Security Advisory Moderate: httpd security update

Advisory: RHSA-2009:1580-1
Type: Security Advisory
Severity: Moderate
Issued on: 2009-11-11
Last updated on: 2009-11-11
Affected Products:
    Red Hat Desktop (v. 4)
    Red Hat Enterprise Linux AS (v. 4)
    Red Hat Enterprise Linux AS (v. 4.8.z)
    Red Hat Enterprise Linux ES (v. 4)
    Red Hat Enterprise Linux ES (v. 4.8.z)
    Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org):
    CVE-2009-1891
    CVE-2009-3094
    CVE-2009-3095
    CVE-2009-3555

Details

Updated httpd packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Apache HTTP Server is a popular Web server.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handle session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client's
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker's request as if authenticated using the
victim's credentials. This update partially mitigates this flaw for SSL
sessions to HTTP servers using mod_ssl by rejecting client-requested
renegotiation. (CVE-2009-3555)

Note: This update does not fully resolve the issue for HTTPS servers. An
attack is still possible in configurations that require a server-initiated
renegotiation. Refer to the following Knowledgebase article for further
information: http://kbase.redhat.com/faq/docs/DOC-20491

A denial of service flaw was found in the Apache mod_deflate module. This
module continued to compress large files until compression was complete,
even if the network connection that requested the content was closed before
compression completed. This would cause mod_deflate to consume large
amounts of CPU if mod_deflate was enabled for a large file. (CVE-2009-1891)
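The failure mode above is a compression loop that never asks whether the requesting connection still exists. The following is an added illustration of the corrected pattern, written for this page and not taken from httpd or mod_deflate: the body is compressed in slices and the loop gives up as soon as a (constructed) connection probe reports the client gone.

```python
import zlib

CHUNK = 64 * 1024  # constructed: compress the response body in 64 KiB slices

def compress_until_aborted(body: bytes, client_alive, chunk: int = CHUNK):
    """Compress `body` slice by slice, asking `client_alive()` before each
    slice whether the requesting connection still exists. Returns
    (compressed_bytes, slices_done, finished). Stopping as soon as the client
    is gone is what the unpatched mod_deflate did not do: it kept compressing
    a large file to the end although nobody could receive the output."""
    z = zlib.compressobj(wbits=31)  # gzip container, as Content-Encoding: gzip
    out, done = [], 0
    for off in range(0, len(body), chunk):
        if not client_alive():
            return b"".join(out), done, False  # abandon the remaining input
        out.append(z.compress(body[off:off + chunk]))
        done += 1
    out.append(z.flush())
    return b"".join(out), done, True

class ConnectionProbe:
    """Constructed stand-in for the connection state: reports the client as
    present for the first `alive_for` checks and gone afterwards. (A real
    server reads this from the connection object, e.g. httpd's conn_rec
    aborted flag, rather than counting checks.)"""
    def __init__(self, alive_for: int):
        self.alive_for = alive_for
        self.checks = 0
    def __call__(self) -> bool:
        self.checks += 1
        return self.checks <= self.alive_for

def roundtrip(body: bytes) -> bool:
    """Client stays connected: the output must decompress back to the input."""
    data, _, finished = compress_until_aborted(body, lambda: True)
    return finished and zlib.decompress(data, wbits=31) == body

def demo():
    body = b"A" * (10 * CHUNK)  # constructed 640 KiB, highly compressible body
    probe = ConnectionProbe(alive_for=3)  # client disconnects after 3 slices
    _, slices, finished = compress_until_aborted(body, probe)
    return slices, finished
```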

A NULL pointer dereference flaw was found in the Apache mod_proxy_ftp
module. A malicious FTP server to which requests are being proxied could
use this flaw to crash an httpd child process via a malformed reply to the
EPSV or PASV commands, resulting in a limited denial of service.
(CVE-2009-3094)

A second flaw was found in the Apache mod_proxy_ftp module. In a reverse
proxy configuration, a remote attacker could use this flaw to bypass
intended access restrictions by creating a carefully crafted HTTP
Authorization header, allowing the attacker to send arbitrary commands to
the FTP server. (CVE-2009-3095)
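Both mod_proxy_ftp flaws above come down to trusting data that crosses the proxy boundary: the upstream server's EPSV/PASV reply (CVE-2009-3094) and the client's Authorization header (CVE-2009-3095). The block below is an added example written for this page, not httpd's own code; it shows a reply parser that returns None instead of assuming the fields are present, and a credential mapper that refuses to write control characters into the CRLF-terminated FTP command stream.

```python
import base64
import re

# Reply shapes from RFC 959 (PASV) and RFC 2428 (EPSV)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

def parse_pasv(reply: str):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port), or
    None for any malformed reply: the upstream server's answer is untrusted
    input, so a missing or odd parenthesised field must not be assumed present."""
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_epsv(reply: str):
    """'229 Entering Extended Passive Mode (|||port|)' -> port, or None."""
    m = EPSV_RE.search(reply) if reply.startswith("229") else None
    if m is None:
        return None
    port = int(m.group(1))
    return port if 0 < port < 65536 else None

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def ftp_login_commands(authorization: str):
    """Map an HTTP Basic Authorization header to the USER/PASS lines a proxy
    would send upstream. FTP commands are CRLF-terminated lines, so any
    credential containing a control character is rejected (None) rather than
    written into the command stream, where it could be read as more commands."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in user + password):
        return None
    return [f"USER {user}\r\n", f"PASS {password}\r\n"]
```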

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Bugs fixed (see bugzilla for more information)

509125 - CVE-2009-1891 httpd: possible temporary DoS (CPU consumption) in mod_deflate
521619 - CVE-2009-3094 httpd: NULL pointer dereference in mod_proxy_ftp caused by crafted EPSV and PASV reply
522209 - CVE-2009-3095 httpd: mod_proxy_ftp FTP command injection via Authorization HTTP header
533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/