Skip to navigation

Security Advisory Moderate: httpd security and enhancement update

Advisory: RHSA-2010:0168-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-03-25
Last updated on: 2010-03-25
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.4.z server)
CVEs (cve.mitre.org): CVE-2010-0408
CVE-2010-0434

Details

Updated httpd packages that fix two security issues and add an enhancement
are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The Apache HTTP Server is a popular web server.

It was discovered that mod_proxy_ajp incorrectly returned an "Internal
Server Error" response when processing certain malformed requests, which
caused the back-end server to be marked as failed in configurations where
mod_proxy is used in load balancer mode. A remote attacker could cause
mod_proxy to not send requests to back-end AJP (Apache JServ Protocol)
servers for the retry timeout period (60 seconds by default) by sending
specially-crafted requests. (CVE-2010-0408)

A use-after-free flaw was discovered in the way the Apache HTTP Server
handled request headers in subrequests. In configurations where subrequests
are used, a multithreaded MPM (Multi-Processing Module) could possibly leak
information from other requests in request replies. (CVE-2010-0434)

This update also adds the following enhancement:

* with the updated openssl packages from RHSA-2010:0162 installed, mod_ssl
will refuse to renegotiate a TLS/SSL connection with an unpatched client
that does not support RFC 5746. This update adds the
"SSLInsecureRenegotiation" configuration directive. If this directive is
enabled, mod_ssl will renegotiate insecurely with unpatched clients.
(BZ#567980)

Refer to the following Red Hat Knowledgebase article for more details about
the changed mod_ssl behavior: http://kbase.redhat.com/faq/docs/DOC-20491

All httpd users should upgrade to these updated packages, which contain
backported patches to correct these issues and add this enhancement. After
installing the updated packages, the httpd daemon must be restarted for the
update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
httpd-2.2.3-31.el5_4.4.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: a031090020797128290ddd12b5df0cc1
SHA-256: 92cde62e2da71f2ca01050637b6416c3b70063dc32a9d8ff53cd241a87ea5e9d
 
IA-32:
httpd-devel-2.2.3-31.el5_4.4.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: d3410d6c92c3c8a70346be8c373e74b6
SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-manual-2.2.3-31.el5_4.4.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: fdfcaff02bc2248a9f36fa09f7145e0a
SHA-256: f57f01e91a767c06bcad97f994e1b231a536f01a8091d1d0eb9b64d48b028e81
 
x86_64:
httpd-devel-2.2.3-31.el5_4.4.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: d3410d6c92c3c8a70346be8c373e74b6
SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-devel-2.2.3-31.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 319c1adaa3db790c6ae92bed6d341053
SHA-256: c417b1600481ed29e51110c07c38f32dfb06a3c3db0d64da56daf5d67bb258f9
httpd-manual-2.2.3-31.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: a56721a9316233db55cda88b00982443
SHA-256: d1bb36ac4c7e6a4e2a269a0fccf5d938acfd2e7a4bf5094f9061aa5e2c5469c0
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
httpd-2.2.3-31.el5_4.4.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: a031090020797128290ddd12b5df0cc1
SHA-256: 92cde62e2da71f2ca01050637b6416c3b70063dc32a9d8ff53cd241a87ea5e9d
 
IA-32:
httpd-2.2.3-31.el5_4.4.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 0051b2bd340d07c5995c162e4a99c2ac
SHA-256: ecc1d64adc67d596472fa9aefd17253daae8bf4549f4eb661506b42ec6296ddd
httpd-devel-2.2.3-31.el5_4.4.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: d3410d6c92c3c8a70346be8c373e74b6
SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-manual-2.2.3-31.el5_4.4.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: fdfcaff02bc2248a9f36fa09f7145e0a
SHA-256: f57f01e91a767c06bcad97f994e1b231a536f01a8091d1d0eb9b64d48b028e81
mod_ssl-2.2.3-31.el5_4.4.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: edbb20f974ec2eb4f0112657e84181d3
SHA-256: 0a62ac0ad49cce0a4266ad2d07304c0f757ef3e9872745106d10471f57998b01
 
IA-64:
httpd-2.2.3-31.el5_4.4.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: f698a2dcdf763ecfea7c868e51f08389
SHA-256: fc28afc7d619c66ecd8ed3290cbf99384ea08c66fe14645909e26c0b66d6d0fc
httpd-devel-2.2.3-31.el5_4.4.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 37343ef2708612123dc6249fa3b5ee2a
SHA-256: 4c6837f419a927d428e3e4102f303a0cf96dae711231232b80544d47903aed8c
httpd-manual-2.2.3-31.el5_4.4.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 3923e90d784c906a0c50ae8d8369b6e6
SHA-256: 8b624ac98ed39c95a6e6a930c4e9b2d39671beac5726d49b7cb053a64651c87a
mod_ssl-2.2.3-31.el5_4.4.ia64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 8b2dd9c9557f167b6b837b396c69b6e3
SHA-256: 4c70e0dce30edd693cec4714071a0042eb6571d6e539394e08ad2c24e4be1c45
 
PPC:
httpd-2.2.3-31.el5_4.4.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: c5c4cae9c62bdd02c46d65f22c295186
SHA-256: 95e9fce1f10922fb74570c213bcf81ee61b949bfc0c889673a2c53ab6c761e93
httpd-devel-2.2.3-31.el5_4.4.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: c1ad3d52f2ac2535af98fd2a3961f4f9
SHA-256: a6aab08dac52c666e5864544187fd9a949445cd5043e1d5bdead2edc6bb2fdcb
httpd-devel-2.2.3-31.el5_4.4.ppc64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 111b7762104b7b240bb7f5e9f34e186e
SHA-256: 0d4a1db5bf57a9475427f22910e32edf7b4ca7cb9722bf6569a426a2eb6a5cb6
httpd-manual-2.2.3-31.el5_4.4.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: 7e631f9f43580e81feb3a7687910811d
SHA-256: 84021d035d01969061615ca7384a2ffe5eb168a029690a1b0867dfcf5d43940b
mod_ssl-2.2.3-31.el5_4.4.ppc.rpm
File outdated by:  RHSA-2014:0369
    MD5: e3312040b85d8776a2b7b2d9dab861a1
SHA-256: d3a90a5d0f8293dbdb3796c117136a69f0c826516344e02eacff1d77cd027e06
 
s390x:
httpd-2.2.3-31.el5_4.4.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 871fe126952a1c8b867cc063b8fc06f7
SHA-256: a7e4acbc4107eae4d9634ec118d33298d45e8cec72f7dec0f3612450ea8d725c
httpd-devel-2.2.3-31.el5_4.4.s390.rpm
File outdated by:  RHSA-2014:0369
    MD5: 862c4171470909d2657bfe269abf2d1c
SHA-256: fd2e56acbf163c6f5a5d18ae319f34c4ef551f0892b44d93e48e3ca249033d71
httpd-devel-2.2.3-31.el5_4.4.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 3a899f14c8c70d42ae899c068583dc3d
SHA-256: d8221f2e3c028e552612755aa8ad2c7e8233a24f194b6c87e075e28420793b02
httpd-manual-2.2.3-31.el5_4.4.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 4a4c66d01fcdbf187d9ef20cd6244f72
SHA-256: 85df8a0221847f2d94ec687e97f68a5589cc05358b0a5bbea6c74532d5da21d5
mod_ssl-2.2.3-31.el5_4.4.s390x.rpm
File outdated by:  RHSA-2014:0369
    MD5: 6b92526f3ad6964e008888d0842fae41
SHA-256: 7f8a3b0aba579e121e9e7690475c171cf0f527d7bfeb39e0b75089427fe0c688
 
x86_64:
httpd-2.2.3-31.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 8d0bea2237260eea1dc47aabe31a4758
SHA-256: 4c20b441040ae60166a64e9c61744f4f03c729fef7258eba0563c4b2041536c7
httpd-devel-2.2.3-31.el5_4.4.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: d3410d6c92c3c8a70346be8c373e74b6
SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-devel-2.2.3-31.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 319c1adaa3db790c6ae92bed6d341053
SHA-256: c417b1600481ed29e51110c07c38f32dfb06a3c3db0d64da56daf5d67bb258f9
httpd-manual-2.2.3-31.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: a56721a9316233db55cda88b00982443
SHA-256: d1bb36ac4c7e6a4e2a269a0fccf5d938acfd2e7a4bf5094f9061aa5e2c5469c0
mod_ssl-2.2.3-31.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: c86495c488bfeb95c98e200b4d5f3095
SHA-256: 8613980046ef3ff41d71e3f72ac1330bb25d62619954ecbc377e7838e35e5eac
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
httpd-2.2.3-31.el5_4.4.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: a031090020797128290ddd12b5df0cc1
SHA-256: 92cde62e2da71f2ca01050637b6416c3b70063dc32a9d8ff53cd241a87ea5e9d
 
IA-32:
httpd-2.2.3-31.el5_4.4.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: 0051b2bd340d07c5995c162e4a99c2ac
SHA-256: ecc1d64adc67d596472fa9aefd17253daae8bf4549f4eb661506b42ec6296ddd
mod_ssl-2.2.3-31.el5_4.4.i386.rpm
File outdated by:  RHSA-2014:0369
    MD5: edbb20f974ec2eb4f0112657e84181d3
SHA-256: 0a62ac0ad49cce0a4266ad2d07304c0f757ef3e9872745106d10471f57998b01
 
x86_64:
httpd-2.2.3-31.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: 8d0bea2237260eea1dc47aabe31a4758
SHA-256: 4c20b441040ae60166a64e9c61744f4f03c729fef7258eba0563c4b2041536c7
mod_ssl-2.2.3-31.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2014:0369
    MD5: c86495c488bfeb95c98e200b4d5f3095
SHA-256: 8613980046ef3ff41d71e3f72ac1330bb25d62619954ecbc377e7838e35e5eac
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)

SRPMS:
httpd-2.2.3-31.el5_4.4.src.rpm
File outdated by:  RHSA-2014:0369
    MD5: a031090020797128290ddd12b5df0cc1
SHA-256: 92cde62e2da71f2ca01050637b6416c3b70063dc32a9d8ff53cd241a87ea5e9d
 
IA-32:
httpd-2.2.3-31.el5_4.4.i386.rpm     MD5: 0051b2bd340d07c5995c162e4a99c2ac
SHA-256: ecc1d64adc67d596472fa9aefd17253daae8bf4549f4eb661506b42ec6296ddd
httpd-devel-2.2.3-31.el5_4.4.i386.rpm     MD5: d3410d6c92c3c8a70346be8c373e74b6
SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-manual-2.2.3-31.el5_4.4.i386.rpm     MD5: fdfcaff02bc2248a9f36fa09f7145e0a
SHA-256: f57f01e91a767c06bcad97f994e1b231a536f01a8091d1d0eb9b64d48b028e81
mod_ssl-2.2.3-31.el5_4.4.i386.rpm     MD5: edbb20f974ec2eb4f0112657e84181d3
SHA-256: 0a62ac0ad49cce0a4266ad2d07304c0f757ef3e9872745106d10471f57998b01
 
IA-64:
httpd-2.2.3-31.el5_4.4.ia64.rpm     MD5: f698a2dcdf763ecfea7c868e51f08389
SHA-256: fc28afc7d619c66ecd8ed3290cbf99384ea08c66fe14645909e26c0b66d6d0fc
httpd-devel-2.2.3-31.el5_4.4.ia64.rpm     MD5: 37343ef2708612123dc6249fa3b5ee2a
SHA-256: 4c6837f419a927d428e3e4102f303a0cf96dae711231232b80544d47903aed8c
httpd-manual-2.2.3-31.el5_4.4.ia64.rpm     MD5: 3923e90d784c906a0c50ae8d8369b6e6
SHA-256: 8b624ac98ed39c95a6e6a930c4e9b2d39671beac5726d49b7cb053a64651c87a
mod_ssl-2.2.3-31.el5_4.4.ia64.rpm     MD5: 8b2dd9c9557f167b6b837b396c69b6e3
SHA-256: 4c70e0dce30edd693cec4714071a0042eb6571d6e539394e08ad2c24e4be1c45
 
PPC:
httpd-2.2.3-31.el5_4.4.ppc.rpm     MD5: c5c4cae9c62bdd02c46d65f22c295186
SHA-256: 95e9fce1f10922fb74570c213bcf81ee61b949bfc0c889673a2c53ab6c761e93
httpd-devel-2.2.3-31.el5_4.4.ppc.rpm     MD5: c1ad3d52f2ac2535af98fd2a3961f4f9
SHA-256: a6aab08dac52c666e5864544187fd9a949445cd5043e1d5bdead2edc6bb2fdcb
httpd-devel-2.2.3-31.el5_4.4.ppc64.rpm     MD5: 111b7762104b7b240bb7f5e9f34e186e
SHA-256: 0d4a1db5bf57a9475427f22910e32edf7b4ca7cb9722bf6569a426a2eb6a5cb6
httpd-manual-2.2.3-31.el5_4.4.ppc.rpm     MD5: 7e631f9f43580e81feb3a7687910811d
SHA-256: 84021d035d01969061615ca7384a2ffe5eb168a029690a1b0867dfcf5d43940b
mod_ssl-2.2.3-31.el5_4.4.ppc.rpm     MD5: e3312040b85d8776a2b7b2d9dab861a1
SHA-256: d3a90a5d0f8293dbdb3796c117136a69f0c826516344e02eacff1d77cd027e06
 
s390x:
httpd-2.2.3-31.el5_4.4.s390x.rpm     MD5: 871fe126952a1c8b867cc063b8fc06f7
SHA-256: a7e4acbc4107eae4d9634ec118d33298d45e8cec72f7dec0f3612450ea8d725c
httpd-devel-2.2.3-31.el5_4.4.s390.rpm     MD5: 862c4171470909d2657bfe269abf2d1c
SHA-256: fd2e56acbf163c6f5a5d18ae319f34c4ef551f0892b44d93e48e3ca249033d71
httpd-devel-2.2.3-31.el5_4.4.s390x.rpm     MD5: 3a899f14c8c70d42ae899c068583dc3d
SHA-256: d8221f2e3c028e552612755aa8ad2c7e8233a24f194b6c87e075e28420793b02
httpd-manual-2.2.3-31.el5_4.4.s390x.rpm     MD5: 4a4c66d01fcdbf187d9ef20cd6244f72
SHA-256: 85df8a0221847f2d94ec687e97f68a5589cc05358b0a5bbea6c74532d5da21d5
mod_ssl-2.2.3-31.el5_4.4.s390x.rpm     MD5: 6b92526f3ad6964e008888d0842fae41
SHA-256: 7f8a3b0aba579e121e9e7690475c171cf0f527d7bfeb39e0b75089427fe0c688
 
x86_64:
httpd-2.2.3-31.el5_4.4.x86_64.rpm     MD5: 8d0bea2237260eea1dc47aabe31a4758
SHA-256: 4c20b441040ae60166a64e9c61744f4f03c729fef7258eba0563c4b2041536c7
httpd-devel-2.2.3-31.el5_4.4.i386.rpm     MD5: d3410d6c92c3c8a70346be8c373e74b6
SHA-256: fea34687e942b4b4a8e40340af5cb4258fae763891e114829300c95ea7ba129c
httpd-devel-2.2.3-31.el5_4.4.x86_64.rpm     MD5: 319c1adaa3db790c6ae92bed6d341053
SHA-256: c417b1600481ed29e51110c07c38f32dfb06a3c3db0d64da56daf5d67bb258f9
httpd-manual-2.2.3-31.el5_4.4.x86_64.rpm     MD5: a56721a9316233db55cda88b00982443
SHA-256: d1bb36ac4c7e6a4e2a269a0fccf5d938acfd2e7a4bf5094f9061aa5e2c5469c0
mod_ssl-2.2.3-31.el5_4.4.x86_64.rpm     MD5: c86495c488bfeb95c98e200b4d5f3095
SHA-256: 8613980046ef3ff41d71e3f72ac1330bb25d62619954ecbc377e7838e35e5eac
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

567980 - [RFE] mod_ssl: Add SSLInsecureRenegotiation directive [rhel-5]
569905 - CVE-2010-0408 httpd: mod_proxy_ajp remote temporary DoS
570171 - CVE-2010-0434 httpd: request header information leak


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/