da1b7404781bc71f443d88ee27f
 
x86_64:
httpd-devel-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 58d04ec7062e394518bfd420b1682188
httpd-devel-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 28c66d699b7122ad882a3933132e99e2
httpd-manual-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 64842456769d5bcf66b01ba72c41c40c
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
httpd-2.2.3-22.el5_3.2.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: b4cab0442dd5bd472db501d29de4a092
 
IA-32:
httpd-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 4cab238c56c7ae45d0408a1dde620969
httpd-devel-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 58d04ec7062e394518bfd420b1682188
httpd-manual-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 7d095da1b7404781bc71f443d88ee27f
mod_ssl-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: a89a750cfe88828e39f0336f0e4aaffa
 
IA-64:
httpd-2.2.3-22.el5_3.2.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: bb7edf958759f6382ee92825d5249b91
httpd-devel-2.2.3-22.el5_3.2.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: e490d3be06ae2b820b5ecf02115d75d4
httpd-manual-2.2.3-22.el5_3.2.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: b528a1cac37aca9e9a8fad5882435acf
mod_ssl-2.2.3-22.el5_3.2.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 784b56a3e09431684bcf9314e24fc05b
 
PPC:
httpd-2.2.3-22.el5_3.2.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 6aa5d0ffe37f0a2535ddd83a90043d6c
httpd-devel-2.2.3-22.el5_3.2.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: cd5f26864a5cd12f8a51a6ab855f67d5
httpd-devel-2.2.3-22.el5_3.2.ppc64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 40c59e3b4d7db2a0dbd904bbbe29712a
httpd-manual-2.2.3-22.el5_3.2.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 228fb4e715788dd2015efffcf49f4215
mod_ssl-2.2.3-22.el5_3.2.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: e8dc47de3df9151c941b42c96139db2a
 
s390x:
httpd-2.2.3-22.el5_3.2.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 22561037a1ce8b32d1c8262aee4fa6a8
httpd-devel-2.2.3-22.el5_3.2.s390.rpm
File outdated by:  RHSA-2014:0369
    MD5: 322e58e23e3ae4830e7c4cac41eea85c
httpd-devel-2.2.3-22.el5_3.2.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: f22453975651710aba2e5822a74c931a
httpd-manual-2.2.3-22.el5_3.2.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 4403ad829cdf31a477eec3f5e886cabb
mod_ssl-2.2.3-22.el5_3.2.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 9ca6c4adbd3b3e07aa70bad71774cf53
 
x86_64:
httpd-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 3a756282588f39abca685f9a54483155
httpd-devel-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 58d04ec7062e394518bfd420b1682188
httpd-devel-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 28c66d699b7122ad882a3933132e99e2
httpd-manual-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 64842456769d5bcf66b01ba72c41c40c
mod_ssl-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: e325f77f1479879d445f70163d5a0679
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
httpd-2.2.3-22.el5_3.2.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: b4cab0442dd5bd472db501d29de4a092
 
IA-32:
httpd-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 4cab238c56c7ae45d0408a1dde620969
mod_ssl-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: a89a750cfe88828e39f0336f0e4aaffa
 
x86_64:
httpd-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 3a756282588f39abca685f9a54483155
mod_ssl-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: e325f77f1479879d445f70163d5a0679
 
Red Hat Enterprise Linux EUS (v. 5.3.z server)

SRPMS:
httpd-2.2.3-22.el5_3.2.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: b4cab0442dd5bd472db501d29de4a092
 
IA-32:
httpd-2.2.3-22.el5_3.2.i386.rpm     MD5: 4cab238c56c7ae45d0408a1dde620969
httpd-devel-2.2.3-22.el5_3.2.i386.rpm     MD5: 58d04ec7062e394518bfd420b1682188
httpd-manual-2.2.3-22.el5_3.2.i386.rpm     MD5: 7d095da1b7404781bc71f443d88ee27f
mod_ssl-2.2.3-22.el5_3.2.i386.rpm     MD5: a89a750cfe88828e39f0336f0e4aaffa
 
IA-64:
httpd-2.2.3-22.el5_3.2.ia64.rpm     MD5: bb7edf958759f6382ee92825d5249b91
httpd-devel-2.2.3-22.el5_3.2.ia64.rpm     MD5: e490d3be06ae2b820b5ecf02115d75d4
httpd-manual-2.2.3-22.el5_3.2.ia64.rpm     MD5: b528a1cac37aca9e9a8fad5882435acf
mod_ssl-2.2.3-22.el5_3.2.ia64.rpm     MD5: 784b56a3e09431684bcf9314e24fc05b
 
PPC:
httpd-2.2.3-22.el5_3.2.ppc.rpm     MD5: 6aa5d0ffe37f0a2535ddd83a90043d6c
httpd-devel-2.2.3-22.el5_3.2.ppc.rpm     MD5: cd5f26864a5cd12f8a51a6ab855f67d5
httpd-devel-2.2.3-22.el5_3.2.ppc64.rpm     MD5: 40c59e3b4d7db2a0dbd904bbbe29712a
httpd-manual-2.2.3-22.el5_3.2.ppc.rpm     MD5: 228fb4e715788dd2015efffcf49f4215
mod_ssl-2.2.3-22.el5_3.2.ppc.rpm     MD5: e8dc47de3df9151c941b42c96139db2a
 
s390x:
httpd-2.2.3-22.el5_3.2.s390x.rpm     MD5: 22561037a1ce8b32d1c8262aee4fa6a8
httpd-devel-2.2.3-22.el5_3.2.s390.rpm     MD5: 322e58e23e3ae4830e7c4cac41eea85c
httpd-devel-2.2.3-22.el5_3.2.s390x.rpm     MD5: f22453975651710aba2e5822a74c931a
httpd-manual-2.2.3-22.el5_3.2.s390x.rpm     MD5: 4403ad829cdf31a477eec3f5e886cabb
mod_ssl-2.2.3-22.el5_3.2.s390x.rpm     MD5: 9ca6c4adbd3b3e07aa70bad71774cf53
 
x86_64:
httpd-2.2.3-22.el5_3.2.x86_64.rpm     MD5: 3a756282588f39abca685f9a54483155
httpd-devel-2.2.3-22.el5_3.2.i386.rpm     MD5: 58d04ec7062e394518bfd420b1682188
httpd-devel-2.2.3-22.el5_3.2.x86_64.rpm     MD5: 28c66d699b7122ad882a3933132e99e2
httpd-manual-2.2.3-22.el5_3.2.x86_64.rpm     MD5: 64842456769d5bcf66b01ba72c41c40c
mod_ssl-2.2.3-22.el5_3.2.x86_64.rpm     MD5: e325f77f1479879d445f70163d5a0679
 
Red Hat Enterprise Linux Long Life (v. 5.3 server)

SRPMS:
httpd-2.2.3-22.el5_3.2.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: b4cab0442dd5bd472db501d29de4a092
 
IA-32:
httpd-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2011:1294
    MD5: 4cab238c56c7ae45d0408a1dde620969
httpd-devel-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2011:1294
    MD5: 58d04ec7062e394518bfd420b1682188
httpd-manual-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2011:1294
    MD5: 7d095da1b7404781bc71f443d88ee27f
mod_ssl-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2011:1294
    MD5: a89a750cfe88828e39f0336f0e4aaffa
 
IA-64:
httpd-2.2.3-22.el5_3.2.ia64.rpm
File outdated by:  RHSA-2011:1294
    MD5: bb7edf958759f6382ee92825d5249b91
httpd-devel-2.2.3-22.el5_3.2.ia64.rpm
File outdated by:  RHSA-2011:1294
    MD5: e490d3be06ae2b820b5ecf02115d75d4
httpd-manual-2.2.3-22.el5_3.2.ia64.rpm
File outdated by:  RHSA-2011:1294
    MD5: b528a1cac37aca9e9a8fad5882435acf
mod_ssl-2.2.3-22.el5_3.2.ia64.rpm
File outdated by:  RHSA-2011:1294
    MD5: 784b56a3e09431684bcf9314e24fc05b
 
x86_64:
httpd-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2011:1294
    MD5: 3a756282588f39abca685f9a54483155
httpd-devel-2.2.3-22.el5_3.2.i386.rpm
File outdated by:  RHSA-2011:1294
    MD5: 58d04ec7062e394518bfd420b1682188
httpd-devel-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2011:1294
    MD5: 28c66d699b7122ad882a3933132e99e2
httpd-manual-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2011:1294
    MD5: 64842456769d5bcf66b01ba72c41c40c
mod_ssl-2.2.3-22.el5_3.2.x86_64.rpm
File outdated by:  RHSA-2011:1294
    MD5: e325f77f1479879d445f70163d5a0679
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

509125 - CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate
509375 - CVE-2009-1890 httpd: mod_proxy reverse proxy DoS (infinite loop)


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/